ransomware

after-years-of-losing,-it’s-finally-feds’-turn-to-troll-ransomware-group

After years of losing, it’s finally feds’ turn to troll ransomware group

Biz & IT, hacking, lockbit, ransomware, Security, takedowns / /

LOOK WHO’S TROLLING NOW —

Authorities who took down the ransomware group brag about their epic hack.

After years of losing, it’s finally feds’ turn to troll ransomware group

Getty Images

After years of being outmaneuvered by snarky ransomware criminals who tease and brag about each new victim they claim, international authorities finally got their chance to turn the tables, and they aren’t squandering it.

The top-notch trolling came after authorities from the US, UK, and Europol took down most of the infrastructure belonging to LockBit, a ransomware syndicate that has extorted more than $120 million from thousands of victims around the world. On Tuesday, most of the sites LockBit uses to shame its victims for being hacked, pressure them into paying, and brag of their hacking prowess began displaying content announcing the takedown. The seized infrastructure also hosted decryptors victims could use to recover their data.

The dark web site LockBit once used to name and shame victims, displaying entries such as

Enlarge / The dark web site LockBit once used to name and shame victims, displaying entries such as “press releases,” “LB Backend Leaks,” and “LockbitSupp You’ve been banned from Lockbit 3.0.”

this_is_really_bad

Authorities didn’t use the seized name-and-shame site solely for informational purposes. One section that appeared prominently gloated over the extraordinary extent of the system access investigators gained. Several images indicated they had control of /etc/shadow, a Linux file that stores cryptographically hashed passwords. This file, among the most security-sensitive ones in Linux, can be accessed only by a user with root, the highest level of system privileges.

Screenshot showing a folder named

Enlarge / Screenshot showing a folder named “shadow” with hashes for accounts including “root,” “daemon,” “bin,” and “sys.”

Other images demonstrated that investigators also had complete control of the main web panel and the system LockBit operators used to communicate with affiliates and victims.

Screenshot of a panel used to administer the LockBit site.

Enlarge / Screenshot of a panel used to administer the LockBit site.

Screenshot showing chats between a LockBit affiliate and a victim.

Enlarge / Screenshot showing chats between a LockBit affiliate and a victim.

The razzing didn’t stop there. File names of the images had titles including: “this_is_really_bad.png,” “oh dear.png,” and “doesnt_look_good.png.” The seized page also teased the upcoming doxing of LockbitSupp, the moniker of the main LockBit figure. It read: “Who is LockbitSupp? The $10m question” and displayed images of cash wrapped in chains with padlocks. Copying a common practice of LockBit and competing ransomware groups, the seized site displayed a clock counting down the seconds until the identifying information will be posted.

Screenshot showing

Enlarge / Screenshot showing “who is lockbitsupp?”

In all, authorities said they seized control of 14,000 accounts and 34 servers located in the Netherlands, Germany, Finland, France, Switzerland, Australia, the US, and the UK. Two LockBit suspects have been arrested in Poland and Ukraine, and five indictments and three arrest warrants have been issued. Authorities also froze 200 cryptocurrency accounts linked to the ransomware operation.

“At present, a vast amount of data gathered throughout the investigation is now in the possession of law enforcement,” Europol officials said. “This data will be used to support ongoing international operational activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure, and criminal assets linked to these criminal activities.”

LockBit has operated since at least 2019 under the name “ABCD.” Within three years, it was the most widely circulating ransomware. Like most of its peers, LockBit operates under what’s known as ransomware-as-a-service, in which it provides software and infrastructure to affiliates who use it to compromise victims. LockBit and the affiliates then divide any resulting revenue. Hundreds of affiliates participated.

According to KrebsOnSecurity, one of the LockBit leaders said on a Russian-language crime forum that a vulnerability in the PHP scripting language provided the means for authorities to hack the servers. That detail led to another round of razzing, this time from fellow forum participants.

“Does it mean that the FBI provided a pen-testing service to the affiliate program?” one participant wrote, according to reporter Brian Krebs. “Or did they decide to take part in the bug bounty program? :):).”

Several members also posted memes taunting the group about the security failure.

“In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head—offering $10 million to anyone who could discover his real name,” Krebs wrote. “‘My god, who needs me?’ LockBitSupp wrote on January 22, 2024. ‘There is not even a reward out for me on the FBI website.’”

After years of losing, it’s finally feds’ turn to troll ransomware group Read More »

hackers-can-infect-network-connected-wrenches-to-install-ransomware

Hackers can infect network-connected wrenches to install ransomware

Biz & IT, hack, ransomware, Security / /

TORQUE THIS —

Researchers identify 23 vulnerabilities, some of which can exploited with no authentication.

The Rexroth Nutrunner, a line of torque wrench sold by Bosch Rexroth.

Enlarge / The Rexroth Nutrunner, a line of torque wrench sold by Bosch Rexroth.

Bosch Rexroth

Researchers have unearthed nearly two dozen vulnerabilities that could allow hackers to sabotage or disable a popular line of network-connected wrenches that factories around the world use to assemble sensitive instruments and devices.

The vulnerabilities, reported Tuesday by researchers from security firm Nozomi, reside in the Bosch Rexroth Handheld Nutrunner NXA015S-36V-B. The cordless device, which wirelessly connects to the local network of organizations that use it, allows engineers to tighten bolts and other mechanical fastenings to precise torque levels that are critical for safety and reliability. When fastenings are too loose, they risk causing the device to overheat and start fires. When too tight, threads can fail and result in torques that are too loose. The Nutrunner provides a torque-level indicator display that’s backed by a certification from the Association of German Engineers and adopted by the automotive industry in 1999. The NEXO-OS, the firmware running on devices, can be controlled using a browser-based management interface.

NEXO-OS's management web application.

Enlarge / NEXO-OS’s management web application.

Nozomi

Nozomi researchers said the device is riddled with 23 vulnerabilities that, in certain cases, can be exploited to install malware. The malware could then be used to disable entire fleets of the devices or to cause them to tighten fastenings too loosely or tightly while the display continues to indicate the critical settings are still properly in place. B

Bosch officials emailed a statement that included the usual lines about security being a top priority. It went on to say that Nozomi reached out a few weeks ago to reveal the vulnerabilities. “Bosch Rexroth immediately took up this advice and is working on a patch to solve the problem,” the statement said. “This patch will be released at the end of January 2024.”

In a post, Nozomi researchers wrote:

The vulnerabilities found on the Bosch Rexroth NXA015S-36V-B allow an unauthenticated attacker who is able to send network packets to the target device to obtain remote execution of arbitrary code (RCE) with root privileges, completely compromising it. Once this unauthorized access is gained, numerous attack scenarios become possible. Within our lab environment, we successfully reconstructed the following two scenarios:

  • Ransomware: we were able to make the device completely inoperable by preventing a local operator from controlling the drill through the onboard display and disabling the trigger button. Furthermore, we could alter the graphical user interface (GUI) to display an arbitrary message on the screen, requesting the payment of a ransom. Given the ease with which this attack can be automated across numerous devices, an attacker could swiftly render all tools on a production line inaccessible, potentially causing significant disruptions to the final asset owner.
A PoC ransomware running on the test nutrunner.

Enlarge / A PoC ransomware running on the test nutrunner.

Nozomi

  • Manipulation of Control and View: we managed to stealthily alter the configuration of tightening programs, such as by increasing or decreasing the target torque value. At the same time, by patching in-memory the GUI on the onboard display, we could show a normal value to the operator, who would remain completely unaware of the change.
A manipulation of view attack. The actual torque applied in this tightening was 0.15 Nm.

A manipulation of view attack. The actual torque applied in this tightening was 0.15 Nm.

Hackers can infect network-connected wrenches to install ransomware Read More »

alphv-ransomware-site-is-“seized”-by-the-fbi-then-it’s-“unseized”-and-so-on.

AlphV ransomware site is “seized” by the FBI. Then it’s “unseized.” And so on.

alphv, Biz & IT, fbi, ransomware, Security, tor / /

DUELING SEIZURES —

In a bizarre twist, both groups issue dueling notices to ransomware website.

Shortly after the FBI posted a notice saying it had seized the dark-web site of AlphV, the ransomware group posted this notice claiming otherwise.

Enlarge / Shortly after the FBI posted a notice saying it had seized the dark-web site of AlphV, the ransomware group posted this notice claiming otherwise.

The FBI spent much of Tuesday locked in an online tug-of-war with one of the Internet’s most aggressive ransomware groups after taking control of infrastructure the group has used to generate more than $300 million in illicit payments to date.

Early Tuesday morning, the dark-web site belonging to AlphV, a ransomware group that also goes by the name BlackCat, suddenly started displaying a banner that said it had been seized by the FBI as part of a coordinated law enforcement action. Gone was all the content AlphV had posted to the site previously.

Around the same time, the Justice Department said it had disrupted AlphV’s operations by releasing a software tool that would allow roughly 500 AlphV victims to restore their systems and data. In all, Justice Department officials said, AlphV had extorted roughly $300 million from 1,000 victims.

An affidavit unsealed in a Florida federal court, meanwhile, revealed that the disruption involved FBI agents obtaining 946 private keys used to host victim communication sites. The legal document said the keys were obtained with the help of a confidential human source who had “responded to an advertisement posted to a publicly accessible online forum soliciting applicants for Blackcat affiliate positions.”

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” Deputy Attorney General Lisa O. Monaco said in Tuesday’s announcement. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”

Within hours, the FBI seizure notice displayed on the AlphV dark-web site was gone. In its place was a new notice proclaiming: “This website has been unseized.” The new notice, written by AlphV officials, downplayed the significance of the FBI’s action. While not disputing the decryptor tool worked for 400 victims, AlphV officials said that the disruption would prevent data belonging to another 3,000 victims from being decrypted.

“Now because of them, more than 3,000 companies will never receive their keys.”

As the hours went on, the FBI and AlphV sparred over control of the dark-web site, with each replacing the notices of the other.

One researcher described the ongoing struggle as a “tug of Tor,” a reference to Tor, the network of servers that allows people to browse and publish websites anonymously. Like most ransomware groups, AlphV hosts its sites over Tor. Not only does this arrangement prevent law enforcement investigators from identifying group members, it also hampers investigators from obtaining court orders compelling the web host to turn over control of the site.

The only way to control a Tor address is with possession of a dedicated private encryption key. Once the FBI obtained it, investigators were able to publish Tuesday’s seizure notice to it. Since AlphV also maintained possession of the key, group members were similarly free to post their own content. Since Tor makes it impossible to change the private key corresponding to an address, neither side has been able to lock the other out.

With each side essentially deadlocked, AlphV has resorted to removing some of the restrictions it previously placed on affiliates. Under the common ransomware-as-a-service model, affiliates are the ones who actually hack victims. When successful, the affiliates use the AlphV ransomware and infrastructure to encrypt data and then negotiate and facilitate a payment by bitcoin or another cryptocurrency.

Up to now, AlphV placed rules on affiliates forbidding them from targeting hospitals and critical infrastructure. Now, those rules no longer apply unless the victim is located in the Commonwealth of Independent States—a list of countries that were once part of the former Soviet Union.

“Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS, you can now block hospitals, nuclear power plants, anything, anywhere,” the AlphV notice said. The notice said that AlphV was also allowing affiliates to retain 90 percent of any ransom payments they get, and that ‘VIP’ affiliates would receive a private program on separate isolated data centers. The move is likely an attempt to stanch the possible defection by affiliates spooked by the FBI’s access to the AlphV infrastructure.

The back and forth has prompted some to say that the disruption failed, since AlphV retains control of its site and continues to possess the data it stole from victims. In a discussion on social media with one such critic, ransomware expert Allan Liska pushed back.

“The server and all of its data is still in possession of FBI—and ALPHV ain’t getting none of that back,” Liska, a threat researcher at security firm Recorded Future, wrote.

Social media post by Liska arguing the FBI maintains access to AlphV infrastructure.

Enlarge / Social media post by Liska arguing the FBI maintains access to AlphV infrastructure.

“But, hey you are correct and I am 100% wrong. I encourage you, and all ransomware groups to sign up to be an ALPHV affiliate now, it is definitely safe. Do it, Chicken!”

AlphV ransomware site is “seized” by the FBI. Then it’s “unseized.” And so on. Read More »

wolverine-developer-insomniac-games-sees-1.67tb-of-secrets-leaked-in-data-breach

Wolverine-developer Insomniac Games sees 1.67TB of secrets leaked in data breach

gaming, Insomniac Games, leak, PlayStation, ransomware, Sony / /

Ransomware —

Future Ratchet & Clank, X-Men, and Spider-Man games exposed—but it gets worse.

Wolverine sits at a bar in a game screenshot

Enlarge / An officially released image for Insomniac Games’ upcoming game Wolverine.

Acclaimed Sony-owned game development studio Insomniac Games became the victim of a large-scale ransomware attack this week, as initially reported by Cyber Daily. Ransomware group Rhysida dumped 1.67TB of data, including assets and story spoilers from unreleased games, a road map of upcoming titles, internal company communications, employees’ personal data such as passport scans and compensation figures, and much more.

The gang said it chose Insomniac because, as a large and successful studio, it made an attractive target for a money grab. The ransom was $2 million, and Insomniac refused to pay it.

As a result, a trove of emails, Slack messages, slideshow presentations, and more hit the web. Notably, these included screenshots and assets from the studio’s upcoming Wolverine game, as well as confirmation that Wolverine is planned to be the first in a trilogy of games starring X-Men characters. The materials also revealed that the company is working on another Ratchet & Clank game and a new Spider-Man sequel.

Rhysida put some of the data up for bidding by parties other than Insomniac itself, and some was sold.

Insomniac Games has an impressive history of top-selling games, particularly on PlayStation consoles. It became a household name with the Spyro the Dragon series on the first PlayStation. It went on to create and shepherd the Ratchet & Clank series on PlayStation 2, and it released several more Ratchet & Clank games on PlayStation 3, alongside a first-person shooter series dubbed Resistance.

More recently, the studio has released new Ratchet & Clank games on PlayStation 4 and PlayStation 5 and three critically acclaimed games based on Marvel’s Spider-Man. It also dabbled in VR development on the Oculus platform and released an Xbox exclusive called Sunset Overdrive before it was acquired by Sony to become a first-party PlayStation studio in August 2019.

As one of the industry’s most accomplished and successful developers, it has an enormous audience of fans who will likely avail themselves of the leaked information about upcoming titles. The leaks also expose internal company information that may be of interest to Sony’s direct competitors, such as Microsoft.

This is far from the first example of a large leak from a triple-A game developer or publisher. For example, footage of Rockstar Games’ highly anticipated Grand Theft Auto VI made its way onto the Internet last year. There was also a relatively recent high-profile leak affecting Cyberpunk 2077 and The Witcher III: Wild Hunt developer CD Projekt Red. Going back decades, there was the infamous incident of leaked Half-Life 2 source code and many more examples.

The scope of this leak is enormous even by the standards of this industry, though.

It’s important to take some of this leaked information with a grain of salt, because there is no guarantee that the information leaked is up to date. Even if it’s current now, the studio’s plans could change and evolve in the coming months and years. The fact that a new Ratchet & Clank game is planned now doesn’t necessarily mean one will be released in a few years; games are canceled all the time.

Wolverine-developer Insomniac Games sees 1.67TB of secrets leaked in data breach Read More »