Trickbot sanctions, hypervisor woes and ransomware by any other name
Jp Valery / Unsplash
Welcome to Changelog for 2/12/23, published by Synack! The weather’s been nice here in upstate New York, but that hasn’t warmed my heart quite as much as international efforts to make life a little bit harder for some cybercriminals. See:
The payload
The U.S. and U.K. governments this week announced sanctions against seven individuals who are allegedly part of the Russia-based cybercrime gang Trickbot.
Trickbot operates a trojan of the same name that Malwarebytes said was discovered in 2016. It was originally used to steal banking credentials but has since been adapted to “move laterally and gain a foothold within an affected network using exploits, propagate copies of itself via Server Message Block (SMB) shares, drop other malware like Ryuk ransomware, and scout for documents and media files on infected host machines.”
The U.S. Treasury Department said “this action represents the very first sanctions of their kind for the U.K.” But it’s not the first time these governments have worked to rein in cybercriminal gangs. The U.S. sanctioned Evil Corp in 2019, for example, and the FBI said in January that it had collaborated with law enforcement organizations around the world to disrupt the operations of the Hive ransomware gang.
Both approaches—issuing sanctions and disrupting operations—have their merits when it comes to putting ransomware operators on the back foot. U.S. sanctions are widely credited with forcing Evil Corp to rebrand and develop new ransomware simply because its victims didn’t want to violate these restrictions. Disrupting operations can also force cybercriminals to rebuild their infrastructure from scratch. Neither is a permanent solution to the ransomware problem, but the U.K.-U.S. announcement was a breath of fresh air in a cyber news cycle that’s all too often doom and gloom.
The week, compiled
Some users of the VMware ESXi hypervisor—a tool used to manage virtual machines—have been having a bad time amid a spate of recent hacks. But it shouldn’t come as a surprise: The wave of attacks on these servers is two years in the making.
BleepingComputer reported on Feb. 3 that an unknown threat actor was exploiting a vulnerability that was disclosed in January 2021, CVE-2021–21972, to spread a new ransomware known as “ESXiArgs.” VMware confirmed these reports in a security advisory published on Feb. 6.
A day later, the U.S. Cybersecurity and Infrastructure Security Agency released a script that could be used to recover ESXi servers affected by this ransomware without capitulating to its operator’s demands… only for that script to be obviated the next day by a new version of ESXiArgs.
So if you’re running a version of ESXi that features CVE-2021–21972, there’s no better time to update to a new version, apply patches to your hypervisor or make sure your vulnerable servers aren’t exposed to the internet.
Here are some of the other things that caught my eye this week:
Gizmodo: Reddit was hacked. The social networking company for people who swear they don’t like social networking said on Feb. 9 that it “became aware of a sophisticated phishing campaign that targeted Reddit employees” on Feb. 5, with the attacker gaining “access to some internal docs, code, as well as some internal dashboards and business systems.”
Reuters: LockBit finally claimed responsibility for the ransomware attack on Royal Mail, which prevented the U.K. postal company from delivering packages overseas, on Feb. 7. The group said it would leak data from Royal Mail on Feb. 9 if the ransom wasn’t paid, but that didn’t happen.
A message from Synack
Insecure and unmanaged APIs can lead to multimillion-dollar security incidents, according to Gartner. Join Synack co-founder and CTO Mark Kuhr and Sabre application security principal Cris Rodriguez for a webinar to learn of a better way to pentest for APIs. They break down the top API vulnerabilities and share best practices for securing this critical part of organizations’ attack surfaces. Learn more and view the webinar on demand here.
Flash memory
Anna Kournikova is famous for a lot of things. She’s a successful tennis player, and Wikipedia claims that at one point “fans looking for images of Kournikova made her name one of the most common search strings on Google Search.” She also has a virus named after her.
Symantec’s Paul Wood said in a 2011 forum post that in February 2001 the Anna Kournikova Virus was simple: It promised someone a message contained pictures of Kournikova, waited for them to open it and then “plundered the user’s email inbox, accessed their address book and sent itself to every contact in it.” Then it would do the same thing over again.
Despite that simplicity—or perhaps because of it—Wood said the Anna Kournikova Virus “wreaked such havoc that our analysts at the time commented that it was ‘spreading twice as fast as the Love Bug’, the notorious ILOVEYOU virus we identified before anybody else back in 2000.”
Local files
The Record: Munster Technological University, an Irish college founded in 2021, said on Feb. 6 that all classes would be canceled due to a “significant IT breach and telephone outage.” The university hadn’t said the incident involved ransomware, if it walks like a duck and quacks like a duck… it’s probably ransomware. (MTU confirmed on Feb. 11 that it was indeed targeted by ransomware, RTE reported, with the BlackCat ransomware gang claiming responsibility for the incident.)
TechCrunch: The New York Attorney General said on Feb. 9 that a stalkerware maker, Patrick Hinchy, had agreed to pay a $410,000 fine and inform victims whose devices were compromised by his products that they were being spied upon. The apps could reportedly be used to access “text messages and emails, photos, browsing history and precise location data.”
WVMN: Ransomware operators aren’t just targeting Irish colleges. WV Metro News reported on Feb. 6 that Berkeley County Schools canceled classes for all 19,000 of its students due to what the outlet described as “a network outage on Friday that limited IT operations throughout the district.” (Again: they haven’t called it a duck, but it sure seems like it is.)
Off-script
It would be fair to say I’m a Legend of Zelda fan. Some of my fondest memories are of playing Ocarina of Time with my great aunt—and later making it through the Water Temple in Ocarina of Time 3D without the Zora Tunic—and picking up Breath of the Wild at the Nintendo Switch’s launch.
So it should come as little surprise that I’m excited for the next installment, Tears of the Kingdom, which is set to arrive on May 12. Nintendo has shared very little about this Breath of the Wild sequel since its 2019 announcement, but that changed with the publication of a new trailer on Feb. 8.
Would it be nice to have more information about Tears of the Kingdom this close to its launch? Sure. Am I miffed that I’m going to spend at least $70 on a game for a six-year-old console? Yeah. But am I going to play this game for dozens of hours, just like I did with its predecessors? You bet.
That’s all for this week’s installment of Changelog. Send in tips—or your favorite Zelda moments—to nmott@synack.com.