Spear-Phishing SugarGh0st Campaign Targets AI Experts

Potential Motivations, Attribution and Context

It is taking fast fashion to ever faster and ever cheaper extremes, and making billions from it. Why is the whole world shopping at Shein? By Nicole Lipman

GhostSec Will Transfer Existing Ransomware Clients to Stormous

GhostSec Returns to Hacktivism

Government Response to MediSecure Data Breach

“Speculation at this stage risks undermining significant work underway to support the company's response,” O'Neil added.

“Criminal actors like to use it for ransomware because the health sector is often vulnerable to those targets, and sometimes they do pay. And nation state backed actors use it as an opportunity to gather intelligence and information about us,” Paterson explained.

Cyberattacks on the Healthcare Sector

Customer and Employee Data Compromised in Santander Data Breach

• Santander will never ask you for codes, OTPs or passwords.
• Always verify information your receive and contact us through official bank channels.
• If you receive any suspicious message, email or SMS report it to your bank directly or by contacting reportphishing@gruposantander.com.
• Never access your online banking via links from suspicious emails or unsolicited emails.
• Never ignore security notifications or alerts from Santander related to your accounts.

Financial and Banking Sector Hit By Data Breaches

Source: krebsonsecurity.com – Author: BrianKrebs Microsoft today released updates to fix more than 60 security holes in Windows computers and supported software, including two “zero-day” vulnerabilities in Windows that are already being exploited in active attacks. There are also important security patches available for macOS and Adobe users, and for the Chrome Web browser, which […]

La entrada Patch Tuesday, May 2024 Edition – Source: krebsonsecurity.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Microsoft today released updates to fix more than 60 security holes in Windows computers and supported software, including two “zero-day” vulnerabilities in Windows that are already being exploited in active attacks. There are also important security patches available for macOS and Adobe users, and for the Chrome Web browser, which just patched its own zero-day flaw.

First, the zero-days. CVE-2024-30051 is an “elevation of privilege” bug in a core Windows library. Satnam Narang at Tenable said this flaw is being used as part of post-compromise activity to elevate privileges as a local attacker.

“CVE-2024-30051 is used to gain initial access into a target environment and requires the use of social engineering tactics via email, social media or instant messaging to convince a target to open a specially crafted document file,” Narang said. “Once exploited, the attacker can bypass OLE mitigations in Microsoft 365 and Microsoft Office, which are security features designed to protect end users from malicious files.”

Kaspersky Lab, one of two companies credited with reporting exploitation of CVE-2024-30051 to Microsoft, has published a fascinating writeup on how they discovered the exploit in a file shared with Virustotal.com.

Kaspersky said it has since seen the exploit used together with QakBot and other malware. Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations.

CVE-2024-30040 is a security feature bypass in MSHTML, a component that is deeply tied to the default Web browser on Windows systems. Microsoft’s advisory on this flaw is fairly sparse, but Kevin Breen from Immersive Labs said this vulnerability also affects Office 365 and Microsoft Office applications.

“Very little information is provided and the short description is painfully obtuse,” Breen said of Microsoft’s advisory on CVE-2024-30040.

The only vulnerability fixed this month that earned Microsoft’s most-dire “critical” rating is CVE-2024-30044, a flaw in Sharepoint that Microsoft said is likely to be exploited. Tenable’s Narang notes that exploitation of this bug requires an attacker to be authenticated to a vulnerable SharePoint Server with Site Owner permissions (or higher) first and to take additional steps in order to exploit this flaw, which makes this flaw less likely to be widely exploited as most attackers follow the path of least resistance.

Five days ago, Google released a security update for Chrome that fixes a zero-day in the popular browser. Chrome usually auto-downloads any available updates, but it still may require a complete restart of the browser to install them. If you use Chrome and see a “Relaunch to update” message in the upper right corner of the browser, it’s time to restart.

Apple has just shipped macOS Sonoma 14.5 update, which includes nearly two dozen security patches. To ensure your Mac is up-to-date, go to System Settings, General tab, then Software Update and follow any prompts.

Finally, Adobe has critical security patches available for a range of products, including Acrobat, Reader, Illustrator, Adobe Substance 3D Painter, Adobe Aero, Adobe Animate and Adobe Framemaker.

Regardless of whether you use a Mac or Windows system (or something else), it’s always a good idea to backup your data and or system before applying any security updates. For a closer look at the individual fixes released by Microsoft today, check out the complete list over at the SANS Internet Storm Center. Anyone in charge of maintaining Windows systems in an enterprise environment should keep an eye on askwoody.com, which usually has the scoop on any wonky Windows patches.

Update, May 15, 8:28 a.m.: Corrected misattribution of CVE-2024-30051.

Source: www.infosecurity-magazine.com – Author: 1 A well-known threat actor is selling what they claim to be a legitimate trove of highly sensitive internal data stolen from Europol this month. “IntelBroker” took to hacking site BreachForums on Friday to advertise their wares. “In May 2024 Europol suffered a data breach and lead [sic] to the exposure […]

La entrada Threat Actor Claims Major Europol Data Breach – Source: www.infosecurity-magazine.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Hosocongty Data Breach Exposes Thousands of Job Seekers

Cyberattack on the Recruitment Sector

British Columbia Cyberattacks' Timeline

Another cyberattack was identified on May 6, with Salter saying the same threat actor was responsible for all three incidents.

The cyberattacks were not disclosed to the public until Wednesday late evening when people were busy watching an ice hockey game, prompting accusations from B.C. United MLAs that the government was attempting to conceal the attack.

Farnworth said that the CCCS believes a state-sponsored actor is behind the attack based on the sophistication of the attempted breaches.

"Being able to do what we are seeing, and covering up their tracks, is the hallmarks of a state actor or a state-sponsored actor." - Farnworth

Recently, a wave of malware attacks has surfaced, exploiting vulnerabilities in the update mechanism of the eScan antivirus software. This eScan antivirus backdoor exploit distributes backdoors and cryptocurrency miners, such as XMRig, posing a significant threat to large corporate networks. In this blog, we’ll look into the details of this eScan antivirus backdoor exploit and […]

The post Backdoors and Miners Amid eScan Antivirus Backdoor Exploit appeared first on TuxCare.

The post Backdoors and Miners Amid eScan Antivirus Backdoor Exploit appeared first on Security Boulevard.

• Names
• Physical addresses
• Dell hardware and order details, comprising service tags, item descriptions, order dates, and relevant warranty information

Dell Data Breach Set Appeared on Dark Web

Enlarge (credit: Boris Zhitkov | Moment)

As the US moves toward criminalizing deepfakes—deceptive AI-generated audio, images, and videos that are increasingly hard to discern from authentic content online—tech companies have rushed to roll out tools to help everyone better detect AI content.

But efforts so far have been imperfect, and experts fear that social media platforms may not be ready to handle the ensuing AI chaos during major global elections in 2024—despite tech giants committing to making tools specifically to combat AI-fueled election disinformation. The best AI detection remains observant humans, who, by paying close attention to deepfakes, can pick up on flaws like AI-generated people with extra fingers or AI voices that speak without pausing for a breath.

Among the splashiest tools announced this week, OpenAI shared details today about a new AI image detection classifier that it claims can detect about 98 percent of AI outputs from its own sophisticated image generator, DALL-E 3. It also "currently flags approximately 5 to 10 percent of images generated by other AI models," OpenAI's blog said.

Read 31 remaining paragraphs | Comments

Google is encouraging the adoption of multi-factor authentication to protect against phishing and other cyberattacks. It hopes 2-Step Verification (2SV) can help.

The post Google Makes Implementing 2FA Simpler appeared first on Security Boulevard.

By Dr. Mike Cohen and Carlos Canto

Rapid7 is very excited to announce that version 0.7.2 of Velociraptor is now fully available for download.

In this post we’ll discuss some of the interesting new features.

EWF Support

Velociraptor has introduced the ability to analyze dead disk images in the past. Although we don’t need to analyze disk images very often, it comes up occasionally.

Previously, Velociraptor only supported analysis of DD images (AKA “Raw images”). Most people use standard acquisition software to acquire images, which uses the common EWF format to compress them.

In this 0.7.2 release, Velociraptor supports EWF (AKA E01) format using the ewf accessor. This allows Velociraptor to analyze E01 image sets.

To analyze dead disk images use the following steps:

1. Create a remapping configuration that maps the disk accessors into the E01 image. This automatically diverts VQL functions that look at the filesystem into the image instead of using the host’s filesystem. In this release you can just point the --add_windows_disk option to the first disk of the EWF disk set (the other parts are expected to be in the same directory and will be automatically loaded).
   The following creates a remapping file by recognizing the windows partition in the disk image.

$ velociraptor-v0.72-rc1-linux-amd64 deaddisk
--add_windows_disk=/tmp/e01/image.E01 /tmp/remapping.yaml -v

2. Next we launch a client with the remapping file. This causes any VQL queries that access the filesystem to come from the image instead of the host. Other than that, the client looks like a regular client and will connect to the Velociraptor server just like any other client. To ensure that this client is unique you can override the writeback location (where the client id is stored) to a new file.

$ velociraptor-v0.72-rc1-linux-amd64 --remap /tmp/remapping.yaml
--config ~/client.config.yaml client -v
--config.client-writeback-linux=/tmp/remapping.writeback.yaml

Allow remapping clients to use SSH accessor

Sometimes we can’t deploy the Velociraptor client on a remote system. (For example, it might be an edge device like an embedded Linux system or it may not be directly supported by Velociraptor.)

In version 0.7.1, Velociraptor introduced the ssh accessor which allows VQL queries to use a remote ssh connection to access remote files.

This release added the ability to apply remapping in a similar way to the dead disk image method above to run a Virtual Client which connects to the remote system via SSH and emulates filesystem access over the sftp protocol.

To use this feature you can write a remapping file that maps the ssh accessor instead of the file and auto accessors:

remappings:

• type: permissions
  permissions:

  • COLLECT_CLIENT
  • FILESYSTEM_READ
  • READ_RESULTS
  • MACHINE_STATE

• type: impersonation
  os: linux
  hostname: RemoteSSH

• type: mount
  scope: |
  LET SSH_CONFIG <= dict(hostname='localhost:22',
  username='test',
  private_key=read_file(filename='/home/test/.ssh/id_rsa'))

  from:
  accessor: ssh

  "on":
  accessor: auto
  path_type: linux

• type: mount
  scope: |
  LET SSH_CONFIG <= dict(hostname='localhost:22',
  username='test',
  private_key=read_file(filename='/home/test/.ssh/id_rsa'))

  from:
  accessor: ssh

  "on":
  accessor: file
  path_type: linux

Now you can start a client with this remapping file to virtualize access to the remote system via SSH.

$ velociraptor-v0.72-rc1-linux-amd64 --remap /tmp/remap_ssh.yaml
--config client.config.yaml client -v
--config.client-writeback-linux=/tmp/remapping.writeback_ssh.yaml
--config.client-local-buffer-disk-size=0

GUI Changes

The GUI has been significantly improved in this release.

Undo/Redo for notebook cells

Velociraptor offers an easy way to experiment and explore data with VQL queries in the notebook interface. Naturally, exploring the data requires going back and forth between different VQL queries.

In this release, Velociraptor keeps several versions of each VQL cell (by default 5) so as users explore different queries they can easily undo and redo queries. This makes exploring data much quicker as you can go back to a previous version instantly.

Hunt view GUI is now paged

Previously, hunts were presented in a table with limited size. In this release, the hunt table is paged and searchable/sortable. This brings the hunts table into line with the other tables in the interface and allows an unlimited number of hunts to be viewable in the system.

Secret Management

Many Velociraptor plugins require secrets to operate. For example, the ssh accessor requires a private key or password to log into the remote system. Similarly the s3 or smb accessors require credentials to upload to the remote file servers. Many connections made over the http_client() plugin require authorization – for example an API key to send Slack messages or query remote services like Virus Total.

Previously, plugins that required credentials needed those credentials to be passed as arguments to the plugin. For example, the upload_s3() plugin requires AWS S3 credentials to be passed in as parameters.

This poses a problem for the Velociraptor artifact writer: how do you safely provide the credentials to the VQL query in a way that does not expose them to every user of the Velociraptor GUI? If the credentials are passed as parameters to the artifact then they are visible in the query logs and request, etc.

This release introduces Secrets as a first class concept within VQL. A Secret is a specific data object (key/value pairs) given a name which is used to configure credentials for certain plugins:

1. A Secret has a name which we use to refer to it in plugins.
2. Secrets have a type to ensure their data makes sense to the intended plugin. For example a secret needs certain fields for consumption by the s3 accessor or the http_client() plugin.
3. Secrets are shared with certain users (or are public). This controls who can use the secret within the GUI.
4. The GUI is careful to not allow VQL to read the secrets directly. The secrets are used by the VQL plugins internally and are not exposed to VQL users (like notebooks or artifacts).

Let’s work through an example of how Secrets can be managed within Velociraptor. In this example we store credentials for the ssh accessor to allow users to glob() a remote filesystem within the notebook.

First we will select manage server secrets from the welcome page.

Next we will choose the SSH PrivateKey secret type and add a new secret.

This will use the secret template that corresponds to the SSH private keys. The acceptable fields are shown in the GUI and a validation VQL condition is also shown for the GUI to ensure that the secret is properly populated. We will name the secret DevMachine to remind us that this secret allows access to our development system. Note that the hostname requires both the IP address (or dns name) and the port.

Next we will share the secrets with some GUI users

We can view the list of users that are able to use the secret within the GUI

Now we can use the new secret by simply referring to it by name:

Not only is this more secure but it is also more convenient since we don’t need to remember the details of each secret to be able to use it. For example, the http_client() plugin will fill the URL field, headers, cookies etc directly from the secret without us needing to bother with the details.

WARNING: Although secrets are designed to control access to the raw credential by preventing users from directly accessing the secrets' contents, those secrets are still written to disk. This means that GUI users with direct filesystem access can simply read the secrets from the disk.

We recommend not granting untrusted users elevated server permissions like EXECVE or Filesystem Read as it can bypass the security measures placed on secrets.

Server improvements

Implemented Websocket based communication mechanism

One of the most important differences between Velociraptor and some older remote DFIR frameworks such as GRR is the fact that Velociraptor maintains a constant, low latency connection to the server. This allows Velociraptor clients to respond immediately without needing to wait for polling on the server.

In order to enhance compatibility between multiple network configurations like MITM proxies, transparent proxies etc., Velociraptor has stuck to simple HTTP based communications protocols. To keep a constant connection, Velociraptor uses the long poll method, keeping HTTP POST operations open for a long time.

However as the Internet evolves and newer protocols become commonly used by major sites, the older HTTP based communication method has proven more difficult to use. For example, we found that certain layer 7 load balancers interfere with the long poll method by introducing buffering to the connection. This severely degrades communications between client and server (Velociraptor falls back to a polling method in this case).

On the other hand, modern protocols are more widely used, so we found that modern load balancers and proxies already support standard low latency communications protocols such as Web Sockets.

In the 0.7.2 release, Velociraptor introduces support for websockets as a communications protocol. The websocket protocol is designed for low latency and low overhead continuous communications methods between clients and server (and is already used by most major social media platforms, for example). Therefore, this new method should be better supported by network infrastructure as well as being more efficient.

To use the new websocket protocol, simply set the client’s server URL to have wss:// scheme:

Client:
server_urls:

• wss://velociraptor.example.com:8000/
• https://velociraptor.example.com:8000/

You can use both https and wss URLs at the same time, Velociraptor will switch from one to the other scheme if one becomes unavailable.

Dynamic DNS providers

Velociraptor has the capability to adjust DNS records by itself (AKA Dynamic DNS). This saves users the hassle of managing a dedicated dynamic DNS service such as ddclient).

Traditionally we used Google Domains as our default Dynamic DNS provider, but Google has decided to shut down this service abruptly forcing us to switch to alternative providers.

The 0.7.2 release has now switched to CloudFlare as our default preferred Dynamic DNS provider. We also added noip.com as a second option.

Setting up CloudFlare as your preferred dynamic DNS provider requires the following steps:

1. Sign into CloudFlare and buy a domain name.
2. Go to https://dash.cloudflare.com/profile/api-tokens to generate an API token. Select Edit Zone DNS in the API Token templates.

You will need to require the “Edit” permission on Zone DNS and include the specific zone name you want to manage. The zone name is the domain you purchased, e.g. “example.com”. You will be able to set the hostname under that domain, e.g. “velociraptor.example.com”.

Using this information you can now create the dyndns configuration:

Frontend:
....
dyn_dns:
type: cloudflare
api_token: XXXYYYZZZ
zone_name: example.com

Make sure the Frontend.Hostname field is set to the correct hostname to update - for example

Frontend:
hostname: velociraptor.example.com

This is the hostname that will be updated.

Enhanced proxy support

Velociraptor is often deployed into complex enterprise networks. Such networks are often locked down with complicated controls (such as MITM inspection proxies or automated proxy configurations) which Velociraptor needs to support.

Velociraptor already supports MITM proxies but previously had inflexible proxy configuration. The proxy could be set or unset but there was no finer grained control over which proxy to choose for different URLs. This makes it difficult to deploy on changing network topologies (such as roaming use).

The 0.7.2 release introduces more complex proxy condition capabilities. It is now possible to specify which proxy to use for which URL based on a set of regular expressions:

Client:
proxy_config:
http: http://192.168.1.1:3128/
proxy_url_regexp:
"^https://www.google.com/": ""
"^https://.+example.com": "https://proxy.example.com:3128/"

The above configuration means to:

1. By default connect to http://192.168.1.1:3128/ for all URLs (including https)
2. Except for www.google.com which will be connected to directly.
3. Any URLs in the example.com domain will be forwarded through https://proxy.example.com:3128

This proxy configuration can apply to the Client section or the Frontend section to control the server’s configuration.

Additionally, Velociraptor now supports a Proxy Auto Configuration (PAC) file. If a PAC file is specified, then the other configuration directives are ignored and all configuration comes from the PAC file. The PAC file can also be read from disk using the file:// URL scheme, or even provided within the configuration file using a data: URL.

Client:
proxy_config:
pac: http://www.example.com/wpad.dat

Note that the PAC file must obviously be accessible without a proxy.

Other notable features

Other interesting improvements include:

Process memory access on MacOS

On MacOS we can now use proc_yara() to scan process memory. This should work providing your TCT profile grants the get-task-allow, proc_info-allow and task_for_pid-allow entitlements. For example the following plist is needed at a minimum:

Multipart uploaders to http_client()

Sometimes servers require uploaded files to be encoded using the mutipart/form method. Previously it was possible to upload files using the http_client() plugin by constructing the relevant request in pure VQL string building operations.

However this approach is limited by available memory and is not suitable for larger files. It is also non-intuitive for users.

This release adds the files parameter to the http_client() plugin. This simplifies uploading multiple files and automatically streams those files without memory buffering - allowing very large files to be uploaded this way.

For example:

SELECT *
FROM http_client(
url='http://localhost:8002/test/',
method='POST',
files=dict(file='file.txt', key='file', path='/etc/passwd', accessor="file")

Here the files can be an array of dicts with the following fields:

• file: The name of the file that will be stored on the server
• key: The name of the form element that will receive the file
• path: This is an OSPath object that we open and stream into the form.
• accessor: Any accessor required for the path.

Yara plugin can now accept compiled rules

The yara() plugin was upgraded to use Yara Version 4.5.0 as well as support compiled yara rules. You can compile yara rules with the yarac compiler to produce a binary rule file. Simply pass the compiled binary data to the yara() plugin’s rules parameter.

WARNING: We do not recommend using compiled yara rules because of their practical limitations:

1. The compiled rules are not portable and must be used on exactly the same version of the yara library as the compiler that created them (Currently 4.5.0)
2. Compiled yara rules are much larger than the text rules.

Compiled yara rules pose no benefit over text based rules, except perhaps being more complex to decompile. This is primarily the reason to use compiled rules - to try to hide the rules (e.g. from commercial reasons).

Conclusions

There are many more new features and bug fixes in the 0.7.2 release. If you’re interested in any of these new features, why not take Velociraptor for a spin by downloading it from our release page? It’s available for free on GitHub under an open-source license.

As always, please file bugs on the GitHub issue tracker or submit questions to our mailing list by emailing velociraptor-discuss@googlegroups.com. You can also chat with us directly on our Discord server.

Learn more about Velociraptor by visiting any of our web and social media channels below:

• Official Website
• Documentation Site
• X (Twitter)
• LinkedIn
• Instagram
• YouTube

Okta warned of a spike in credential stuffing attacks using anonymizing services such as Tor, DataImpulse, Luminati, and NSocks.

The post Okta Warns of Credential Stuffing Attacks Using Tor, Residential Proxies appeared first on SecurityWeek.

Samourai Wallet Operator Arrest and Assets Seized

The Crackdown of Samourai Wallet Operators

For nearly a dozen years, residents of South Carolina have been kept in the dark by state and federal investigators over who was responsible for hacking into the state’s revenue department in 2012 and stealing tax and bank account information for 3.6 million people. The answer may no longer be a mystery: KrebsOnSecurity found compelling clues suggesting the intrusion was carried out by the same Russian hacking crew that stole of millions of payment card records from big box retailers like Home Depot and Target in the years that followed.

Questions about who stole tax and financial data on roughly three quarters of all South Carolina residents came to the fore last week at the confirmation hearing of Mark Keel, who was appointed in 2011 by Gov. Nikki Haley to head the state’s law enforcement division. If approved, this would be Keel’s third six-year term in that role.

The Associated Press reports that Keel was careful not to release many details about the breach at his hearing, telling lawmakers he knows who did it but that he wasn’t ready to name anyone.

“I think the fact that we didn’t come up with a whole lot of people’s information that got breached is a testament to the work that people have done on this case,” Keel asserted.

A ten-year retrospective published in 2022 by The Post and Courier in Columbia, S.C. said investigators determined the breach began on Aug. 13, 2012, after a state IT contractor clicked a malicious link in an email. State officials said they found out about the hack from federal law enforcement on October 10, 2012.

KrebsOnSecurity examined posts across dozens of cybercrime forums around that time, and found only one instance of someone selling large volumes of tax data in the year surrounding the breach date.

On Oct. 7, 2012 — three days before South Carolina officials say they first learned of the intrusion — a notorious cybercriminal who goes by the handle “Rescator” advertised the sale of “a database of the tax department of one of the states.”

“Bank account information, SSN and all other information,” Rescator’s sales thread on the Russian-language crime forum Embargo read. “If you purchase the entire database, I will give you access to it.”

A week later, Rescator posted a similar offer on the exclusive Russian forum Mazafaka, saying he was selling information from a U.S. state tax database, without naming the state. Rescator said the data exposed included Social Security Number (SSN), employer, name, address, phone, taxable income, tax refund amount, and bank account number.

“There is a lot of information, I am ready to sell the entire database, with access to the database, and in parts,” Rescator told Mazafaka members. “There is also information on corporate taxpayers.”

On Oct. 26, 2012, the state announced the breach publicly. State officials said they were working with investigators from the U.S. Secret Service and digital forensics experts from Mandiant, which produced an incident report (PDF) that was later published by South Carolina Dept. of Revenue. KrebsOnSecurity sought comment from the Secret Service, South Carolina prosecutors, and Mr. Keel’s office. This story will be updated if any of them respond. Update: The Secret Service declined to comment.

On Nov. 18, 2012, Rescator told fellow denizens of the forum Verified he was selling a database of 65,000 records with bank account information from several smaller, regional financial institutions. Rescator’s sales thread on Verified listed more than a dozen database fields, including account number, name, address, phone, tax ID, date of birth, employer and occupation.

Asked to provide more context about the database for sale, Rescator told forum members the database included financial records related to tax filings of a U.S. state. Rescator added that there was a second database of around 80,000 corporations that included social security numbers, names and addresses, but no financial information.

The AP says South Carolina paid $12 million to Experian for identity theft protection and credit monitoring for its residents after the breach.

“At the time, it was one of the largest breaches in U.S. history but has since been surpassed greatly by hacks to Equifax, Yahoo, Home Depot, Target and PlayStation,” the AP’s Jeffrey Collins wrote.

As it happens, Rescator’s criminal hacking crew was directly responsible for the 2013 breach at Target and the 2014 hack of Home Depot. The Target intrusion saw Rescator’s cybercrime shops selling roughly 40 million stolen payment cards, and 56 million cards from Home Depot customers.

Who is Rescator? On Dec. 14, 2023, KrebsOnSecurity published the results of a 10-year investigation into the identity of Rescator, a.k.a. Mikhail Borisovich Shefel, a 36-year-old who lives in Moscow and who recently changed his last name to Lenin.

Mr. Keel’s assertion that somehow the efforts of South Carolina officials following the breach may have lessened its impact on citizens seems unlikely. The stolen tax and financial data appears to have been sold openly on cybercrime forums by one of the Russian underground’s most aggressive and successful hacking crews.

While there are no indications from reviewing forum posts that Rescator ever sold the data, his sales threads came at a time when the incidence of tax refund fraud was skyrocketing.

Tax-related identity theft occurs when someone uses a stolen identity and SSN to file a tax return in that person’s name claiming a fraudulent refund. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually owed a refund from the U.S. Internal Revenue Service (IRS).

According to a 2013 report from the Treasury Inspector General’s office, the IRS issued nearly $4 billion in bogus tax refunds in 2012, and more than $5.8 billion in 2013. The money largely was sent to people who stole SSNs and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

It remains unclear why Shefel has never been officially implicated in the breaches at Target, Home Depot, or in South Carolina. It may be that Shefel has been indicted, and that those indictments remain sealed for some reason. Perhaps prosecutors were hoping Shefel would decide to leave Russia, at which point it would be easier to apprehend him if he believed no one was looking for him.

But all signs are that Shefel is deeply rooted in Russia, and has no plans to leave. In January 2024, authorities in Australia, the United States and the U.K. levied financial sanctions against 33-year-old Russian man Aleksandr Ermakov for allegedly stealing data on 10 million customers of the Australian health insurance giant Medibank.

A week after those sanctions were put in place, KrebsOnSecurity published a deep dive on Ermakov, which found that he co-ran a Moscow-based IT security consulting business along with Mikhail Shefel called Shtazi-IT.

A Google-translated version of Shtazi dot ru. Image: Archive.org.

If only Patch Tuesdays came around infrequently — like total solar eclipse rare — instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this month’s patch batch — a record 147 flaws in Windows and related software.

Yes, you read that right. Microsoft today released updates to address 147 security holes in Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server, DNS Server, Windows Defender, Bitlocker, and Windows Secure Boot.

“This is the largest release from Microsoft this year and the largest since at least 2017,” said Dustin Childs, from Trend Micro’s Zero Day Initiative (ZDI). “As far as I can tell, it’s the largest Patch Tuesday release from Microsoft of all time.”

Tempering the sheer volume of this month’s patches is the middling severity of many of the bugs. Only three of April’s vulnerabilities earned Microsoft’s most-dire “critical” rating, meaning they can be abused by malware or malcontents to take remote control over unpatched systems with no help from users.

Most of the flaws that Microsoft deems “more likely to be exploited” this month are marked as “important,” which usually involve bugs that require a bit more user interaction (social engineering) but which nevertheless can result in system security bypass, compromise, and the theft of critical assets.

Ben McCarthy, lead cyber security engineer at Immersive Labs called attention to CVE-2024-20670, an Outlook for Windows spoofing vulnerability described as being easy to exploit. It involves convincing a user to click on a malicious link in an email, which can then steal the user’s password hash and authenticate as the user in another Microsoft service.

Another interesting bug McCarthy pointed to is CVE-2024-29063, which involves hard-coded credentials in Azure’s search backend infrastructure that could be gleaned by taking advantage of Azure AI search.

“This along with many other AI attacks in recent news shows a potential new attack surface that we are just learning how to mitigate against,” McCarthy said. “Microsoft has updated their backend and notified any customers who have been affected by the credential leakage.”

CVE-2024-29988 is a weakness that allows attackers to bypass Windows SmartScreen, a technology Microsoft designed to provide additional protections for end users against phishing and malware attacks. Childs said one of ZDI’s researchers found this vulnerability being exploited in the wild, although Microsoft doesn’t currently list CVE-2024-29988 as being exploited.

“I would treat this as in the wild until Microsoft clarifies,” Childs said. “The bug itself acts much like CVE-2024-21412 – a [zero-day threat from February] that bypassed the Mark of the Web feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass Mark of the Web.”

Update, 7:46 p.m. ET: A previous version of this story said there were no zero-day vulnerabilities fixed this month. BleepingComputer reports that Microsoft has since confirmed that there are actually two zero-days. One is the flaw Childs just mentioned (CVE-2024-21412), and the other is CVE-2024-26234, described as a “proxy driver spoofing” weakness.

Satnam Narang at Tenable notes that this month’s release includes fixes for two dozen flaws in Windows Secure Boot, the majority of which are considered “Exploitation Less Likely” according to Microsoft.

“However, the last time Microsoft patched a flaw in Windows Secure Boot in May 2023 had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on dark web forums for $5,000,” Narang said. “BlackLotus can bypass functionality called secure boot, which is designed to block malware from being able to load when booting up. While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future.”

For links to individual security advisories indexed by severity, check out ZDI’s blog and the Patch Tuesday post from the SANS Internet Storm Center. Please consider backing up your data or your drive before updating, and drop a note in the comments here if you experience any issues applying these fixes.

Adobe today released nine patches tackling at least two dozen vulnerabilities in a range of software products, including Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate.

KrebsOnSecurity needs to correct the record on a point mentioned at the end of March’s “Fat Patch Tuesday” post, which looked at new AI capabilities built into Adobe Acrobat that are turned on by default. Adobe has since clarified that its apps won’t use AI to auto-scan your documents, as the original language in its FAQ suggested.

“In practice, no document scanning or analysis occurs unless a user actively engages with the AI features by agreeing to the terms, opening a document, and selecting the AI Assistant or generative summary buttons for that specific document,” Adobe said earlier this month.

The nonprofit organization that supports the Firefox web browser said today it is winding down its new partnership with Onerep, an identity protection service recently bundled with Firefox that offers to remove users from hundreds of people-search sites. The move comes just days after a report by KrebsOnSecurity forced Onerep’s CEO to admit that he has founded dozens of people-search networks over the years.

Mozilla Monitor. Image Mozilla Monitor Plus video on Youtube.

Mozilla only began bundling Onerep in Firefox last month, when it announced the reputation service would be offered on a subscription basis as part of Mozilla Monitor Plus. Launched in 2018 under the name Firefox Monitor, Mozilla Monitor also checks data from the website Have I Been Pwned? to let users know when their email addresses or password are leaked in data breaches.

On March 14, KrebsOnSecurity published a story showing that Onerep’s Belarusian CEO and founder Dimitiri Shelest launched dozens of people-search services since 2010, including a still-active data broker called Nuwber that sells background reports on people. Onerep and Shelest did not respond to requests for comment on that story.

But on March 21, Shelest released a lengthy statement wherein he admitted to maintaining an ownership stake in Nuwber, a consumer data broker he founded in 2015 — around the same time he launched Onerep.

Shelest maintained that Nuwber has “zero cross-over or information-sharing with Onerep,” and said any other old domains that may be found and associated with his name are no longer being operated by him.

“I get it,” Shelest wrote. “My affiliation with a people search business may look odd from the outside. In truth, if I hadn’t taken that initial path with a deep dive into how people search sites work, Onerep wouldn’t have the best tech and team in the space. Still, I now appreciate that we did not make this more clear in the past and I’m aiming to do better in the future.” The full statement is available here (PDF).

Onerep CEO and founder Dimitri Shelest.

In a statement released today, a spokesperson for Mozilla said it was moving away from Onerep as a service provider in its Monitor Plus product.

“Though customer data was never at risk, the outside financial interests and activities of Onerep’s CEO do not align with our values,” Mozilla wrote. “We’re working now to solidify a transition plan that will provide customers with a seamless experience and will continue to put their interests first.”

KrebsOnSecurity also reported that Shelest’s email address was used circa 2010 by an affiliate of Spamit, a Russian-language organization that paid people to aggressively promote websites hawking male enhancement drugs and generic pharmaceuticals. As noted in the March 14 story, this connection was confirmed by research from multiple graduate students at my alma mater George Mason University.

Shelest denied ever being associated with Spamit. “Between 2010 and 2014, we put up some web pages and optimize them — a widely used SEO practice — and then ran AdSense banners on them,” Shelest said, presumably referring to the dozens of people-search domains KrebsOnSecurity found were connected to his email addresses (dmitrcox@gmail.com and dmitrcox2@gmail.com). “As we progressed and learned more, we saw that a lot of the inquiries coming in were for people.”

Shelest also acknowledged that Onerep pays to run ads on “on a handful of data broker sites in very specific circumstances.”

“Our ad is served once someone has manually completed an opt-out form on their own,” Shelest wrote. “The goal is to let them know that if they were exposed on that site, there may be others, and bring awareness to there being a more automated opt-out option, such as Onerep.”

Reached via Twitter/X, HaveIBeenPwned founder Troy Hunt said he knew Mozilla was considering a partnership with Onerep, but that he was previously unaware of the Onerep CEO’s many conflicts of interest.

“I knew Mozilla had this in the works and we’d casually discussed it when talking about Firefox monitor,” Hunt told KrebsOnSecurity. “The point I made to them was the same as I’ve made to various companies wanting to put data broker removal ads on HIBP: removing your data from legally operating services has minimal impact, and you can’t remove it from the outright illegal ones who are doing the genuine damage.”

Playing both sides — creating and spreading the same digital disease that your medicine is designed to treat — may be highly unethical and wrong. But in the United States it’s not against the law. Nor is collecting and selling data on Americans. Privacy experts say the problem is that data brokers, people-search services like Nuwber and Onerep, and online reputation management firms exist because virtually all U.S. states exempt so-called “public” or “government” records from consumer privacy laws.

Those include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, and bankruptcy filings. Data brokers also can enrich consumer records with additional information, by adding social media data and known associates.

The March 14 story on Onerep was the second in a series of three investigative reports published here this month that examined the data broker and people-search industries, and highlighted the need for more congressional oversight — if not regulation — on consumer data protection and privacy.

On March 8, KrebsOnSecurity published A Close Up Look at the Consumer Data Broker Radaris, which showed that the co-founders of Radaris operate multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.

On March 20, KrebsOnSecurity published The Not-So-True People-Search Network from China, which revealed an elaborate web of phony people-search companies and executives designed to conceal the location of people-search affiliates in China who are earning money promoting U.S. based data brokers that sell personal information on Americans.

Apple and Microsoft recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its Windows OS. Meanwhile, Apple’s new macOS Sonoma addresses at least 68 security weaknesses, and its latest update for iOS fixes two zero-day flaws.

Last week, Apple pushed out an urgent software update to its flagship iOS platform, warning that there were at least two zero-day exploits for vulnerabilities being used in the wild (CVE-2024-23225 and CVE-2024-23296). The security updates are available in iOS 17.4, iPadOS 17.4, and iOS 16.7.6.

Apple’s macOS Sonoma 14.4 Security Update addresses dozens of security issues. Jason Kitka, chief information security officer at Automox, said the vulnerabilities patched in this update often stem from memory safety issues, a concern that has led to a broader industry conversation about the adoption of memory-safe programming languages [full disclosure: Automox is an advertiser on this site].

On Feb. 26, 2024, the Biden administration issued a report that calls for greater adoption of memory-safe programming languages. On Mar. 4, 2024, Google published Secure by Design, which lays out the company’s perspective on memory safety risks.

Mercifully, there do not appear to be any zero-day threats hounding Windows users this month (at least not yet). Satnam Narang, senior staff research engineer at Tenable, notes that of the 60 CVEs in this month’s Patch Tuesday release, only six are considered “more likely to be exploited” according to Microsoft.

Those more likely to be exploited bugs are mostly “elevation of privilege vulnerabilities” including CVE-2024-26182 (Windows Kernel), CVE-2024-26170 (Windows Composite Image File System (CimFS), CVE-2024-21437 (Windows Graphics Component), and CVE-2024-21433 (Windows Print Spooler).

Narang highlighted CVE-2024-21390 as a particularly interesting vulnerability in this month’s Patch Tuesday release, which is an elevation of privilege flaw in Microsoft Authenticator, the software giant’s app for multi-factor authentication. Narang said a prerequisite for an attacker to exploit this flaw is to already have a presence on the device either through malware or a malicious application.

“If a victim has closed and re-opened the Microsoft Authenticator app, an attacker could obtain multi-factor authentication codes and modify or delete accounts from the app,” Narang said. “Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”

CVE-2024-21334 earned a CVSS (danger) score of 9.8 (10 is the worst), and it concerns a weakness in Open Management Infrastructure (OMI), a Linux-based cloud infrastructure in Microsoft Azure. Microsoft says attackers could connect to OMI instances over the Internet without authentication, and then send specially crafted data packets to gain remote code execution on the host device.

CVE-2024-21435 is a CVSS 8.8 vulnerability in Windows OLE, which acts as a kind of backbone for a great deal of communication between applications that people use every day on Windows, said Ben McCarthy, lead cybersecurity engineer at Immersive Labs.

“With this vulnerability, there is an exploit that allows remote code execution, the attacker needs to trick a user into opening a document, this document will exploit the OLE engine to download a malicious DLL to gain code execution on the system,” Breen explained. “The attack complexity has been described as low meaning there is less of a barrier to entry for attackers.”

A full list of the vulnerabilities addressed by Microsoft this month is available at the SANS Internet Storm Center, which breaks down the updates by severity and urgency.

Finally, Adobe today issued security updates that fix dozens of security holes in a wide range of products, including Adobe Experience Manager, Adobe Premiere Pro, ColdFusion 2023 and 2021, Adobe Bridge, Lightroom, and Adobe Animate. Adobe said it is not aware of active exploitation against any of the flaws.

By the way, Adobe recently enrolled all of its Acrobat users into a “new generative AI feature” that scans the contents of your PDFs so that its new “AI Assistant” can  “understand your questions and provide responses based on the content of your PDF file.” Adobe provides instructions on how to disable the AI features and opt out here.

Last week on Malwarebytes Labs:

• Patch now! VMWare escape flaws are so serious even end-of-life software gets a fix
• Update now! JetBrains TeamCity vulnerability abused at scale
• PetSmart warns customers of credential stuffing attack
• Predator spyware vendor banned in US
• ALPHV ransomware gang fakes own death, fools no one
• Update your iPhones and iPads now: Apple patches security vulnerabilities in iOS and iPadOS
• Check your DNS! Abandoned domains used to bypass spam checks
• American Express warns customers about third party data breach
• No “Apple magic” as 11% of macOS detections last year came from malware
• Pegasus spyware creator ordered to reveal code used to spy on WhatsApp users

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

The US Treasury Department has sanctioned Predator spyware vendor Intellexa Consortium, and banned the company from doing business in the US.

Predator can turn infected smartphones into surveillance devices. Intellexa is based in Greece but the Treasury Department imposed the sanctions because of the use of the spyware against Americans, including US government officials, journalists, and policy experts.

Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said:

“Today’s actions represent a tangible step forward in discouraging the misuse of commercial surveillance tools, which increasingly present a security risk to the United States and our citizens.”

Since its founding in 2019, the Intellexa Consortium has marketed the Predator label as a suite of tools created by a variety of offensive cybercompanies that enable targeted and mass surveillance campaigns.

Predator is capable of infiltrating a range of electronic devices without any user interaction (known as ‘zero-click’). Once installed, Predator deploys its extensive data-stealing and surveillance capabilities, giving the attacker access to a variety of applications and personal information on the compromised device. The spyware is capable of turning on the user’s microphone and camera, downloading their files without their knowledge, tracking their location, and more.

Under the sanctions, Americans and people who do business with the US are forbidden from transacting with Intellexa, its founder and architect Tal Dilian, employee Sara Hamou and four of the companies affiliated with Intellexa.

Sanctions of this magnitude leveraged against commercial spyware vendors for enabling misuse of their tools are unprecedented, but the US has expressed concerns about commercial spyware vendors before.

“A growing number of foreign governments around the world, moreover, have deployed this technology to facilitate repression and enable human rights abuses, including to intimidate political opponents and curb dissent, limit freedom of expression, and monitor and target activists and journalists.”

In July 2023, the US Commerce Department’s Bureau of Industry and Security (BIS) added Intellexa and Cytrox AD to the Entity List for trafficking in cyber exploits used to gain access to information systems. Cytrox AD is a North Macedonia-based company within the Intellexa Consortium and acts as a developer of the consortium’s Predator spyware.

The Entity List is a trade control list created and maintained by the US government. It identifies foreign individuals, organizations, companies, and government entities that are subject to specific export controls and restrictions due to their involvement in activities that threaten US national security or foreign policy interests.

Earlier this month, a California federal judge ordered spyware maker NSO Group to hand over the code for Pegasus and other spyware products used to spy on WhatsApp users.

While you’ll see Predator and Pegasus usually deployed in small-scale and targeted attacks, putting a stop to the development and deployment of spyware by these commercial entities is good news for everyone.

How to remove spyware

Because spyware apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes for Android can help you.

1. Open Malwarebytes for Android and navigate to the dashboard
2. Tap Scan now
3. It may take a few minutes to scan your device, but it will tell you if it finds spyware or any other nasties.
4. You can then uninstall the app.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

UEFI threats have historically been limited in number and mostly implemented by nation state actors as stealthy persistence. However, the recent proliferation of Black Lotus on the dark web, Trickbot enumeration module (late 2022), and Glupteba (November 2023) indicates that this historical trend may be changing.

With this context, it is becoming important for security practitioners to understand visibility and collection capabilities for UEFI threats. This post covers some of these areas and presents several recent Velociraptor artifacts that can be used in the field. Rapid7 has also released a white paper providing detailed information about how UEFI malware works and some of the most common types.

Background

Unified Extensible Firmware Interface, or UEFI, is the interface between a system’s hardware and its operating system (OS). The technology can be viewed as an updated BIOS capability to improve and add security to the boot process.

The two main types of UEFI persistence are:

1. Serial Peripheral Interface (SPI) based

• Firmware payload implant that is resilient to even a hard disk format.
• Difficult to implement — there are risks associated with implementing and potentially bricking a machine if there are mistakes with the firmware.
• Difficult to detect at scale — defenders need to extract firmware which typically requires a signed driver, then running tools for analysis.
• Typically an analyst would dump firmware, then extract variables and other interesting files like PEs for deep dive analysis.

2. EFI System Partition (ESP) based

• A special FAT partition that stores bootloaders and sits late in the EFI boot process.
• Much easier to implement, only requiring root privileges and to bypass Secure Boot.
• Does not survive a machine format.

EFI Secure Variables API visibility

EFI Secure Variables (or otherwise known as NVRAM) is how the system distributes components from the firmware during boot. From an analysis point of view, whilst dumping the firmware is difficult needing manual workflow, all operating systems provide some visibility from user space. This blog will discuss the Windows API; however, for reference Linux and macOS provides similar data.

GetFirmwareEnvironmentVariable (Windows) can collect the name, namespace guid and value of EFI secure variables. This collection can be used to check current state including key/signature database and revocation.

Some of the data points it enables extracting are:

• Platform Key (PK) — top level key.
• Key Exchange Key (KEK)  — used to sign Signatures Database and Forbidden Signatures Database updates.
• Signature database (db) — contains keys and/or hashes of allowed EFI binaries.
• Forbidden signatures database (dbx) — contains keys and/or hashes of denylisted EFI binaries.
• Other boot configuration settings.

It's worth noting that this technique is relying on the Windows API and could be subverted with capable malware, but the visibility can provide leads for an analyst around boot configuration or signatures. There are also “boot only” NVRAM variables that can not be accessed outside boot, so a manual chip dump would need to be collected.

Velociraptor has a community contributed capability: Generic.System.EfiSignatures. This artifact collects EFI Signature information from the client to check for unknown certificates and revoked hashes. This is a great artifact for data stacking across machines and is built by parsing data values from the efivariables() plugin.

EFI System Partition (ESP) visibility

The ESP is a FAT partitioned file system that contains boot loaders and other critical files used during the boot process which do not change regularly. As such, it can be a relatively simple task to find abnormalities using forensics.

For example, parsing the File Allocation Table we can review metadata around path, timestamps, and deleted status that may provide leads for analysis.

In the screenshot above we observe several EFI bootloader files with timestamps out of alignment. We would typically expect these files to have the same timestamps around operating system install. We can also observe deleted files and the existence of a System32 folder in the temporal range of these entries.

The EFI/ folder should be the only folder in the ESP root so querying for any paths that do not begin with EFI/ is a great hunt that detects our lead above. You can see in my screenshot below, the BlackLotus staging being bubbled to the top adding filtering for this use case.

Interestingly, BlackLotus was known to use the Baton Drop exploit so we can compare to the publicly available Baton Drop and observe similarities to deleted files on the ESP.

The final component of ESP-based visibility is checking the bytes of file contents. We can run YARA to look for known malware traits, or obtain additional file type metadata that can provide leads for analysis. The screenshot below highlights the well known Black Lotus certificate information and PE header timestamp.

Available Velociraptor artifacts for this visibility of the ESP are:

1. Windows.Forensics.UEFI — This artifact enables disk analysis over an EFI System Partition (ESP). The artifact queries the specified physical disk, parses the partition table to target the ESP File Allocation Table (FAT). The artifact returns file information, and PE enrichment as typical EFI files are in the PE format.
2. Windows.Detection.Yara.UEFI — This artifact expands on basic enumeration of the ESP and enables running yara over the EFI system partition.

Measured Boot log visibility

Bootkit security has always been a “race to the bottom.” If the malware could load prior to security tools, a defender would need to assume they may be defeated. Since Windows 8, Measured Boot is a feature implemented to help protect machines from early boot malware. Measured Boot checks each startup component — from firmware to boot drivers — and stores this information in the Trusted Platform Module (TPM). A binary log is then made available to verify the boot state of the machine. The default Measured Boot log location is C:\Windows\Logs\MeasuredBoot\*.log and a new file is recorded for each boot.

Windows.Forensics.UEFI.BootApplication parses Windows MeasuredBoot TCGLogs to extract PathName of events, which can assist detection of potential ESP based persistence (EV_EFI_Boot_Services_Application). The artifact leverages Velociraptor tools to deploy and execute Matt Graeber’s excellent powershell module TCGLogTools to parse TCGLogs on disk and memory.

We can see when running on an infected machine that the BOOT application path has clearly changed from the default: \EFI\Microsoft\Boot\bootmgfw.efi. Therefore, Boot Application is a field that is stackable across the network.

We can also output extended values, including digest hashes for verification.

Other forensic artifacts

There are many other generic forensic artifacts analysts could focus on for assisting detection of a UEFI threat. From malware network activity to unexpected errors in the event log associated with Antivirus/Security tools on the machine.

For example: BlackLotus made an effort to evade detection by changing Windows Defender access tokens to SE_PRIVILEGE_REMOVED. This technique keeps the Defender service running but effectively disables it. While Velociraptor may not have protected process privileges to check tokens directly, we can check for other indicators such as errors associated with use.

Similarly, Memory integrity (HVCI) is a feature of virtualization-based security (VBS) in Windows. It provides a stronger virtualization environment via isolation and kernel memory allocations.The feature is related to Secure Boot and can be disabled for malware that needs a lower integrity environment to run. It requires setting the configuration registry key value to 0.

HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Value

0 - disabled

1 - enabled
Windows.Registry.HVCI available on the artifact exchange can be used to query for this key value.

Conclusion

Despite UEFI threats possessing intimidating capabilities, security practitioners can deploy some visibility with current tools for remote investigation. Forensically parsing disk and not relying on the Windows API, or reviewing other systemic indicators that may signal compromise, is a practical way to detect components of these threats. Knowing collection capabilities, the gaps, and how to mitigate these is just as important as knowing the threat.

In this post we have covered some of Velociraptor’s visibility for UEFI threats and we have only scratched the surface for those who know their environment and can query it effectively. Rapid7 supports Velociraptor open source, providing the community with Velociraptor and open source features unavailable even in some paid tools.

References:

1. ESET, Martin Smolar - BlackLotus UEFI bootkit: Myth confirmed
2. Microsoft Incident Response - Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign
3. Trellix Insights: TrickBot offers new TrickBoot
4. Palo Alto Unit 42: Diving Into Glupteba's UEFI Bootkit
5. Sentinel1: Moving from common sense knowledge about uefi to actually dumping uefi firmware

I know that some of you are expecting a post similar to that about a toothbrush botnet, but this is not a hypothetical case. It actually happened.

A Malwarebytes Premium customer started a thread on Reddit saying we had blocked malware from trying to infect their computer after they connected a vibrator to a USB port in order to charge the device.

The vibrator, Spencer’s Sexology Pussy Power 8-Function Rechargeable Bullet Vibrator, was infected with an information stealer known as Lumma.

Lumma is available through a Malware-as-a-Service (MaaS) model, where cybercriminals pay other cybercriminals for access to malicious software and its related infrastructure. Lumma steals information from cryptocurrency wallets and browser extensions, as well as two-factor authentication details. Lumma is often distributed via email campaigns, but nothing stops the cybercriminals from spreading it through infected USB drives, as is the case here.

The question that remains is, how did the vibrator get infected? The victim bought the vibrator at Spencer’s, so we reached out to the company in an attempt to get to the bottom of this.

Spencer’s acknowledged that it was aware of the problem, but the team investigating the issue was unable to provide further information at this point. We’ll keep you updated if we receive word from them or find out any more information ourselves.

Update February 28, 2024

A spokesperson for Spirit Halloween/Spencer’s reached out asking us to add their official statement:

“We are aware of the issue raised regarding one of our intimate products and can confirm that it is unable to transmit data, as there is no physical connection from the PC board circuitry to the USB data pins.“

This definitely makes sense for a device that is not capable of reprogramming by the user. It basically means the device does not need to be connected with a USB condom.

Our advice when it comes to USB devices, including rechargeable vibrators:

• Don’t connect the USB to your computer for charging. If you use a good old-fashioned AC plug socket then no data transfer can take place while you charge.
• If you still want the option to connect via USB, USB condoms or “juice-jack defenders” as they are sometimes called will prevent accidental data exchange when your device is plugged into another device with a USB cable.
• Treat untrusted devices like you would the “lost USB stick” in the parking lot. You know you shouldn’t connect those to your computer, right?
• Always use security software. In this case, the customer was protected by Malwarebytes Premium. If they weren’t using security software, their personal information might have ended up in the hands of cybercriminals.

Technical details

The customer was kind enough to provide us with the content of the flash drive. On it were a host of XML files and a Microsoft Software Installer file (Mia_Khalifa 18+.msi).

The XML files all look very similar to the above and seem to be designed to functions as an XML bomb. An XML bomb is an exponential entity expansion attack, similar to a ZIP bomb, that is designed to crash the web application. This is likely used to draw the attention of the victim away from the actual malware.

The installer creates a program entry called Outweep Dynes.

The Outweep Dynes “program” is yet another installer dropped in %USERPROFILE%\AppData\Local\Outweep Dynes\InstallerPlus_v3e.5m.exe

To hinder reverse engineering, extraction of the executable is password protected. But with the password hardcoded in the file, that was not a problem.

The file then executes a heavily obfuscated portable executable detected by Malwarebytes as Trojan.Crypt.MSIL which is Malwarebytes’ generic detection name for a type of obfuscated Trojan programmed in Microsoft Intermediate Language (MSIL).

The dropped executable is a combination of the Lumma Stealer and an additional .NET dll library.

Malwarebytes ThreatDown customers enjoy protection by Advanced Device Control. When a USB device is connected, ThreatDown now doesn’t just control access—it actively scans it. You can also now choose to block the device until the system scans it. This means threats are stopped in their tracks, well before they can do any harm.

IOCs

Program name:

Outweep Dynes

Folder:

%USERPROFILE%\AppData\Local\Outweep Dynes

Filenames:

• InstallerPlus_v3e.5m.exe
• Installer-Advanced-Installergenius_v4.8z.1l.exe

SHA256 hashes:

• 207ee8fb2a824009fe72a857e041297bde3b82626b8883bc05ca8572b4dd148a
• e0f4382f4534c2c0071ce0779d21f0fed59f428cdb622b1945e0a54157c19f95
• be6efe16701cb69ec6e48441a6ad1c1f934e0f92878ccdfafc3f52cbc97be5c2

Vibrator:

Spencer’s Sexology Pussy Power 8-Function Rechargeable Bullet Vibrator

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

In 2020, the United States brought charges against four men accused of building a bulletproof hosting empire that once dominated the Russian cybercrime industry and supported multiple organized cybercrime groups. All four pleaded guilty to conspiracy and racketeering charges. But there is a fascinating and untold backstory behind the two Russian men involved, who co-ran the world’s top spam forum and worked closely with Russia’s most dangerous cybercriminals.

From January 2005 to April 2013, there were two primary administrators of the cybercrime forum Spamdot (a.k.a Spamit), an invite-only community for Russian-speaking people in the businesses of sending spam and building botnets of infected computers to relay said spam. The Spamdot admins went by the nicknames Icamis (a.k.a. Ika), and Salomon (a.k.a. Sal).

Spamdot forum administrator “Ika” a.k.a. “Icamis” responds to a message from “Tarelka,” the botmaster behind the Rustock botnet. Dmsell said: “I’m actually very glad that I switched to legal spam mailing,” prompting Tarelka and Ika to scoff.

As detailed in my 2014 book, Spam Nation, Spamdot was home to crooks controlling some of the world’s nastiest botnets, global malware contagions that went by exotic names like Rustock, Cutwail, Mega-D, Festi, Waledac, and Grum.

Icamis and Sal were in daily communications with these botmasters, via the Spamdot forum and private messages. Collectively in control over millions of spam-spewing zombies, those botmasters also continuously harvested passwords and other data from infected machines.

As we’ll see in a moment, Salomon is now behind bars, in part because he helped to rob dozens of small businesses in the United States using some of those same harvested passwords. He is currently housed in a federal prison in Michigan, serving the final stretch of a 60-month sentence.

But the identity and whereabouts of Icamis have remained a mystery to this author until recently. For years, security experts — and indeed, many top cybercriminals in the Spamit affiliate program — have expressed the belief that Sal and Icamis were likely the same person using two different identities. And there were many good reasons to support this conclusion.

For example, in 2010 Spamdot and its spam affiliate program Spamit were hacked, and its user database shows Sal and Icamis often accessed the forum from the same Internet address — usually from Cherepovets, an industrial town situated approximately 230 miles north of Moscow. Also, it was common for Icamis to reply when Spamdot members communicated a request or complaint to Sal, and vice versa.

Image: maps.google.com

Still, other clues suggested Icamis and Sal were two separate individuals. For starters, they frequently changed the status on their instant messenger clients at different times. Also, they each privately discussed with others having attended different universities.

KrebsOnSecurity began researching Icamis’s real-life identity in 2012, but failed to revisit any of that research until recently. In December 2023, KrebsOnSecurity published new details about the identity of “Rescator,” a Russian cybercriminal who is thought to be closely connected to the 2013 data breach at Target.

That story mentioned Rescator’s real-life identity was exposed by Icamis in April 2013, as part of a lengthy farewell letter Ika wrote to Spamdot members wherein Ika said he was closing the forum and quitting the cybercrime business entirely.

To no one’s shock, Icamis didn’t quit the business: He simply became more quiet and circumspect about his work, which increasingly was focused on helping crime groups siphon funds from U.S. bank accounts. But the Rescator story was a reminder that 10 years worth of research on who Ika/Icamis is in real life had been completely set aside. This post is an attempt to remedy that omission.

The farewell post from Ika (aka Icamis), the administrator of both the BlackSEO forum and Pustota, the successor forum to Spamit/Spamdot.

GENTLEMEN SCAMMERS

Icamis and Sal offered a comprehensive package of goods and services that any aspiring or accomplished spammer would need on a day-to-day basis: Virtually unlimited bulletproof domain registration and hosting services, as well as services that helped botmasters evade spam block lists generated by anti-spam groups like Spamhaus.org. Here’s snippet of Icamis’s ad on Spamdot from Aug. 2008, wherein he addresses forum members with the salutation, “Hello Gentlemen Scammers.”

We are glad to present you our services!
Many are already aware (and are our clients), but publicity is never superfluous.

Domains.
– all major gtlds (com, net, org, info, biz)
– many interesting and uninteresting cctlds
– options for any topic
– processing of any quantities
– guarantees
– exceptionally low prices for domains for white and gray schemes (including any SEO and affiliate spam )
– control panel with balances and auto-registration
– all services under the Ikamis brand, proven over the years;)

Servers.
– long-term partnerships with several [data centers] in several parts of the world for any topic
– your own data center (no longer in Russia ;)) for gray and white topics
– any configuration and any hardware
– your own IP networks (PI, not PA) and full legal support
– realtime backups to neutral sites
– guarantees and full responsibility for the services provided
– non-standard equipment on request
– our own admins to resolve any technical issues (services are free for clients)
– hosting (shared and vps) is also possible

Non-standard and related services.
– ssl certificates signed by geotrust and thawte
– old domains (any year, any quantity)
– beautiful domains (keyword, short, etc.)
– domains with indicators (any, for SEO, etc.)
– making unstable gtld domains stable
– interception and hijacking of custom domains (expensive)
– full domain posting via web.archive.org with restoration of native content (preliminary applications)
– any updates to our panels to suit your needs upon request (our own coders)

All orders for the “Domains” sections and “Servers” are carried out during the day (depending on our workload).
For non-standard and related services, a preliminary application is required 30 days in advance (except for ssl certificates – within 24 hours).

Icamis and Sal frequently claimed that their service kept Spamhaus and other anti-spam groups several steps behind their operations. But it’s clear that those anti-spam operations had a real and painful impact on spam revenues, and Salomon was obsessed with striking back at anti-spam groups, particularly Spamhaus.

In 2007, Salomon collected more than $3,000 from botmasters affiliated with competing spam affiliate programs that wanted to see Spamhaus suffer, and the money was used to fund a week-long distributed denial-of-service (DDoS) attack against Spamhaus and its online infrastructure. But rather than divert their spam botnets from their normal activity and thereby decrease sales, the botmasters voted to create a new DDoS botnet by purchasing installations of DDoS malware on thousands of already-hacked PCs (at a rate of $25 per 1,000 installs).

SALOMON

As an affiliate of Spamdot, Salomon used the email address ad1@safe-mail.net, and the password 19871987gr. The breach tracking service Constella Intelligence found the password 19871987gr was used by the email address grichishkin@gmail.com. Multiple accounts are registered to that email address under the name Alexander Valerievich Grichishkin, from Cherepovets.

In 2020, Grichishkin was arrested outside of Russia on a warrant for providing bulletproof hosting services to cybercriminal gangs. The U.S. government said Grichishkin and three others set up the infrastructure used by cybercriminals between 2009 to 2015 to distribute malware and attack financial institutions and victims throughout the United States.

Those clients included crooks using malware like Zeus, SpyEye, Citadel and the Blackhole exploit kit to build botnets and steal banking credentials.

“The Organization and its members helped their clients to access computers without authorization, steal financial information (including banking credentials), and initiate unauthorized wire transfers from victims’ financial accounts,” the government’s complaint stated.

Grichishkin pleaded guilty to conspiracy charges and was sentenced to four years in prison. He is 36 years old, has a wife and kids in Thailand, and is slated for release on February 8, 2024.

ICAMIS, THE PHANTOM GRADUATE

The identity of Icamis came into view when KrebsOnSecurity began focusing on clues that might connect Icamis to Cherepovets (Ika’s apparent hometown based on the Internet addresses he regularly used to access Spamdot).

Historic domain ownership records from DomainTools.com reveal that many of the email addresses and domains connected to Icamis invoke the name “Andrew Artz,” including icamis[.]ws, icamis[.]ru, and icamis[.]biz. Icamis promoted his services in 2003 — such as bulk-domains[.]info — using the email address icamis@4host.info. From one of his ads in 2005:

Domains For Projects Advertised By Spam

I can register bulletproof domains for sites and projects advertised by spam(of course they must be legal). I can not provide DNS for u, only domains. The price will be:

65$ for domain[if u will buy less than 5 domains]

50$ for domain[more than 5 domains]

45$ for domain[more than 10 domains]

These prices are for domains in the .net & .com zones.

If u want to order domains write me to: icamis@4host.info

In 2009, an “Andrew Artz” registered at the hosting service FirstVDS.com using the email address icamis@4host.info, with a notation saying the company name attached to the account was “WMPay.” Likewise, the bulletproof domain service icamis[.]ws was registered to an Andrew Artz.

The domain wmpay.ru is registered to the phonetically similar name “Andrew Hertz,” at andrew@wmpay.ru. A search on “icamis.ru” in Google brings up a 2003 post by him on a discussion forum designed by and for students of Amtek, a secondary school in Cherepovets (Icamis was commenting from an Internet address in Cherepovets).

The website amtek-foreva-narod.ru is still online, and it links to several yearbooks for Amtek graduates. It states that the yearbook for the Amtek class of 2004 is hosted at 41.wmpay[.]com.

The yearbook photos for the Amtek class of 2004 are not indexed in the Wayback Machine at archive.org, but the names and nicknames of 16 students remain. However, it appears that the entry for one student — the Wmpay[.]com site administrator — was removed at some point.

In 2004, the administrator of the Amtek discussion forum — a 2003 graduate who used the handle “Grand” — observed that there were three people named Andrey who graduated from Amtek in 2004, but one of them was conspicuously absent from the yearbook at wmpay[.]ru: Andrey Skvortsov.

To bring this full circle, Icamis was Andrey Skvortsov, the other Russian man charged alongside Grichiskin (the two others who pleaded guilty to conspiracy charges were from Estonia and Lithuania). All of the defendants in that case pleaded guilty to conspiracy to engage in a Racketeer Influenced Corrupt Organization (RICO).

[Author’s note: No doubt government prosecutors had their own reasons for omitting the nicknames of the defendants in their press releases, but that information sure would have saved me a lot of time and effort].

SKVORTSOV AND THE JABBERZEUS CREW

Skvortsov was sentenced to time served, and presumably deported. His current whereabouts are unknown and he was not reachable for comment via his known contact addresses.

The government says Ika and Sal’s bulletproof hosting empire provided extensive support for a highly damaging cybercrime group known as the JabberZeus Crew, which worked closely with the author of the Zeus Trojan — Evgeniy Mikhailovich Bogachev — to develop a then-advanced strain of the Zeus malware that was designed to defeat one-time codes for authentication. Bogachev is a top Russian cybercriminal with a standing $3 million bounty on his head from the FBI.

The JabberZeus Crew stole money by constantly recruiting money mules, people in the United States and in Europe who could be enticed or tricked into forwarding money stolen from cybercrime victims. Interestingly, Icamis’s various email addresses are connected to websites for a vast network of phony technology companies that claimed they needed people with bank accounts to help pay their overseas employees.

Icamis used the email address tech@safe-mail.net on Spamdot, and this email address is tied to the registration records for multiple phony technology companies that were set up to recruit money mules.

One such site — sun-technology[.]net — advertised itself as a Hong Kong-based electronics firm that was looking for “honest, responsible and motivated people in UK, USA, AU and NZ to be Sales Representatives in your particular region and receive payments from our clients. Agent commission is 5 percent of total amount received to the personal bank account. You may use your existing bank account or open a new one for these purposes.”

In January 2010, KrebsOnSecurity broke the news that the JabberZeus crew had just used money mules to steal $500,000 from tiny Duanesburg Central School District in upstate New York. As part of his sentence, Skvortsov was ordered to pay $497,200 in restitution to the Duanesburg Central School District.

The JabberZeus Crew operated mainly out of the eastern Ukraine city of Donetsk, which was always pro-Russia and is now occupied by Russian forces. But when Russia invaded Ukraine in February 2022, the alleged leader of the notorious cybercrime gang — Vyacheslav Igoravich Andreev (a.ka. Penchukov) — fled his mandatory military service orders and was arrested in Geneva, Switzerland. He is currently in federal custody awaiting trial, and is slated to be arraigned in U.S. federal court tomorrow (Jan. 9, 2024). A copy of the indictment against Andreev is here (PDF).

Andreev, aka “Tank,” seen here performing as a DJ in Ukraine in an undated photo from social media.