Changelog: Law enforcement disrupts (and trolls) LockBit

Georgia Vagim / Unsplash

Welcome to Changelog for 2/22/2024, published by Synack! README senior editor Nathaniel Mott here with the week’s juiciest security news. (It’s the LockBit disruption. Of course it is.)

The payload

README is typically a schadenfreude-free zone. I’m only human, though, so I’m making an exception for a coalition of international law enforcement agencies well and truly ruining LockBit’s week.

Europol announced on Feb. 20 that “law enforcement from 10 countries have disrupted the criminal operation of the LockBit ransomware group at every level, severely damaging their capability and credibility,” and for once that doesn’t seem like an overstatement. The agencies compromised “LockBit’s primary platform and other critical infrastructure that enabled their criminal enterprise,” arrested “two LockBit actors” and froze “more than 200 cryptocurrency accounts” associated with the group.

The U.K. National Crime Agency (NCA) also used LockBit’s leak site to publicize this effort, dubbed Operation Cronos, and show off the degree to which the ransomware gang’s infrastructure was owned. (It also showed that it can meme with the best of them by naming some of the screenshots used to demonstrate its access to LockBit’s systems “oh dear.png,” “doesnt_look_good.png,” “oh_no.png” and “this_is_really_bad.png,” which is just delightful.) More info from the NCA is available here.

But the leaks weren’t pure entertainment. The NCA also revealed that LockBit was retaining some information stolen from its victims even if they paid a ransom, Trend Micro said the group was working on a fourth version of its encryptor and Japan’s National Police Agency made a decryptor for LockBit victims available via No More Ransom. The NCA, FBI and Europol also obtained “over 1,000 decryption keys” that will be offered to organizations in the U.K., U.S. and Europe who’ve fallen victim to LockBit affiliates.

Secureworks has also published an overview of the tactics, techniques and procedures used by LockBit affiliates in 22 incidents between July 2020 and January 2024. The NCA said on the LockBit leak site that it will also publish insight into the profits LockBit has made over the last four years. It also has a section titled “Who is LockbitSupp?”—the group’s leader—which it described as “The $10m question.” Both are set to go live tomorrow morning; the leak site itself is set to shut down over the weekend.

Now, I don’t know how Europol names its task forces, but I’m compelled to note that Operation Cronos shares its name with a Greek Titan who castrated his father Uranus with a stone sickle. The visceral name seems fitting for an operation that effectively neutered what Europol called “the world’s most prolific and harmful ransomware”—even if the law enforcement agencies involved are believed to have exploited a PHP vulnerability rather than resorting to stone sickles. That should be of some comfort to LockbitSupp.

The week, compiled

I’m not done feeling schadenfreude: Earlier this week, a bunch of documents from China-based APT-for-hire I-SOON were leaked via GitHub.

The Washington Post reported that “the cache — containing more than 570 files, images and chat logs — offers an unprecedented look inside the operations of one of the firms that Chinese government agencies hire for on-demand, mass data-collecting operations” thanks to a collection of files that “detail contracts to extract foreign data over eight years and describe targets within at least 20 foreign governments and territories, including India, Hong Kong, Thailand, South Korea, the United Kingdom, Taiwan and Malaysia.”


Brina Blum / Unsplash

The leak, like the Conti leaks of 2022, also serves as a reminder that I-SOON workers are just… average Joes. CyberScoop said the leak “reveals that Chinese contractors working to support Beijing’s hacking operations are a lot like office drones everywhere but with a twist: They complain about the low pay, gamble in the office and also help to break into the computer systems of foreign governments.” Nobody likes their nine-to-five (except me, boss!) and Chinese APTs are no exception.

Seemingly everyone is taking a gander at these documents. SentinelLabs and Malwarebytes have both published initial takeaways from the leak, and The Washington Post’s report quotes execs at both Mandiant and Silverado Policy Accelerator, so I expect additional reports to arrive sooner rather than later. Michael Taggart is also working to translate the documents (primarily with Google Translate) via a public GitHub repository, so if you wonder how China’s hacking-focused contractors operate, take a look.

And now for some of the other stories that caught my attention this week:

TechCrunch: ConnectWise isn’t having a great week either. The company disclosed a maximum severity vulnerability in its ScreenConnect offering, and according to a proof-of-concept published by watchTowr, it can be exploited by adding a trailing slash to a URI. No wonder Huntress CEO Kyle Hanslovan told TechCrunch “I can’t sugarcoat it — this shit is bad.” (Huntress’ analysis of the so-called “SlashAndGrab” vuln can be found here.)

Apple: Apple customers are having a better week! The company announced on Feb. 21 that it was deploying “the most significant cryptographic security upgrade in iMessage history with the introduction of PQ3, a groundbreaking post-quantum cryptographic protocol that advances the state of the art of end-to-end secure messaging.” Check out Matthew Green’s analysis for more on these changes.

Signal: Some of Signal’s users are having an even better week, because the encrypted messaging app is beta testing the ability to connect with other people without sharing your phone number, which is the biggest obstacle I’ve encountered in my efforts to use the app to communicate with folks I don’t know. Here’s to hoping the beta tests go well so the rest of us can take advantage of this feature.

A message from Synack

Pentesting on a FedRAMP Moderate Authorized Platform. Synack has achieved the Moderate "Authorized" designation from the U.S. Federal Risk and Authorization Management Program (FedRAMP), demonstrating that Synack's premier security testing platform meets the cloud compliance framework's rigorous requirements at the Moderate level. The milestone approval means government agencies can deploy Synack's best-in-class penetration testing and vulnerability management solutions – even for internal data, and in systems that process Controlled Unclassified Information. To learn more about the news and your security testing options, head over to https://hubs.ly/Q02jpBQ30.

Flash memory

It seems appropriate to commemorate Operation Cronos by recognizing what the Computer History Museum said was “the first warrant… issued to search a computer storage device.”

Forensic Fellowship said the warrant was issued on Feb. 19, 1971 “through the San Jose-Milpitas district of the Santa Clara County Court through an affidavit made by an Oakland Police Department Sergeant attached to the fraud detail” because “there was probable and reasonable cause to believe that evidence related to felony theft of trade secrets were contained on a data storage device.”

The search reportedly led to the conviction of a former employee of an “information systems” company who stole a program valued at $15,000. (Which, adjusted for inflation, would be worth over $100,000 today.) Now such warrants are commonplace—I suspect that most people steal trade secrets with cloud services, thumb drives and other electronic storage these days rather than relying on printouts and briefcases.

Local files

White House: The Biden administration issued an executive order to “bolster the security of the nation’s ports, alongside a series of additional actions that will strengthen maritime cybersecurity, fortify our supply chains and strengthen the United States industrial base.” (README contributor Cynthia Brumfield has a breakdown of what prompted these changes and what they mean over at CSO Online.)

SentinelLabs: A Russia-aligned influence operation dubbed Doppelgänger has been “intensively targeting German audiences” and “[disseminating] content criticizing the ruling government coalition and its support for Ukraine, likely aiming to influence public opinion before the upcoming elections in Germany,” SentinelLabs reported today. The operation has also been active in the U.S., Israel and France.

NSA: The NSA said on Feb. 20 that director of cybersecurity Rob Joyce—who’s also been the agency’s memer-in-chief on social media—will retire on March 31. Joyce will be succeeded by David Luber, deputy director of the Cybersecurity Directorate, who previously served as executive director for U.S. Cyber Command. (Which made him “the highest-ranking civilian and third-in-command at USCYBERCOM.”)

Off-script

By now most people know that artists make a pittance on streaming music services. Most artists rely on tours and merch sales to support their craft, which is a bummer, because I’m old. Going to a concert requires careful planning, extensive budgeting and probably about a month of convincing myself I want to listen to worse versions of my favorite songs while surrounded by a bunch of adult-ish people. (See? Old.)

Dollar Gill / Unsplash

Purchasing music through platforms like Bandcamp strikes a middle ground between “just stream their music while repeating ‘there is no ethical consumption under capitalism’ to yourself” and “contribute to the Ticketmaster monopoly to assuage your own guilt.” So I’ve decided to set aside a bit of money each month to purchase my favorite albums outright in addition to ripping the CDs I already own. (SEE? OLD!)

That is, of course, assuming these artists want to sell me their albums. I’ve already found a few that aren’t on Bandcamp and don’t appear to be available in CD form, either. I still have Apple Music for those edge cases—for now—so I won’t have to seek “alternative solutions.” (And right there I had to refrain from making a LimeWire joke. Wait… Chrome just opened a tab for the AARP website? Stop! I’m not ready!)