Commit 12_19_2023: FBI bamboozles BlackCat

Volodymyr Tokar / Unsplash

Welcome to Commit 12_19_2023! README senior editor Nathaniel Mott here with the final installment of the year.

BleepingComputer: FBI seizes BlackCat infrastructure
BleepingComputer today reported that the Department of Justice disrupted the operations of AlphV / BlackCat with the help of “a confidential human source” who became an affiliate of the ransomware gang. Once that source had access to the back panel used by the gang’s partners, the FBI started to examine it, and eventually found a way to disrupt some of the group’s infrastructure earlier this year.

The FBI also created a decryptor that was reportedly used “to help approximately 500 companies recover their data for free.” The successful operation shows how law enforcement organizations attempt to stop ransomware gangs from wreaking havoc—although it’s not uncommon for the groups to establish new infrastructure, find new affiliates and in some cases rebrand entirely as they continue to find new victims.

The Record: Iranian hackers target African telecoms

The Record today reported that “a cyber-espionage group linked to Iran’s intelligence service has been targeting telecommunications companies in Egypt, Sudan and Tanzania,” with Symantec researchers telling the outlet this appears to be the first time the group tracked as Muddy Water has targeted organizations in Africa. (It’s previously been preoccupied with Israel and other Middle Eastern countries.)

The group is also said to be using a new toolset—or at least a toolset unknown to researchers prior to November—as part of these attacks. As for the group’s motivation, Symantec told The Record that it “is highly likely” that it was conducting an espionage campaign, although it’s not clear if the group made off with any information from the telecommunications companies it compromised within these countries.

Ars Technica: Researchers discover SSH attack

SSH is a critical protocol used to remotely access devices around the world. Researchers have now discovered a new attack, called Terrapin, that Ars Technica today reported has “the potential to undermine, if not cripple, cryptographic SSH protections that the networking world takes for granted.” But several conditions have to be met for the attack to be viable against a particular system accessible via SSH.

Ars Technica said the attack “works only when an attacker has an active adversary-in-the-middle position on the connection between the admins and the network they remotely connect to,” and that “the connection it interferes with also must be secured by either ‘ChaCha20-Poly1305’ or ‘CBC with Encrypt-then-MAC,’” although that is said to cover the majority of systems running SSH.
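As an added example (not code from Ars Technica or the Terrapin researchers), here is a Python check that parses an SSH_MSG_KEXINIT payload and reports which of the two algorithm classes named in the quote a peer offers, so an administrator can audit what their servers and clients advertise. The helper names, the zeroed cookie and the sample algorithm lists are constructed for this example; the message layout follows RFC 4253 and the algorithm names are the OpenSSH wire identifiers.

```python
import struct

# The quote above names Terrapin's preconditions: ChaCha20-Poly1305, or a CBC cipher under Encrypt-then-MAC.
CHACHA20 = "chacha20-poly1305@openssh.com"
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def name_list(names):
    """Encode an RFC 4251 name-list: uint32 byte length, then comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(**lists):
    """Build an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1); used here only to construct test input."""
    body = bytes([20]) + b"\x00" * 16  # message type 20, then the 16-byte random cookie (zeroed here)
    for f in FIELDS:
        body += name_list(lists.get(f, []))
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows = false, reserved = 0


def parse_kexinit(payload):
    """Decode a KEXINIT payload into its ten name-lists (the trailing boolean and reserved word are ignored)."""
    if payload[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    pos, out = 17, {}
    for f in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        out[f] = [x for x in payload[pos + 4:pos + 4 + n].decode("ascii").split(",") if x]
        pos += 4 + n
    return out


def terrapin_exposure(payload):
    """Per direction, list offered algorithms in the affected classes; CBC counts only if an -etm MAC is also offered."""
    kx = parse_kexinit(payload)
    report = {}
    for d in ("c2s", "s2c"):
        encs, macs = kx["enc_" + d], kx["mac_" + d]
        cbc = [e for e in encs if e.endswith("-cbc")]
        etm_offered = any("-etm@" in m for m in macs)
        report[d] = {"chacha20": [e for e in encs if e == CHACHA20],
                     "cbc_etm": cbc if etm_offered else []}
    return report


def is_exposed(payload):
    return any(v["chacha20"] or v["cbc_etm"] for v in terrapin_exposure(payload).values())


# Constructed sample: a peer offering ChaCha20-Poly1305 and a CBC cipher alongside an EtM MAC.
ENC = [CHACHA20, "aes256-gcm@openssh.com", "aes256-cbc"]
MAC = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
SAMPLE = build_kexinit(enc_c2s=ENC, enc_s2c=ENC, mac_c2s=MAC, mac_s2c=MAC)
```

In practice the payload would come from the first packet a real server or client sends after the version exchange; the report shows which offered algorithms fall within the conditions the article describes, not whether a given session was attacked.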

Cyber Daily: Rhysida leaks ‘Wolverine’ footage

Cyber Daily today reported that the Rhysida ransomware gang leaked 1.67 terabytes worth of data consisting of “more than 1.3 million files” pilfered from the network of Insomniac Games. “Looking through the first set of data alone reveals a wide selection of level design and character materials, and even design images and jpegs – all from the ‘Wolverine’ game.” Two other data sets were also published.

The leak means Rhysida wasn’t paid the ransom it demanded in exchange for keeping the stolen data to itself. But it doesn’t seem like the group wasted much effort; a spokesperson told Cyber Daily that they “were able to get the domain administrator within 20–25 minutes of hacking the network.” Little wonder, then, that ransomware gangs have been so prolific throughout 2023.