Conti Ransomware Group Diaries, Part III: Weaponry

March 4, 2022

Part I of this series examined newly-leaked internal chats from the Conti ransomware group, and how the crime gang dealt with its own internal breaches. Part II explored what it’s like to be an employee of Conti’s sprawling organization. Today’s Part III looks at how Conti abused popular commercial security services to undermine the security of their targets, as well as how the team’s leaders strategized for the upper hand in ransom negotiations with victims.

Conti is by far the most aggressive and profitable ransomware group in operation today. Image: Chainalysis

Conti is by far the most successful ransomware group in operation today, routinely pulling in multi-million dollar payments from victim organizations. That’s because more than perhaps any other ransomware outfit, Conti has chosen to focus its considerable staff and talents on targeting companies with more than $100 million in annual revenues.

As it happens, Conti itself recently joined the $100 million club. According to the latest Crypto Crime Report (PDF) published by virtual currency tracking firm Chainalysis, Conti generated at least $180 million in revenue last year.

On Feb. 27, a Ukrainian cybersecurity researcher who is currently in Ukraine leaked almost two years’ worth of internal chat records from Conti, which had just posted a press release to its victim shaming blog saying it fully supported Russia’s invasion of his country. Conti warned it would use its cyber prowess to strike back at anyone who interfered in the conflict.

The leaked chats show that the Conti group — which fluctuated in size from 65 to more than 100 employees — budgeted several thousand dollars each month to pay for a slew of security and antivirus tools. Conti sought out these tools both for continuous testing (to see how many products detected their malware as bad) and for their own internal security.

A chat between Conti upper manager “Reshaev” and subordinate “Pin” on Aug. 8, 2021 shows Reshaev ordering Pin to quietly check on the activity of the Conti network administrators once a week — to ensure they’re not doing anything to undermine the integrity or security of the group’s operation. Reshaev tells Pin to install endpoint detection and response (EDR) tools on every administrator’s computer.

“Check admins’ activity on servers each week,” Reshaev said. “Install EDR on every computer (for example, Sentinel, Cylance, CrowdStrike); set up more complex storage system; protect LSAS dump on all computers; have only 1 active accounts; install latest security updates; install firewall on all network.”

Conti managers were hyper aware that their employees handled incredibly sensitive and invaluable data stolen from companies, information that would sell like hotcakes on the underground cybercrime forums. But in a company run by crooks, trust doesn’t come easily.

“You check on me all the time, don’t you trust me?,” asked mid-level Conti member “Bio” of “Tramp” (a.k.a. “Trump”), a top Conti overlord. Bio was handling a large bitcoin transfer from a victim ransom payment, and Bio detected that Trump was monitoring him.

“When that kind of money and people from the street come in who have never seen that kind of money, how can you trust them 1,000%?” Trump replied. “I’ve been working here for more than 15 years and haven’t seen anything else.”

Conti Ransomware Group Diaries, Part II: The Office

March 2, 2022

Earlier this week, a Ukrainian security researcher leaked almost two years’ worth of internal chat logs from Conti, one of the more rapacious and ruthless ransomware gangs in operation today. Tuesday’s story examined how Conti dealt with its own internal breaches and attacks from private security firms and governments. In Part II of this series we’ll explore what it’s like to work for Conti, as described by the Conti employees themselves.

The Conti group’s chats reveal a great deal about its internal structure and hierarchy. Conti maintains many of the same business units as a legitimate, small- to medium-sized enterprise, including a Human Resources department that is in charge of constantly interviewing potential new hires.

Other Conti departments with their own distinct budgets, staff schedules, and senior leadership include:

Coders: Programmers hired to write malicious code, integrate disparate technologies
Testers: Workers in charge of testing Conti malware against security tools and obfuscating it
Administrators: Workers tasked with setting up, tearing down servers, other attack infrastructure
Reverse Engineers: Those who can disassemble computer code, study it, find vulnerabilities or weaknesses
Penetration Testers/Hackers: Those on the front lines battling against corporate security teams to steal data, and plant ransomware.

Conti appears to have contracted out much of its spamming operations, or at least there was no mention of “Spammers” as direct employees. Conti’s leaders seem to have set strict budgets for each of its organizational units, although it occasionally borrowed funds allocated for one department to address the pressing cashflow needs of another.

A great many of the more revealing chats concerning Conti’s structure are between “Mango” — a mid-level Conti manager to whom many other Conti employees report each day — and “Stern,” a sort of cantankerous taskmaster who can be seen constantly needling the staff for reports on their work.

In July 2021, Mango told Stern that the group was placing ads on several Russian-language cybercrime forums to hire more workers. “The salary is $2k in the announcement, but there are a lot of comments that we are recruiting galley slaves,” Mango wrote. “Of course, we dispute that and say those who work and bring results can earn more, but there are examples of coders who work normally and earn $5-$10k salary.”

The Conti chats show the gang primarily kept tabs on the victim bots infected with their malware via both the Trickbot and Emotet crimeware-as-a-service platforms, and that it employed dozens of people to continuously test, maintain and expand this infrastructure 24 hours a day, 7 days a week.

Conti members referred to Emotet as “Booz” or “Buza,” and it is evident from reading these chat logs that Buza had its own stable of more than 50 coders, and likely much of the same organizational structure as Conti.

According to Mango, as of July 18, 2021 the Conti gang employed 62 people, mostly low-level malware coders and software testers. However, Conti’s employee roster appears to have fluctuated wildly from one month to the next. For example, on multiple occasions the organization was forced to fire many employees as a security precaution in the wake of its own internal security breaches.

In May 2021, Stern told Mango he wanted his underlings to hire 100 more “encoders” to work with the group’s malware before the bulk of the gang returns from their summer vacations in Crimea. Most of these new hires, Stern says, will join the penetration testing/hacking teams headed by Conti leaders “Hof” and “Reverse.” Both Hof and Reverse appear to have direct access to the Emotet crimeware platform.

On July 30, 2021, Mango tells Stern the payroll has increased to 87 salaried employees, with more hires on the way. But trying to accurately gauge the size of the Conti organization is problematic, in part because cybersecurity experts have long held that Conti is merely a rebrand of another ransomware strain and affiliate program known as Ryuk.

First spotted in 2018, Ryuk was just as ruthless and mercenary as Conti, and the FBI says that in the first year of its operation Ryuk earned more than $61 million in ransom payouts.

“Conti is a Targeted version of Ryuk, which comes from Trickbot and Emotet which we’ve been monitoring for some time,” researchers at Palo Alto Networks wrote about Ryuk last year. “A heavy focus was put on hospital systems, likely due to the necessity for uptime, as these systems were overwhelmed with handling the ongoing COVID-19 pandemic. We observed initial Ryuk ransom requests ranging from US$600,000 to $10 million across multiple industries.”

On May 14, 2021, Ireland’s Health Service Executive (HSE) suffered a major ransomware attack at the hands of Conti. The attack would disrupt services at several Irish hospitals, and resulted in the near complete shutdown of the HSE’s national and local networks, forcing the cancellation of many outpatient clinics and healthcare services. It took the HSE until Sept. 21, 2021 to fully restore all of its systems from the attack, at an estimated cost of more than $600 million.

It remains unclear from reading these chats how many of Conti’s staff understood how much of the organization’s operations overlapped with that of Ryuk. Lawrence Abrams at Bleeping Computer pointed to an October 2020 Conti chat in which the Emotet representative “Buza” posts a link to a security firm’s analysis of Ryuk’s return.

“Professor,” the nickname chosen by one of Conti’s most senior generals, replies that indeed Ryuk’s tools, techniques and procedures are nearly identical to Conti’s.

“adf.bat — this is my fucking batch file,” Professor writes, evidently surprised at having read the analysis and spotting his own code being re-used in high-profile ransomware attacks by Ryuk.

“Feels like [the] same managers were running both Ryuk and Conti, with a slow migration to Conti in June 2020,” Abrams wrote on Twitter. “However, based on chats, some affiliates didn’t know that Ryuk and Conti were run by the same people.”

Conti Ransomware Group Diaries, Part I: Evasion

March 1, 2022

A Ukrainian security researcher this week leaked several years of internal chat logs and other sensitive data tied to Conti, an aggressive and ruthless Russian cybercrime group that focuses on deploying its ransomware to companies with more than $100 million in annual revenue. The chat logs offer a fascinating glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. The records also provide insight into how Conti has dealt with its own internal breaches and attacks from private security firms and foreign governments.

Conti’s threatening message this week regarding international interference in Ukraine.

Conti makes international news headlines each week when it publishes to its dark web blog new information stolen from ransomware victims who refuse to pay an extortion demand. In response to Russia’s invasion of Ukraine, Conti published a statement announcing its “full support.”

“If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy,” the Conti blog post read.

On Sunday, Feb. 27, a new Twitter account “Contileaks” posted links to an archive of chat messages taken from Conti’s private communications infrastructure, dating from January 29, 2021 to the present day. Shouting “Glory for Ukraine,” the Contileaks account has since published additional Conti employee conversations from June 22, 2020 to Nov. 16, 2020.

The Contileaks account did not respond to requests for comment. But Alex Holden, the Ukrainian-born founder of the Milwaukee-based cyber intelligence firm Hold Security, said the person who leaked the information is not a former Conti affiliate — as many on Twitter have assumed. Rather, he said, the leaker is a Ukrainian security researcher who has chosen to stay in his country and fight.

“The person releasing this is a Ukrainian and a patriot,” Holden said. “He’s seeing that Conti is supporting Russia in its invasion of Ukraine, and this is his way to stop them in his mind at least.”

GAP #1

The temporal gaps in these chat records roughly correspond to times when Conti’s IT infrastructure was dismantled and/or infiltrated by security researchers, private companies, law enforcement, and national intelligence agencies. The holes in the chat logs also match up with periods of relative quiescence from the group, as it sought to re-establish its network of infected systems and dismiss its low-level staff as a security precaution.

On Sept. 22, 2020, the U.S. National Security Agency (NSA) began a weeks-long operation in which it seized control over the Trickbot botnet, a malware crime machine that has infected millions of computers and is often used to spread ransomware. Conti is one of several cybercrime groups that have regularly used Trickbot to deploy malware.

Once in control over Trickbot, the NSA’s hackers sent all infected systems a command telling them to disconnect themselves from the Internet servers the Trickbot overlords used to control compromised Microsoft Windows computers. On top of that, the NSA stuffed millions of bogus records about new victims into the Trickbot database.

News of the Trickbot compromise was first published here on Oct. 2, 2020, but the leaked Conti chats show that the group’s core leadership detected something was seriously wrong with their crime machine just a few hours after the initial compromise of Trickbot’s infrastructure on Sept. 22.

“The one who made this garbage did it very well,” wrote “Hof,” the handle chosen by a top Conti leader, commenting on the Trickbot malware implant that was supplied by the NSA and quickly spread to the rest of the botnet. “He knew how the bot works, i.e. he probably saw the source code, or reversed it. Plus, he somehow encrypted the config, i.e. he had an encoder and a private key, plus uploaded it all to the admin panel. It’s just some kind of sabotage.”

“Moreover, the bots have been flooded with such a config that they will simply work idle,” Hof explained to his team on Sept. 23, 2020. Hof noted that the intruder even kneecapped Trickbot’s built-in failsafe recovery mechanism. Trickbot was configured so that if none of the botnet’s control servers were reachable, the bots could still be recaptured and controlled by registering a pre-computed domain name on EmerDNS, a decentralized domain name system based on the Emercoin virtual currency.

“After a while they will download a new config via emercoin, but they will not be able to apply this config, because this saboteur has uploaded the config with the maximum [version] number, and the bot is checking that the new config [version number] should be larger than the old one,” Hof wrote. “Sorry, but this is fucked up. I don’t know how to get them back.”

It would take the Conti gang several weeks to rebuild its malware infrastructure, and infect tens of thousands of new Microsoft Windows systems. By late October 2020, Conti’s network of infected systems had grown to include 428 medical facilities throughout the United States. The gang’s leaders saw an opportunity to create widespread panic — if not also chaos — by deploying their ransomware simultaneously to hundreds of American healthcare organizations already struggling amid a worldwide pandemic.

“Fuck the clinics in the USA this week,” wrote Conti manager “Target” on Oct. 26, 2020. “There will be panic. 428 hospitals.”

On October 28, the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”

Follow-up reporting confirmed that at least a dozen healthcare organizations were hit with ransomware that week, but the carnage apparently was not much worse than a typical week in the healthcare sector. One information security leader in the healthcare industry told KrebsOnSecurity at the time that it wasn’t uncommon for the industry to see at least one hospital or health care facility hit with ransomware each day.

Russia Sanctions May Spark Escalating Cyber Conflict

February 25, 2022

President Biden joined European leaders this week in enacting economic sanctions against Russia in response to its invasion of Ukraine. The West has promised tougher sanctions are coming, but experts warn these will almost certainly trigger a Russian retaliation against America and its allies, which could escalate into cyber attacks on Western financial institutions and energy infrastructure.

Michael Daniel is a former cybersecurity advisor to the White House during the Obama administration who now heads the Cyber Threat Alliance, an industry group focused on sharing threat intelligence among members. Daniel said there are two primary types of cyber threats the group is concerned about potentially coming in response to sanctions on Russia.

The first involves what Daniel called “spillover and collateral damage” — a global malware contagion akin to a NotPetya event — basically some type of cyber weapon that has self-propagating capabilities and may even leverage a previously unknown security flaw in a widely-used piece of hardware or software.

Russia has been suspected of releasing NotPetya, a large-scale cyberattack in 2017 initially aimed at Ukrainian businesses that mushroomed into an extremely disruptive and expensive global malware outbreak.

“The second level [is that] in retaliation for sanctions or perceived interference, Russia steps up more direct attacks on Western organizations,” Daniel said. “The Russians have shown themselves to be incredibly ingenious and creative in terms of how they come up with targets that seem to catch us by surprise. If the situation escalates in cyberspace, there could be some unanticipated organizations that end up in the crosshairs.”

What kinds of attacks are experts most concerned about? In part because the Russian economy is so dependent on energy exports, Russia has invested heavily in probing for weaknesses in the cyber systems that support bulk power production and distribution.

Ukraine has long been used as the testing grounds for Russian offensive hacking capabilities targeting power infrastructure. State-backed Russian hackers have been blamed for the Dec. 23, 2015 cyberattack on Ukraine’s power grid that left 230,000 customers shivering in the dark.

Experts warn that Russia could just as easily use its arsenal of sneaky cyber exploits against energy systems that support U.S. and European nations. In 2014, then National Security Agency Director Mike Rogers told lawmakers that hackers had been breaking into U.S. power utilities to probe for weaknesses, and that Russia had been caught planting malware in the same kind of industrial computers used by power utilities.

“All of that leads me to believe it is only a matter of when, not if, we are going to see something dramatic,” Rogers said at the time.

That haunting prophecy is ringing anew as European leaders work on hammering out additional sanctions, which the European Commission president says will restrict the Russian economy’s ability to function by starving it of important technology and access to finance.

A draft of the new penalties obtained by The New York Times would see the European Union ban the export of aircraft and spare parts that are necessary for the maintenance of Russian fleets.

“The bloc will also ban the export of specialized oil-refining technology as well as semiconductors, and it will penalize more banks — although it will stop short of targeting VTB, Russia’s second-largest bank, which is already crippled by American and British sanctions,” The Times wrote.

Dmitri Alperovitch is co-founder and former chief technology officer at the security firm CrowdStrike. Writing for The Economist, Alperovitch said America must tailor its response carefully to avoid initiating a pattern of escalation that could result in a potentially devastating hot war with Russia.

“The proposed combination of sanctions on top Russian banks and implementation of export controls on semiconductors would be likely to severely debilitate the Russian economy,” Alperovitch wrote. “And although many in the West may initially cheer this outcome as righteous punishment for Russia’s blatant violation of Ukrainian sovereignty, these measures will probably trigger significant Russian retaliation against America. That prospect all but guarantees that the conflict will not come to an end with an invasion of Ukraine.”

Faced with a potentially existential threat to its economic well-being — and seeing itself as having nothing more to lose — Russia will have several tools at its disposal with which to respond, he said: One of those will be carrying out cyber-attacks against American and European financial institutions and energy infrastructure.

“Having already exhausted the power of economic sanctions, America and its European allies would have few choices other than to respond to these attacks with offensive cyber-strikes of their own,” Alperovitch wrote. “This pattern of tit-for-tat cyber retaliation could place Russia and the West on a worrying path. It could end with the conflict spilling out of cyberspace and into the realm of a hot conflict. This outcome—a hot conflict between two nuclear powers with extensive cyber capabilities—is one that everyone in the world should be anxious to avoid.”

In May 2021, Russian cybercriminals unleashed a ransomware attack against Colonial Pipeline, a major fuel distributor in the United States. The resulting outage caused fuel shortages and price spikes across the nation. Alperovitch says a retaliation from Russia in response to sanctions could make the Colonial Pipeline attack seem paltry by comparison.

“The colonial pipeline is going to be like child’s play if the Russians truly unleash all their capability,” Alperovitch told CNBC this week.

For example, having your organization’s computers and servers locked by ransomware may seem like a day at the park compared to getting hit with “wiper” malware that simply overwrites or corrupts data on infected systems.

Kim Zetter, a veteran Wired reporter who now runs her own cybersecurity-focused Substack newsletter, has painstakingly documented two separate wiper attacks launched in the lead-up to the Russian invasion that targeted Ukrainian government and contractor networks, as well as systems in Latvia and Lithuania.

One contractor interviewed by Zetter said the wiper attacks appeared to be extremely targeted, going after organizations that support the Ukrainian government — regardless of where those organizations are physically located.

Report: Missouri Governor’s Office Responsible for Teacher Data Leak

February 22, 2022

Missouri Governor Mike Parson made headlines last year when he vowed to criminally prosecute a journalist for reporting a security flaw in a state website that exposed personal information of more than 100,000 teachers. But Missouri prosecutors now say they will not pursue charges following revelations that the data had been exposed since 2011 — two years after responsibility for securing the state’s IT systems was centralized within Parson’s own Office of Administration.

Missouri Gov. Mike Parson (R), vowing to prosecute the St. Louis Post-Dispatch for reporting a security vulnerability that exposed teacher SSNs.

In October 2021, St. Louis Post-Dispatch reporter Josh Renaud alerted Missouri education department officials that their website was exposing the Social Security numbers of more than 100,000 primary and secondary teachers in the state. Renaud found teachers’ SSNs were accessible in the HTML source code of some Missouri education department webpages.

After confirming that state IT officials had secured the exposed teacher data, the Post-Dispatch ran a story about their findings. Gov. Parson responded by holding a press conference in which he vowed his administration would seek to prosecute and investigate “the hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.”

“The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so,” Parson said in October. “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.”

Parson tasked the Missouri Highway Patrol to produce a report on their investigation into “the hackers.” On Monday, Feb. 21, The Post-Dispatch published the 158-page report (PDF), which concluded after 175 hours of investigation that Renaud did nothing wrong and only accessed information that was publicly available.

Emails later obtained by the Post-Dispatch showed that the FBI told state cybersecurity officials that there was “not an actual network intrusion” and the state database was “misconfigured.” The emails also revealed the proposed message when education department leaders initially prepared to respond in October:

“We are grateful to the member of the media who brought this to the state’s attention,” was the proposed quote attributed to the state’s education commissioner before Parson began shooting the messenger.

Red Cross Hack Linked to Iranian Influence Operation?

February 16, 2022

A network intrusion at the International Committee for the Red Cross (ICRC) in January led to the theft of personal information on more than 500,000 people receiving assistance from the group. KrebsOnSecurity has learned that the email address used by a cybercriminal actor who offered to sell the stolen ICRC data also was used to register multiple domain names the FBI says are tied to a sprawling media influence operation originating from Iran.

On Jan. 19, the ICRC disclosed the compromise of servers hosting the personal information of more than 500,000 people receiving services from the Red Cross and Red Crescent Movement. The ICRC said the hacked servers contained data relating to the organization’s Restoring Family Links services, which works to reconnect people separated by war, violence, migration and other causes.

The same day the ICRC went public with its breach, someone using the nickname “Sheriff” on the English-language cybercrime forum RaidForums advertised the sale of data from the Red Cross and Red Crescent Movement. Sheriff’s sales thread suggests the ICRC was asked to pay a ransom to guarantee the data wouldn’t be leaked or sold online.

“Mr. Mardini, your words have been heard,” Sheriff wrote, posting a link to the Twitter profile of ICRC General Director Robert Mardini and urging forum members to tell him to check his email. “Check your email and send a figure you can pay.”

RaidForums member “unindicted” aka Sheriff selling access to the International Red Cross and Red Crescent Movement data. Image: Ke-la.com

In their online statement about the hack (updated on Feb. 7) the ICRC said it had not had any contact with the hackers, and no ransom demand had been made.

“In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action,” the ICRC statement reads.

Asked to comment on Sheriff’s claims, the ICRC issued the following statement:

“Right now, we do not have any conclusive evidence that this information from the data breach has been published or is being traded. Our cybersecurity team has looked into any reported allegation of data being available on the dark web.”

Update, 2:00 p.m., ET: The ICRC just published an update to its FAQ on the breach. The ICRC now says the hackers broke in on Nov. 9, 2021, using an unpatched critical vulnerability (CVE-2021-40539). “This vulnerability allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators. This in turn allowed them to access the data, despite this data being encrypted.”

Original story:

The email address that Sheriff used to register at RaidForums — kelvinmiddelkoop@hotmail.com — appears in an affidavit for a search warrant filed by the FBI roughly a year ago. That FBI warrant came on the heels of an investigation published by security firm FireEye, which examined an Iranian-based network of inauthentic news sites and social media accounts aimed at the United States, U.K. and other western audiences.

“This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests,” FireEye researchers wrote. “These narratives include anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. policies favorable to Iran.”

The FBI says the domains registered by the email address tied to Sheriff’s RaidForums account were used in service of the Liberty Front Press, a network of phony news sites thought to originate from Iran.

According to the FBI affidavit, the address kelvinmiddelkoop@hotmail.com was used to register at least three different domains for phony news sites, including awdnews[.]com, sachtimes[.]com, and whatsupic[.]com. A reverse WHOIS search on that email address at DomainTools.com (an advertiser on this site) shows it was used to register 17 domains between 2012 and 2021, including moslimyouthmedia[.]com, moslempress[.]com, and realneinovosti[.]net.

Wazawaka Goes Waka Waka

February 14, 2022

In January, KrebsOnSecurity examined clues left behind by “Wazawaka,” the hacker handle chosen by a major ransomware criminal in the Russian-speaking cybercrime scene. Wazawaka has since “lost his mind” according to his erstwhile colleagues, creating a Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance, and publishing bizarre selfie videos taunting security researchers and journalists.

Wazawaka, a.k.a. Mikhail P. Matveev, a.k.a. “Orange,” a.k.a. “Boriselcin,” showing off his missing ring finger.

In last month’s story, we explored clues that led from Wazawaka’s multitude of monikers, email addresses, and passwords to a 30-something father in Abakan, Russia named Mikhail Pavlovich Matveev. This post concerns itself with the other half of Wazawaka’s identities not mentioned in the first story, such as how Wazawaka also ran the Babuk ransomware affiliate program, and later became “Orange,” the founder of the ransomware-focused Dark Web forum known as “RAMP.”

The same day the initial profile on Wazawaka was published here, someone registered the Twitter account “@fuck_maze,” a possible reference to the now-defunct Maze Ransomware gang.

The background photo for the @fuck_maze profile included a logo that read “Waka Waka;” the bio for the account took a swipe at Dmitry Smilyanets, a researcher and blogger for The Record who was once part of a cybercrime group the Justice Department called the “largest known data breach conspiracy ever prosecuted.”

The @fuck_maze account messaged me a few times on Twitter, but largely stayed silent until Jan. 25, when it tweeted three videos of a man who appeared identical to Matveev’s social media profile on Vkontakte (the Russian version of Facebook). The man seemed to be slurring his words quite a bit, and started by hurling obscenities at Smilyanets, journalist Catalin Cimpanu (also at The Record), and a security researcher from Cisco Talos.

At the beginning of the videos, Matveev holds up his left hand to demonstrate that his ring finger is missing. This he smugly presents as evidence that he is indeed Wazawaka.

The story goes that Wazawaka at one point made a bet wherein he wagered his finger, and upon losing the bet severed it himself. It’s unclear if that is the real story about how Wazawaka lost the ring finger on his left hand; his remaining fingers appear oddly crooked.

“Hello Brian Krebs! You did a really great job actually, really well, fucking great — it’s great that journalism works so well in the US,” Matveev said in the video. “By the way, it is my voice in the background, I just love myself a lot.”

In one of his three videos, Wazawaka says he’s going to release exploit code for a security vulnerability. Later that same day, the @fuck_maze account posted a link to a Pastebin-like site that included working exploit code for a recently patched security hole in SonicWall VPN appliances (CVE-2021-20028).

When KrebsOnSecurity first started researching Wazawaka in 2021, it appeared this individual also used two other important nicknames on the Russian-speaking crime forums. One was Boriselcin, a particularly talkative and brash personality who was simultaneously the public persona of Babuk, a ransomware affiliate program that surfaced on New Year’s Eve 2020.

The other handle that appeared tied to Wazawaka was “Orange,” the founder of the RAMP ransomware forum. I just couldn’t convincingly connect those two identities with Wazawaka using the information available at the time. This post is an attempt to remedy that.

Russian Govt. Continues Carding Shop Crackdown

February 9, 2022

Russian authorities have arrested six men accused of operating some of the most active online bazaars for selling stolen payment card data. The crackdown — the second closure of major card fraud shops by Russian authorities in as many weeks — comes closely behind Russia’s arrest of 14 alleged affiliates of the REvil ransomware gang, and has many in the cybercrime underground asking who might be next.

Dept. K’s message for Trump’s Dumps users.

On Feb. 7 and 8, the domains for the carding shops Trump’s Dumps, Ferum Shop, Sky-Fraud and UAS were seized by Department K, a division of the Ministry of Internal Affairs of the Russian Federation that focuses on computer crimes. The websites for the carding stores were retrofitted with a message from Dept. K asking, “Which one of you is next?”

According to cyber intelligence analysts at Flashpoint, that same message was included in the website for UniCC, another major and venerated carding shop that was seized by Dept. K in January.

Around the same time Trump’s Dumps and the other three shops began displaying the Dept. K message, the Russian state-owned news outlet TASS moved a story naming six Russian men who were being charged with “the illegal circulation of means of payment.”

TASS reports the six detained include Denis Pachevsky, general director of Saratovfilm Film Company LLC; Alexander Kovalev, an individual entrepreneur; Artem Bystrykh, an employee of Transtekhkom LLC; Artem Zaitsev, an employee of Get-net LLC; and two unemployed workers, Vladislav Gilev and Yaroslav Solovyov.

None of the stories about the arrests tie the men to the four carding sites. But Flashpoint found that all of the domains seized by Dept. K were registered and hosted through Zaitsev’s company — Get-net LLC.

“All four sites frequently advertised one another, which is generally atypical for two card marketplaces competing in the same space,” Flashpoint analysts wrote.

Stas Alforov is director of research for Gemini Advisory, a New York firm that monitors underground cybercrime markets. Alforov said it is most unusual for the Russians to go after carding sites that aren’t selling data stolen from Russian citizens.

“It’s not in their business to be taking down Russian card shops,” Alforov said. “Unless those shops were somehow selling data on Russian cardholders, which they weren’t.”

A carding shop that sold stolen credit cards and invoked 45’s likeness and name was among those taken down this week by Russian authorities.

Debuting in 2011, Ferum Shop is one of the oldest observed dark web marketplaces selling “card not present” data (customer payment records stolen from hacked online merchants), according to Gemini.

“Every year for the last 5 years, the marketplace has been a top 5 source of card not present records in terms of records posted for sale,” Gemini found. “In this time period, roughly 66% of Ferum Shop’s records have been from United States financial institutions. The remaining 34% have come from over 200 countries.”

In contrast, Trump’s Dumps focuses on selling card data stolen from hacked point-of-sale devices, and it benefited greatly from the January 2021 retirement of Joker’s Stash, which for years dwarfed most other carding shops by volume. Gemini found Trump’s Dumps gained roughly 40 percent market share after Joker’s closure, and that more than 87 percent of the payment card records it sells are from U.S. financial institutions.

“In the past 5 years, Ferum Shop and Trump’s Dumps have cumulatively added over 64 million compromised payment cards,” Alforov wrote. “Based on average demand for CP and CNP records and the median price of $10, the total revenue from these sales is estimated to be over $430 million. Due to the 20 to 30% commission that shops generally receive, the administrators of Ferum Shop and Trump’s Dumps likely generated between $86 and $129 million in profits from these card sales.”

Microsoft Patch Tuesday, February 2022 Edition

February 8, 2022

Microsoft today released software updates to plug security holes in its Windows operating systems and related software. This month’s relatively light patch batch is refreshingly bereft of any zero-day threats, or even scary critical vulnerabilities. But it does fix four dozen flaws, including several that Microsoft says will likely soon be exploited by malware or malcontents.

While none of the patches address bugs that earned Microsoft’s most dire “critical” rating, there are multiple “remote code execution” vulnerabilities that Redmond believes are ripe for exploitation. Among those is CVE-2022-22005, a weakness in Microsoft’s SharePoint Server versions 2013-2019 that could be exploited by any authenticated user.

“The vulnerability does require an attacker to be authenticated in order to exploit it, which is likely why Microsoft only labeled it ‘Important,’” said Allan Liska, senior security architect at Recorded Future. “However, given the number of stolen credentials readily available on underground markets, getting authenticated could be trivial. Organizations that have public-facing SharePoint Servers should prioritize implementing this patch.”

Kevin Breen at Immersive Labs called attention to CVE-2022-21996, an elevation of privilege vulnerability in the core Windows component “Win32k.”

“In January we saw CVE-2022-21882, a vulnerability in Win32k that was being actively exploited in the wild, which prompted CISA to issue a directive to all federal agencies to mandate that patches be applied,” Breen said. “February sees more patches for the same style of vulnerability in this same component. It’s not clear from the release notes whether this is a brand new vulnerability or if it is related to the previous month’s update. Either way, we have seen attackers leverage this vulnerability so it’s safer to err on the side of caution and update this one quickly.”

Another elevation of privilege flaw, CVE-2022-21989 in the Windows Kernel, was the only vulnerability fixed this month that was publicly disclosed prior to today.

“Despite the lack of critical fixes, it’s worth remembering that attackers love to use elevation of privilege vulnerabilities, of which there are 18 this month,” said Greg Wiseman, product manager at Rapid7. “Remote code execution vulnerabilities are also important to patch, even if they may not be considered ‘wormable.’ In terms of prioritization, defenders should first focus on patching server systems.”

February’s Patch Tuesday is once again brought to you by Print Spooler, the Windows component responsible for handling printing jobs. Four of the bugs quashed in this release relate to our friend Mr. Print Spooler. In July 2021, Microsoft issued an emergency fix for a Print Spooler flaw dubbed “PrintNightmare” that was actively being exploited to remotely compromise Windows PCs. Redmond has been steadily spooling out patches for this service ever since.