Commit 10_30_2023: Malware and mysteries


Welcome to Commit 10_30_2023! README senior editor Nathaniel Mott here the day before Halloween—and therefore, according to retailers, the last day before Christmas—with your infosec news.

Security Joes: Destructive malware targets Israelis

Security Joes said today it has responded to several incidents that involve “what appears to be a new Linux Wiper malware we track as BiBi-Linux Wiper” being deployed against organizations in Israel. (The name is a reference to Israeli Prime Minister Benjamin “Bibi” Netanyahu.) The malware reportedly overwrites files and renames them with a mostly random string that’s only guaranteed to contain “Bibi.”

“This new threat does not establish communication with remote Command & Control (C2) servers for data exfiltration, employ reversible encryption algorithms, or leave ransom notes as a means to coerce victims into making payments,” Security Joes said, which means it’s not ransomware. “Instead, it conducts file corruption by overwriting files with useless data, damaging both the data and the operating system.”

Fox: Mayday! LockBit claims Boeing hack

Fox reported on Oct. 29 that LockBit updated its leak site last Friday to say that it hacked Boeing and made off with “sensitive data” that it will publish if the company “[does] not contact within the deadline!” Boeing told Fox it was “assessing” LockBit’s claim. The company has been given until Nov. 2—which is this Thursday—to either meet the ransomware gang’s demands or prepare for the data’s public disclosure.

I mostly associate Boeing with airplanes, but apparently it’s in the “rotorcraft, rockets, satellites, telecommunications equipment, and missiles” businesses, too. As for what aspects of its business may have been affected by this incident, well, I guess there’s a chance we’ll find out in a few days.

The Record: Russia plans to make its own VirusTotal

VirusTotal: The best way to make sure a file you downloaded from a questionable website, Discord server or torrent service isn’t going to get you owned. Unless you’re in Russia, it seems, with The Record today reporting that “the Russian government plans to have its own analogous version of the malware scanning platform … up and running within the next two years” due to concerns about how it handles data.

That seems fair to me! It would be weird if U.S. companies were constantly uploading malware samples to a platform managed by a Russian firm; it’s just as weird for Russian companies to do the same with VirusTotal. I just can’t help but wonder how useful that service would prove with limited contributions from organizations around the world, though, and I assume most would stick with the existing platform.

BleepingComputer: So is Hunters International actually Hive or what?

Somebody call Scooby Doo—we need to know if Hunters International is a new cybercrime gang or if it’s just the existing Hive operation under a mask. BleepingComputer reported on Oct. 29 that although researchers believe Hunters International and Hive are one and the same, the cybercriminals themselves claim they merely purchased and patched up the source code that Hive used before it went dormant.

The report breaks down the reasoning behind these researchers’ assertions. It also points out that Hunters International said it’s not interested in the ransomware side of things, preferring instead to steal data and threaten to leak it if the victim doesn’t pay. The group is still going to encrypt its victims’ files, naturally, but it wants to make clear that it’s also going to extort victims with exfiltrated information.

The Register: Stanford has been ransomwared once again

The Register today reported that Stanford University “has confirmed it is ‘investigating a cybersecurity incident’ after an attack last week by the Akira ransomware group.” The college said that it believes the attack was limited to the Stanford University Department of Public Safety, though, and that it doesn’t have any evidence of the incident affecting the myriad other parts of its network.

It’s almost a shame that Akira claimed responsibility for the attack. The Register noted that Stanford was previously compromised by the Cl0p ransomware gang in 2021 and in March of this year; the group could’ve had a hat trick if it were responsible for this most recent incident. (Note that I’m not saying I want Cl0p to pop Stanford again—I am merely pointing out that it would’ve been interesting if it had.)