Changelog: Hello to LockBitSupp and goodbye to Changelog

sebastiaan stam / Unsplash

Welcome to Changelog for 5/14/2024. Nathaniel Mott here with the final installment of this newsletter – more on that below, along with an exciting update on what’s next for me. But first, not to break tradition, here’s the week’s leading security news.

The payload

The hands of law enforcement agents ‘round the world are probably sore… from all the high-fiving I assume they did last week when they revealed the identity of LockBit creator “LockBitSupp.”

The Justice Department said on May 7 that LockBitSupp’s real name is Dmitry Yuryevich Khoroshev and that he’s a 31-year-old from Voronezh, Russia who, along with LockBit’s affiliates, “extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery,” via ransomware attacks on more than 2,500 organizations. It also unsealed the indictment (PDF) accusing Khoroshev of 26 counts of various financial crimes.

All of this arrives just a few months after law enforcement agencies disrupted LockBit’s infrastructure and took over its leak site. (Which, as I pointed out at the time, they used to troll LockBitSupp and his affiliates with cheekily-named screenshots proving they had access to at least some of the systems used by the outfit.) The site was taken down shortly after the takeover, but the agencies revived it earlier this week to coincide with the Justice Department’s revelation of LockBitSupp’s identity.

The law enforcement victory was probably made even more satisfying by Khoroshev’s arrogance. He’d previously offered a $1 million reward to anyone who could determine his identity—which he upped to $10 million in January because he was apparently upset that the FBI hadn’t put out a bounty of its own. He doesn’t need to be offended by a lack of a bounty anymore, though, because the State Department is offering up to $10 million for “information that leads to the apprehension of Khoroshev.”

KrebsOnSecurity reported that LockBitSupp denies any connection to Khoroshev, telling the outlet: “It’s not me. I don’t understand how the FBI was able to connect me with this poor guy. Where is the logical chain that it is me? Don’t you feel sorry for a random innocent person?” But that seems incredibly unlikely, if only because some of the world’s foremost law enforcement agencies are so confident in their assessment they were willing to take a public victory lap even though they still haven’t actually caught the guy.

The week, compiled

Speaking of victory laps: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) was out in force at the RSA Conference 2024 promoting its Secure by Design Pledge.

The agency said that “68 of the world’s leading software manufacturers voluntarily committed to CISA’s Secure by Design pledge to design products with greater security built in.” The Record reported that “signees include Microsoft, Google, Amazon Web Services, Cisco, GitHub, IBM, HP, Okta, Ivanti, Netgear and more,” and CISA is encouraging other “enterprise software manufacturers” to join that cohort. (The number of signatories has since grown to 80.)

That voluntary pledge (PDF) includes increasing the use of multi-factor authentication, reducing the use of default passwords, encouraging customers to patch against known vulnerabilities, publishing vulnerability disclosure policies, making it easier “for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products,” filing informative CVEs and “enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.”

Those are worthwhile goals that would have a notable effect on the security of many products. But here’s the rub: They’re also measures that companies have known about for years but still haven’t implemented even as their products continue to lead to high-profile incidents affecting both the public and private sectors around the world. The Secure by Design Pledge seems like it's supposed to nudge organizations in the right direction.


alise storsul / Unsplash

But if it doesn’t, where will CISA – and, for that matter, the wider U.S. government – go? I have a hunch that the answer starts with an “R” and ends with “-ations.” And I don’t mean recommendations.

Now for some of the week’s top security news:

Ars Technica: Enterprise network managers just had a fun weekend. Eclypsium revealed last week five vulnerabilities in BIG-IP Next Central Manager, which Ars Technica described as “a component in the latest generation of the BIG-IP line of appliances organizations use to manage traffic going into and out of their networks,” that can be exploited to “gain full administrative control of a device.”

CyberScoop: Boeing confirmed that a LockBit affiliate demanded “a $200 million extortion payment” in October 2023 and said it didn’t pay the ransom even after 43GB of its data was leaked a month later. (I’ll leave any questions about what Boeing might have done to the affiliate now to the reader’s imagination.) This is reportedly the second-highest ransom demand to date—that we know of.

Bloomberg: The group behind the MGM Resorts hack is reportedly “engaged in a new campaign targeting banks and insurance companies,” including “Visa Inc., PNC Financial Services Group Inc., Transamerica, New York Life Insurance Co. and Synchrony Financial.” It seems to be working quickly, too, with this recent activity reportedly taking place between April 20 and May 6.

Local files

BleepingComputer: The MOVEit Transfer saga isn’t over. The University System of Georgia is reportedly “sending data breach notifications to 800,000 individuals whose data was exposed” as part of the Cl0p ransomware gang’s 2023 campaign against organizations running the popular file transfer software. The data is said to include names, dates of birth, bank account numbers and other sensitive information.

The Record: Paul Nakasone, the former head of U.S. Cyber Command and the NSA who retired earlier this year, is joining Vanderbilt University as “the founding director and leader of its Institute for National Defense and Global Security.” (He also granted an interview to Bloomberg that’s worth checking out.)

TechCrunch: The U.S. Patent and Trademark Office reportedly “said in an email to affected trademark applicants this week that their private domicile address — which can include their home address — appeared in public records between August 23, 2023 and April 19, 2024.” That ain’t great—especially since USPTO had to fess up to making damn near the exact same mistake last June.

Off-script

Let’s just rip off the band-aid: This is the last installment of Changelog. I’m transitioning to a new role at Synack supporting our vulnerability research (yes, I’ll still be writing), so this will most likely be the last thing I contribute to README in a journalistic capacity, too. You may still occasionally see my byline here and there – I’m not going far.

I’ve been writing professionally since 2011. That means I’ve stopped contributing to publications before—I have been laid off, publications have shut down, editors have annoyed me enough that I took my keyboard elsewhere… but this kind of change is new to me. The opportunity to say goodbye means that – for the first time in a long time – I’ve had to write something unlike anything else I’ve written before. It’s a weird feeling!


mk. s / Unsplash

So I’ll start by saying thank you for inviting me into your inbox. I’ve done my best to respect your time, attention and trust with each installment of this newsletter, and I’ve cherished the kind words I’ve received in response. I’m excited to be trying something new that should allow me to gain an even better understanding of how this thing we call cybersecurity works from the inside, but I’ll miss README’s virtual newsroom.

Let me end by highlighting the throughline of many of these “Off-script” sections where I’ve recommended comics, movies, games, music, getting into sports, whatever: following security news can make it seem like everything is awful, and will remain that way, but that doesn’t mean we can’t enjoy our lives. Don’t focus so much on making sure nobody hurts the computer that the computer ends up hurting you.

Farewell, and good luck with whatever network appliance needs to be ripped out next week!