So, YES, we moved to SubStack. It will be way easier. I hope you like it. Feel free to provide feedback! (AND YES, IT WILL STAY FREE!)
So, TomCyberDaily, #16! New SubStack edition, LET'S GO!
1) LockBit's Main Man Revealed: Dmitry Khoroshev, the Russian Ransomware Ringleader!
The U.K. NCA has finally unmasked the brains behind LockBit, and it's none other than 31-year-old Russian national Dmitry Khoroshev, aka LockBitSupp and putinkrab. It's like a cybercrime episode of "Scooby-Doo," but instead of a rubber mask, it's a digital one!
Khoroshev is now facing a smorgasbord of sanctions and criminal charges from the U.K., U.S., and Australia, with a $10 million bounty on his head. It's like being the star of his own international manhunt, but without the glitz and glamour!
The U.S. DOJ has also thrown the book at Khoroshev, charging him with 26 counts that could put him behind bars for a mind-boggling 185 years. That's like getting a prison sentence longer than most people's lifespans!
Khoroshev, the mastermind behind LockBit since 2019, allegedly pocketed $100 million from the RaaS scheme. That's enough to buy a small country, or at least a lifetime supply of vodka and caviar!
But plot twist: LockBit even targeted Russian victims, proving that no one is safe from their digital extortion racket, not even their own countrymen!
As LockBit crumbles under the weight of Operation Cronos, it's clear that the ransomware world has been shaken to its core. With Khoroshev's unmasking and a hefty price on his head, it's like a real-life game of "Wanted: Dead or Alive," but with more computers and fewer cowboys!
2) Russian BTC-e Operator Pleads Guilty to Money Laundering: A Crypto Crime Caper!
Alexander Vinnik, a 44-year-old Russian operator of the now-defunct BTC-e cryptocurrency exchange, has finally admitted to his money laundering misdeeds from 2011 to 2017. It's like a digital version of "Catch Me If You Can," but with more bitcoins and fewer charming Leonardo DiCaprio smiles!
Vinnik and his gang of crypto conspirators were accused of running BTC-e, a virtual haven for cybercriminals looking to trade their ill-gotten bitcoins with the anonymity of a masked ball. It's like a digital speakeasy, but instead of bootleg alcohol, they were dealing in dirty digital cash!
BTC-e was the go-to spot for all sorts of online ne'er-do-wells, from ransomware racketeers to identity thieves, corrupt politicians to drug dealers. It's like a who's who of the digital underworld, all gathered under one virtual roof!
The exchange allegedly processed over $9 billion in transactions and served more than a million users worldwide, all while thumbing its nose at pesky things like anti-money laundering laws and know-your-customer guidelines. It's like a financial wild west, but with more keyboards and fewer tumbleweeds!
Vinnik's guilty plea comes after a lengthy legal odyssey that saw him arrested in Greece, extradited to the U.S., and charged with a laundry list of financial crimes. It's like a global game of "hot potato," but with a Russian money launderer instead of a spud!
The U.S. government has also gone after another BTC-e operator, Aliaksandr Klimenka, in a separate case, proving that there's no honor among crypto thieves!
As for BTC-e, it was slapped with a whopping $110 million civil penalty by the U.S. Treasury Department for its AML violations, while Vinnik himself was hit with an additional $12 million penalty. It's like a financial double whammy, but without the game show prizes!
So, let this be a lesson to all you would-be crypto criminals out there: the long arm of the law may move slowly, but it eventually catches up to you, even in the digital wild west of cryptocurrency!
3) LiteSpeed Cache Bug Exploited: Hackers Take the WordPress Wheel!
Attention all WordPress website owners: there's a new high-severity flaw in town, and it's causing quite a stir in the cybersecurity world! The culprit? A vulnerability in the LiteSpeed Cache plugin (CVE-2023-40000) that's allowing hackers to create bogus admin accounts and wreak havoc on unsuspecting websites. It's like a digital version of "The Sorcerer's Apprentice," but instead of enchanted brooms, we've got rogue admins!
Threat actors have been spotted exploiting this flaw to set up fake admin users with names like "wpsupp-user" and "wp-configuser." It's like a hacker's idea of a practical joke, but instead of whoopee cushions, they're using cross-site scripting (XSS) vulnerabilities!
The flaw, which was disclosed by Patchstack back in February 2024 (because apparently, we're living in the future now), could allow an unauthenticated user to level up their privileges with some cleverly crafted HTTP requests. It's like a cheat code for hackers, but instead of extra lives, they get full control of your website!
Now, you might be thinking, "But I updated my LiteSpeed Cache plugin ages ago!" Well, it turns out that 16.8% of all websites are still running outdated versions, making them prime targets for these digital ne'er-do-wells. It's like leaving your front door unlocked and then being surprised when someone waltzes in and rearranges your furniture!
But wait, there's more! These hacked websites are being injected with malicious JavaScript hosted on domains that sound like they were created by a random word generator. It's like a bad game of "Mad Libs," but instead of silly stories, you get malware!
To add insult to injury, Sucuri has also uncovered a redirect scam campaign called Mal.Metrica, which uses fake CAPTCHA prompts to lure unsuspecting users to malicious websites. It's like a digital version of "Simon Says," but instead of touching your toes, you're clicking on links that could steal your personal info!
So, what's a website owner to do? First, update your LiteSpeed Cache plugin ASAP! Then, review your installed plugins, delete any suspicious files, and maybe say a prayer to the cybersecurity gods for good measure. And if you're a regular user, be wary of clicking on links that seem fishy – no matter how tempting that "You've Won a Free Cruise!" popup might be!
4) MITRE Shares Juicy Details on China-Linked Hack: A Cybersecurity Whodunit!
Gather 'round, folks, because MITRE has just dropped some tasty morsels about their recent security breach, and it's like a digital version of Clue, but with more malware and fewer candlesticks!
First off, MITRE has pointed the finger at a nation-state actor (cough, China, cough) who managed to breach their systems back in January 2024 by chaining together two Ivanti Connect Secure zero-day vulnerabilities. It's like a cybersecurity version of a Rube Goldberg machine, but instead of a wacky contraption, we've got a foreign adversary poking around in MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE). Try saying that five times fast!
The investigation is still ongoing, but MITRE has already uncovered some juicy details, like the fact that the attackers used a web shell called ROOTROT to gain a foothold in their systems. It's like a digital version of a secret passageway, but instead of leading to a hidden room, it leads to a world of cybersecurity headaches!
From there, the attackers went on a reconnaissance mission, accessing vCenter, communicating with ESXi hosts, and even logging into accounts via RDP. It's like they were on a virtual tour of MITRE's network, but instead of taking photos, they were snooping around for sensitive data!
But wait, there's more! The attackers also deployed a whole slew of malicious payloads, including the BRICKSTORM backdoor, the BEEFLUSH web shell, and the WIREFIRE and BUSHWALK web shells. It's like a cybercriminal's version of a Swiss Army knife, but instead of a corkscrew and a tiny pair of scissors, it's got persistence and data exfiltration capabilities!
MITRE has even provided some handy indicators of compromise for these payloads, so if you see any suspicious files with names like "BRICKSTORM" or "BEEFLUSH" on your network, it might be time to call in the cybersecurity cavalry!
Now, here's where things get really interesting: MITRE has attributed this attack to a China-linked APT group called UNC5221. It's like a real-life game of "Guess Who?" but instead of asking if the suspect has glasses or a mustache, you're looking for indicators of Chinese cyber-espionage!
So, there you have it, folks: a tale of zero-days, web shells, and international intrigue, all courtesy of MITRE's recent security breach. It just goes to show that even the most diligent organizations can fall victim to a determined adversary with a few clever tricks up their sleeve. But hey, at least we got a good story out of it, right?
5) FBI vs. Scattered Spider: The Cyber Cops' Conundrum!
The FBI is facing a formidable foe in the hacking collective known as Scattered Spider, and it's like a high-stakes game of cat and mouse, but with more keyboards and fewer whiskers!
Brett Leatherman, the FBI's deputy assistant director of the cyber division, sat down with Recorded Future News at the RSA Conference in San Francisco to dish on the bureau's battle against these pesky arachnids. And let me tell you, it's not your average spider-squashing operation!
Scattered Spider, also known by a slew of other monikers (because apparently, one cool name just isn't enough for these hackers), has been wreaking havoc on some of the biggest companies in the U.S. They use social engineering to trick users into handing over their login credentials, like a cybercriminal version of "hey, can I borrow your keys?"
Once they've wormed their way in, these hackers make themselves at home in the victim's network, living off the land like a bunch of digital survivalists. Then, they unleash their payload: ransomware, data theft, and good old-fashioned extortion. It's like a cybercrime buffet, and these guys are going back for seconds!
But here's the thing: Scattered Spider isn't your run-of-the-mill hacking group. They're a splinter cell of a larger online criminal network called "the Community" (or "the Com" for short, because even cybercriminals love a good abbreviation). And with their size, expertise, and alleged ties to Russian ransomware gangs, they're giving the FBI a run for its money.
Leatherman admits that not all disruptions are created equal. Sure, the U.S. and its allies managed to wipe out a global network of computers infected by Russian malware last year, but Scattered Spider is a different beast altogether. It's like trying to eradicate a street gang in a major city – you might arrest a few members, but there's always someone waiting in the wings to take their place.
The FBI has been catching some flak for its seeming lack of action against Scattered Spider, save for the arrest of a 19-year-old Floridian who allegedly stole $800,000 in cryptocurrency. But Leatherman assures us that there's more going on behind the scenes than meets the eye. It's like a cybersecurity version of "The Prestige" – you might not see the trick, but trust us, it's happening!
So, while the public might be clamoring for more visible action against Scattered Spider, Leatherman urges patience. The FBI is putting its best and brightest on the case, even if we don't always hear about it. It's like a digital version of "The Untouchables," but instead of taking down Al Capone, they're going after a bunch of keyboard warriors with a penchant for extortion.
In the end, the battle against Scattered Spider is far from over. But with the FBI on the case, these hackers might just find themselves tangled up in a web of their own making. And who knows, maybe one day we'll see a movie about it – "The Spider-Man of Cybercrime" has a nice ring to it, don't you think?
6) Tinyproxy Users, Beware: Over 50,000 Servers Vulnerable to RCE Flaw!
Attention all Tinyproxy users: there's a new critical vulnerability in town, and it's not tiny at all! CVE-2023-49606, a recently disclosed remote code execution (RCE) flaw, is affecting nearly 52,000 internet-exposed Tinyproxy instances. It's like a digital version of "Honey, I Blew Up the Kid," but instead of a giant toddler, we've got a giant security hole!
For those who don't know, Tinyproxy is an open-source HTTP and HTTPS proxy server that's designed to be fast, small, and lightweight. It's like the sports car of proxy servers, but instead of burning rubber, it's burning through your security!
Cisco Talos discovered this critical flaw back in December 2023, but apparently, the Tinyproxy developers were too busy sipping eggnog to respond. So, Cisco did what any responsible cybersecurity company would do: they shared detailed information about the vulnerability, including proof-of-concept exploits that could crash the server and potentially lead to remote code execution. It's like giving a toddler a box of matches and a can of gasoline – what could possibly go wrong?
The flaw occurs in the 'remove_connection_headers()' function, where specific HTTP headers are not correctly managed, leading to memory being freed and then incorrectly accessed again. It's like a digital version of "The Walking Dead," but instead of zombies, we've got memory corruption!
And get this: the vulnerability can be easily exploited with a simple malformed HTTP request, without requiring authentication. It's like leaving your front door wide open and then being surprised when someone walks in and steals your TV!
Censys, the internet scanning company, found a whopping 90,000 internet-exposed Tinyproxy services online, with about 57% of them vulnerable to CVE-2023-49606. Most of these instances are located in the United States, South Korea, China, France, and Germany. It's like a global game of "Where's Waldo?" but instead of finding a bespectacled man in a striped shirt, you're finding vulnerable proxy servers!
But wait, there's a plot twist! Five days after Cisco disclosed the bug, the Tinyproxy maintainers released a fix for CVE-2023-49606. However, they disputed that Cisco properly disclosed the bug, claiming they never received the report via the project's requested disclosure channels. It's like a cybersecurity version of "He Said, She Said," but with more code and fewer romantic misunderstandings!
The security fix is in the upcoming version 1.11.2, but if you're in a hurry, you can pull the change from the master branch or manually apply the fix. It's like a digital version of "DIY Home Repair," but instead of fixing a leaky faucet, you're patching a critical RCE vulnerability!
So, if you're a Tinyproxy user, it's time to update your software faster than you can say "CVE-2023-49606." And if you're not sure if you're affected, maybe it's time to have a chat with your IT department. After all, when it comes to cybersecurity, it's better to be safe than sorry!
That is all for today! I hope you liked the new SubStack way, feel free as always to leave feedback at my LinkedIn: https://www.linkedin.com/in/opsec1337/