How one Ukrainian IT specialist exposed a notorious Russian ransomware gang

Incredible reporting on a Ukrainian cybersecurity expert who fights “with a keyboard and mouse” by exposing files, tools, and internal chat logs belonging to Conti, the notorious Russian-linked ransomware gang. The Conti leaker “quietly lurked on the hackers’ computer servers and would pass along information on the group’s operations to European law enforcement officials,” per the report. The doxes were so effective that the FBI asked him to stop, fearing it would make it more difficult to track them. Also this week, reporting from the Wall Street Journal exposes the inner workings of the Trickbot cybercrime enterprise, a pro-Russia hacking group, thanks to a Ukrainian researcher who infiltrated the group’s servers.

More info

• Shutterfly discloses data breach after Conti ransomware attack

NEW and exclusive: The story of a Ukrainian man who sought to avenge the war by leaking a trove of embarrassing documents on a notorious Russia-linked ransomware gang. “I cannot shoot anything, but I can fight with a keyboard and mouse.” #Urkraine https://t.co/v2I1IwCD9n

— Sean Lyngaas (@snlyngaas) March 30, 2022

New: U.S. officials are weighing whether to sanction the Trickbot group, according to sources familiar with the deliberations. Such a move could make it illegal for U.S. companies to pay its ransomware demands. https://t.co/3muT84apk0

— Dustin Volz (@dnvolz) March 28, 2022

Apple and Meta Gave user data to hackers who used forged legal requests

Well, they finally did it: hackers associated with a group, some of which now operate as part of Lapsus$, tricked Apple and Meta into turning over user data by supplying fake subpoenas sent from hacked email domains belonging to law enforcement. The hackers specifically exploited the “emergency data request” system, which allows the quicker turnover of data under emergency situations — often to prevent loss of life. Discord also fulfilled a forged legal request. The use of Forged Legal Requests was first reported by Krebs on Security.

More info

According to @WilliamTurton's report, some of those involved are believed to be minors, one of which may also be involved with Lapsus$. https://t.co/Z4DjWJ6kf8

— Brett Callow (@BrettCallow) March 30, 2022

For the record, fake law enforcement requests from malicious actors are one of the many reasons I and others have long opposed "exceptional access" mechanisms for encrypted data & devices. When even a 3-trillion-dollar company doesn't bat 1.000… https://t.co/Kf9PtudKjA

— Riana Pfefferkorn (@Riana_Crypto) March 30, 2022

Zero-day flaw found in Java Spring Framework

Dark Reading: A bad bug found in a popular Java web application development framework puts a ton of web apps at risk of remote attack. The bug, named Spring4Shell, affects Spring, whose maintainers confirmed the bug. Patches are out, just after a zero-day exploit was posted to Twitter — then deleted.

More info

• Spring Framework RCE, Early Announcement
• Threat Advisory: Spring4Shell
• Explaining Spring4Shell: The Internet security disaster that wasn’t

Last Wednesday, someone leaked exploit code for an RCE vulnerability in a widely used open-source Java framework. Almost immediately, people were comparing the incident to Log4Shell, the zeroday that surfaced in December and led to an untold number of breaches in the wild. https://t.co/yoY6VFE63K

— Dan Goodin (@dangoodin001) April 2, 2022

How Intrusion Truth is unmasking China’s state hackers

KimZetter is back with a long-read on Intrusion Truth, the anonymous person or group behind a series of doxes of high-level Chinese cyber spies — some of which have proven to be pretty accurate, with U.S. Justice Department indictments dropping soon after. A compelling read, and featuring conversations with Intrusion itself (or themselves).

More info

• Intrusion Truth – Five Years of Naming and Shaming China’s Spies

It’s often said doxxing/indicting China’s hackers is ok because they engage in economic espionage/theft and US spies don’t – as if this means China doesn’t have legit reason to dox/indict. But does China need a reason? Only thing stopping them would be if they care abt US wrath https://t.co/J6SqXsdRBj

— Kim Zetter (@KimZetter) April 2, 2022

I've made my lengthy Intrusion Truth story free for all today. I had previously published this piece about the mysterious group, which has been unmasking China's hackers, for paid subscribers only but now everyone can read it. https://t.co/jFOsNr3RnW

— Kim Zetter (@KimZetter) April 1, 2022

People are getting scam texts from… themselves

We’ve all had weird spam in our time, but more people seem to be getting spam from… themselves. It’s what appears to be part of a widespread scam aimed at getting people to click on a phishing link that comes from the target’s own number. Many Verizon customers appear to be affected, which seems to be having trouble doing anything about it.

More info

• My own phone number is now spam texting me
• Verizon blames ‘bad actors’ for the spam text you got from your own number

Mystery GPS tracker found on an EFF supporter’s car

Electronic Frontier Foundation: Why did an EFF supporter’s car have a GPS tracker on it? Did they have a stalker? No, it turns out a GPS tracker was installed to their vehicles by car dealerships, but weren’t activated until the buyer paid for services. @cooperq ripped the device to bits and figured out how it works — and left open a ton of questions about the sort of data that’s being stored on the device regardless of whether it’s activated or not. Very creepy.

An EFF supporter found a GPS device attached to her car, you won't believe what happened next! https://t.co/ejKAdxwwj9

— Exploit code not people 🏴 (@cooperq) March 28, 2022

Safari vulnerability allowed for Gatekeeper bypass

An interesting newly discovered bug in macOS, dating back to as far back as Safari 14 on Big Sur, allowed for an attacker to bypass in-built Gatekeeper protections in macOS, which protect the operating system from automatically opening apps and files downloaded from the internet. The researchers found the bug as what appeared to be an intended feature from a popular game hosting site, but turned out to allow unauthorized code without a pop-up prompt.

Google Project Zero explains how NSO’s ForcedEntry exploit escapes the iOS sandbox

Google Project Zero: Google, with help from Apple and Citizen Lab, analyzed a sample of NSO Group’s “ForcedEntry” exploit, which can remotely compromise an iOS device for the purpose of installing the Pegasus spyware. This blog post explains the sandbox escape part of the bug.

FORCEDENTRY was the exploit that targeted Apple's BlastDoor feature, which was supposed(!) to protect iMessage from zero-click attacks. The exploit involves sending a .GIF file that's *actually* a malicious PDF, which then triggers the sandbox escape, which Google explains today.

— Zack Whittaker (@zackwhittaker) March 31, 2022

Ronin Network: What a $615m hack says about the state of crypto

A hack of the Ronin Network, a key platform powering the game Axie Infinity, had $615 million in cryptocurrency stolen, in one of — if not the biggest cryptocurrency hack to date. Hackers used private keys to exploit a bug in the Ronin bridge. (A bridge lets people convert tokens to ones that can be used on another network.) A lot of people lost a lot of money, once again because of weaknesses in poorly coded and unaudited software, explains Bloomberg.

More info

• Hackers Steal About $600 Million in One of the Biggest Crypto Heists

Major Ukraine ISP hit by DDoS

BBC News reporting major disruptions at one of Ukraine’s largest telecoms, Ukrtelecom, following a DDoS powerful enough to affect its core infrastructure. Forbes ($) spoke with Victor Zhora, Ukraine’s deputy head of state infosec protection, who said the incident at Ukrtelecom as the “most severe” cyberattack since the start of the Russian invasion in February. That’s presumably including the mass modem bricking attack at Viasat…

More info

• Ukraine war: Major internet provider suffers cyber-attack
• ‘Most Severe’ Cyberattack Since Russian Invasion Crashes Ukraine Internet Provider

Viasat attack caused by Russian wiper malware

Speaking of Viasat… SentinelOne security researchers found evidence that the Viasat satellite network — which went down over Europe and Ukraine just as Russia was crossing the border — was downed by destructive malware dubbed AcidRain, which they think is ultimately linked to the GRU. Viasat told TechCrunch that the findings were “consistent with the facts in our report,” which it had published a day earlier, which you can read here and Cyberscoop parsed here.

More info

• AcidRain | A Modem Wiper Rains Down on Europe
• Viasat cyberattack blamed on Russian wiper malware
• US telecommunications company likely targeted by Russian hackers shares details of Feb. 24 attack

Browser-in-a-browser phishing linked to Ghostwriter

Google TAG dropping new IOCs on threat activity and actors it’s tracking with regard to the war in Ukraine. Among the new data drop is Belarus-linked threat actor Ghostwriter, otherwise known as UNC1151, which was found using the same browser-in-a-browser phishing technique. The technique relies on imitating an OAuth login popup using HTML and CSS.

More info

• Tracking cyber activity in Eastern Europe

It’s Section 702 renewal time (again)

Every few years key U.S. surveillance powers come up for renewal — and this time it’s the notorious Section 702 (of the Foreign Intelligence Surveillance Act), the core powers that U.S. intelligence rely on for warrantless snooping on communications. The powers are set to sunset in December 2023 unless lawmakers act, reports The Record. That’s a year and a half away — plenty of time for a spirited debate that will only be ignored in favor of inevitable sweeping reauthorization like every other time this has happened. Maybe this time we can hope for real reform, if not least to protect Americans’ rights from their own government?

More info

• Intelligence community gears up for surveillance powers renewal

Wyze bug ignored for two years

A relatively simple-to-exploit bug in those cheap Wyze cameras allows remote access to the contents of its SD card in the camera via a webserver that doesn’t require authentication to access. Per Bleeping Computer, which outlines the two-year-long process by BitDefender to get Wyze to fix the bug — only to have security updates pushed only to newer devices, leaving 2017 models still vulnerable. Wyze said it takes “all security concerns seriously,” which as you know is corporate code for “dgaf”.

More info

• Wyze Cam flaw lets hackers remotely access your saved videos
• Vulnerabilities Identified in Wyze Cam IoT Device

The post Cybersecurity and Infosec News Headlines Update on April 03, 2022 appeared first on PUPUWEB - Information Resource for Emerging Technology Trends and Cybersecurity.