Google has updated its Chrome browser to patch a high-severity zero-day vulnerability that allows attackers to execute malicious code on end user devices. The fix marks the fifth time this year the company has updated the browser to protect users from an existing malicious exploit.
The vulnerability, tracked as CVE-2024-4671, is a “use after free,” a class of bug that occurs in C-based programming languages. In these languages, developers must allocate memory space needed to run certain applications or operations. They do this by using “pointers” that store the memory addresses where the required data will reside. Because this space is finite, memory locations should be deallocated once the application or operation no longer needs it.
Use-after-free bugs occur when the app or process fails to clear the pointer after freeing the memory location. In some cases, the pointer to the freed memory is used again and points to a new memory location storing malicious shellcode planted by an attacker’s exploit, a condition that will result in the execution of this code.
On Thursday, Google said an anonymous source notified it of the vulnerability. The vulnerability carries a severity rating of 8.8 out of 10. In response, Google said, it would be releasing versions 124.0.6367.201/.202 for macOS and Windows and 124.0.6367.201 for Linux in subsequent days.
“Google is aware that an exploit for CVE-2024-4671 exists in the wild,” the company said.
Google didn’t provide any other details about the exploit, such as what platforms were targeted, who was behind the exploit, or what they were using it for.
Counting this latest vulnerability, Google has fixed five zero-days in Chrome so far this year. Three of the previous ones were used by researchers in the Pwn-to-Own exploit contest. The remaining one was for a vulnerability for which an exploit was available in the wild.
Chrome automatically updates when new releases become available. Users can force the update or confirm they’re running the latest version by going to Settings > About Chrome and checking the version and, if needed, clicking on the Relaunch button.
Researchers on Wednesday reported critical vulnerabilities in a widely used networking appliance that leaves some of the world’s biggest networks open to intrusion.
The vulnerabilities reside in BIG-IP Next Central Manager, a component in the latest generation of the BIG-IP line of appliances organizations use to manage traffic going into and out of their networks. Seattle-based F5, which sells the product, says its gear is used in 48 of the top 50 corporations as tracked by Fortune. F5 describes the Next Central Manager as a “single, centralized point of control” for managing entire fleets of BIG-IP appliances.
As devices performing load balancing, DDoS mitigation, and inspection and encryption of data entering and exiting large networks, BIG-IP gear sits at their perimeter and acts as a major pipeline to some of the most security-critical resources housed inside. Those characteristics have made BIG-IP appliances ideal for hacking. In 2021 and 2022, hackers actively compromised BIG-IP appliances by exploiting vulnerabilities carrying severity ratings of 9.8 out of 10.
On Wednesday, researchers from security firm Eclypsium reported finding what they said were five vulnerabilities in the latest version of BIG-IP. F5 has confirmed two of the vulnerabilities and released security updates that patch them. Eclypsium said three remaining vulnerabilities have gone unacknowledged, and it’s unclear if their fixes are included in the latest release. Whereas the exploited vulnerabilities from 2021 and 2022 affected older BIG-IP versions, the new ones reside in the latest version, known as BIG-IP Next. The severity of both vulnerabilities is rated as 7.5.
“BIG-IP Next marks a completely new incarnation of the BIG-IP product line touting improved security, management, and performance,” Eclypsium researchers wrote. “And this is why these new vulnerabilities are particularly significant—they not only affect the newest flagship of F5 code, they also affect the Central Manager at the heart of the system.”
The vulnerabilities allow attackers to gain full administrative control of a device and then create accounts on systems managed by the Central Manager. “These attacker-controlled accounts would not be visible from the Next Central Manager itself, enabling ongoing malicious persistence within the environment,” Eclypsium said. The researchers said they have no indication any of the vulnerabilities are under active exploitation.
Both of the fixed vulnerabilities can be exploited to extract password hashes or other sensitive data that allow for the compromise of administrative accounts on BIG-IP systems. F5 described one of them—tracked as CVE-2024-21793—as an Odata injection flaw, a class of vulnerability that allows attackers to inject malicious data into Odata queries. The other vulnerability, CVE-2024-26026, is an SQL injection flaw that can execute malicious SQL statements.
Eclypsium said it reported three additional vulnerabilities. One is an undocumented programming interface that allows for server-side request forgeries, a class of attack that gains access to sensitive internal resources that are supposed to be off-limits to outsiders. Another is the ability for unauthenticated administrators to reset their password even without knowing what it is. Attackers who gained control of an administrative account could exploit this last flaw to lock out all legitimate access to a vulnerable device.
The third is a configuration in the bcrypt password hashing algorithm that makes it possible to perform brute-force attacks against millions of passwords per second. The Open Web Application Security Project says that the bcrypt “work factor”—meaning the amount of resources required to convert plaintext into cryptographic hashes—should be set to a level no lower than 10. When Eclypsium performed its analysis, the Central Manager set it at six.
Eclypsium researchers wrote:
The vulnerabilities we have found would allow an adversary to harness the power of Next Central Manager for malicious purposes. First, the management console of the Central Manager can be remotely exploited by any attacker able to access the administrative UI via CVE 2024-21793 or CVE 2024-26026. This would result in full administrative control of the manager itself. Attackers can then take advantage of the other vulnerabilities to create new accounts on any BIG-IP Next asset managed by the Central Manager. Notably, these new malicious accounts would not be visible from the Central Manager itself.
All 5 vulnerabilities were disclosed to F5 in one batch, but F5 only formally assigned CVEs to the 2 unauthenticated vulnerabilities. We have not confirmed if the other 3 were fixed at the time of publication.
F5 representatives didn’t immediately have a response to the report. Eclypsium went on to say:
These weaknesses can be used in a variety of potential attack paths. At a high level attackers can remotely exploit the UI to gain administrative control of the Central Manager. Change passwords for accounts on the Central Manager. But most importantly, attackers could create hidden accounts on any downstream device controlled by the Central Manager.
Eclypsium
The vulnerabilities are present in BIG-IP Next Central Manager versions 20.0.1 through 20.1.0. Version 20.2.0, released Wednesday, fixes the two acknowledged vulnerabilities. As noted earlier, it’s unknown if version 20.2.0 fixes the other behavior Eclypsium described.
“If they are fixed, it is +- okay-ish, considering the version with them will still be considered vulnerable to other things and need a fix,” Eclypsium researcher Vlad Babkin wrote in an email. “If not, the device has a long-term way for an authenticated attacker to keep their access forever, which will be problematic.”
A query using the Shodan search engine shows only three instances of vulnerable systems being exposed to the Internet.
Given the recent rash of active exploits targeting VPNs, firewalls, load balancers, and other devices positioned at the network edge, BIG-IP Central Manager users would do well to place a high priority on patching the vulnerabilities. The availability of proof-of-concept exploitation code in the Eclypsium disclosure further increases the likelihood of active attacks.
Since at least 2019, a shadowy figure hiding behind several pseudonyms has publicly gloated for extorting millions of dollars from thousands of victims he and his associates had hacked. Now, for the first time, “LockBitSupp” has been unmasked by an international law enforcement team, and a $10 million bounty has been placed for his arrest.
In an indictment unsealed Tuesday, US federal prosecutors unmasked the flamboyant persona as Dmitry Yuryevich Khoroshev, a 31-year-old Russian national. Prosecutors said that during his five years at the helm of LockBit—one of the most prolific ransomware groups—Khoroshev and his subordinates have extorted $500 million from some 2,500 victims, roughly 1,800 of which were located in the US. His cut of the revenue was allegedly about $100 million.
Damage in the billions of dollars
“Beyond ransom payments and demands, LockBit attacks also severely disrupted their victims’ operations, causing lost revenue and expenses associated with incident response and recovery,” federal prosecutors wrote. “With these losses included, LockBit caused damage around the world totaling billions of US dollars. Moreover, the data Khoroshev and his LockBit affiliate co-conspirators stole—containing highly sensitive organizational and personal information—remained unsecure and compromised in perpetuity, notwithstanding Khoroshev’s and his co-conspirators’ false promises to the contrary.”
The indictment charges the Russian national with one count of conspiracy to commit fraud, extortion, and related activity in connection with computers, one count of conspiracy to commit wire fraud, eight counts of intentional damage to a protected computer, eight counts of extortion in relation to confidential information from a protected computer, and eight counts of extortion in relation to damage to a protected computer. If convicted, Khoroshev faces a maximum penalty of 185 years in prison.
In addition to the indictment, officials in the US Treasury Department—along with counterparts in the UK and Australia—announced sanctions against Khoroshev. Among other things, the US sanctions allow officials to impose civil penalties on any US person who makes or facilitates payments to the LockBit group. The US State Department also announced a $10 million reward for any information leading to Khoroshev’s arrest and or conviction.
Rooting out LockBit
Tuesday’s actions come 11 weeks after law enforcement agencies in the US and 10 other countries struck a major blow to the infrastructure LockBit members used to operate their ransomware-as-a-service enterprise. Images federal authorities posted to the dark web site where LockBit named and shamed victims indicated they had taken control of /etc/shadow, a Linux file that stores cryptographically hashed passwords. The file, among the most security-sensitive ones in Linux, can be accessed only by a user with root, the highest level of system privileges.
In all, the authorities said in February, they seized control of 14,000 LockBit-associated accounts and 34 servers located in the Netherlands, Germany, Finland, France, Switzerland, Australia, the US, and the UK. Two LockBit suspects were arrested in Poland and Ukraine, and five indictments and three arrest warrants were issued. The authorities also froze 200 cryptocurrency accounts linked to the ransomware operation. The UK’s National Crime Agency on Tuesday said the number of active LockBit affiliates has fallen from 114 to 69 since the February action, named Operation Cronos.
In mid-March, an Ontario, Canada, man convicted on charges for working for LockBit was sentenced to four years in prison. Mikhail Vasiliev, 33 years old at the time of sentencing, was arrested in November 2022 and charged with conspiring to infect protected computers with ransomware and sending ransom demands to victims. He pleaded guilty in February to eight counts of cyber extortion, mischief, and weapons charges.
The real-world identity of Khoroshev’s LockBitSupp alter ego has been hotly sought after for years. LockBitSupp thrived on his anonymity in frequent posts to Russian-speaking hacking forums, where he boasted about the prowess and acumen of his work. At one point, he promised a $10 million reward to anyone who revealed his identity. After February’s operation taking down much of the LockBit infrastructure, prosecutors hinted that they knew who LockBitSupp was but stopped short of naming him.
LockBit has operated since at least 2019 and has also been known under the name “ABCD” in the past. Within three years of its founding, the group’s malware was the most widely circulating ransomware. Like most of its peers, LockBit has operated under what’s known as ransomware-as-a-service, in which it provides software and infrastructure to affiliates who use it to do the actual hacking. LockBit and the affiliates then divide any resulting revenue.
Story updated to correct Khoroshev’s age. Initially the State Department said his date of birth was 17 April 1973. Later, the agency said it was 17 April 1993.
Enlarge/ The Atlas V rocket and Starliner spacecraft on their launch pad Monday.
Astronauts Butch Wilmore and Suni Williams climbed into their seats inside Boeing’s Starliner spacecraft Monday night in Florida, but trouble with the capsule’s Atlas V rocket kept the commercial ship’s long-delayed crew test flight on the ground.
Around two hours before launch time, shortly after 8: 30 pm EDT (00: 30 UTC), United Launch Alliance’s launch team stopped the countdown. “The engineering team has evaluated, the vehicle is not in a configuration where we can proceed with flight today,” said Doug Lebo, ULA’s launch conductor.
The culprit was a misbehaving valve on the rocket’s Centaur upper stage, which has two RL10 engines fed by super-cold liquid hydrogen and liquid oxygen propellants.
“We saw a self-regulating valve on the LOX (liquid oxygen) side had a bit of a buzz; it was moving in a strange behavior,” said Steve Stich, NASA’s commercial crew program manager. “The flight rules had been laid out for this flight ahead of time. With the crew at the launch pad, the proper action was to scrub.”
The next opportunity to launch Starliner on its first crew test flight will be Friday night at 9 pm EDT (01: 00 UTC Saturday). NASA announced overnight that officials decided to skip a launch opportunity Tuesday night to allow engineers more time to study the valve problem and decide whether they need to replace it.
Work ahead
Everything else was going smoothly in the countdown Monday night. This mission will also be the first time astronauts have flown on ULA’s Atlas V rocket, which has logged 99 successful flights since 2002. It is the culmination of nearly a decade-and-a-half of development by Boeing, which has a $4.2 billion contract with NASA to ready Starliner for crew missions, then carry out six long-duration crew ferry flights to and from the International Space Station.
This crew test flight will last at least eight days, taking Wilmore and Williams to the space station to verify Starliner’s readiness for operational missions. Once Starliner flies, NASA will have two human-rated spacecraft on contract. SpaceX’s Crew Dragon has been in service since 2020.
When officials scrubbed Monday night’s launch attempt, Wilmore and Williams were already aboard the Starliner spacecraft on top of the Atlas V rocket at Cape Canaveral Space Force Station, Florida. The Boeing and ULA support team helped them out of the capsule and drove them back to crew quarters at the nearby Kennedy Space Center to wait for the next launch attempt.
“I promised Butch and Suni a boring evening,” said Tory Bruno, ULA’s CEO. “I didn’t mean for it to be quite this boring, but we’re going to follow our rules, and we’re going to make sure that the crew is safe.”
When the next launch attempt actually occurs depends on whether ULA engineers determine they can resolve the problem without rolling the Atlas V rocket back to its hangar for repairs.
The valve in question vents gas from the liquid oxygen tank on the Centaur upper stage to maintain the tank at proper pressures. This is important for two reasons. The tank needs to be at the correct pressure for the RL10 engines to receive propellant during the flight, and the Centaur upper stage itself has ultra-thin walls to reduce weight, and requires pressure to maintain structural integrity.
Most scammers and cybercriminals operate in the digital shadows and don’t want you to know how they make money. But that’s not the case for the Yahoo Boys, a loose collective of young men in West Africa who are some of the web’s most prolific—and increasingly dangerous—scammers.
Thousands of people are members of dozens of Yahoo Boy groups operating across Facebook, WhatsApp, and Telegram, a WIRED analysis has found. The scammers, who deal in types of fraud that total hundreds of millions of dollars each year, also have dozens of accounts on TikTok, YouTube, and the document-sharing service Scribd that are getting thousands of views.
Inside the groups, there’s a hive of fraudulent activity with the cybercriminals often showing their faces and sharing ways to scam people with other members. They openly distribute scripts detailing how to blackmail people and how to run sextortionscams—that have driven people to take their own lives—sell albums with hundreds of photographs, and advertise fake social media accounts. Among the scams, they’re also using AI to create fake “nude” images of people and real-time deepfake video calls.
The Yahoo Boys don’t disguise their activity. Many groups use “Yahoo Boys” in their name as well as other related terms. WIRED’s analysis found 16 Yahoo Boys Facebook groups with almost 200,000 total members, a dozen WhatsApp channels, around 10 Telegram channels, 20 TikTok accounts, a dozen YouTube accounts, and more than 80 scripts on Scribd. And that’s just the tip of the iceberg.
Broadly, the companies do not allow content on their platforms that encourages or promotes criminal behavior. The majority of the Yahoo Boys accounts and groups WIRED identified were removed after we contacted the companies about the groups’ overt existence. Despite these removals, dozens more Yahoo Boys groups and accounts remain online.
“They’re not hiding under different names,” says Kathy Waters, the co-founder and executive director of the nonprofit Advocating Against Romance Scammers, which has tracked the Yahoo Boys for years. Waters says the social media companies are essentially providing the Yahoo Boys with “free office space” to organize and conduct their activities. “They’re selling scripts, selling photos, identifications of people, all online, all on the social media platforms,” she says. “Why these accounts still remain is beyond me.”
The Yahoo Boys aren’t a single, organized group. Instead, they’re a collection of thousands of scammers who work individually or in clusters. Often based in Nigeria, their name comes from formerly targeting users of Yahoo services, with links back to the Nigerian Prince email scams of old. Groups in West Africa can be often organized in various confraternities, which are cultish gangs.
“Yahoo is a set of knowledge that allows you to conduct scams,” says Gary Warner, the director of intelligence at DarkTower and director of the University of Alabama at Birmingham’s Computer Forensics Research Laboratory. While there are different levels of sophistication of Yahoo Boys, Warner says, many simply operate from their phones. “Most of these threat actors are only using one device,” he says.
The Yahoo Boys run dozens of scams—from romance fraud to business email compromise. When making contact with potential victims, they’ll often “bomb” people by sending hundreds of messages to dating app accounts or Facebook profiles. “They will say anything they can in order to get the next dime in their pocket,” Waters says.
Searching for the Yahoo Boys on Facebook brings up two warnings: Both say the results may be linked to fraudulent activity, which isn’t allowed on the website. Clicking through the warnings reveals Yahoo Boy groups with thousands of members—one had more than 70,000.
Within the groups—alongside posts selling SIM cards and albums with hundreds of pictures—many of the scammers push people toward other messaging platforms such as Meta’s WhatsApp or Telegram. Here, the Yahoo Boys are at their most bold. Some groups and channels on the two platforms receive hundreds of posts per day and are part of their wider web of operations.
After WIRED asked Facebook about the 16 groups we identified, the company removed them, and some WhatsApp groups were deactivated. “Scammers use every platform available to them to defraud people and constantly adapt to avoid getting caught,” says Al Tolan, a Meta spokesperson. They did not directly address the accounts that were removed or that they were easy to find. “Purposefully exploiting others for money is against our policies, and we take action when we become aware of it,” Tolan says. “We continue to invest in technology and cooperate with law enforcement so they can prosecute scammers. We also actively share tips on how people can protect themselves, their accounts, and avoid scams.”
Groups on Telegram were removed after WIRED messaged the company’s press office; however, the platform did not respond about why it had removed them.
Across all types of social media, Yahoo Boys scammers share “scripts” that they use to socially manipulate people—these can run to thousands of words long and can be copied and pasted to different victims. Many have been online for years. “I’ve seen some scripts that are 30 and 60 layers deep, before the scammer actually would have to go and think of something else to say,” says Ronnie Tokazowski, the chief fraud fighter at Intelligence for Good, which works with cybercrime victims. “It’s 100 percent how they’ll manipulate the people,” Tokazowski says.
Among the many scams, they pretend to be military officers, people offering “hookups,” the FBI, doctors, and people looking for love. One “good morning” script includes around a dozen messages the scammers can send to their targets. “In a world full of deceit and lies, I feel lucky when see the love in your eyes. Good morning,” one says. But things get much darker.
Translating human-readable domain names into numerical IP addresses has long been fraught with gaping security risks. After all, lookups are rarely end-to-end encrypted. The servers providing domain name lookups provide translations for virtually any IP address—even when they’re known to be malicious. And many end-user devices can easily be configured to stop using authorized lookup servers and instead use malicious ones.
Microsoft on Friday provided a peek at a comprehensive framework that aims to sort out the Domain Name System (DNS) mess so that it’s better locked down inside Windows networks. It’s called ZTDNS (zero trust DNS). Its two main features are (1) encrypted and cryptographically authenticated connections between end-user clients and DNS servers and (2) the ability for administrators to tightly restrict the domains these servers will resolve.
Clearing the minefield
One of the reasons DNS has been such a security minefield is that these two features can be mutually exclusive. Adding cryptographic authentication and encryption to DNS often obscures the visibility admins need to prevent user devices from connecting to malicious domains or detect anomalous behavior inside a network. As a result, DNS traffic is either sent in clear text or it’s encrypted in a way that allows admins to decrypt it in transit through what is essentially an adversary-in-the-middle attack.
Admins are left to choose between equally unappealing options: (1) route DNS traffic in clear text with no means for the server and client device to authenticate each other so malicious domains can be blocked and network monitoring is possible, or (2) encrypt and authenticate DNS traffic and do away with the domain control and network visibility.
ZTDNS aims to solve this decades-old problem by integrating the Windows DNS engine with the Windows Filtering Platform—the core component of the Windows Firewall—directly into client devices.
Jake Williams, VP of research and development at consultancy Hunter Strategies, said the union of these previously disparate engines would allow updates to be made to the Windows firewall on a per-domain name basis. The result, he said, is a mechanism that allows organizations to, in essence, tell clients “only use our DNS server, that uses TLS, and will only resolve certain domains.” Microsoft calls this DNS server or servers the “protective DNS server.”
By default, the firewall will deny resolutions to all domains except those enumerated in allow lists. A separate allow list will contain IP address subnets that clients need to run authorized software. Key to making this work at scale inside an organization with rapidly changing needs. Networking security expert Royce Williams (no relation to Jake Williams) called this a “sort of a bidirectional API for the firewall layer, so you can both trigger firewall actions (by input *tothe firewall), and trigger external actions based on firewall state (output *fromthe firewall). So instead of having to reinvent the firewall wheel if you are an AV vendor or whatever, you just hook into WFP.”
A maximum severity vulnerability that allows hackers to hijack GitLab accounts with no user interaction required is now under active exploitation, federal government officials warned as data showed that thousands of users had yet to install a patch released in January.
A change GitLab implemented in May 2023 made it possible for users to initiate password changes through links sent to secondary email addresses. The move was designed to permit resets when users didn’t have access to the email address used to establish the account. In January, GitLab disclosed that the feature allowed attackers to send reset emails to accounts they controlled and from there click on the embedded link and take over the account.
While exploits require no user interaction, hijackings work only against accounts that aren’t configured to use multifactor authentication. Even with MFA, accounts remained vulnerable to password resets, but the attackers ultimately are unable to access the account, allowing the rightful owner to change the reset password. The vulnerability, tracked as CVE-2023-7028, carries a severity rating of 10 out of 10.
On Wednesday, the US Cybersecurity and Infrastructure Security Agency said it is aware of “evidence of active exploitation” and added the vulnerability to its list of known exploited vulnerabilities. CISA provided no details about the in-the-wild attacks. A GitLab representative declined to provide specifics about the active exploitation of the vulnerability.
The vulnerability, classified as an improper access control flaw, could pose a grave threat. GitLab software typically has access to multiple development environments belonging to users. With the ability to access them and surreptitiously introduce changes, attackers could sabotage projects or plant backdoors that could infect anyone using software built in the compromised environment. An example of a similar supply chain attack is the one that hit SolarWinds in 2020 and pushed malware to more than 18,000 of its customers, 100 of whom received follow-on hacks. Other recent examples of supply chain attacks are here, here, and here.
These sorts of attacks are powerful. By hacking a single, carefully selected target, attackers gain the means to infect thousands of downstream users, often without requiring them to take any action at all.
According to Internet scans performed by security organization Shadowserver, more than 2,100 IP addresses showed they were hosting one or more vulnerable GitLab instances.
Shadowserver
The biggest concentration of IP addresses was in India, followed by the US, Indonesia, Algeria, and Thailand.
Shadowserver
The number of IP addresses showing vulnerable instances has fallen over time. Shadowserver shows that there were more than 5,300 addresses on January 22, one week after GitLab issued the patch.
Shadowserver
The vulnerability is classed as an improper access control flaw.
CISA has ordered all civilian federal agencies that have yet to patch the vulnerability to do so immediately. The agency made no mention of MFA, but any GitLab users who haven’t already done so should enable it, ideally with a form that complies with the FIDO industry standard.
GitLab users should also remember that patching does nothing to secure systems that have already been breached through exploits. GitLab has published incident response guidance here.
Cybercriminals and spies working for nation-states are surreptitiously coexisting inside the same compromised name-brand routers as they use the devices to disguise attacks motivated both by financial gain and strategic espionage, researchers said.
In some cases, the coexistence is peaceful, as financially motivated hackers provide spies with access to already compromised routers in exchange for a fee, researchers from security firm Trend Micro reported Wednesday. In other cases, hackers working in nation-state-backed advanced persistent threat groups take control of devices previously hacked by the cybercrime groups. Sometimes the devices are independently compromised multiple times by different groups. The result is a free-for-all inside routers and, to a lesser extent, VPN devices and virtual private servers provided by hosting companies.
“Cybercriminals and Advanced Persistent Threat (APT) actors share a common interest in proxy anonymization layers and Virtual Private Network (VPN) nodes to hide traces of their presence and make detection of malicious activities more difficult,” Trend Micro researchers Feike Hacquebord and Fernando Merces wrote. “This shared interest results in malicious internet traffic blending financial and espionage motives.”
Pawn Storm, a spammer, and a proxy service
A good example is a network made up primarily of EdgeRouter devices sold by manufacturer Ubiquiti. After the FBI discovered it had been infected by a Kremlin-backed group and used as a botnet to camouflage ongoing attacks targeting governments, militaries, and other organizations worldwide, it commenced an operation in January to temporarily disinfect them.
The Russian hackers gained control after the devices were already infected with Moobot, which is botnet malware used by financially motivated threat actors not affiliated with the Russian government. These threat actors installed Moobot after first exploiting publicly known default administrator credentials that hadn’t been removed from the devices by the people who owned them. The Russian hackers—known by a variety of names including Pawn Storm, APT28, Forest Blizzard, Sofacy, and Sednit—then exploited a vulnerability in the Moobot malware and used it to install custom scripts and malware that turned the botnet into a global cyber espionage platform.
The Trend Micro researchers said that Pawn Storm was using the hijacked botnet to proxy (1) logins that used stolen account credentials and (2) attacks that exploited a critical zero-day vulnerability in Microsoft Exchange that went unfixed until March 2023. The zero-day exploits allowed Pawn Storm to obtain the cryptographic hash of users’ Outlook passwords simply by sending them a specially formatted email. Once in possession of the hash, Pawn Storm performed a so-called NTLMv2 hash relay attack that funneled logins to the user accounts through one of the botnet devices. Microsoft provided a diagram of the attack pictured below:
Microsoft
Trend Micro observed the same botnet being used to send spam with pharmaceutical themes that have the hallmarks of what’s known as the Canadian Pharmacy gang. Yet another group installed malware known as Ngioweb on botnet devices. Ngioweb was first found in 2019 running on routers from DLink, Netgear, and other manufacturers, as well as other devices running Linux on top of x86, ARM, and MIPS hardware. The purpose of Ngioweb is to provide proxies individuals can use to route their online activities through a series of regularly changing IP addresses, particularly those located in the US with reputations for trustworthiness. It’s not clear precisely who uses the Ngioweb-powered service.
The Trend Micro researchers wrote:
In the specific case of the compromised Ubiquiti EdgeRouters, we observed that a botnet operator has been installing backdoored SSH servers and a suite of scripts on the compromised devices for years without much attention from the security industry, allowing persistent access. Another threat actor installed the Ngioweb malware that runs only in memory to add the bots to a commercially available residential proxy botnet. Pawn Storm most likely easily brute forced the credentials of the backdoored SSH servers and thus gained access to a pool of EdgeRouter devices they could abuse for various purposes.
The researchers provided the following table, summarizing the botnet-sharing arrangement among Pawn Storm and the two other groups, tracked as Water Zmeu and Water Barghest:
Trend Micro
It’s unclear if either of the groups was responsible for installing the previously mentioned Moobot malware that the FBI reported finding on the devices. If not, that would mean routers were independently infected by three financially motivated groups, in addition to Pawn Storm, further underscoring the ongoing rush by multiple threat groups to establish secret listening posts inside routers. Trend Micro researchers weren’t available to clarify.
The post went on to report that while the January operation by the FBI put a dent in the infrastructure Pawn Storm depended on, legal constraints prevented the operation from preventing reinfection. What’s more, the botnet also comprised virtual public servers and Raspberry Pi devices that weren’t affected by the FBI action.
“This means that despite the efforts of law enforcement, Pawn Storm still has access to many other compromised assets, including EdgeServers,” the Trend Micro report said. “For example, IP address 32[.]143[.]50[.]222 was used as an SMB reflector around February 8, 2024. The same IP address was used as a proxy in a credential phishing attack on February 6 2024 against various government officials around the world.”
Change Healthcare, the health care services provider that recently experienced a ransomware attack that hamstrung the US prescription market for two weeks, was hacked through a compromised account that failed to use multifactor authentication, the company CEO told members of Congress.
The February 21 attack by a ransomware group using the names ALPHV or BlackCat took down a nationwide network Change Healthcare administers to allow healthcare providers to manage customer payments and insurance claims. With no easy way for pharmacies to calculate what costs were covered by insurance companies, payment processors, providers, and patients experienced long delays in filling prescriptions for medicines, many of which were lifesaving. Change Healthcare has also reported that hackers behind the attacks obtained personal health information for a “substantial portion” of the US population.
Standard defense not in place
Andrew Witty, CEO of Change Healthcare parent company UnitedHealth Group, said the breach started on February 12 when hackers somehow obtained an account password for a portal allowing remote access to employee desktop devices. The account, Witty admitted, failed to use multifactor authentication (MFA), a standard defense against password compromises that requires additional authentication in the form of a one-time password or physical security key.
“The portal did not have multi-factor authentication,” Witty wrote in comments submitted before his scheduled testimony on Wednesday to the House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations. “Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data.” Witty is also scheduled to appear at a separate Wednesday hearing before the Senate Committee on Finance.
Witty didn’t explain why the account, on a portal platform provided by software maker Citrix, wasn’t configured to use MFA. The failure is likely to be a major focus during Wednesday’s hearing.
After burrowing into the Change Healthcare network undetected for nine days, the attackers deployed ransomware that prevented the company from accessing its IT environment. In response, the company severed its connection to its data centers. The company spent the next two weeks rebuilding its entire IT infrastructure “from the ground up.” In the process, it replaced thousands of laptops, rotated credentials, and added new server capacity. By March 7, 99 percent of pre-incident pharmacies were once again able to process claims.
Witty also publicly confirmed that Change Healthcare paid a ransom, a practice that critics say incentivizes ransomware groups who often fail to make good on promises to destroy stolen data. According to communications uncovered by Dmitry Smilyanets, product management director at security firm Recorded Future, Change Healthcare paid $22 million to ALPHV. Principal members of the group then pocketed the funds rather than sharing it with an affiliate group that did the actual hacking, as spelled out in a pre-existing agreement. The affiliate group published some of the stolen data, largely validating a chief criticism of ransomware payments.
“As chief executive officer, the decision to pay a ransom was mine,” Witty wrote. “This was one of the hardest
decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”
Bleeping Computer reported that Change Healthcare may have paid both ALPHV and the affiliate through a group calling itself RansomHub.
Two weeks ago, UnitedHealth Group reported the ransomware attack resulted in a $872 million cost in its first quarter. That amount included $593 million in direct response costs and $279 million in disruptions. Witty’s written testimony added that as of last Friday, his company had advanced more than $6.5 billion in accelerated payments and no-interest, no-fee loans to thousands of providers that were left financially struggling during the prolonged outage. UnitedHealth Care reported $99.8 billion in sales for the quarter. The company had an annual revenue of $371.6 billion in 2023.
Payment processing by Change Healthcare is currently about 86 percent of its pre-incident levels and will increase as the company further restores its systems, Witty said. The number of pharmacies it serves remains a “fraction of a percent” below pre-incident levels.
If you build a gadget that connects to the Internet and sell it in the United Kingdom, you can no longer make the default password “password.” In fact, you’re not supposed to have default passwords at all.
A new version of the 2022 Product Security and Telecommunications Infrastructure Act (PTSI) is now in effect, covering just about everything that a consumer can buy that connects to the web. Under the guidelines, even the tiniest Wi-Fi board must either have a randomized password or else generate a password upon initialization (through a smartphone app or other means). This password can’t be incremental (“password1,” “password54”), and it can’t be “related in an obvious way to public information,” such as MAC addresses or Wi-Fi network names. A device should be sufficiently strong against brute-force access attacks, including credential stuffing, and should have a “simple mechanism” for changing the password.
There’s more, and it’s just as head-noddingly obvious. Software components, where reasonable, “should be securely updateable,” should actually check for updates, and should update either automatically or in a way “simple for the user to apply.” Perhaps most importantly, device owners can report security issues and expect to hear back about how that report is being handled.
Violations of the new device laws can result in fines up to 10 million pounds (roughly $12.5 million) or 4 percent of related worldwide revenue, whichever is higher.
Besides giving consumers better devices, these regulations are aimed squarely at malware like Mirai, which can conscript devices like routers, cable modems, and DVRs into armies capable of performing distributed denial-of-service attacks (DDoS) on various targets.
As noted by The Record, the European Union’s Cyber Resilience Act has been shaped but not yet passed and enforced, and even if it does pass, would not take effect until 2027. In the US, there is the Cyber Trust Mark, which would at least give customers the choice of buying decently secured or genially abandoned devices. But the particulars of that label are under debate and seemingly a ways from implementation. At the federal level, a 2020 bill tasked the National Institutes of Standard and Technology with applying related standards to connected devices deployed by the feds.
Authentication service Okta is warning about the “unprecedented scale” of an ongoing campaign that routes fraudulent login requests through the mobile devices and browsers of everyday users in an attempt to conceal the malicious behavior.
The attack, Okta said, uses other means to camouflage the login attempts as well, including the TOR network and so-called proxy services from providers such as NSOCKS, Luminati, and DataImpulse, which can also harness users’ devices without their knowledge. In some cases, the affected mobile devices are running malicious apps. In other cases, users have enrolled their devices in proxy services in exchange for various incentives.
Unidentified adversaries then use these devices in credential-stuffing attacks, which use large lists of login credentials obtained from previous data breaches in an attempt to access online accounts. Because the requests come from IP addresses and devices with good reputations, network security devices don’t give them the same level of scrutiny as logins from virtual private servers (VPS) that come from hosting services threat actors have used for years.
“The net sum of this activity is that most of the traffic in these credential-stuffing attacks appears to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers,” according to an advisory that Okta published over the weekend.
Okta’s advisory comes two weeks after Cisco’s Talos security team reported seeing a large-scale credential compromise campaign that was indiscriminately assailing networks with login attempts aimed at gaining unauthorized access to VPN, SSH, and web application accounts. These login attempts used both generic and valid usernames targeted at specific organizations. Cisco included a list of more than 2,000 usernames and almost 100 passwords used in the attacks, along with nearly 4,000 IP addresses that are sending the login traffic. The attacks led to hundreds of thousands or even millions of rejected authentication attempts.
Within days of Cisco’s report, Okta’s Identity Threat Research team observed a spike in credential-stuffing attacks that appeared to use a similar infrastructure. Okta said the spike lasted from April 19 through April 26, the day the company published its advisory.
Okta officials wrote:
Residential Proxies are networks of legitimate user devices that route traffic on behalf of a paid subscriber. Providers of residential proxies effectively rent access to route authentication requests through the computer, smartphone, or router of a real user, and proxy traffic through the IP of these devices to anonymize the source of the traffic.
Residential Proxy providers don’t tend to advertise how they build these networks of real user devices. Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download “proxyware” into their device in exchange for payment or something else of value. At other times, a user device is infected with malware without the user’s knowledge and becomes enrolled in what we would typically describe as a botnet. More recently, we have observed a large number of mobile devices used in proxy networks where the user has downloaded a mobile app developed using compromised SDKs (software development kits). Effectively, the developers of these apps have consented to or have been tricked into using an SDK that enrolls the device of any user running the app in a residential proxy network.
People who want to ensure that malicious behavior isn’t routed through their devices or networks should pay close attention to the apps they install and the services they enroll in. Free or discounted services may be contingent on a user agreeing to terms of service that allow their networks or devices to proxy traffic from others. Malicious apps may also surreptitiously provide such proxy services.
Okta provides guidance for network administrators to repel credential-stuffing attacks. Chief among them is protecting accounts with a strong password—meaning one randomly generated and consisting of at least 11 characters. Accounts should also use multifactor authentication, ideally in a form that is compliant with the FIDO industry standard. The Okta advisory also includes advice for blocking malicious behavior from anonymizing proxy services.
Hackers are assailing websites using a prominent WordPress plugin with millions of attempts to exploit a high-severity vulnerability that allows complete takeover, researchers said.
The vulnerability resides in WordPress Automatic, a plugin with more than 38,000 paying customers. Websites running the WordPress content management system use it to incorporate content from other sites. Researchers from security firm Patchstack disclosed last month that WP Automatic versions 3.92.0 and below had a vulnerability with a severity rating of 9.9 out of a possible 10. The plugin developer, ValvePress, silently published a patch, which is available in versions 3.92.1 and beyond.
Researchers have classified the flaw, tracked as CVE-2024-27956, as a SQL injection, a class of vulnerability that stems from a failure by a web application to query backend databases properly. SQL syntax uses apostrophes to indicate the beginning and end of a data string. By entering strings with specially positioned apostrophes into vulnerable website fields, attackers can execute code that performs various sensitive actions, including returning confidential data, giving administrative system privileges, or subverting how the web app works.
“This vulnerability is highly dangerous and expected to become mass exploited,” Patchstack researchers wrote on March 13.
Fellow web security firm WPScan said Thursday that it has logged more than 5.5 million attempts to exploit the vulnerability since the March 13 disclosure by Patchstack. The attempts, WPScan said, started slowly and peaked on March 31. The firm didn’t say how many of those attempts succeeded.
WPScan said that CVE-2024-27596 allows unauthenticated website visitors to create admin‑level user accounts, upload malicious files, and take full control of affected sites. The vulnerability, which resides in how the plugin handles user authentication, allows attackers to bypass the normal authentication process and inject SQL code that grants them elevated system privileges. From there, they can upload and execute malicious payloads that rename sensitive files to prevent the site owner or fellow hackers from controlling the hijacked site.
Successful attacks typically follow this process:
SQL Injection (SQLi): Attackers leverage the SQLi vulnerability in the WP‑Automatic plugin to execute unauthorized database queries.
Admin User Creation: With the ability to execute arbitrary SQL queries, attackers can create new admin‑level user accounts within WordPress.
Malware Upload: Once an admin‑level account is created, attackers can upload malicious files, typically web shells or backdoors, to the compromised website’s server.
File Renaming: Attacker may rename the vulnerable WP‑Automatic file, to ensure only he can exploit it.
WPScan researchers explained:
Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code. To evade detection and maintain access, attackers may also rename the vulnerable WP‑Automatic file, making it difficult for website owners or security tools to identify or block the issue. It’s worth mentioning that it may also be a way attackers find to avoid other bad actors to successfully exploit their already compromised sites. Also, since the attacker can use their acquired high privileges to install plugins and themes to the site, we noticed that, in most of the compromised sites, the bad actors installed plugins that allowed them to upload files or edit code.
The attacks began shortly after March 13, 15 days after ValvePress released version 3.92.1 without mentioning the critical patch in the release notes. ValvePress representatives didn’t immediately respond to a message seeking an explanation.
While researchers at Patchstack and WPScan are classifying CVE-2024-27956 as SQL injection, an experienced developer said his reading of the vulnerability is that it’s either improper authorization (CWE-285) or a subcategory of improper access control (CWE-284).
“According to Patchstack.com, the program is supposed to receive and execute an SQL query, but only from an authorized user,” the developer, who didn’t want to use his name, wrote in an online interview. “The vulnerability is in how it checks the user’s credentials before executing the query, allowing an attacker to bypass the authorization. SQL injection is when the attacker embeds SQL code in what was supposed to be only data, and that’s not the case here.”
Whatever the classification, the vulnerability is about as severe as it gets. Users should patch the plugin immediately. They should also carefully analyze their servers for signs of exploitation using the indicators of compromise data provided in the WPScan post linked above.
