Russian law enforcement authorities on Friday announced the arrest of 14 members associated with the notorious REvil ransomware gang operating in the country, in a rare instance of the government acting on cyber crime operations from within its borders.
The FSB described its investigation as a complex and coordinated effort that resulted in the operation being taken down and its criminal infrastructure being dismantled at the behest of U.S. authorities.
"As a result of joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist," the FSB said. "The information infrastructure used for criminal purposes was neutralized."
The law enforcement authority said it confiscated 426 million rubles, $600,000, and €500,000, part of it held in cryptocurrency, as well as computer equipment, crypto wallets used to commit crimes, and 20 luxury cars that were purchased with money obtained by illicit means.
REvil (aka Sodinokibi) rose to dominance in April 2019 to fill the void left by GandCrab, and quickly developed a reputation for its technical prowess and hard-nosed tactics, which included highly customizable ransomware and public shaming of its victims.
It also made a name for itself on Russian-speaking hacker forums by creating a private, highly profitable ransomware extortion racket that accepted only affiliates with access to large enterprise networks.
Indeed, the rebranded gang practiced what's known in ransomware circles as big-game hunting, wherein the affiliates employ a highly targeted approach of striking entities that are sensitive to downtime in hopes that doing so would increase the motivation to pay multi-million-dollar ransoms.
In 2021, REvil was blamed for some of the most disruptive ransomware offensives against U.S. business and critical infrastructure, including JBS and Kaseya, even as REvil associates working with another ransomware outfit named DarkSide were linked to the onslaught against pipeline operator Colonial Pipeline in May.
Other publicized incidents have seen hospitals and healthcare services, energy suppliers, and local governments hit with file-encrypting malware attacks, preventing access to vital services, while netting the operation more than $200 million in illegal profits.
The REvil takedown is also significant because Russia has historically denied acting as a safe haven for organized ransomware groups and has taken no action despite mounting public evidence to the contrary. Plus, it doesn't help that these actors scrupulously avoid attacking organizations in Russia and mainly target companies in the west.
While the impact of REvil's crackdown remains to be felt, what with the group already having shuttered its operations as of October 2021, the arrests — while possibly a symbolic move — are likely to send a strong message to ransomware cartels and put them on high alert.
Indeed, the increasing law enforcement collaboration to take down ransomware groups prompted chatter on underground forums late last year, with a segment of cybercriminals located in Eastern Europe sharing concerns that "Russian authorities may be actively hunting them down."
That said, there's also some healthy skepticism given the curious timing of the actions, which come amid heightened geopolitical tensions between Russia and the U.S. over the former's decision to station 100,000 troops along the nation's border with Ukraine in preparation for a possible invasion.
Dmitri Alperovitch, co-founder of and former chief technology officer for the security firm CrowdStrike, called the REvil arrests in Russia "ransomware diplomacy."
What’s trending in security?
🇺🇦 Ukraine government websites were taken down likely by Russian military hackers amid growing tensions between the two nations. Previously, malware intended to sabotage computers used to control industrial processes shut down electrical substations in Ukraine in 2015 and 2016, and a cyberattack targeting Ukrainian businesses and government agencies resulted in the deployment of NotPetya data wiping malware in 2017 in what was described as "the most devastating cyberattack in history." [The Hacker News]
📶 Researchers from the University of California San Diego have demonstrated that it's possible to track a phone based on its Bluetooth signal. By measuring variations in the radio-frequency characteristics of Bluetooth Low Energy (BLE) transmissions across different gear such as iPhone 10, Thinkpad X1 Carbon, MacBook Pro 2016 edition, Apple Watch 4, Google Pixel 5, and Bose QuietComfort 35 wireless headphones, it was found that it's possible to distinguish one device from another, making identified devices theoretically trackable. [IEEE Security & Privacy]
🚨 A never-before-seen backdoor written from scratch for systems running Windows, macOS, or Linux has been uncovered. Dubbed SysJoker, the malware is a significant discovery, not least because cross-platform malware is something of a rarity, with most malicious software tailored for a specific operating system. [The Hacker News]
ℹ️ The U.S. Federal Communications Commission (FCC) proposes new stricter data breach reporting rules that would eliminate a seven-business-day waiting period granted to telecom companies before notifying customers of a breach or an inadvertent data leak. [The Record]
💬 Anom, the encrypted phone company marketed to criminals which the FBI secretly took over, not only featured capabilities to capture every message sent on the platform, but also collected users' precise GPS location and transferred that information to authorities, new findings show. What's more, the company is believed to have shipped over 100 phones to the U.S., suggesting that more devices were shipped to the country than previously reported. [Vice]
🇮🇷 U.S. intelligence agencies linked the MuddyWater APT group to the Iranian Ministry of Intelligence and Security (MOIS), while also detailing the various tools in its malware arsenal. [The Hacker News]
📃 Threat actors are now using Google Docs' commenting features as a new attack surface to slip malicious content past spam filters and security tools. To carry out this attack, the adversary creates a Google Docs file and adds a comment containing a malicious link. They add the victim to the comment using "@". This action automatically sends the target an email with a link to the Google Docs file. The email displays the full comment, including the bad links and other text added by the attacker. [Avanan]
🇨🇭 The Swiss army banned foreign instant-messaging apps such as Signal, Telegram, and WhatsApp, and requires army members to use the locally-developed Threema messaging app instead. [Bleeping Computer]
🖥️ Security researcher Patrick Wardle released a comprehensive list of all the new macOS malware threats that emerged over the course of 2021. Among them are ElectroRAT, Silver Sparrow, XcodeSpy, ElectrumStealer, WildPressure, XLoader, ZuRu, and MACMA. [Objective-See]
🇨🇳 The Cybersecurity Administration of China (CAC) published draft amendments to a 2016 regulation that aims to place even more emphasis on data security and user privacy for app developers and publishers. It requires that app providers carry out a rigorous security assessment before launching "new technologies, new applications and new functions" that have "opinion elements" or are capable of mobilising the public. [South China Morning Post]
📱 The Electronic Frontier Foundation (EFF) "applauded" search giant Google for pushing a new feature in Android 12 that allows users to optionally disable 2G at the modem level in their phones. 2G, which is already phased out in many parts of the world, is outdated and insecure for two reasons — weak encryption between the tower and device and lack of authentication of the tower to the phone, which means that an attacker can not just intercept calls or text messages, but also impersonate a real 2G tower (aka StingRays). The privacy watchdog now wants Apple to follow suit. [EFF]
✈️ A suspected Iranian state-supported threat actor has been observed deploying a newly discovered backdoor named Aclip that abuses the Slack API for covert communications, according to a report by IBM Security X-Force. The hacking group is said to have targeted an unnamed Asian airline to steal flight reservation data. Slack has since shut down the Slack Workspaces used to siphon information.
This is not the only Iran-linked campaign that's come to light in recent weeks. A new espionage campaign has targeted a string of telecoms operators in the Middle East and Asia over the past six months, in addition to a number of IT services organizations and a utility company. The intrusions, which relied on a mixture of legitimate tools, publicly available malware, and living-off-the-land tactics, have been linked to an actor tracked as Seedworm. [Bleeping Computer/Symantec]
🇺🇸 The U.S. Federal Bureau of Investigation (FBI) has warned of a FIN7 cybercrime campaign in which attackers mail USB thumb drives to U.S. organizations with the goal of delivering ransomware into their environments. Recipients who plug these USB drives into their devices would become the victims of a "BadUSB" attack in which the USB would register itself as a keyboard and send preconfigured keystrokes and commands to the machine. These would run PowerShell commands that installed malware and became a backdoor for future access. [The Record]
📧 The TinyNuke banking trojan, also known as Nukebot and used to gather login information, resurfaced in a new attack campaign that targets French users and organizations. The attack uses invoice-themed emails as a lure to strike entities in the manufacturing, technology, construction, and business sectors. [Heimdal Security]
⚠️ A first-of-its-kind rootkit named iLOBleed has been discovered hiding inside the firmware of HP iLO devices; it has been used in real-world attacks to wipe the servers of Iranian organizations. [The Hacker News]
🔍 In the latest Pegasus spyware news, the NSO Group-made surveillance software was found targeting journalists and NGOs in El Salvador. The malware was discovered on 37 mobile devices belonging to 35 individuals, with 22 of the targeted reporters working for the news site El Faro. The intrusions transpired between July 2020 and November 2021 and were carried out by a threat actor tracked as Torogoz. The government denied it's a client of NSO Group. [Citizen Lab / AP News]
☁️ Amazon has fixed two vulnerabilities affecting its AWS Glue and CloudFormation services, which allowed an attacker to create resources and access data of other AWS Glue customers due to an internal misconfiguration within Glue's service. AWS confirmed in an advisory that its logs showed that no customer data was impacted by the bugs since Glue's launch in 2017. [Orca Security / AWS]
🔌 David Colombo, a 19-year-old hacker and security researcher, found flaws in a third-party open source app — unnamed, since the issue remains active — which allowed him to track and unlock at least two-dozen Tesla cars. "The crux of the issue was that the third-party app communicates with Tesla to pull the car owner’s data through the company’s API. The problem is that the app exposes the private API key of many owners to the internet, where everyone who knows where to look—like Colombo—can find it." [Motherboard]
⚙️ Analysts from Slovak cybersecurity firm ESET released a detailed look at some of the most common vulnerabilities identified in kernel drivers, including failures to add checks that restrict read and write access to critical model-specific registers (MSR) and exposing the ability to map physical memory and access virtual memory from user mode for reading and writing. Malicious actors like Slingshot have abused the Bring Your Own Vulnerable Driver (BYOVD) technique of using vulnerable signed kernel drivers to run attack code on the Windows kernel. [ESET]
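The two driver defects the ESET item names, MSR access with no restriction and physical-memory mapping handed to user mode, both come down to a missing check in the driver's request handler. The following is an added example, not ESET's code and not a real Windows driver: a user-space C model of the checks such a handler should apply before servicing a request. The request struct, the verdict codes, the allowlisted MSR numbers and the device's MMIO range are all constructed for illustration.

```c
/* Added example: user-space model of the access checks a kernel driver's
 * request handler should perform before touching an MSR or mapping physical
 * memory on behalf of a user-mode caller. Not a real driver; every constant
 * below is a constructed placeholder. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum msr_op { MSR_READ = 0, MSR_WRITE = 1 };

/* Verdicts stand in for the NTSTATUS codes a real driver would return. */
enum msr_verdict {
    MSR_ALLOW = 0,
    MSR_DENY_PRIVILEGE,        /* caller is not privileged */
    MSR_DENY_NOT_ALLOWLISTED,  /* MSR number not known to the driver */
    MSR_DENY_READONLY          /* write requested to a read-only MSR */
};

struct msr_request {
    uint32_t index;    /* MSR number supplied by the caller (untrusted) */
    enum msr_op op;
    uint64_t value;    /* payload for writes */
};

/* Allowlist: only the registers this driver legitimately services, with the
 * operations permitted on each. The indices are constructed placeholders,
 * not a statement about which real MSRs are safe to expose. */
#define MSR_EXAMPLE_RO 0x1000u
#define MSR_EXAMPLE_RW 0x1001u

struct msr_policy { uint32_t index; bool readable; bool writable; };

static const struct msr_policy allowlist[] = {
    { MSR_EXAMPLE_RO, true,  false },
    { MSR_EXAMPLE_RW, true,  true  },
};

/* Hardened handler: privilege check first, then allowlist, then per-register
 * read/write policy. Anything not explicitly permitted is denied. */
enum msr_verdict check_msr_request(const struct msr_request *req, bool caller_is_admin)
{
    if (!caller_is_admin)
        return MSR_DENY_PRIVILEGE;
    for (size_t i = 0; i < sizeof allowlist / sizeof allowlist[0]; i++) {
        if (allowlist[i].index != req->index)
            continue;
        if (req->op == MSR_READ)
            return allowlist[i].readable ? MSR_ALLOW : MSR_DENY_NOT_ALLOWLISTED;
        return allowlist[i].writable ? MSR_ALLOW : MSR_DENY_READONLY;
    }
    return MSR_DENY_NOT_ALLOWLISTED;
}

/* Convenience wrapper so a single call expresses one request. */
enum msr_verdict check_msr(uint32_t index, enum msr_op op, bool caller_is_admin)
{
    struct msr_request req = { index, op, 0 };
    return check_msr_request(&req, caller_is_admin);
}

/* Physical-memory mapping check: the requested range must lie entirely inside
 * the device's own MMIO window. Written to be safe against base+len wrapping
 * around, which is the usual way a naive bounds check is bypassed. */
bool check_physmem_map(uint64_t base, uint64_t len, uint64_t dev_base, uint64_t dev_len)
{
    if (len == 0 || dev_len == 0)
        return false;
    if (base < dev_base || len > dev_len)
        return false;
    /* Both subtractions are now safe; compare offsets rather than sums. */
    return (base - dev_base) <= (dev_len - len);
}

int main(void)
{
    /* Constructed walk-through: a read of an allowlisted register by an
     * unprivileged caller, then a write to a read-only register by an admin. */
    printf("unprivileged read  -> %d\n", (int)check_msr(MSR_EXAMPLE_RO, MSR_READ, false));
    printf("admin write to RO  -> %d\n", (int)check_msr(MSR_EXAMPLE_RO, MSR_WRITE, true));
    printf("map inside window  -> %d\n", (int)check_physmem_map(0xF000u, 0x100u, 0xF000u, 0x1000u));
    printf("map wrapping range -> %d\n", (int)check_physmem_map(UINT64_MAX - 1, 0x10u, 0xF000u, 0x1000u));
    return 0;
}
```

The ordering matters: the privilege check runs before the allowlist so that an unprivileged caller learns nothing about which registers exist, and the bounds check subtracts rather than adds so that a deliberately huge length cannot wrap the end address back inside the window.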
🎌 Phishing emails carrying malicious documents have been targeting Japanese defense, media, and communication companies since at least October 2020. The documents themselves carry malicious macros which, if activated, drop an initial-stage malware that the researchers dub "Flagpro," which is used to investigate the target's environment, download a second-stage malware, and execute it. The attacks have been attributed to a Chinese actor tracked as BlackTech. [NCC Group]
⚡ Researchers have disclosed a new wave of attacks that exploit the Microsoft Exchange “ProxyShell” vulnerabilities to breach networks and distribute phishing emails to internal and external user accounts with payloads of Cobalt Strike, QBot, and DatopLoader, a malware loader that acts as an access broker to provide attackers with an initial foothold into systems and victims' network environments. [Cybereason]
🗂️ The past weeks in data breaches, leaks, and ransomware: Aditya Birla Fashion and Retail, Albuquerque Public Schools, Amedia, Bernalillo County Metropolitan Detention Center, Broward Health, EA, Element Solutions, Fertility Centers of Illinois, FinalSite, FlexBooker, Goodwill, Hensoldt, Impresa, Jerusalem Post, LastPass, Medical Review Institute of America, ONUS, Panasonic, Ravkoo, Saltzer Health, SEGA, Shutterfly, Siriraj Hospital, T-Mobile, Tesla, and UScellular.
Tips, Comments, Ideas?
Send them my way by replying to this email.
Thanks again for reading. See you in the next edition!