Risky Biz News: REvil returns; Ransomware gangs start adopting Monero

In other news: iOS apps are still tracking users despite Apple's ATT privacy mechanism; Russia says the US has stopped collaborating on cyber investigations after its invasion of Ukraine.

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary.

The original REvil ransomware cartel has returned and is carrying out new intrusions. The group has already hit and claimed attacks on Oil India, the second-largest oil and gas producer in India, and French marketing firm Visotec.

Initial reporting on the attacks attributed the intrusions to a group using a modified version of the REvil ransomware code. However, earlier today, the original “Happy Blog,” a dark web blog where the REvil gang posted the names of the companies they attacked, came back to life and started redirecting visitors to a new URL listing the two companies mentioned above.

The REvil gang’s return comes after Russian authorities detained several of its members in mid-January. The Russian FSB said it made the arrests at the request of US authorities.

But two weeks ago, Oleg Khramov, deputy secretary of Russia’s Security Council, said the US stopped collaborating with Russian authorities on cyber investigations after its military action in Ukraine. In a series of wild claims, Khramov said that the US only provided Russia with one name and IP address and that Russian law enforcement did all the heavy-duty work of tracking and arresting 14 REvil suspects. The Russian official also accused the US of being “rude.” All of Khramov’s claims contradict all previous reporting and first-hand experience of joint US law enforcement investigations.

In other ransomware-related news, a CipherTrace report has found that ransomware gangs are increasingly adopting Monero for ransomware payments. The company said that last year, in 2021, at least 22 ransomware strains accepted payments only in Monero, and at least seven groups accepted payments in both Bitcoin and Monero at the same time. CipherTrace also said that 23 other ransomware gangs provided Monero addresses to victims when the attacked organizations asked about making the payment in Monero.

In previous discussions this reporter had on this topic with subject-matter experts, Monero was not viewed as a stable payment option for ransomware gangs, primarily due to problems associated with gathering large sums in the short time needed to pay the attackers.

This liquidity problem—and not necessarily for ransomware payments—has been well-known since last year. Coincidentally, this same issue was center-stage in the crypto-world on Monday when cryptocurrency enthusiasts organized Monerorun, a coordinated action to withdraw large sums of Monero from public exchanges in an attempt to highlight the coin’s liquidity problems and the fact that exchanges are often trading in more Monero than they actually have on hand.

It also appears that a major privacy scandal is brewing in the Apple ecosystem. A recently published academic paper found that many iOS apps are bypassing the Apple App Tracking Transparency mechanism. Added in September 2020, this is a system that requires iOS app developers to use Privacy Nutrition Labels to notify users about what data they collect and then ask users, via a popup, whether they agree to this collection.

The study, summarized in this ArsTechnica piece, found that many apps contained incorrect information in their Privacy Nutrition Labels, that iOS apps loaded tracking code even if they stated they do not track users, and that apps tracked users even after the researchers declined to be tracked in the ATT mechanism.

Breaches and hacks

Ecuador got hit bad: The BlackCat ransomware gang has hit the municipality of Quito, Ecuador’s capital.

So did Costa Rica: The Conti ransomware gang has hit several Costa Rican government systems, including servers for the Ministry of Finance and the Ministry of Science, Innovation, Technology, and Telecommunications. The government responded by shutting down affected servers, which are still down days later.

Meanwhile, in Puerto Rico: A cyber attack has crippled Puerto Rico’s highway toll collection system, per the AP.

Tailored attack: Italian fashion house Armani was hit by a mysterious cyber-attack at the end of March. The company said it isolated systems before the attack could spread. Sounds like ransomware, although not confirmed yet.

Another crypto heist: The Beanstalk DeFi platform lost $182 million in a recent attack that exploited some of its protocols.

FOX data exposure: More than 58GB of data from FOX Broadcasting was found exposed online, including CMS details and 701 internal “@fox.com” email addresses.

Big wet fart: Okta concluded its investigation into the Lapsus$ breach and found the intruders had very limited access, despite their claims and the subsequent social media drama.

General tech and privacy

Google caught snooping: A paper [PDF] authored by a professor from Trinity College Dublin, in Ireland, has gone into the nitty-gritty of what type of telemetry data the Google Dialer and Messages apps are collecting from Android users. The behavior has been known, but the research details what exactly is being collected.

Bye-bye, SMBv1: Microsoft has disabled the SMBv1 protocol by default for Windows 11 Home Insiders, with the move expected to trickle down to all Windows 11 later this year.

Government, politics, and policy

Pegasus spyware in the UK: The NSO Group’s Pegasus spyware has been identified on phones of the UK government’s Prime Minister cabinet. Citizen Lab researchers, who uncovered the attack, told the New Yorker and the Guardian that they suspected the United Arab Emirates of orchestrating the attacks.

Pegasus spyware in Catalonia: A different Citizen Lab report published on Monday has also identified a years-long campaign where the NSO Group’s spyware has been used to spy on political figures, journalists, and activists in Catalonia, in events related to the region’s attempt to obtain independence from Spain.

EU refuses to intervene in spyware investigations: Responding on Monday to both reports, the European Commission said it would not investigate the use of the Pegasus spyware, leaving such investigations to state authorities. The response is disappointing because it’s usually the local governments deploying Pegasus in the first place. It’s like leaving Saudi Arabia to investigate itself for Jamal Khashoggi’s assassination.

Surveillance in South Africa: An MIT Technology report has also found a sprawling surveillance ecosystem developing in South Africa. Vumacam, the company building South Africa’s nationwide CCTV network, has over 6,600 cameras deployed in the field. Per the report, Vumacam has partnered with Chinese company Hikvision and Swedish company Axis Communications to provide the hardware, while the software is being provided by iSentry and Milestone.

Police hacking accusations: A media rights watchdog accused Malawi Police of hacking the website of the Platform for Investigative Journalism after it published a report on government corruption.

NATO cyber exercise: More than 2,000 participants from over 32 countries took part in this year’s NATO Locked Shields exercise. Participants had to defend Berylia, a fictional island country, from a series of cyber attacks that aimed to cripple large swaths of its critical infrastructure and military networks.

Cybercrime and threat intel

Americans are drowning in spam: With the perfect headline, Axios reported on Monday that SMS and call spam reached an all-time high in the US last month, with Americans receiving 42 spam texts in March, on average.

Scammers go after Ukrainians: Ukraine’s CERT team warned on Monday that scammers are trying to trick Ukrainians into sharing their card details on shady sites using lures of unclaimed EU help funds. Sounds like a terrible scam, but we’ve seen scammers go even lower.

Conti subgroup: Three reports published by InfinitumIT, AdvIntel, and ArcticWolf have linked the Karakurt extortion group to the Conti ransomware cartel. According to the reports, whenever a Conti ransomware attack was blocked before the victim’s data could be encrypted, the organization would be extorted using the Karakurt “identity” and threatened with the release of its data. If the file encryption process were successful, the extortion would continue under the Conti “brand.”

ATM attacks: ATM malware and logical attacks went down 74% across Europe last year, according to EAST [PDF], a financial sector organization tracking ATM attack trends.

Hacktivism in Israel: Hacktivist group DragonForce Malaysia has launched a campaign against Israeli targets. The operation is called OpsBedil and is replacing the now-defunct Anonymous operations known as OpIsrael.

Malware technical reports

Lazarus crypto attacks: CISA published an alert on Monday on TraderTraitor, a series of malicious Electron applications used by the North Korean APT Lazarus Group.

Free decrypter: Kaspersky has released a free decrypter for the Yanluowang ransomware after its researchers identified a flaw in the malware’s encryption routine. The ransomware was first spotted in October 2021 and was used primarily in targeted attacks against enterprises.

BotenaGo evolves: Nozomi Networks said it identified a new version of the BotenaGo botnet that can also target DVR devices. Spotted last year, the botnet already included exploits for more than 30 routers and IoT devices.

New homework: Security firms Prodaft and SentinelOne have published reports on the PYSA (Mespinoza) ransomware group. Similar reports on this ransomware group are also available from Cybereason, Palo Alto Networks, DFIR Report, and CERT-FR.

Conti goes FOSS… kinda: The Trellix team has published a report today on Conti’s Linux variant, used to encrypt VMware ESXi hypervisors usually deployed inside larger corporate networks.

APT vagueness

Ukraine: Broadcom’s Symantec team has published a report on new campaigns carried out by the Shuckworm (Armageddon/Gamaredon) APT in Ukraine.

Vulnerabilities and bug bounty

New attacks, part 1: VMware reports active exploitation of CVE-2022-22960. This comes after the company also confirmed active exploitation of CVE-2022-22954 last week.

New attacks, part 2: CISA warned that attackers are now exploiting a Windows Print Spooler bug tracked as CVE-2022-22718 in the wild.

Google’s zero-day stats: Google Project Zero has published a report on zero-days used last year in the wild. The team said it observed 58 zero-days last year, but the report only covered attacks and zero-days used on the major operating systems and did not include data about attacks on enterprise or networking devices, which would bring the number of actively exploited zero-days last year way higher.

Pwn2Own: The Pwn2Own ICS hacking contest, which took place at the S4x22 Miami ICS security conference, has concluded. The results are here.

You gotta be kidding me: Palo Alto Networks found that AWS patches for the Log4Shell vulnerability were themselves vulnerable and allowed attackers to escape containers and escalate access. TL;DR: “If you installed the hot patch to a Kubernetes cluster, every container in your cluster can now escape until you either disable the hot patch or upgrade to the fixed version.”

Get patchin’: The Oracle quarterly security updates (for April 2022) are out. Enjoy your 520 security fixes, including a bunch of 9.8 CVSS-score no-auth RCEs.

Sucks for you, Lenovo owner: More than 100 Lenovo consumer laptop models contain firmware-level vulnerabilities that allow attackers to install malware that can persist across OS reinstalls, per a report. The affected models are listed here.