FEED Validator

for Atom and RSS and KML

Congratulations!

This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

line 12, column 94: Self reference doesn't match document location [help]

... rel="self" type="application/rss+xml" />
                                             ^

line 53, column 0: content:encoded should not contain decoding attribute (18 occurrences) [help]
```
<img decoding="async" class="aligncenter wp-image-60331" src="https://kre ...
```
line 53, column 0: content:encoded should not contain sizes attribute (13 occurrences) [help]
```
<img decoding="async" class="aligncenter wp-image-60331" src="https://kre ...
```
line 112, column 0: content:encoded should not contain aria-describedby attribute (9 occurrences) [help]
```
<div id="attachment_67453" style="width: 260px" class="wp-caption alignright ...
```
line 112, column 0: content:encoded should not contain loading attribute (17 occurrences) [help]
```
<div id="attachment_67453" style="width: 260px" class="wp-caption alignright ...
```
line 222, column 0: content:encoded should not contain data-extlink attribute [help]
```
The Justice Department is urging victims targeted by LockBit to contact t ...
```

line 262, column 0: content:encoded should not contain iframe tag [help]

<div style="text-align: center;"><iframe loading="lazy" title="YouTube video ...

line 473, column 3: content:encoded should not contain relative URL references: //www.postandcourier.com/columbia/news/scs-massive-data-breach-10-years-later-questions-linger-as-investigation-remains-open/article_29dd8164-4025-11ed-9433-73cafd23fadb.html [help]
```
]]></content:encoded>
   ^
```

Source: http://feeds.feedburner.com/krebsonsecurity/TEjH

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>Krebs on Security</title>
<atom:link href="https://krebsonsecurity.com/feed/?" rel="self" type="application/rss+xml" />
<link>https://krebsonsecurity.com</link>
<description>In-depth security news and investigation</description>
<lastBuildDate>Wed, 15 May 2024 12:28:20 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>
hourly </sy:updatePeriod>
<sy:updateFrequency>
1 </sy:updateFrequency>
<generator>https://wordpress.org/?v=6.2.2</generator>
<item>
<title>Patch Tuesday, May 2024 Edition</title>
<link>https://krebsonsecurity.com/2024/05/patch-tuesday-may-2024-edition/</link>
<comments>https://krebsonsecurity.com/2024/05/patch-tuesday-may-2024-edition/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Tue, 14 May 2024 20:19:23 +0000</pubDate>
<category><![CDATA[Time to Patch]]></category>
<category><![CDATA[acrobat]]></category>
<category><![CDATA[Adobe Aero]]></category>
<category><![CDATA[Adobe Animate]]></category>
<category><![CDATA[Adobe Framemaker]]></category>
<category><![CDATA[Adobe Substance 3D Painter]]></category>
<category><![CDATA[CVE-2024-30040]]></category>
<category><![CDATA[CVE-2024-30044]]></category>
<category><![CDATA[CVE-2024-30051]]></category>
<category><![CDATA[Google Chrome]]></category>
<category><![CDATA[Illustrator]]></category>
<category><![CDATA[Immersive Labs]]></category>
<category><![CDATA[Kevin Breen]]></category>
<category><![CDATA[macOS Sonoma 14.5 update]]></category>
<category><![CDATA[MSHTML]]></category>
<category><![CDATA[Qakbot]]></category>
<category><![CDATA[reader]]></category>
<category><![CDATA[Satnam Narang]]></category>
<category><![CDATA[Sharepoint]]></category>
<category><![CDATA[Tenable]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=67337</guid>
<description><![CDATA[Microsoft today released updates to fix more than 60 security holes in Windows computers and supported software, including two "zero-day" vulnerabilities in Windows that are already being exploited in active attacks. There are also important security patches available for macOS and Adobe users, and for the Chrome Web browser, which just patched its own zero-day flaw.]]></description>
<content:encoded><![CDATA[Microsoft today released updates to fix more than 60 security holes in Windows computers and supported software, including two “zero-day” vulnerabilities in Windows that are already being exploited in active attacks. There are also important security patches available for macOS and Adobe users, and for the Chrome Web browser, which just patched its own zero-day flaw.
<img decoding="async" class="aligncenter wp-image-60331" src="https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate.png" alt="" width="749" height="496" srcset="https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate.png 923w, https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate-768x508.png 768w, https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate-782x518.png 782w" sizes="(max-width: 749px) 100vw, 749px" />
First, the zero-days. <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-30051" target="_blank" rel="noopener">CVE-2024-30051</a> is an “elevation of privilege” bug in a core Windows library. Satnam Narang at Tenable said this flaw is being used as part of post-compromise activity to elevate privileges as a local attacker.
“CVE-2024-30051 is used to gain initial access into a target environment and requires the use of social engineering tactics via email, social media or instant messaging to convince a target to open a specially crafted document file,” Narang said. “Once exploited, the attacker can bypass OLE mitigations in Microsoft 365 and Microsoft Office, which are security features designed to protect end users from malicious files.”
Kaspersky Lab, one of two companies credited with reporting exploitation of CVE-2024-30051 to Microsoft, has published <a href="https://securelist.com/cve-2024-30051/112618/" target="_blank" rel="noopener">a fascinating writeup</a> on how they discovered the exploit in a file shared with Virustotal.com.
Kaspersky said it has since seen the exploit used together with <a href="https://krebsonsecurity.com/2023/08/u-s-hacks-qakbot-quietly-removes-botnet-infections/" target="_blank" rel="noopener">QakBot</a> and other malware. Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations.
<a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-30040" target="_blank" rel="noopener">CVE-2024-30040</a> is a security feature bypass in MSHTML, a component that is deeply tied to the default Web browser on Windows systems. Microsoft’s advisory on this flaw is fairly sparse, but Kevin Breen from Immersive Labs said this vulnerability also affects Office 365 and Microsoft Office applications.
“Very little information is provided and the short description is painfully obtuse,” Breen said of Microsoft’s advisory on CVE-2024-30040.

The only vulnerability fixed this month that earned Microsoft’s most-dire “critical” rating is <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-30044" target="_blank" rel="noopener">CVE-2024-30044</a>, a flaw in Sharepoint that Microsoft said is likely to be exploited. Tenable’s Narang notes that exploitation of this bug requires an attacker to be authenticated to a vulnerable SharePoint Server with Site Owner permissions (or higher) first and to take additional steps in order to exploit this flaw, which makes this flaw less likely to be widely exploited as most attackers follow the path of least resistance.
Five days ago, Google <a href="https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.html" target="_blank" rel="noopener">released a security update for Chrome</a> that fixes a zero-day in the popular browser. Chrome usually auto-downloads any available updates, but it still may require a complete restart of the browser to install them. If you use Chrome and see a “Relaunch to update” message in the upper right corner of the browser, it’s time to restart.
Apple has just shipped <a href="https://support.apple.com/en-us/HT214106" target="_blank" rel="noopener">macOS Sonoma 14.5 update</a>, which includes nearly two dozen security patches. To ensure your Mac is up-to-date, go to System Settings, General tab, then Software Update and follow any prompts.
Finally, Adobe has <a href="https://helpx.adobe.com/security.html" target="_blank" rel="noopener">critical security patches available</a> for a range of products, including Acrobat, Reader, Illustrator, Adobe Substance 3D Painter, Adobe Aero, Adobe Animate and Adobe Framemaker.
Regardless of whether you use a Mac or Windows system (or something else), it’s always a good idea to backup your data and or system before applying any security updates. For a closer look at the individual fixes released by Microsoft today, check out the complete list over at the <a href="https://isc.sans.edu/forums/diary/Microsoft%20May%202024%20Patch%20Tuesday/30920/" target="_blank" rel="noopener">SANS Internet Storm Center</a>. Anyone in charge of maintaining Windows systems in an enterprise environment should keep an eye on <a href="http://askwoody.com" target="_blank" rel="noopener">askwoody.com</a>, which usually has the scoop on any wonky Windows patches.
Update, May 15, 8:28 a.m.: Corrected misattribution of CVE-2024-30051.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2024/05/patch-tuesday-may-2024-edition/feed/</wfw:commentRss>
<slash:comments>9</slash:comments>
</item>
<item>
<title>How Did Authorities Identify the Alleged Lockbit Boss?</title>
<link>https://krebsonsecurity.com/2024/05/how-did-authorities-identify-the-alleged-lockbit-boss/</link>
<comments>https://krebsonsecurity.com/2024/05/how-did-authorities-identify-the-alleged-lockbit-boss/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Mon, 13 May 2024 11:26:27 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Breadcrumbs]]></category>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[Ransomware]]></category>
<category><![CDATA[3k@xakep.ru]]></category>
<category><![CDATA[7.9521020220]]></category>
<category><![CDATA[antichat]]></category>
<category><![CDATA[Cerber]]></category>
<category><![CDATA[Constella Intelligence]]></category>
<category><![CDATA[d.horoshev@gmail.com]]></category>
<category><![CDATA[Dmitrij Ju Horoshev]]></category>
<category><![CDATA[Dmitry Yuriyevich Khoroshev]]></category>
<category><![CDATA[exploit]]></category>
<category><![CDATA[ICQ number 669316]]></category>
<category><![CDATA[Intel 471]]></category>
<category><![CDATA[khoroshev1@icloud.com]]></category>
<category><![CDATA[LockBit]]></category>
<category><![CDATA[LockBitSupp]]></category>
<category><![CDATA[NeroWolfe]]></category>
<category><![CDATA[pin@darktower.su]]></category>
<category><![CDATA[Putinkrab]]></category>
<category><![CDATA[ransomware-as-a-service]]></category>
<category><![CDATA[sitedev5@yandex.ru]]></category>
<category><![CDATA[stairwell.ru]]></category>
<category><![CDATA[tkaner.com]]></category>
<category><![CDATA[U.S. Department of the Treasury]]></category>
<category><![CDATA[Verified]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=67396</guid>
<description><![CDATA[Last week, the United States joined the U.K. and Australia in sanctioning and charging a Russian man named Dmitry Yuryevich Khoroshev as the leader of the infamous LockBit ransomware group. LockBit's leader "LockBitSupp" claims the feds named the wrong guy, saying the charges don't explain how they connected him to Khoroshev. This post examines the activities of Khoroshev's many alter egos on the cybercrime forums, and tracks the career of a gifted malware author who has written and sold malicious code for the past 14 years.]]></description>
<content:encoded><![CDATA[Last week, the United States joined the U.K. and Australia in sanctioning and charging a Russian man named Dmitry Yuryevich Khoroshev as the leader of the infamous LockBit ransomware group. LockBit’s leader “LockBitSupp” claims the feds named the wrong guy, saying the charges don’t explain how they connected him to Khoroshev. This post examines the activities of Khoroshev’s many alter egos on the cybercrime forums, and tracks the career of a gifted malware author who has written and sold malicious code for the past 14 years.
<div id="attachment_67453" style="width: 260px" class="wp-caption alignright"><img aria-describedby="caption-attachment-67453" decoding="async" loading="lazy" class=" wp-image-67453" src="https://krebsonsecurity.com/wp-content/uploads/2024/05/khoroshev-sq.png" alt="" width="250" height="255" />Dmitry Yuryevich Khoroshev. Image: treasury.gov.</div>
On May 7, the U.S. Department of Justice <a href="https://www.justice.gov/opa/media/1350921/dl?inline" target="_blank" rel="noopener">indicted</a> Khoroshev on 26 criminal counts, including extortion, wire fraud, and conspiracy. The government alleges Khoroshev created, sold and used the LockBit ransomware strain to personally extort more than $100 million from hundreds of victim organizations, and that LockBit as a group extorted roughly half a billion dollars over four years.
Federal investigators say Khoroshev ran LockBit as a “ransomware-as-a-service” operation, wherein he kept 20 percent of any ransom amount paid by a victim organization infected with his code, with the remaining 80 percent of the payment going to LockBit affiliates responsible for spreading the malware.
Financial <a href="https://ofac.treasury.gov/recent-actions/20240507" target="_blank" rel="noopener">sanctions levied against Khoroshev</a> by the U.S. Department of the Treasury listed his known email and street address (in Voronezh, in southwest Russia), passport number, and even his tax ID number (hello, Russian tax authorities). The Treasury filing says Khoroshev used the emails sitedev5@yandex.ru, and khoroshev1@icloud.com.
According to <a href="https://www.domaintools.com" target="_blank" rel="noopener">DomainTools.com</a>, the address sitedev5@yandex.ru was used to register at least six domains, including a Russian business registered in Khoroshev’s name called tkaner.com, which is a blog about clothing and fabrics.
A search at the breach-tracking service <a href="https://constella.ai" target="_blank" rel="noopener">Constella Intelligence</a> on the phone number in Tkaner’s registration records — 7.9521020220 — brings up multiple official Russian government documents listing the number’s owner as Dmitri Yurievich Khoroshev.
Another domain registered to that phone number was stairwell[.]ru, which at one point advertised the sale of wooden staircases. Constella finds that the email addresses webmaster@stairwell.ru and admin@stairwell.ru used the password 225948.
DomainTools reports that stairwell.ru for several years included the registrant’s name as “Dmitrij Ju Horoshev,” and the email address pin@darktower.su. According to Constella, this email address was used in 2010 to register an account for a Dmitry Yurievich Khoroshev from Voronezh, Russia at the hosting provider firstvds.ru.
<div id="attachment_67416" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-67416" decoding="async" loading="lazy" class=" wp-image-67416" src="https://krebsonsecurity.com/wp-content/uploads/2024/05/voronezh.png" alt="" width="750" height="499" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/05/voronezh.png 800w, https://krebsonsecurity.com/wp-content/uploads/2024/05/voronezh-768x511.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/05/voronezh-782x520.png 782w" sizes="(max-width: 750px) 100vw, 750px" />Image: Shutterstock.</div>
Cyber intelligence firm <a href="https://www.intel471.com" target="_blank" rel="noopener">Intel 471</a> finds that pin@darktower.ru was used by a Russian-speaking member called Pin on the English-language cybercrime forum Opensc. Pin was active on Opensc around March 2012, and authored 13 posts that mostly concerned data encryption issues, or how to fix bugs in code.
Other posts concerned custom code Pin claimed to have written that would bypass memory protections on Windows XP and Windows 7 systems, and inject malware into memory space normally allocated to trusted applications on a Windows machine.
Pin also was active at that same time on the Russian-language security forum Antichat, where they told fellow forum members to contact them at the ICQ instant messenger number 669316.
<h2>NEROWOLFE</h2>
A search on the ICQ number 669316 at Intel 471 shows that in April 2011, a user by the name NeroWolfe joined the Russian cybercrime forum Zloy using the email address d.horoshev@gmail.com, and from an Internet address in Voronezh, RU.
Constella finds the same password tied to webmaster@stairwell.ru (225948) was used by the email address 3k@xakep.ru, which Intel 471 says was registered to more than a dozen NeroWolfe accounts across just as many Russian cybercrime forums between 2011 and 2015.
NeroWolfe’s introductory post to the forum Verified in Oct. 2011 said he was a system administrator and C++ coder.
“Installing SpyEYE, ZeuS, any DDoS and spam admin panels,” NeroWolfe wrote. This user said they specialize in developing malware, creating computer worms, and crafting new ways to hijack Web browsers.
<img decoding="async" loading="lazy" class="aligncenter wp-image-53514" src="https://krebsonsecurity.com/wp-content/uploads/2020/11/ransomware.png" alt="" width="750" height="562" srcset="https://krebsonsecurity.com/wp-content/uploads/2020/11/ransomware.png 1016w, https://krebsonsecurity.com/wp-content/uploads/2020/11/ransomware-768x575.png 768w" sizes="(max-width: 750px) 100vw, 750px" />
“I can provide my portfolio on request,” NeroWolfe wrote. “P.S. I don’t modify someone else’s code or work with someone else’s frameworks.”
In April 2013, NeroWolfe wrote in a private message to another Verified forum user that he was selling a malware “loader” program that could bypass all of the security protections on Windows XP and Windows 7.
“The access to the network is slightly restricted,” NeroWolfe said of the loader, which he was selling for $5,000. “You won’t manage to bind a port. However, it’s quite possible to send data. The code is written in C.”
In an October 2013 discussion on the cybercrime forum Exploit, NeroWolfe weighed in on the karmic ramifications of ransomware. At the time, ransomware-as-a-service didn’t exist yet, and many members of Exploit were still making good money from “lockers,” relatively crude programs that locked the user out of their system until they agreed to make a small payment (usually a few hundred dollars via prepaid Green Dot cards).
Lockers, which presaged the coming ransomware scourge, were generally viewed by the Russian-speaking cybercrime forums as harmless moneymaking opportunities, because they usually didn’t seek to harm the host computer or endanger files on the system. Also, there were still plenty of locker programs that aspiring cybercriminals could either buy or rent to make a steady income.
NeroWolfe reminded forum denizens that they were just as vulnerable to ransomware attacks as their would-be victims, and that what goes around comes around.
“Guys, do you have a conscience?,” NeroWolfe wrote. “Okay, lockers, network gopstop aka business in Russian. The last thing was always squeezed out of the suckers. But encoders, no one is protected from them, including the local audience.”
If Khoroshev was ever worried that someone outside of Russia might be able to connect his early hacker handles to his real life persona, that’s not clear from reviewing his history online. In fact, the same email address tied to so many of NeroWolfe’s accounts on the forums — 3k@xakep.ru — was used in 2011 to create an account for a Dmitry Yurevich Khoroshev on the Russian social media network Vkontakte.
NeroWolfe seems to have abandoned all of his forum accounts sometime in 2016. In November 2016, an exploit[.]ru member filed an official complaint against NeroWolfe, saying NeroWolfe had been paid $2,000 to produce custom code but never finished the project and vanished.
It’s unclear what happened to NeroWolfe or to Khoroshev during this time. Maybe he got arrested, or some close associates did. Perhaps he just decided it was time to lay low and hit the reset on his operational security efforts, given his past failures in this regard. It’s also possible NeroWolfe landed a real job somewhere for a few years, fathered a child, and/or had to put his cybercrime career on hold.
<h2>PUTINKRAB</h2>
Or perhaps Khoroshev saw the coming ransomware industry for the endless pot of gold that it was about to become, and then dedicated himself to working on custom ransomware code. That’s what the government believes.
The indictment against Khoroshev says he used the hacker nickname Putinkrab, and Intel 471 says this corresponds to a username that was first registered across three major Russian cybercrime forums in early 2019.
KrebsOnSecurity could find no obvious connections between Putinkrab and any of Khoroshev’s older identities. However, if Putinkrab was Khoroshev, he would have learned from his past mistakes and started fresh with a new identity (which he did). But also, it is likely the government hasn’t shared all of the intelligence it has collected against him (more on that in a bit).
Putinkrab’s first posts on the Russian cybercrime forums XSS, Exploit and UFOLabs saw this user selling ransomware source code written in C.
<div id="attachment_67402" style="width: 795px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-67402" decoding="async" loading="lazy" class="size-full wp-image-67402" src="https://krebsonsecurity.com/wp-content/uploads/2024/05/putinkrab-ufo.png" alt="" width="785" height="849" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/05/putinkrab-ufo.png 785w, https://krebsonsecurity.com/wp-content/uploads/2024/05/putinkrab-ufo-768x831.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/05/putinkrab-ufo-782x846.png 782w" sizes="(max-width: 785px) 100vw, 785px" />A machine-translated ad for ransomware source code from Putinkrab on the Russian language cybercrime forum UFOlabs in 2019. Image: Ke-la.com.</div>
In April 2019, Putkinkrab offered an affiliate program that would run on top of his custom-made ransomware code.
“I want to work for a share of the ransoms: 20/80,” Putinkrab wrote on Exploit. “20 percent is my percentage for the work, you get 80% of the ransoms. The percentage can be reduced up to 10/90 if the volumes are good. But now, temporarily, until the service is fully automated, we are working using a different algorithm.”
Throughout the summer of 2019, Putinkrab posted multiple updates to Exploit about new features being added to his ransomware strain, as well as novel evasion techniques to avoid detection by security tools. He also told forum members he was looking for investors for a new ransomware project based on his code.
In response to an Exploit member who complained that the security industry was making it harder to profit from ransomware, Putinkrab said that was because so many cybercriminals were relying on crappy ransomware code.
“The vast majority of top antiviruses have acquired behavioral analysis, which blocks 95% of crypto-lockers at their root,” Putinkrab wrote. “Cryptolockers made a lot of noise in the press, but lazy system administrators don’t make backups after that. The vast majority of cryptolockers are written by people who have little understanding of cryptography. Therefore, decryptors appear on the Internet, and with them the hope that files can be decrypted without paying a ransom. They just sit and wait. Contact with the owner of the key is lost over time.”
Putinkrab said he had every confidence his ransomware code was a game-changer, and a huge money machine.
“The game is just gaining momentum,” Putinkrab wrote. “Weak players lose and are eliminated.”
The rest of his response was structured like a poem:
<blockquote>“In this world, the strongest survive. 
Our life is just a struggle. 
The winner will be the smartest, 
Who has his head on his shoulders.”</blockquote>
Putinkrab’s final post came on August 23, 2019. The Justice Department says the LockBit ransomware affiliate program was officially launched five months later. From there on out, the government says, Khoroshev adopted the persona of LockBitSupp. In his introductory post on Exploit, LockBit’s mastermind said the ransomware strain had been in development since September 2019.
The original LockBit malware was written in C (a language that NeroWolfe excelled at). Here’s the original description of LockBit, from its maker:
<blockquote>“The software is written in C and Assembler; encryption is performed through the I/O Completion Port; there is a port scanning local networks and an option to find all DFS, SMB, WebDAV network shares, an admin panel in Tor, automatic test decryption; a decryption tool is provided; there is a chat with Push notifications, a Jabber bot that forwards correspondence and an option to terminate services/processes in line which prevent the ransomware from opening files at a certain moment. The ransomware sets file permissions and removes blocking attributes, deletes shadow copies, clears logs and mounts hidden partitions; there is an option to drag-and-drop files/folders and a console/hidden mode. The ransomware encrypts files in parts in various places: the larger the file size, the more parts there are. The algorithms used are AES + RSA.
You are the one who determines the ransom amount after communicating with the victim. The ransom paid in any currency that suits you will be transferred to your wallets. The Jabber bot serves as an admin panel and is used for banning, providing decryption tools, chatting – Jabber is used for absolutely everything.”</blockquote>
<h2>CONCLUSION</h2>
Does the above timeline prove that NeroWolfe/Khoroshev is LockBitSupp? No. However, it does indicate Khoroshev was for many years deeply invested in countless schemes involving botnets, stolen data, and malware he wrote that others used to great effect. NeroWolfe’s many private messages from fellow forum members confirm this.
NeroWolfe’s specialty was creating custom code that employed novel stealth and evasion techniques, and he was always quick to volunteer his services on the forums whenever anyone was looking help on a malware project that called for a strong C or C++ programmer.
Someone with those qualifications — as well as demonstrated mastery of data encryption and decryption techniques — would have been in great demand by the ransomware-as-a-service industry that took off at around the same time NeroWolfe vanished from the forums.
Someone like that who is near or at the top of their game vis-a-vis their peers does not simply walk away from that level of influence, community status, and potential income stream unless forced to do so by circumstances beyond their immediate control.
It’s important to note that Putinkrab didn’t just materialize out of thin air in 2019 — suddenly endowed with knowledge about how to write advanced, stealthy ransomware strains. That knowledge clearly came from someone who’d already had years of experience building and deploying ransomware strains against real-life victim organizations.
Thus, whoever Putinkrab was before they adopted that moniker, it’s a safe bet they were involved in the development and use of earlier, highly successful ransomware strains. One strong possible candidate is <a href="https://blog.malwarebytes.com/detections/ransom-cerber/" target="_blank" rel="noopener noreferrer">Cerber ransomware</a>, the most popular and effective affiliate program operating between early 2016 and mid-2017. Cerber thrived because it emerged as an early mover in the market for ransomware-as-a-service offerings.
In February 2024, <a href="https://krebsonsecurity.com/2024/02/feds-seize-lockbit-ransomware-websites-offer-decryption-tools-troll-affiliates/" target="_blank" rel="noopener">the FBI seized LockBit’s cybercrime infrastructure on the dark web</a>, following an apparently lengthy infiltration of the group’s operations. The United States has already indicted and sanctioned at least five other alleged LockBit ringleaders or affiliates, so presumably the feds have been able to draw additional resources from those investigations.
Also, it seems likely that the three national intelligence agencies involved in bringing these charges are not showing all of their cards. For example, the Treasury documents on Khoroshev mention a single cryptocurrency address, and yet experts interviewed for this story say there are no obvious clues connecting this address to Khoroshev or Putinkrab.
But given that LockBitSupp has been actively involved in Lockbit ransomware attacks against organizations for four years now, the government almost certainly has an extensive list of the LockBit leader’s various cryptocurrency addresses — and probably even his bank accounts in Russia. And no doubt the money trail from some of those transactions was traceable to its ultimate beneficiary (or close enough).
Not long after Khoroshev was charged as the leader of LockBit, a number of open-source intelligence accounts on Telegram began extending the information released by the Treasury Department. Within hours, these sleuths had unearthed more than a dozen credit card accounts used by Khoroshev over the past decade, as well as his various bank account numbers in Russia.
The point is, this post is based on data that’s available to and verifiable by KrebsOnSecurity. Woodward & Bernstein’s source in the Watergate investigation — Deep Throat — famously told the two reporters to “follow the money.” This is always excellent advice. But these days, that can be a lot easier said than done — especially with people who a) do not wish to be found, and b) don’t exactly file annual reports.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2024/05/how-did-authorities-identify-the-alleged-lockbit-boss/feed/</wfw:commentRss>
<slash:comments>9</slash:comments>
</item>
<item>
<title>U.S. Charges Russian Man as Boss of LockBit Ransomware Group</title>
<link>https://krebsonsecurity.com/2024/05/u-s-charges-russian-man-as-boss-of-lockbit-ransomware-group/</link>
<comments>https://krebsonsecurity.com/2024/05/u-s-charges-russian-man-as-boss-of-lockbit-ransomware-group/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Tue, 07 May 2024 17:36:14 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[Russia's War on Ukraine]]></category>
<category><![CDATA[Dmitry Yuryevich Khoroshev]]></category>
<category><![CDATA[LockBitSupp]]></category>
<category><![CDATA[U.S. Attorney Philip R. Sellinger]]></category>
<category><![CDATA[U.S. Department of Justice]]></category>
<category><![CDATA[Дмитрий Юрьевич Хорошев]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=67380</guid>
<description><![CDATA[The United States joined the United Kingdom and Australia today in sanctioning 31-year-old Russian national Dmitry Yuryevich Khoroshev as the alleged leader of the infamous ransomware group LockBit. The U.S. Department of Justice also indicted Khoroshev as the gang's leader "LockbitSupp," and charged him with using Lockbit to attack more than 2,000 victims and extort at least $100 million in ransomware payments.]]></description>
<content:encoded><![CDATA[The United States joined the United Kingdom and Australia today in sanctioning 31-year-old Russian national Dmitry Yuryevich Khoroshev as the alleged leader of the infamous ransomware group LockBit. The U.S. Department of Justice also indicted Khoroshev and charged him with using Lockbit to attack more than 2,000 victims and extort at least $100 million in ransomware payments.
<div id="attachment_67385" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-67385" decoding="async" loading="lazy" class=" wp-image-67385" src="https://krebsonsecurity.com/wp-content/uploads/2024/05/lockbitsupp-nca.png" alt="" width="750" height="526" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/05/lockbitsupp-nca.png 1174w, https://krebsonsecurity.com/wp-content/uploads/2024/05/lockbitsupp-nca-768x538.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/05/lockbitsupp-nca-782x548.png 782w, https://krebsonsecurity.com/wp-content/uploads/2024/05/lockbitsupp-nca-100x70.png 100w" sizes="(max-width: 750px) 100vw, 750px" />Image: U.K. National Crime Agency.</div>
Khoroshev (Дмитрий Юрьевич Хорошев), a resident of Voronezh, Russia, was charged in <a href="https://www.justice.gov/opa/media/1350921/dl?inline" target="_blank" rel="noopener">a 26-count indictment</a> by a grand jury in New Jersey.
“Dmitry Khoroshev conceived, developed, and administered Lockbit, the most prolific ransomware variant and group in the world, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to thousands of victims around the globe,” U.S. Attorney Philip R. Sellinger said in <a href="https://www.justice.gov/opa/pr/us-charges-russian-national-developing-and-operating-lockbit-ransomware" target="_blank" rel="noopener">a statement</a> released by the Justice Department.
The indictment alleges Khoroshev acted as the LockBit ransomware group’s developer and administrator from its inception in September 2019 through May 2024, and that he typically received a 20 percent share of each ransom payment extorted from LockBit victims.
The government says LockBit victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies.
“Khoroshev and his co-conspirators extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery,” the DOJ said. “The LockBit ransomware group attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States.”
The <a href="https://www.nationalcrimeagency.gov.uk/news/lockbit-leader-unmasked-and-sanctioned" target="_blank" rel="noopener">unmasking of LockBitSupp</a> comes nearly three months after U.S. and U.K. authorities seized the darknet websites run by LockBit, retrofitting it with press releases about the law enforcement action and <a href="https://www.nomoreransom.org/en/decryption-tools.html" target="_blank" rel="noopener">free tools</a> to help LockBit victims decrypt infected systems.
<div id="attachment_66436" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-66436" decoding="async" loading="lazy" class=" wp-image-66436" src="https://krebsonsecurity.com/wp-content/uploads/2024/02/lockbitseized.png" alt="" width="749" height="474" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/02/lockbitseized.png 1379w, https://krebsonsecurity.com/wp-content/uploads/2024/02/lockbitseized-768x486.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/02/lockbitseized-782x494.png 782w" sizes="(max-width: 749px) 100vw, 749px" />The feds used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.</div>
One of the blog captions that authorities left on the seized site was a teaser page that read, “Who is LockbitSupp?,” which promised to reveal the true identity of the ransomware group leader. That item featured a countdown clock until the big reveal, but when the site’s timer expired no such details were offered.
Following the FBI’s raid, LockBitSupp took to Russian cybercrime forums to assure his partners and affiliates that the ransomware operation was still fully operational. LockBitSupp also raised another set of darknet websites that soon promised to release data stolen from a number of LockBit victims ransomed prior to the FBI raid.
One of the victims LockBitSupp continued extorting was Fulton County, Ga. Following the FBI raid, LockbitSupp <a href="https://krebsonsecurity.com/2024/03/blackcat-ransomware-group-implodes-after-apparent-22m-ransom-payment-by-change-healthcare/" target="_blank" rel="noopener">vowed to release sensitive documents stolen from the county court system</a> unless paid a ransom demand before LockBit’s countdown timer expired. But when Fulton County officials <a href="https://krebsonsecurity.com/2024/02/fulton-county-security-experts-call-lockbits-bluff/" target="_blank" rel="noopener">refused to pay</a> and the timer expired, no stolen records were ever published. Experts said it was likely the FBI had in fact seized all of LockBit’s stolen data.
LockBitSupp also bragged that their real identity would never be revealed, and at one point offered to pay $10 million to anyone who could discover their real name.
KrebsOnSecurity has been in intermittent contact with LockBitSupp for several months over the course of reporting on different LockBit victims. Reached at the same ToX instant messenger identity that the ransomware group leader has promoted on Russian cybercrime forums, LockBitSupp claimed the authorities named the wrong guy.
“It’s not me,” LockBitSupp replied in Russian. “I don’t understand how the FBI was able to connect me with this poor guy. Where is the logical chain that it is me? Don’t you feel sorry for a random innocent person?”
LockBitSupp, who now has a $10 million bounty for his arrest from the U.S. Department of State, has been known to be flexible with the truth. The Lockbit group routinely practiced “double extortion” against its victims — requiring one ransom payment for a key to unlock hijacked systems, and a separate payment in exchange for a promise to delete data stolen from its victims.
But Justice Department officials say LockBit never deleted its victim data, regardless of whether those organizations paid a ransom to keep the information from being published on LockBit’s victim shaming website.
Khoroshev is the sixth person officially indicted as active members of LockBit. The government says Russian national Artur Sungatov used LockBit ransomware against victims in manufacturing, logistics, insurance and other companies throughout the United States.
Ivan Gennadievich Kondratyev, a.k.a. “Bassterlord,” allegedly deployed LockBit against targets in the United States, Singapore, Taiwan, and Lebanon. Kondratyev is also <a href="https://krebsonsecurity.com/wp-content/uploads/2024/02/vasiliev.pdf" target="_blank" rel="noopener">charged</a> (PDF) with three criminal counts arising from his alleged use of the Sodinokibi (aka “<a href="https://krebsonsecurity.com/?s=revil" target="_blank" rel="noopener">REvil</a>“) ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.
In May 2023, U.S. authorities unsealed indictments against two alleged LockBit affiliates, Mikhail “Wazawaka” Matveev and Mikhail Vasiliev. In January 2022, KrebsOnSecurity published <a href="https://krebsonsecurity.com/2022/01/who-is-the-network-access-broker-wazawaka/" target="_blank" rel="noopener">Who is the Network Access Broker ‘Wazawaka,’</a> which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 31-year-old Mikhail Matveev from Abaza, RU.
Matveev remains at large, presumably still in Russia. Meanwhile, the U.S. Department of State has <a href="http://www.tips.fbi.gov/" target="_blank" rel="noopener">a standing $10 million reward offer</a> for information leading to Matveev’s arrest.
Vasiliev, 35, of Bradford, Ontario, Canada, is in custody in Canada awaiting extradition to the United States (the complaint against Vasiliev is at <a href="https://krebsonsecurity.com/wp-content/uploads/2024/02/vasiliev.pdf" target="_blank" rel="noopener">this PDF</a>).
In June 2023, Russian national Ruslan Magomedovich Astamirov was charged in New Jersey for his participation in the LockBit conspiracy, including the deployment of LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the United States awaiting trial.
The Justice Department is urging victims targeted by LockBit to contact the FBI at <a class="ext" href="https://lockbitvictims.ic3.gov/" target="_blank" rel="noopener" data-extlink="">https://lockbitvictims.ic3.gov/</a> to file an official complaint, and to determine whether affected systems can be successfully decrypted.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2024/05/u-s-charges-russian-man-as-boss-of-lockbit-ransomware-group/feed/</wfw:commentRss>
<slash:comments>16</slash:comments>
</item>
<item>
<title>Why Your VPN May Not Be As Secure As It Claims</title>
<link>https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/</link>
<comments>https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Mon, 06 May 2024 14:24:47 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Latest Warnings]]></category>
<category><![CDATA[The Coming Storm]]></category>
<category><![CDATA[Web Fraud 2.0]]></category>
<category><![CDATA[Bill Woodcock]]></category>
<category><![CDATA[Dani Cronce]]></category>
<category><![CDATA[DHCP option 121]]></category>
<category><![CDATA[DHCP starvation attack]]></category>
<category><![CDATA[Dynamic Host Control Protocol]]></category>
<category><![CDATA[John Kristoff]]></category>
<category><![CDATA[Leviathan Security]]></category>
<category><![CDATA[Lizzie Moratti]]></category>
<category><![CDATA[Packet Clearing House]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=67184</guid>
<description><![CDATA[Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target's traffic off of the protection provided by their VPN without triggering any alerts to the user.]]></description>
<content:encoded><![CDATA[Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target’s traffic off of the protection provided by their VPN without triggering any alerts to the user.
<div id="attachment_67354" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-67354" decoding="async" loading="lazy" class=" wp-image-67354" src="https://krebsonsecurity.com/wp-content/uploads/2024/05/tunnelvision.png" alt="" width="750" height="569" />Image: Shutterstock.</div>
When a device initially tries to connect to a network, it broadcasts a message to the entire local network stating that it is requesting an Internet address. Normally, the only system on the network that notices this request and replies is the router responsible for managing the network to which the user is trying to connect.
The machine on a network responsible for fielding these requests is called a Dynamic Host Configuration Protocol (DHCP) server, which will issue time-based leases for IP addresses. The DHCP server also takes care of setting a specific local address — known as an Internet gateway — that all connecting systems will use as a primary route to the Web.
VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communications. But researchers at Leviathan Security say they’ve discovered it’s possible to abuse an obscure feature built into the DHCP standard so that other users on the local network are forced to connect to a rogue DHCP server.
“Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway,” Leviathan researchers Lizzie Moratti and Dani Cronce wrote. “When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.”
The feature being abused here is known as <a href="https://datatracker.ietf.org/doc/html/rfc3442" target="_blank" rel="noopener">DHCP option 121</a>, and it allows a DHCP server to set a route on the VPN user’s system that is more specific than those used by most VPNs. Abusing this option, Leviathan found, effectively gives an attacker on the local network the ability to set up routing rules that have a higher priority than the routes for the virtual network interface that the target’s VPN creates.
“Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface,” the Leviathan researchers said. “This is intended functionality that isn’t clearly stated in the RFC [standard]. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.”
Leviathan found they could force VPNs on the local network that already had a connection to arbitrarily request a new one. In this well-documented tactic, known as a <a href="https://www.prosec-networks.com/en/blog/dhcp-starvation-attack/" target="_blank" rel="noopener">DHCP starvation attack</a>, an attacker floods the DHCP server with requests that consume all available IP addresses that can be allocated. Once the network’s legitimate DHCP server is completely tied up, the attacker can then have their rogue DHCP server respond to all pending requests.
<div style="text-align: center;"><iframe loading="lazy" title="YouTube video player" src="https://www.youtube.com/embed/ajsLmZia6UU?si=OYDck1VdGoLF0XFU" width="750" height="415" frameborder="0" allowfullscreen="allowfullscreen"></iframe></div>
“This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server,” the researchers wrote. “We can artificially create that scenario by setting a short lease time in the DHCP lease, so the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.”
The researchers say their methods could be used by an attacker who compromises a DHCP server or wireless access point, or by a rogue network administrator who owns the infrastructure themselves and maliciously configures it. Alternatively, an attacker could set up an “<a href="https://www.techtarget.com/searchsecurity/definition/evil-twin" target="_blank" rel="noopener">evil twin</a>” wireless hotspot that mimics the signal broadcast by a legitimate provider.
<H2>ANALYSIS</H2>
Bill Woodcock is executive director at <a href="http://www.pch.net" target="_blank" rel="noopener">Packet Clearing House</a>, a nonprofit based in San Francisco. Woodcock said Option 121 has been included in the DHCP standard since 2002, which means the attack described by Leviathan has technically been possible for the last 22 years.
“They’re realizing now that this can be used to circumvent a VPN in a way that’s really problematic, and they’re right,” Woodcock said.
Woodcock said anyone who might be a target of spear phishing attacks should be very concerned about using VPNs on an untrusted network.
“Anyone who is in a position of authority or maybe even someone who is just a high net worth individual, those are all very reasonable targets of this attack,” he said. “If I were trying to do an attack against someone at a relatively high security company and I knew where they typically get their coffee or sandwich at twice a week, this is a very effective tool in that toolbox. I’d be a little surprised if it wasn’t already being exploited in that way, because again this isn’t rocket science. It’s just thinking a little outside the box.”
Successfully executing this attack on a network likely would not allow an attacker to see all of a target’s traffic or browsing activity. That’s because for the vast majority of the websites visited by the target, the content is encrypted (the site’s address begins with https://). However, an attacker would still be able to see the metadata — such as the source and destination addresses — of any traffic flowing by.
KrebsOnSecurity shared Leviathan’s research with <a href="https://www.netscout.com/asert/john-kristoff" target="_blank" rel="noopener">John Kristoff</a>, founder of <a href="https://dataplane.org/" rel="noopener" target="_blank">dataplane.org</a> and a PhD candidate in computer science at the University of Illinois Chicago. Kristoff said practically all user-edge network gear, including WiFi deployments, support some form of rogue DHCP server detection and mitigation, but that it’s unclear how widely deployed those protections are in real-world environments.
“However, and I think this is a key point to emphasize, an untrusted network is an untrusted network, which is why you’re usually employing the VPN in the first place,” Kristoff said. “If [the] local network is inherently hostile and has no qualms about operating a rogue DHCP server, then this is a sneaky technique that could be used to de-cloak some traffic – and if done carefully, I’m sure a user might never notice.”
<h2>MITIGATIONS</h2>
According to Leviathan, there are several ways to minimize the threat from rogue DHCP servers on an unsecured network. One is using a device powered by the Android operating system, which apparently ignores DHCP option 121.
Relying on a temporary wireless hotspot controlled by a cellular device you own also effectively blocks this attack.
“They create a password-locked LAN with automatic network address translation,” the researchers wrote of cellular hot-spots. “Because this network is completely controlled by the cellular device and requires a password, an attacker should not have local network access.”
Leviathan’s Moratti said another mitigation is to run your VPN from inside of a virtual machine (VM) — like Parallels, VMware or VirtualBox. VPNs run inside of a VM are not vulnerable to this attack, Moratti said, provided they are not run in “<a href="https://www.virtualbox.org/manual/ch06.html#network_bridged" rel="noopener" target="_blank">bridged mode</a>,” which causes the VM to replicate another node on the network.
In addition, a technology called “deep packet inspection” can be used to deny all in- and outbound traffic from the physical interface except for the DHCP and the VPN server. However, Leviathan says this approach opens up a potential “side channel” attack that could be used to determine the destination of traffic.
“This could be theoretically done by performing traffic analysis on the volume a target user sends when the attacker’s routes are installed compared to the baseline,” they wrote. “In addition, this selective denial-of-service is unique as it could be used to censor specific resources that an attacker doesn’t want a target user to connect to even while they are using the VPN.”
Moratti said Leviathan’s research shows that many VPN providers are currently making promises to their customers that their technology can’t keep.
“VPNs weren’t designed to keep you more secure on your local network, but to keep your traffic more secure on the Internet,” Moratti said. “When you start making assurances that your product protects people from seeing your traffic, there’s an assurance or promise that can’t be met.”
A copy of Leviathan’s research, along with code intended to allow others to duplicate their findings in a lab environment, is available <a href="https://www.leviathansecurity.com/blog/tunnelvision" target="_blank" rel="noopener">here</a>.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/feed/</wfw:commentRss>
<slash:comments>37</slash:comments>
</item>
<item>
<title>Man Who Mass-Extorted Psychotherapy Patients Gets Six Years</title>
<link>https://krebsonsecurity.com/2024/04/man-who-mass-extorted-psychotherapy-patients-gets-six-years/</link>
<comments>https://krebsonsecurity.com/2024/04/man-who-mass-extorted-psychotherapy-patients-gets-six-years/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Tue, 30 Apr 2024 13:34:32 +0000</pubDate>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[Antti Kurittu]]></category>
<category><![CDATA[ColdFusion botnet]]></category>
<category><![CDATA[hack the planet]]></category>
<category><![CDATA[julius zeekill kivimaki]]></category>
<category><![CDATA[Lizard Squad]]></category>
<category><![CDATA[ransom_man]]></category>
<category><![CDATA[Vastaamo Psychotherapy Center]]></category>
<category><![CDATA[Ville Tapio]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=67317</guid>
<description><![CDATA[A 26-year-old Finnish man was sentenced to more than six years in prison today after being convicted of hacking into an online psychotherapy clinic, leaking tens of thousands of patient therapy records, and attempting to extort the clinic and patients.]]></description>
<content:encoded><![CDATA[A 26-year-old Finnish man was sentenced to more than six years in prison today after being convicted of hacking into an online psychotherapy clinic, leaking tens of thousands of patient therapy records, and attempting to extort the clinic and patients.
<img decoding="async" loading="lazy" class="aligncenter wp-image-61773" src="https://krebsonsecurity.com/wp-content/uploads/2022/11/kikmaki-wanted.png" alt="" width="750" height="357" srcset="https://krebsonsecurity.com/wp-content/uploads/2022/11/kikmaki-wanted.png 2936w, https://krebsonsecurity.com/wp-content/uploads/2022/11/kikmaki-wanted-768x366.png 768w, https://krebsonsecurity.com/wp-content/uploads/2022/11/kikmaki-wanted-1536x731.png 1536w, https://krebsonsecurity.com/wp-content/uploads/2022/11/kikmaki-wanted-2048x975.png 2048w, https://krebsonsecurity.com/wp-content/uploads/2022/11/kikmaki-wanted-782x372.png 782w" sizes="(max-width: 750px) 100vw, 750px" />
On October 21, 2020, the Vastaamo Psychotherapy Center in Finland became the target of blackmail when a tormentor identified as “ransom_man” demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online.
Ransom_man announced on the dark web that he would start publishing 100 patient profiles every 24 hours. When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.
Finnish prosecutors quickly zeroed in on a suspect: Julius “Zeekill” Kivimäki, a notorious criminal hacker convicted of committing tens of thousands of cybercrimes before he became an adult. After being charged with the attack in October 2022, Kivimäki fled the country. He was <a href="https://krebsonsecurity.com/2023/02/finlands-most-wanted-hacker-nabbed-in-france/" target="_blank" rel="noopener">arrested four months later in France</a>, hiding out under an assumed name and passport.
Antti Kurittu is a former criminal investigator who worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group <a href="https://krebsonsecurity.com/2015/02/webnic-registrar-blamed-for-hijack-of-lenovo-google-domains/" target="_blank" rel="noopener">Hack the Planet</a> (HTP).
Kurittu said the prosecution had demanded at least seven years in jail, and that the sentence handed down was six years and three months. Kurittu said prosecutors knocked a few months off of Kivimäki’s sentence because he agreed to pay compensation to his victims, and that Kivimäki will remain in prison during any appeal process.
“I think the sentencing was as expected, knowing the Finnish judicial system,” Kurittu told KrebsOnSecurity. “As Kivimäki has not been sentenced to a non-suspended prison sentence during the last five years, he will be treated as a first-timer, his previous convictions notwithstanding.”
But because juvenile convictions in Finland don’t count towards determining whether somebody is a first-time offender, Kivimäki will end up serving approximately half of his sentence.
“This seems like a short sentence when taking into account the gravity of his actions and the life-altering consequences to thousands of people, but it’s almost the maximum the law allows for,” Kurittu said.
Kivimäki initially gained notoriety as a self-professed member of the <a href="https://krebsonsecurity.com/tag/lizard-squad/" target="_blank" rel="noopener">Lizard Squad</a>, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.
Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — <a href="https://en.wikipedia.org/wiki/LulzSec" target="_blank" rel="noopener">LulzSec</a> — who was sentenced to prison for hacking).
Kivimäki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.
In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software. KrebsOnSecurity detailed the work of HTP in September 2013, after the group <a href="https://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/" target="_blank" rel="noopener">compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet</a>.
The group used the same ColdFusion flaws <a href="https://krebsonsecurity.com/2013/10/data-broker-hackers-also-compromised-nw3c/" target="_blank" rel="noopener">to break into the National White Collar Crime Center (NWC3)</a>, a non-profit that provides research and investigative support to the U.S. Federal Bureau of Investigation (FBI).
As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who’d <a href="https://krebsonsecurity.com/2013/03/credit-reports-sold-for-cheap-in-the-underweb/" target="_blank" rel="noopener">assumed control over SSNDOB</a>, which operated one of the underground’s most reliable services for obtaining Social Security Number, dates of birth and credit file information on U.S. residents.
Kivimäki was responsible for making <a href="http://www.forbes.com/sites/insertcoin/2014/08/24/sony-online-entertainment-presidents-flight-diverted-by-psn-hackers-bomb-threat/" target="_blank" rel="noopener">an August 2014 bomb threat</a> against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.
Ville Tapio, the former CEO of Vastaamo, was fired and also prosecuted following the breach. Ransom_man bragged about Vastaamo’s sloppy security, noting the company had used the laughably weak username and password “root/root” to protect sensitive patient records.
Investigators later found Vastaamo had originally been hacked in 2018 and again in 2019. In April 2023, a Finnish court handed down <a href="https://yle.fi/a/74-20027665" target="_blank" rel="noopener">a three-month sentence for Tapio</a>, but that sentence was suspended because he had no previous criminal record.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2024/04/man-who-mass-extorted-psychotherapy-patients-gets-six-years/feed/</wfw:commentRss>
<slash:comments>33</slash:comments>
</item>
<item>
<title>FCC Fines Major U.S. Wireless Carriers for Selling Customer Location Data</title>
<link>https://krebsonsecurity.com/2024/04/fcc-fines-major-u-s-wireless-carriers-for-selling-customer-location-data/</link>
<comments>https://krebsonsecurity.com/2024/04/fcc-fines-major-u-s-wireless-carriers-for-selling-customer-location-data/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Mon, 29 Apr 2024 20:56:42 +0000</pubDate>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[AT&T]]></category>
<category><![CDATA[LocationSmart]]></category>
<category><![CDATA[Securus Technologies]]></category>
<category><![CDATA[Sprint]]></category>
<category><![CDATA[T-Mobile]]></category>
<category><![CDATA[U.S. Federal Communications Commission]]></category>
<category><![CDATA[Verizon]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=67297</guid>
<description><![CDATA[The U.S. Federal Communications Commission (FCC) today levied fines totaling nearly $200 million against the four major carriers -- including AT&T, Sprint, T-Mobile and Verizon -- for illegally sharing access to customers' location information without consent.]]></description>
<content:encoded><![CDATA[The U.S. Federal Communications Commission (FCC) today levied fines totaling nearly $200 million against the four major carriers — including AT&T, Sprint, T-Mobile and Verizon — for illegally sharing access to customers’ location information without consent.
<img decoding="async" loading="lazy" class="aligncenter wp-image-43845" src="https://krebsonsecurity.com/wp-content/uploads/2018/05/locationtracking.jpg" alt="" width="744" height="482" />
The fines mark the culmination of a more than four-year investigation into the actions of the major carriers. In February 2020, the FCC put all four wireless providers on notice that their practices of sharing access to customer location data were likely violating the law.
The FCC said it found the carriers each sold access to its customers’ location information to ‘aggregators,’ who then resold access to the information to third-party location-based service providers.
“In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,” <a href="https://www.fcc.gov/document/fcc-fines-largest-wireless-carriers-sharing-location-data" target="_blank" rel="noopener">an FCC statement</a> on the action reads. “This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.”
The FCC’s <a href="https://docs.fcc.gov/public/attachments/FCC-24-40A1.pdf" target="_blank" rel="noopener">findings against AT&T</a>, for example, show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC <a href="https://docs.fcc.gov/public/attachments/FCC-24-41A1.pdf" target="_blank" rel="noopener">found</a> Verizon sold access to customer location data (indirectly or directly) to 67 third-party entities. Location data for Sprint customers found its way to 86 third-party entities, and to 75 third-parties in the case of T-Mobile customers.
The commission said it took action after Sen. Ron Wyden (D-Ore.) <a href="https://www.wyden.senate.gov/imo/media/doc/wyden-securus-location-tracking-letter-to-fcc.pdf" target="_blank" rel="noopener">sent a letter to the FCC</a> detailing how a company called Securus Technologies had been selling location data on customers of virtually any major mobile provider to law enforcement officials.
That same month, KrebsOnSecurity <a href="https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/" target="_blank" rel="noopener">broke the news</a> that LocationSmart — a data aggregation firm working with the major wireless carriers — had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.
The carriers <a href="https://krebsonsecurity.com/2018/06/verizon-to-stop-sharing-customer-location-data-with-third-parties/" target="_blank" rel="noopener">promised to “wind down” location data sharing agreements</a> with third-party companies. But in 2019, reporting at <a href="https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile" target="_blank" rel="noopener">Vice.com showed</a> that little had changed, detailing how reporters were able to locate a test phone after paying $300 to a bounty hunter who simply bought the data through a little-known third-party service.
Sen. Wyden said no one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card.
“I applaud the FCC for following through on my investigation and holding these companies accountable for putting customers’ lives and privacy at risk,” Wyden said in a statement today.
The FCC fined Sprint and T-Mobile $12 million and $80 million respectively. AT&T was fined more than $57 million, while Verizon received a $47 million penalty. Still, these fines represent a tiny fraction of each carrier’s annual revenues. For example, $47 million is less than one percent of Verizon’s total wireless service revenue in 2023, which was nearly $77 billion.
The fine amounts vary because they were calculated based in part on the number of days that the carriers continued sharing customer location data after being notified that doing so was illegal (the agency also considered the number of active third-party location data sharing agreements). The FCC notes that AT&T and Verizon each took more than 320 days from the publication of the Times story to wind down their data sharing agreements; T-Mobile took 275 days; Sprint kept sharing customer location data for 386 days.
Update, 6:25 p.m. ET: Clarified that the FCC launched its investigation at the request of Sen. Wyden.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2024/04/fcc-fines-major-u-s-wireless-carriers-for-selling-customer-location-data/feed/</wfw:commentRss>
<slash:comments>34</slash:comments>
</item>
<item>
<title>Russian FSB Counterintelligence Chief Gets 9 Years in Cybercrime Bribery Scheme</title>
<link>https://krebsonsecurity.com/2024/04/russian-fsb-counterintelligence-chief-gets-9-years-in-cybercrime-bribery-scheme/</link>
<comments>https://krebsonsecurity.com/2024/04/russian-fsb-counterintelligence-chief-gets-9-years-in-cybercrime-bribery-scheme/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Mon, 22 Apr 2024 20:07:56 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[Web Fraud 2.0]]></category>
<category><![CDATA[Alexander Kovalev]]></category>
<category><![CDATA[Artem Zaitsev]]></category>
<category><![CDATA[Federal Security Service (FSB)]]></category>
<category><![CDATA[Ferum Shop]]></category>
<category><![CDATA[Get-Net LLC]]></category>
<category><![CDATA[Grigory Tsaregorodtsev]]></category>
<category><![CDATA[Sky-Fraud]]></category>
<category><![CDATA[Trump's-Dumps]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=67255</guid>
<description><![CDATA[The head of counterintelligence for a division of the Russian Federal Security Service (FSB) was sentenced last week to nine years in a penal colony for accepting a USD $1.7 million bribe to ignore the activities of a prolific Russian cybercrime group that hacked thousands of e-commerce websites. The protection scheme was exposed in 2022 when Russian authorities arrested six members of the group, which sold millions of stolen payment cards at flashy online shops like Trump's Dumps.]]></description>
<content:encoded><![CDATA[The head of counterintelligence for a division of the Russian Federal Security Service (FSB) was sentenced last week to nine years in a penal colony for accepting a USD $1.7 million bribe to ignore the activities of a prolific Russian cybercrime group that hacked thousands of e-commerce websites. The protection scheme was exposed in 2022 when Russian authorities arrested six members of the group, which sold millions of stolen payment cards at flashy online shops like Trump’s Dumps.
<div id="attachment_39492" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-39492" decoding="async" loading="lazy" class=" wp-image-39492" src="https://krebsonsecurity.com/wp-content/uploads/2017/05/trumpsdumps-580x395.png" alt="" width="750" height="511" srcset="https://krebsonsecurity.com/wp-content/uploads/2017/05/trumpsdumps-580x395.png 580w, https://krebsonsecurity.com/wp-content/uploads/2017/05/trumpsdumps-768x524.png 768w, https://krebsonsecurity.com/wp-content/uploads/2017/05/trumpsdumps-940x641.png 940w, https://krebsonsecurity.com/wp-content/uploads/2017/05/trumpsdumps.png 1295w" sizes="(max-width: 750px) 100vw, 750px" />A now-defunct carding shop that sold stolen credit cards and invoked 45’s likeness and name.</div>
As <a href="https://therecord.media/former-fsb-officer-sentenced-russia-helping-hackers" target="_blank" rel="noopener">reported</a> by The Record, a Russian court last week sentenced former FSB officer Grigory Tsaregorodtsev for taking a $1.7 million bribe from a cybercriminal group that was seeking a “roof,” a well-placed, corrupt law enforcement official who could be counted on to both disregard their illegal hacking activities and run interference with authorities in the event of their arrest.
Tsaregorodtsev was head of the counterintelligence department for a division of the FSB based in Perm, Russia. In February 2022, Russian <a href="https://krebsonsecurity.com/2022/02/russian-govt-continues-carding-shop-crackdown/" target="_blank" rel="noopener">authorities arrested six men in the Perm region</a> accused of selling stolen payment card data. They also seized multiple carding shops run by the gang, including Ferum Shop, Sky-Fraud, and Trump’s Dumps, a popular fraud store that invoked the 45th president’s likeness and promised to “make credit card fraud great again.”
All of the domains seized in that raid were registered by an IT consulting company in Perm called Get-net LLC, which was owned in part by Artem Zaitsev — one of the six men arrested. Zaitsev reportedly was a well-known programmer whose company supplied services and leasing to the local FSB field office.
<div id="attachment_58442" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-58442" decoding="async" loading="lazy" class=" wp-image-58442" src="https://krebsonsecurity.com/wp-content/uploads/2022/02/deptk-td.png" alt="" width="749" height="483" />The message for Trump’s Dumps users left behind by Russian authorities that seized the domain in 2022.</div>
Russian news sites report that Internal Affairs officials with the FSB grew suspicious when Tsaregorodtsev became a little too interested in the case following the hacking group’s arrests. The former FSB agent had reportedly assured the hackers he could have their case transferred and that they would soon be free.
But when that promised freedom didn’t materialize, four the of the defendants pulled the walls down on the scheme and brought down their own roof. The FSB arrested Tsaregorodtsev, and seized $154,000 in cash, 100 gold bars, real estate and expensive cars.
At Tsaregorodtsev’s trial, his lawyers argued that their client wasn’t guilty of bribery per se, but that he did admit to fraud because he was ultimately unable to fully perform the services for which he’d been hired.
The Russian news outlet Kommersant reports that all four of those who cooperated were released with probation or correctional labor. Zaitsev received a sentence of 3.5 years in prison, and defendant Alexander Kovalev got four years.
In 2017, KrebsOnSecurity <a href="https://krebsonsecurity.com/2017/05/trumps-dumps-making-dumps-great-again/" target="_blank" rel="noopener">profiled Trump’s Dumps</a>, and found the contact address listed on the site was tied to an email address used to register more than a dozen domains that were made to look like legitimate Javascript calls many e-commerce sites routinely make to process transactions — such as “js-link[dot]su,” “js-stat[dot]su,” and “js-mod[dot]su.”
Searching on those malicious domains revealed <a href="https://web.archive.org/web/20161114152809/https://www.riskiq.com/blog/labs/magecart-keylogger-injection/" target="_blank" rel="noopener">a 2016 report from RiskIQ</a>, which shows the domains featured prominently in a series of hacking campaigns against e-commerce websites. According to RiskIQ, the attacks targeted online stores running outdated and unpatched versions of shopping cart software from Magento, Powerfront and OpenCart.
Those shopping cart flaws allowed the crooks to install “web skimmers,” malicious Javascript used to steal credit card details and other information from payment forms on the checkout pages of vulnerable e-commerce sites. The stolen customer payment card details were then sold on sites like Trump’s Dumps and Sky-Fraud.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2024/04/russian-fsb-counterintelligence-chief-gets-9-years-in-cybercrime-bribery-scheme/feed/</wfw:commentRss>
<slash:comments>15</slash:comments>
</item>
<item>
<title>Who Stole 3.6M Tax Records from South Carolina?</title>
<link>https://krebsonsecurity.com/2024/04/who-stole-3-6m-tax-records-from-south-carolina/</link>
<comments>https://krebsonsecurity.com/2024/04/who-stole-3-6m-tax-records-from-south-carolina/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Tue, 16 Apr 2024 11:26:55 +0000</pubDate>
<category><![CDATA[Breadcrumbs]]></category>
<category><![CDATA[Data Breaches]]></category>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[Tax Refund Fraud]]></category>
<category><![CDATA[Aleksandr Ermakov]]></category>
<category><![CDATA[Associated Press]]></category>
<category><![CDATA[Embargo]]></category>
<category><![CDATA[Home Depot breach]]></category>
<category><![CDATA[Jeffrey Collins]]></category>
<category><![CDATA[Mark Keel]]></category>
<category><![CDATA[Mazafaka]]></category>
<category><![CDATA[Mikhail Shefel]]></category>
<category><![CDATA[Nikki Haley]]></category>
<category><![CDATA[rescator]]></category>
<category><![CDATA[Shtazi]]></category>
<category><![CDATA[target breach]]></category>
<category><![CDATA[tax refund fraud]]></category>
<category><![CDATA[tax return fraud]]></category>
<category><![CDATA[The Post and Courier]]></category>
<category><![CDATA[U.S. Internal Revenue Service]]></category>
<category><![CDATA[Verified]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=67190</guid>
<description><![CDATA[For nearly a dozen years, residents of South Carolina have been kept in the dark by state and federal investigators over who was responsible for hacking into the state's revenue department in 2012 and stealing tax and bank account information for 3.6 million people. The answer may no longer be a mystery: KrebsOnSecurity found compelling clues suggesting the intrusion was carried out by the same Russian hacking crew that stole of millions of payment card records from big box retailers like Home Depot and Target in the years that followed.]]></description>
<content:encoded><![CDATA[<img decoding="async" loading="lazy" class="aligncenter wp-image-42398" src="https://krebsonsecurity.com/wp-content/uploads/2018/01/taxthiefa.png" alt="" width="750" height="275" />
For nearly a dozen years, residents of South Carolina have been kept in the dark by state and federal investigators over who was responsible for hacking into the state’s revenue department in 2012 and stealing tax and bank account information for 3.6 million people. The answer may no longer be a mystery: KrebsOnSecurity found compelling clues suggesting the intrusion was carried out by the same Russian hacking crew that stole of millions of payment card records from big box retailers like Home Depot and Target in the years that followed.
Questions about who stole tax and financial data on roughly three quarters of all South Carolina residents came to the fore last week at the confirmation hearing of Mark Keel, who was appointed in 2011 by Gov. Nikki Haley to head the state’s law enforcement division. If approved, this would be Keel’s third six-year term in that role.
The Associated Press <a href="https://apnews.com/article/south-carolina-hacking-tax-returns-2012-5984ce1c6f47938da7a671d0fccadd22" target="_blank" rel="noopener">reports</a> that Keel was careful not to release many details about the breach at his hearing, telling lawmakers he knows who did it but that he wasn’t ready to name anyone.
“I think the fact that we didn’t come up with a whole lot of people’s information that got breached is a testament to the work that people have done on this case,” Keel asserted.
A ten-year <a href="//www.postandcourier.com/columbia/news/scs-massive-data-breach-10-years-later-questions-linger-as-investigation-remains-open/article_29dd8164-4025-11ed-9433-73cafd23fadb.html" target="_blank" rel="noopener">retrospective</a> published in 2022 by The Post and Courier in Columbia, S.C. said investigators determined the breach began on Aug. 13, 2012, after a state IT contractor clicked a malicious link in an email. State officials said they found out about the hack from federal law enforcement on October 10, 2012.
KrebsOnSecurity examined posts across dozens of cybercrime forums around that time, and found only one instance of someone selling large volumes of tax data in the year surrounding the breach date.
On Oct. 7, 2012 — three days before South Carolina officials say they first learned of the intrusion — a notorious cybercriminal who goes by the handle “Rescator” advertised the sale of “a database of the tax department of one of the states.”
“Bank account information, SSN and all other information,” Rescator’s sales thread on the Russian-language crime forum Embargo read. “If you purchase the entire database, I will give you access to it.”
A week later, Rescator posted a similar offer on the exclusive Russian forum Mazafaka, saying he was selling information from a U.S. state tax database, without naming the state. Rescator said the data exposed included Social Security Number (SSN), employer, name, address, phone, taxable income, tax refund amount, and bank account number.
“There is a lot of information, I am ready to sell the entire database, with access to the database, and in parts,” Rescator told Mazafaka members. “There is also information on corporate taxpayers.”
On Oct. 26, 2012, the state announced the breach publicly. State officials said they were working with investigators from the U.S. Secret Service and digital forensics experts from Mandiant, which produced <a href="https://oag.ca.gov/system/files/Mandiant%20Report_0.pdf" target="_blank" rel="noopener">an incident report</a> (PDF) that was later published by South Carolina Dept. of Revenue. KrebsOnSecurity sought comment from the Secret Service, South Carolina prosecutors, and Mr. Keel’s office. This story will be updated if any of them respond. Update: The Secret Service declined to comment.
On Nov. 18, 2012, Rescator told fellow denizens of the forum Verified he was selling a database of 65,000 records with bank account information from several smaller, regional financial institutions. Rescator’s sales thread on Verified listed more than a dozen database fields, including account number, name, address, phone, tax ID, date of birth, employer and occupation.
Asked to provide more context about the database for sale, Rescator told forum members the database included financial records related to tax filings of a U.S. state. Rescator added that there was a second database of around 80,000 corporations that included social security numbers, names and addresses, but no financial information.
The AP says South Carolina paid $12 million to Experian for identity theft protection and credit monitoring for its residents after the breach.
“At the time, it was one of the largest breaches in U.S. history but has since been surpassed greatly by hacks to Equifax, Yahoo, Home Depot, Target and PlayStation,” the AP’s Jeffrey Collins wrote.
As it happens, Rescator’s criminal hacking crew was directly responsible for <a href="https://krebsonsecurity.com/tag/target-breach/" target="_blank" rel="noopener">the 2013 breach at Target</a> and the 2014 <a href="https://krebsonsecurity.com/tag/home-depot-breach/" target="_blank" rel="noopener">hack of Home Depot</a>. The Target intrusion saw Rescator’s cybercrime shops selling roughly 40 million stolen payment cards, and 56 million cards from Home Depot customers.
Who is Rescator? On Dec. 14, 2023, KrebsOnSecurity published the results of <a href="https://krebsonsecurity.com/2023/12/ten-years-later-new-clues-in-the-target-breach/" target="_blank" rel="noopener">a 10-year investigation into the identity of Rescator</a>, a.k.a. Mikhail Borisovich Shefel, a 36-year-old who lives in Moscow and who recently changed his last name to Lenin.
<img decoding="async" loading="lazy" class="aligncenter wp-image-67207" src="https://krebsonsecurity.com/wp-content/uploads/2024/04/shefel-fb1.png" alt="" width="750" height="572" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/04/shefel-fb1.png 942w, https://krebsonsecurity.com/wp-content/uploads/2024/04/shefel-fb1-768x585.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/04/shefel-fb1-782x596.png 782w" sizes="(max-width: 750px) 100vw, 750px" />
Mr. Keel’s assertion that somehow the efforts of South Carolina officials following the breach may have lessened its impact on citizens seems unlikely. The stolen tax and financial data appears to have been sold openly on cybercrime forums by one of the Russian underground’s most aggressive and successful hacking crews.
While there are no indications from reviewing forum posts that Rescator ever sold the data, his sales threads came at a time when the incidence of <a href="https://krebsonsecurity.com/category/tax-refund-fraud/" target="_blank" rel="noopener">tax refund fraud</a> was skyrocketing.
Tax-related identity theft occurs when someone uses a stolen identity and SSN to file a tax return in that person’s name claiming a fraudulent refund. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually owed a refund from the U.S. Internal Revenue Service (IRS).
According to <a title="http://www.cbsnews.com/news/irs-refunded-4-billion-to-identity-thieves-last-year-inspector-generals-report-says/" href="http://www.cbsnews.com/news/irs-refunded-4-billion-to-identity-thieves-last-year-inspector-generals-report-says/" target="_blank" rel="noopener">a 2013 report</a> from the Treasury Inspector General’s office, the IRS issued nearly $4 billion in bogus tax refunds in 2012, and more than $5.8 billion in 2013. The money largely was sent to people who stole SSNs and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.
It remains unclear why Shefel has never been officially implicated in the breaches at Target, Home Depot, or in South Carolina. It may be that Shefel has been indicted, and that those indictments remain sealed for some reason. Perhaps prosecutors were hoping Shefel would decide to leave Russia, at which point it would be easier to apprehend him if he believed no one was looking for him.
But all signs are that Shefel is deeply rooted in Russia, and has no plans to leave. In January 2024, authorities in Australia, the United States and the U.K. levied financial sanctions against 33-year-old Russian man Aleksandr Ermakov for allegedly stealing data on 10 million customers of the Australian health insurance giant Medibank.
A week after those sanctions were put in place, KrebsOnSecurity published <a href="https://krebsonsecurity.com/2024/01/who-is-alleged-medibank-hacker-aleksandr-ermakov/" target="_blank" rel="noopener">a deep dive on Ermakov</a>, which found that he co-ran a Moscow-based IT security consulting business along with Mikhail Shefel called Shtazi-IT.
<div id="attachment_66196" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-66196" decoding="async" loading="lazy" class=" wp-image-66196" src="https://krebsonsecurity.com/wp-content/uploads/2024/01/shtazi-ru.png" alt="" width="749" height="307" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/01/shtazi-ru.png 1806w, https://krebsonsecurity.com/wp-content/uploads/2024/01/shtazi-ru-768x315.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/01/shtazi-ru-1536x629.png 1536w, https://krebsonsecurity.com/wp-content/uploads/2024/01/shtazi-ru-782x320.png 782w" sizes="(max-width: 749px) 100vw, 749px" />A Google-translated version of Shtazi dot ru. Image: Archive.org.</div>
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2024/04/who-stole-3-6m-tax-records-from-south-carolina/feed/</wfw:commentRss>
<slash:comments>15</slash:comments>
</item>
<item>
<title>Crickets from Chirp Systems in Smart Lock Key Leak</title>
<link>https://krebsonsecurity.com/2024/04/crickets-from-chirp-systems-in-smart-lock-key-leak/</link>
<comments>https://krebsonsecurity.com/2024/04/crickets-from-chirp-systems-in-smart-lock-key-leak/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Mon, 15 Apr 2024 14:51:17 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Latest Warnings]]></category>
<category><![CDATA[Security Tools]]></category>
<category><![CDATA[August.com]]></category>
<category><![CDATA[Chirp Systems]]></category>
<category><![CDATA[Matt Brown]]></category>
<category><![CDATA[ProPublica]]></category>
<category><![CDATA[RealPage Inc.]]></category>
<category><![CDATA[U.S. Cybersecurity & Infrastructure Security Agency]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=67102</guid>
<description><![CDATA[The U.S. government is warning that smart locks securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock's maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp's parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents.]]></description>
<content:encoded><![CDATA[The U.S. government is warning that “smart locks” securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock’s maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp’s parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents.
<img decoding="async" loading="lazy" class="aligncenter wp-image-67129" src="https://krebsonsecurity.com/wp-content/uploads/2024/04/chirpsystems.png" alt="" width="751" height="451" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/04/chirpsystems.png 1309w, https://krebsonsecurity.com/wp-content/uploads/2024/04/chirpsystems-768x462.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/04/chirpsystems-782x470.png 782w" sizes="(max-width: 751px) 100vw, 751px" />
On March 7, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) <a href="https://www.cisa.gov/news-events/ics-advisories/icsa-24-067-01" target="_blank" rel="noopener">warned</a> about a remotely exploitable vulnerability with “low attack complexity” in Chirp Systems smart locks.
“Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access,” CISA’s alert warned, assigning the bug a CVSS (badness) rating of 9.1 (out of a possible 10). “Chirp Systems has not responded to requests to work with CISA to mitigate this vulnerability.”
Matt Brown, the researcher CISA credits with reporting the flaw, is a senior systems development engineer at Amazon Web Services. Brown said he discovered the weakness and reported it to Chirp in March 2021, after the company that manages his apartment building started using Chirp smart locks and told everyone to install Chirp’s app to get in and out of their apartments.
“I use Android, which has a pretty simple workflow for downloading and decompiling the APK apps,” Brown told KrebsOnSecurity. “Given that I am pretty picky about what I trust on my devices, I downloaded Chirp and after decompiling, found that they were storing passwords and private key strings in a file.”
Using those hard-coded credentials, Brown found an attacker could then connect to an application programming interface (API) that Chirp uses which is managed by smart lock vendor August.com, and use that to enumerate and remotely lock or unlock any door in any building that uses the technology.
Update, April 18, 11:55 a.m. ET: August has provided a statement saying it does not believe August or Yale locks are vulnerable to the hack described by Brown.
“We were recently made aware of a vulnerability disclosure regarding access control systems provided by Chirp, using August and Yale locks in multifamily housing,” the company said. “Upon learning of these reports, we immediately and thoroughly investigated these claims. Our investigation found no evidence that would substantiate the vulnerability claims in either our product or Chirp’s as it relates to our systems.”
Update, April 25, 2:45 p.m. ET: Based on feedback from Chirp, CISA has downgraded the severity of this flaw and revised their security advisory to say that the hard-coded credentials do not appear to expose the devices to remote locking or unlocking. CISA says the hardcoded credentials could be used by an attacker within the range of Bluetooth (~30 meters) “to change the configuration settings within the Bluetooth beacon, effectively removing Bluetooth visibility from the device. This does not affect the device’s ability to lock or unlock access points, and access points can still be operated remotely by unauthorized users via other means.”

Brown said when he complained to his leasing office, they sold him a small $50 key fob that uses Near-Field Communications (NFC) to toggle the lock when he brings the fob close to his front door. But he said the fob doesn’t eliminate the ability for anyone to remotely unlock his front door using the exposed credentials and the Chirp mobile app.
Also, the fobs pass the credentials to his front door over the air in plain text, meaning someone could clone the fob just by bumping against him with <a href="https://play.google.com/store/apps/details?id=com.wakdev.wdnfc&hl=en_US&gl=US" target="_blank" rel="noopener">a smartphone app</a> made to read and write NFC tags.
Neither August nor Chirp Systems responded to requests for comment. It’s unclear exactly how many apartments and other residences are using the vulnerable Chirp locks, but multiple articles about the company from 2020 state that approximately 50,000 units use Chirp smart locks with August’s API.
Roughly a year before Brown reported the flaw to Chirp Systems, the company was bought by RealPage, a firm founded in 1998 as a developer of multifamily property management and data analytics software. In 2021, RealPage was acquired by the private equity giant <a href="https://en.wikipedia.org/wiki/Thoma_Bravo" target="_blank" rel="noopener">Thoma Bravo</a>.
Brown said the exposure he found in Chirp’s products is “an obvious flaw that is super easy to fix.”
“It’s just a matter of them being motivated to do it,” he said. “But they’re part of a private equity company now, so they’re not answerable to anybody. It’s too bad, because it’s not like residents of [the affected] properties have another choice. It’s either agree to use the app or move.”
In October 2022, <a href="https://www.propublica.org/article/yieldstar-rent-increase-realpage-rent" target="_blank" rel="noopener">an investigation</a> by ProPublica examined RealPage’s dominance in the rent-setting software market, and that it found “uses a mysterious algorithm to help landlords push the highest possible rents on tenants.”
“For tenants, the system upends the practice of negotiating with apartment building staff,” ProPublica found. “RealPage discourages bargaining with renters and has even recommended that landlords in some cases accept a lower occupancy rate in order to raise rents and make more money. One of the algorithm’s developers told ProPublica that leasing agents had ‘too much empathy’ compared to computer generated pricing.”
Last year, the U.S. Department of Justice <a href="https://www.propublica.org/article/doj-backs-tenants-price-fixing-case-big-landlords-real-estate-tech" target="_blank" rel="noopener">threw its weight behind</a> a massive lawsuit filed by dozens of tenants who are accusing the $9 billion apartment software company of helping landlords collude to inflate rents.
In February 2024, attorneys general for Arizona and the District of Columbia sued RealPage, alleging RealPage’s software helped create a rental monopoly.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2024/04/crickets-from-chirp-systems-in-smart-lock-key-leak/feed/</wfw:commentRss>
<slash:comments>41</slash:comments>
</item>
<item>
<title>Why CISA is Warning CISOs About a Breach at Sisense</title>
<link>https://krebsonsecurity.com/2024/04/why-cisa-is-warning-cisos-about-a-breach-at-sisense/</link>
<comments>https://krebsonsecurity.com/2024/04/why-cisa-is-warning-cisos-about-a-breach-at-sisense/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Thu, 11 Apr 2024 20:48:06 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Data Breaches]]></category>
<category><![CDATA[The Coming Storm]]></category>
<category><![CDATA[Nicholas Weaver]]></category>
<category><![CDATA[Sangram Dash]]></category>
<category><![CDATA[Sisense breach]]></category>
<category><![CDATA[U.S. Cybersecurity and Infrastructure Security Agency]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=67160</guid>
<description><![CDATA[The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening.]]></description>
<content:encoded><![CDATA[The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening.
<img decoding="async" loading="lazy" class="aligncenter wp-image-67162" src="https://krebsonsecurity.com/wp-content/uploads/2024/04/sisense.png" alt="" width="749" height="340" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/04/sisense.png 1304w, https://krebsonsecurity.com/wp-content/uploads/2024/04/sisense-768x348.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/04/sisense-782x354.png 782w" sizes="(max-width: 749px) 100vw, 749px" />
New York City based Sisense has more than a thousand customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. On April 10, Sisense Chief Information Security Officer Sangram Dash told customers the company had been made aware of reports that “certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)”
“We are taking this matter seriously and promptly commenced an investigation,” Dash continued. “We engaged industry-leading experts to assist us with the investigation. This matter has not resulted in an interruption to our business operations. Out of an abundance of caution, and while we continue to investigate, we urge you to promptly rotate any credentials that you use within your Sisense application.”
In its alert, CISA said it was working with private industry partners to respond to a recent compromise discovered by independent security researchers involving Sisense.
“CISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations,” the sparse alert reads. “We will provide updates as more information becomes available.”
<img decoding="async" loading="lazy" class="aligncenter wp-image-67161" src="https://krebsonsecurity.com/wp-content/uploads/2024/04/cisa-sisense.png" alt="" width="750" height="688" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/04/cisa-sisense.png 884w, https://krebsonsecurity.com/wp-content/uploads/2024/04/cisa-sisense-768x705.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/04/cisa-sisense-782x717.png 782w" sizes="(max-width: 750px) 100vw, 750px" />
Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the company’s Gitlab code repository, and in that repository was a token or credential that gave the bad guys access to Sisense’s Amazon S3 buckets in the cloud.
Customers can use Gitlab either as a solution that is hosted in the cloud at Gitlab.com, or as a self-managed deployment. KrebsOnSecurity understands that Sisense was using the self-managed version of Gitlab.
Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.
The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers.
It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards.
The breach also makes clear that Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time — sometimes indefinitely. And depending on which service we’re talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials.
Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that they’ve previously entrusted to Sisense.
Earlier today, a public relations firm working with Sisense reached out to learn if KrebsOnSecurity planned to publish any further updates on their breach (KrebsOnSecurity posted a screenshot of the CISO’s customer email to both <a href="https://www.linkedin.com/posts/bkrebs_there-is-something-potentially-huge-popping-activity-7183982303784620033-T3wd?utm_source=share&utm_medium=member_desktop" target="_blank" rel="noopener">LinkedIn</a> and <a href="https://infosec.exchange/@briankrebs/112249710611213991" target="_blank" rel="noopener">Mastodon</a> on Wednesday evening). The PR rep said Sisense wanted to make sure they had an opportunity to comment before the story ran.
But when confronted with the details shared by my sources, Sisense apparently changed its mind.
“After consulting with Sisense, they have told me that they don’t wish to respond,” the PR rep said in an emailed reply.
Update, 6:49 p.m., ET: Added clarification that Sisense is using a self-hosted version of Gitlab, not the cloud version managed by Gitlab.com. 
Also, Sisense’s CISO Dash just sent an update to customers directly. The latest advice from the company is far more detailed, and involves resetting a potentially large number of access tokens across multiple technologies, including Microsoft Active Directory credentials, GIT credentials, web access tokens, and any single sign-on (SSO) secrets or tokens. 
The full message from Dash to customers is below:
“Good Afternoon,
We are following up on our prior communication of April 10, 2024, regarding reports that certain Sisense company information may have been made available on a restricted access server. As noted, we are taking this matter seriously and our investigation remains ongoing.
Our customers must reset any keys, tokens, or other credentials in their environment used within the Sisense application.
Specifically, you should: 
– Change Your Password: Change all Sisense-related passwords on http://my.sisense.com 
– Non-SSO: 
– Replace the Secret in the Base Configuration Security section with your GUID/UUID. 
– Reset passwords for all users in the Sisense application. 
– Logout all users by running GET /api/v1/authentication/logout_all under Admin user. 
– Single Sign-On (SSO): 
– If you use SSO JWT for the user’s authentication in Sisense, you will need to update sso.shared_secret in Sisense and then use the newly generated value on the side of the SSO handler. 
– We strongly recommend rotating the x.509 certificate for your SSO SAML identity provider. 
– If you utilize OpenID, it’s imperative to rotate the client secret as well. 
– Following these adjustments, update the SSO settings in Sisense with the revised values. 
– Logout all users by running GET /api/v1/authentication/logout_all under Admin user. 
– Customer Database Credentials: Reset credentials in your database that were used in the Sisense application to ensure continuity of connection between the systems. 
– Data Models: Change all usernames and passwords in the database connection string in the data models. 
– User Params: If you are using the User Params feature, reset them. 
– Active Directory/LDAP: Change the username and user password of users whose authorization is used for AD synchronization. 
– HTTP Authentication for GIT: Rotate the credentials in every GIT project. 
– B2D Customers: Use the following API PATCH api/v2/b2d-connection in the admin section to update the B2D connection. 
– Infusion Apps: Rotate the associated keys. 
– Web Access Token: Rotate all tokens. 
– Custom Email Server: Rotate associated credentials. 
– Custom Code: Reset any secrets that appear in custom code Notebooks.
If you need any assistance, please submit a customer support ticket at https://community.sisense.com/t5/support-portal/bd-p/SupportPortal and mark it as critical. We have a dedicated response team on standby to assist with your requests.
At Sisense, we give paramount importance to security and are committed to our customers’ success. Thank you for your partnership and commitment to our mutual security.
Regards,
Sangram Dash 
Chief Information Security Officer”
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2024/04/why-cisa-is-warning-cisos-about-a-breach-at-sisense/feed/</wfw:commentRss>
<slash:comments>33</slash:comments>
</item>
</channel>
</rss>
<!--
Performance optimized by W3 Total Cache. Learn more: https://www.boldgrid.com/w3-total-cache/
Object Caching 209/209 objects using memcached
Page Caching using memcached
Database Caching using memcached
Served from: krebsonsecurity.com @ 2024-05-17 22:48:13 by W3 Total Cache
-->

If you would like to create a banner that links to this page (i.e. this validation result), do the following:

Download the "valid RSS" banner.
Upload the image to your own server. (This step is important. Please do not link directly to the image on this server.)
Add this HTML to your page (change the image src attribute if necessary):

<a href="http://www.feedvalidator.org/check.cgi?url=http%3A//feeds.feedburner.com/krebsonsecurity/TEjH"><img src="valid-rss-rogers.png" alt="[Valid RSS]" title="Validate my RSS feed" /></a>

If you would like to create a text link instead, here is the URL you can use:

http://www.feedvalidator.org/check.cgi?url=http%3A//feeds.feedburner.com/krebsonsecurity/TEjH

Home · About · News · Docs · Terms