Ransomware – Kaspersky official blog
https://www.kaspersky.com/blog

The biggest ransomware attacks of 2023 | Kaspersky official blog
https://www.kaspersky.com/blog/ransowmare-attacks-in-2023/50634/
Tue, 20 Feb 2024 13:13:27 +0000

Time was when any ransomware incident would spark a lively press and public reaction. Fast forward to the present, and the word “ransomware” in a headline doesn’t generate nearly as much interest: such attacks have become commonplace. Nonetheless, they continue to pose a grave threat to corporate security. This review spotlights the biggest and most high-profile incidents that occurred in 2023.

January 2023: LockBit attack on the UK’s Royal Mail

The year kicked off with the LockBit group attacking Royal Mail, the UK’s national postal service. The attack paralyzed international mail delivery, leaving millions of letters and parcels stuck in the company’s system. On top of that, the parcel tracking website, online payment system, and several other services were also crippled; and at the Royal Mail distribution center in Northern Ireland, printers began spewing out copies of the LockBit group’s distinctive orange ransom note.

LockBit demands a ransom from Royal Mail

The LockBit ransom note that printers at the Royal Mail distribution center began printing in earnest. Source

As is commonly the case with modern ransomware attacks, LockBit threatened to post stolen data online unless the ransom was paid. Royal Mail refused to pay up, so the data ended up being published.

February 2023: ESXiArgs attacks VMware ESXi servers worldwide

February saw a massive automated ESXiArgs ransomware attack on organizations through the RCE vulnerability CVE-2021-21974 in VMware ESXi servers. Although VMware released a patch for this vulnerability back in early 2021, the attack left more than 3000 VMware ESXi servers encrypted.

The attack operators demanded just over 2BTC (around $45,000 at the time of the attack). For each individual victim they generated a new Bitcoin wallet and put its address in the ransom note.

ESXiArgs ransom note

Ransom demand from the original version of ESXiArgs ransomware. Source

Just days after the attack began, the cybercriminals unleashed a new strain of the cryptomalware, making it far harder to recover encrypted virtual machines. To make their activities more difficult to trace, they also stopped giving out ransom wallet addresses, prompting victims to make contact through the P2P messenger Tox instead.

March 2023: Clop group widely exploits a zero-day in GoAnywhere MFT

In March 2023, the Clop group began widely exploiting a zero-day vulnerability in Fortra’s GoAnywhere MFT (managed file transfer) tool. Clop is well-known for its penchant for exploiting vulnerabilities in such services: in 2020–2021, the group attacked organizations through a hole in Accelon FTA, switching in late 2021 to exploiting a vulnerability in SolarWinds Serv-U.

In total, more than 100 organizations suffered attacks on vulnerable GoAnywhere MFT servers, including Procter & Gamble, the City of Toronto, and Community Health Systems — one of the largest healthcare providers in the U.S.

Map of Fortra GoAnywhere MFT servers accessible online

Map of GoAnywhere MFT servers connected to the internet. Source

April 2023: NCR Aloha POS terminals disabled by BlackCat attack

In April, the ALPHV group (aka BlackCat — after the ransomware it uses) attacked NCR, a U.S. manufacturer and servicer of ATMs, barcode readers, payment terminals, and other retail and banking equipment.

The ransomware attack shut down the data centers handling the Aloha POS platform — which is used in restaurants, primarily fast food — for several days.

NCR Aloha POS platform

NCR Aloha POS platform disabled by the ALPHV/BlackCat group. Source

Essentially, the platform is a one-stop shop for managing catering operations: from processing payments, taking online orders, and operating a loyalty program, to managing the preparation of dishes in the kitchen and payroll accounting. As a result of the ransomware attack on NCR, many catering establishments were forced to revert to pen and paper.

May 2023: Royal ransomware attack on the City of Dallas

Early May saw a ransomware attack on municipal services in Dallas, Texas — the ninth most populous city in the U.S. Most affected were IT systems and communications of the Dallas Police Department, and printers on the City of Dallas network began churning out ransom notes.

Royal ransomware extorts the City of Dallas

The Royal ransom note printed out through City of Dallas network printers. Source

Later that month, there was another ransomware attack on an urban municipality: the target this time was the City of Augusta in the U.S. state of Georgia, and the perpetrators were the BlackByte group.

June 2023: Clop group launches massive attacks through vulnerability in MOVEit Transfer

In June, the same Clop group responsible for the February attacks on Fortra GoAnywhere MFT began exploiting a vulnerability in another managed file transfer tool — Progress Software’s MOVEit Transfer. This vulnerability, CVE-2023-34362, was disclosed and fixed by Progress on the last day of May, but as usual, not all clients managed to apply the patches quickly enough.

This ransomware attack — one of the largest incidents of the year — affected numerous organizations, including the oil company Shell, the New York City Department of Education, the BBC media corporation, the British pharmacy chain Boots, the Irish airline Aer Lingus, the University of Georgia, and the German printing equipment manufacturer Heidelberger Druckmaschinen.

Clop demands a ransom

The Clop website instructs affected companies to contact the group for negotiations. Source

July 2023: University of Hawaii pays ransom to the NoEscape group

In July, the University of Hawaii admitted to paying off the ransomware operators. The incident itself occurred a month earlier, when all eyes were fixed on the attacks on MOVEit. During that time, a relatively new group going by the name of NoEscape infected one of the university departments, Hawaiian Community College, with ransomware.

Having stolen 65GB of data, the attackers threatened the university with publication. The personal information of 28,000 people was apparently at risk of compromise. It was this fact that convinced the university to pay the ransom to the extortionists.

NoEscape ransomware attack on the University of Hawaii

NoEscape announces the hack of the University of Hawaii on its website. Source

Of note is that university staff had to temporarily shut down IT systems to stop the ransomware from spreading. Although the NoEscape group supplied a decryption key upon payment of the ransom, the restoration of the IT infrastructure was expected to take two months.

August 2023: Rhysida targets the healthcare sector

August was marked by a series of attacks by the Rhysida ransomware group on the healthcare sector. Prospect Medical Holdings (PMH), which operates 16 hospitals and 165 clinics across several American states, was the organization that suffered the most.

The hackers claimed to have stolen 1TB of corporate documents and a 1.3TB SQL database containing 500,000 social security numbers, passports, driver’s licenses, patient medical records, as well as financial and legal documents. The cybercriminals demanded a 50BTC ransom (then around $1.3 million).

Rhysida demands a ransom

Ransom note from the Rhysida group. Source

September 2023: BlackCat attacks Caesars and MGM casinos

In early September, news broke of a ransomware attack on two of the biggest U.S. hotel and casino chains — Caesars and MGM — in one stroke. Behind the attacks was the ALPHV/BlackCat group, mentioned above in connection with the assault on the NCR Aloha POS platform.

The incident shut down the companies’ entire infrastructure — from hotel check-in systems to slot machines. Interestingly, the victims responded in very different ways. Caesars decided to pay the extortionists $15 million, half of the original $30 million demand.

MGM chose not to pay up, but rather to restore the infrastructure on its own. The recovery process took nine days, during which time the company lost $100 million (its own estimate), of which $10 million was direct costs related to restoring the downed IT systems.

BlackCat ransomware attacks on Caesars and MGM

Caesars and MGM own more than half of Las Vegas casinos

October 2023: BianLian group extorts Air Canada

A month later, the BianLian group targeted Canada’s flag carrier, Air Canada. The attackers claim they stole more than 210GB of various information, including employee/supplier data and confidential documents. In particular, the attackers managed to steal information on technical violations and security issues of the airline.

BianLian extorts Air Canada

The BianLian website demands a ransom from Air Canada. Source

November 2023: LockBit group exploits Citrix Bleed vulnerability

November was remembered for the Citrix Bleed vulnerability, exploited by the LockBit group, which we also discussed above. Although patches for this vulnerability were published a month earlier, at the time of the large-scale attack more than 10,000 publicly accessible servers remained vulnerable. This is what the LockBit ransomware took advantage of to breach the systems of several major companies, steal data, and encrypt files.

Among the big-name victims was Boeing, whose stolen data the attackers ended up publishing without waiting for the ransom to be paid. The ransomware also hit the Industrial and Commercial Bank of China (ICBC), the largest commercial bank in the world.

LockBit extorts Boeing

The LockBit website demands a ransom from Boeing

The incident badly hurt the Australian arm of DP World, a major UAE-based logistics company that operates dozens of ports and container terminals worldwide. The attack on DP World Australia’s IT systems massively disrupted its logistics operations, leaving some 30,000 containers stranded in Australian ports.

December 2023: ALPHV/BlackCat infrastructure seized by law enforcement

Toward the end of the year, a joint operation by the FBI, the U.S. Department of Justice, Europol, and law enforcement agencies of several European countries deprived the ALPHV/BlackCat ransomware group of control over its infrastructure. Having hacked it, they quietly observed the cybercriminals’ actions for several months, collecting data decryption keys and aiding BlackCat victims.

In this way, the agencies rid more than 500 organizations worldwide of the ransom threat and saved around $68 million in potential payouts. This was followed in December by a final takeover of the servers, putting an end to BlackCat’s operations.

The end of ALPHV/BlackCat activity

The joint law enforcement operation to seize ALPHV/BlackCat infrastructure. Source

Various statistics about the ransomware group’s operations were also made public. According to the FBI, during the two years of its activity, ALPHV/BlackCat breached more than a thousand organizations, demanded a total of more than $500 million from victims, and received around $300 million in ransom payments.

How to guard against ransomware attacks

Ransomware attacks are becoming more varied and sophisticated with each passing year, so there isn’t (and can’t be) one killer catch-all tip to prevent incidents. Defense measures must be comprehensive. Focus on the following tasks:

Authentication bypass exploit in GoAnywhere MFT | Kaspersky official blog
https://www.kaspersky.com/blog/exploit-authentication-bypass-vulnerability-goanywhere-mft/50344/
Fri, 26 Jan 2024 14:07:32 +0000

Researchers have analyzed the CVE-2024-0204 vulnerability in Fortra GoAnywhere MFT software (MFT standing for managed file transfer) and published exploit code that takes advantage of it. We explain the danger, and what organizations that use this software should do about it.

Vulnerability CVE-2024-0204 in GoAnywhere MFT

Let’s start by briefly recounting the story of this vulnerability in GoAnywhere. In fact, Fortra, the company developing this solution, patched this vulnerability back in early December 2023 with the release of GoAnywhere MFT 7.4.1. However, at that time the company chose not to disclose any information about the vulnerability, limiting itself to sending private recommendations to clients.

The essence of the vulnerability is as follows. After a user completes initial setup of GoAnywhere, the product’s internal logic blocks access to the initial account setup page. Then when they attempt to access this page, they’re redirected either to the admin panel (if they’re authenticated as an administrator) or to the authentication page.

However, researchers discovered that an alternative path to the InitialAccountSetup.xhtml file can be used, which the redirection logic does not take into account. In this scenario, GoAnywhere MFT allows anyone to access this page and create a new user account with administrator privileges.

As proof of the attack’s feasibility, the researchers wrote and published a short script that can create admin accounts in vulnerable versions of GoAnywhere MFT. All an attacker needs is to specify a new account name, a password (the only requirement is that it contains at least eight characters, which is interesting in itself), and the path:

Part of the exploit code for the CVE-2024-0204 vulnerability in Fortra GoAnywhere MFT

Part of the exploit code for the CVE-2024-0204 vulnerability. Highlighted in red is the alternative path to the initial account setup page that enables the creation of users with administrator privileges

In general, this vulnerability closely resembles that discovered in Atlassian Confluence Data Center and Confluence Server a few months ago; there, too, it was possible to create admin accounts in a few simple steps.

Fortra assigned vulnerability CVE-2024-0204 “critical” status, with a CVSS 3.1 score of 9.8 out of 10.

A little context is necessary here. In 2023, the Clop ransomware group already exploited vulnerabilities in Fortra GoAnywhere MFT and also similar products from other developers — Progress MOVEit, Accellion FTA, and SolarWinds Serv-U — to attack hundreds of organizations worldwide. In particular, companies such as Procter & Gamble, Community Health Systems (CHS, one of the largest hospital networks in the U.S.A.), and the municipality of Toronto suffered from the exploitation of the GoAnywhere MFT vulnerability.

How to defend against CVE-2024-0204 exploitation

The obvious way to protect against exploitation of this vulnerability is to update GoAnywhere MFT to version 7.4.1 immediately, which fixes the logic for denying access to the InitialAccountSetup.xhtml page.

If you can’t install the update for some reason, you can try one of two simple workarounds:

  • Delete the InitialAccountSetup.xhtml file in the installation folder and restart the service;

or

  • Replace InitialAccountSetup.xhtml with a blank file and restart the service.

You should also use an EDR (Endpoint Detection and Response) solution to monitor suspicious activity in the corporate network. If your internal cybersecurity team lacks the skills or resources for this, you can use an external service to continuously hunt for threats to your organization and swiftly respond to them.
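The redirect check described above and the monitoring advice in this section, as an added example that is neither Fortra's code nor the researchers' script: a guard that compares the raw request string with the setup page beside one that canonicalizes the path first, plus a scan of constructed access-log lines for requests that resolve to InitialAccountSetup.xhtml under a non-canonical spelling or receive a 200 after setup is complete. The /wizard/ directory, the redirect targets, the log format and every request path are assumptions; only the page name comes from the advisory.

```python
"""Canonicalize-before-authorize, illustrated on the CVE-2024-0204 pattern.

Added example, not Fortra's code: GoAnywhere's real routing, directory layout
and log format are not reproduced.  Only the page name
InitialAccountSetup.xhtml comes from the advisory; the '/wizard/' directory,
the redirect targets and every request path below are constructed.
"""
from __future__ import annotations

import posixpath
import re
from dataclasses import dataclass
from urllib.parse import unquote

SETUP_PAGE = "/wizard/InitialAccountSetup.xhtml"  # directory assumed, page name from the advisory


def canonicalize(path: str) -> str:
    """Reduce a request path to the form the server will actually resolve.

    Mirror whatever the deployed server does; this version undoes (double)
    percent-encoding, collapses repeated slashes and resolves '.' and '..'.
    """
    decoded = unquote(unquote(path.split("?", 1)[0]))  # drop the query string, decode twice
    collapsed = re.sub(r"/+", "/", decoded)  # a leading '//' would survive normpath (POSIX special case)
    normalized = posixpath.normpath(collapsed)  # resolves dot segments
    return normalized if normalized.startswith("/") else "/" + normalized


@dataclass(frozen=True)
class Request:
    path: str
    is_admin: bool = False


def route_naive(req: Request, setup_complete: bool) -> str:
    """Guard as the write-up describes the flaw: it fires only on the literal
    spelling of the setup page, so any other spelling reaches the page."""
    if setup_complete and req.path == SETUP_PAGE:
        return "redirect:/admin" if req.is_admin else "redirect:/login"
    return "serve:" + req.path


def route_hardened(req: Request, setup_complete: bool) -> str:
    """Canonicalize first, then decide.  After setup the setup page is never
    served, whatever spelling the client used."""
    target = canonicalize(req.path)
    if setup_complete and target == SETUP_PAGE:
        return "redirect:/admin" if req.is_admin else "redirect:/login"
    return "serve:" + target


# Constructed Apache-style access-log lines (not a real GoAnywhere log format).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jan/2024:10:01:02 +0000] "GET /login.xhtml HTTP/1.1" 200 1532',
    '203.0.113.5 - - [22/Jan/2024:10:01:09 +0000] "GET /wizard/InitialAccountSetup.xhtml HTTP/1.1" 302 0',
    '198.51.100.7 - - [22/Jan/2024:10:02:41 +0000] "GET /wizard/./InitialAccountSetup.xhtml HTTP/1.1" 200 4120',
    '198.51.100.7 - - [22/Jan/2024:10:02:58 +0000] "POST /wizard/%49nitialAccountSetup.xhtml HTTP/1.1" 302 0',
]
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def flag_setup_page_hits(log_lines: list[str], setup_complete: bool = True) -> list[tuple[str, int]]:
    """Return (raw path, status) for requests that resolve to the setup page and
    are either spelled non-canonically or were answered 200 after setup.

    A 302 for the canonical spelling is the expected post-setup behaviour and
    is not flagged; a 200 means the page was actually served.
    """
    hits: list[tuple[str, int]] = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or canonicalize(m["path"]) != SETUP_PAGE:
            continue
        raw, status = m["path"], int(m["status"])
        if raw.split("?", 1)[0] != SETUP_PAGE or (setup_complete and status == 200):
            hits.append((raw, status))
    return hits


if __name__ == "__main__":
    probe = Request("/wizard/./InitialAccountSetup.xhtml")
    print("naive   :", route_naive(probe, setup_complete=True))     # served: the guard never fired
    print("hardened:", route_hardened(probe, setup_complete=True))  # redirect:/login
    for raw, status in flag_setup_page_hits(SAMPLE_LOG):
        print(f"suspicious: {raw} -> {status}")
```

The same canonicalize-then-compare rule applies to any access decision keyed on a URL path, not only to this page; the log scan is only meaningful after initial setup, since a 200 for the setup page is legitimate before then.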

Where Linux is in your home, and how to protect Linux devices from hacking | Kaspersky official blog
https://www.kaspersky.com/blog/linux-at-home-threats-and-protection/49105/
Wed, 27 Sep 2023 14:16:42 +0000

Over the first 23 years of this century, the Linux operating system has become as ubiquitous as Windows. Although only 3% of people use it on their laptops and PCs, Linux dominates the Internet of Things, and is also the most popular server OS. You almost certainly have at least one Linux device at home — your Wi-Fi router. But it’s highly likely there are actually many more: Linux is often used in smart doorbells, security cameras, baby monitors, network-attached storage (NAS), TVs, and so on.

At the same time, Linux has always had a reputation of being a “trouble-free” OS that requires no special maintenance and is of no interest to hackers. Unfortunately, neither of these things is true of Linux anymore. So what are the threats faced by home Linux devices? Let’s consider three practical examples.

Router botnet

By running malware on a router, security camera, or some other device that’s always on and connected to the internet, attackers can exploit it for various cyberattacks. The use of such bots is very popular in DDoS attacks. A textbook case was the Mirai botnet, used to launch the largest DDoS attacks of the past decade.

Another popular use of infected routers is running a proxy server on them. Through such a proxy, criminals can access the internet using the victim’s IP address and cover their tracks.

Both of these services are constantly in demand in the cybercrime world, so botnet operators resell them to other cybercriminals.

NAS ransomware

Major cyberattacks on large companies with subsequent ransom demands (that is, ransomware attacks) have made us almost forget that this underground industry started with very small threats to individual users. Encrypting your computer and demanding a hundred dollars for decryption — remember that? In a slightly modified form, this threat re-emerged in 2021 and evolved in 2022 — but now hackers are targeting not laptops and desktops, but home file servers and NAS. At least twice, malware has attacked owners of QNAP NAS devices (Qlocker, Deadbolt). Devices from Synology, LG, and ZyXEL faced attacks as well. The scenario is the same in all cases: attackers hack publicly accessible network storage via the internet by brute-forcing passwords or exploiting vulnerabilities in its software. Then they run Linux malware that encrypts all the data and presents a ransom demand.

Spying on desktops

Owners of desktop or laptop computers running Ubuntu, Mint, or other Linux distributions should also be wary. “Desktop” malware for Linux has been around for a long time, and now you can even encounter it on official websites. Just recently, we discovered an attack in which some users of the Linux version of Free Download Manager (FDM) were being redirected to a malicious repository, where they downloaded a trojanized version of FDM onto their computers.

To pull off this trick, the attackers hacked into the FDM website and injected a script that randomly redirected some visitors to the official, “clean” version of FDM, and others to the infected one. The trojanized version deployed malware on the computer, stealing passwords and other sensitive information. There have been similar incidents in the past, for example, with Linux Mint images.

It’s important to note that vulnerabilities in Linux and popular Linux applications are regularly discovered (here’s a list just for the Linux kernel). Therefore, even correctly configured OS tools and access roles don’t provide complete protection against such attacks.

Basically, it’s no longer advisable to rely on widespread beliefs such as “Linux is less popular and not targeted”, “I don’t visit suspicious websites”, or “just don’t work as a root user”. Protection for Linux-based workstations must be as thorough as for Windows and macOS ones.

How to protect Linux systems at home

Set a strong administrator password for your router, NAS, baby monitor, and home computers. The passwords for these devices must be unique. Brute forcing passwords and trying default factory passwords remain popular methods of attacking home Linux. It’s a good idea to store strong (long and complex) passwords in a password manager so you don’t have to type them in manually each time.

Update the firmware of your router, NAS, and other devices regularly. Look for an automatic update feature in the settings — that’s very handy here. These updates will protect against common attacks that exploit vulnerabilities in Linux devices.

Disable Web access to the control panel. Most routers and NAS devices allow you to restrict access to their control panel. Ensure your devices cannot be accessed from the internet and are only available from the home network.

Minimize unnecessary services. NAS devices, routers, and even smart doorbells function as miniature servers. They often include additional features like media hosting, FTP file access, printer connections for any home computer, and command-line control over SSH. Keep only the functions you actually use enabled.

Consider limiting cloud functionality. If you don’t use the cloud functions of your NAS (such as WD My Cloud) or can do without them, it’s best to disable them entirely and access your NAS only over your local home network. Not only will this prevent many cyberattacks, but it will also safeguard you against incidents on the manufacturer’s side.

Use specialized security tools. Depending on the device, the names and functions of available tools may vary. For Linux PCs and laptops, as well as some NAS devices, antivirus solutions are available, including regularly updated open-source options like ClamAV. There are also tools for more specific tasks, such as rootkit detection.

For desktop computers, consider switching to the Qubes operating system. It’s built entirely on the principles of containerization, allowing you to completely isolate applications from each other. Qubes containers are based on Fedora and Debian.

The attack via Progress MOVEit Transfer | Kaspersky official blog
https://www.kaspersky.com/blog/moveit-transfer-attack-protection/48598/
Tue, 11 Jul 2023 14:22:02 +0000

If you’re unfamiliar with the corporate file-sharing app MOVEit Transfer, it’s still worth studying how it was hacked – if only for its sheer scale: hundreds of organizations were affected, including, among many others, Shell, the New York State Education Department, the BBC, Boots, Aer Lingus, British Airways, several large healthcare providers across the globe, the University of Georgia, and Heidelberger Druck. Both ironically and sadly, MOVEit Transfer is touted as “Secure Managed File Transfer Software for the Enterprise” by its creators, Ipswitch (now part of a company named Progress). It’s a managed file transfer (MFT) system that helps employees share large files with contractors via SFTP, SCP and HTTP, offered as a cloud or on-premise solution.

The series of incidents represents a cautionary tale for everyone in charge of information security at an organization.

How MOVEit Transfer was hacked

Without going into every twist and turn of MOVEit users’ turbulent one-and-a-half-months, we’ll cover the key events.

Reports about suspicious activity on the networks of many organizations that used MOVEit Transfer started surfacing on May 27, 2023. According to an investigation, malicious actors were taking advantage of an unknown vulnerability to steal data by running SQL queries.

On May 31, Progress released their first security bulletin, which summarized the fixes that had been released up to that point and recommended remediation steps. The company originally believed the issue was limited to on-premise installations, but it was later found that the cloud version of MOVEit was affected as well. MOVEit Cloud was temporarily shut down for patching and investigations. Rapid7 researchers counted a total of 2500 vulnerable on-premise servers.

On June 2, the vulnerability was assigned the identifier CVE-2023-34362 and a CVSS score of 9.8 (out of 10). Incident researchers attributed the threat to the cl0p ransomware group. Researchers at Kroll reported on June 9 that the MOVEit exploit likely had been in testing since 2021. Investigations made it apparent that the cyberattack chain did not necessarily end in an SQL injection and that it could include code execution.

To their credit, Progress went beyond patching the software. The company initiated a code audit, making it possible for the Huntress company to both reproduce the entire exploit chain and discover another vulnerability, which would be fixed on June 9 as announced in the next bulletin and designated as CVE-2023-35036. Before many admins got the chance to install that patch, Progress itself discovered another issue – CVE-2023-35708 – and announced it in its June 15 bulletin. MOVEit Cloud was shut down again for ten hours for the fixes to be applied.

June 15 was also notable for the hackers publishing the details of some of the victims and starting ransom negotiations. Two days later, the U.S. government promised up to $10 million for information about the group.

On June 26, Progress announced that it would shut down MOVEit Cloud for three hours on July 2 to beef up server security.

On July 6 developers published another update, which fixed three more vulnerabilities – one of them being critical (CVE-2023-36934, CVE-2023-36932 and CVE-2023-36933).

File sharing services as a convenient attack vector

May’s MOVEit Transfer attack is not the first of its kind. A similar series of attacks targeting Fortra GoAnywhere MFT was launched in January, and late 2020 saw massive exploitation of a vulnerability in Accellion FTA.

Many attacks aim to get privileged access to servers or run arbitrary code, which happened in this case too, but hackers’ objective has often been to execute a quick, low-risk attack to gain access to the databases of a file-sharing service. This helps snatch files without penetrating deep into the system so as to remain under the radar. After all, downloading files that are meant to be downloaded isn’t that suspicious.

Meanwhile, file-sharing databases tend to collect lots of truly important information: for example, one MOVEit Transfer attack victim admitted that the leak contained the data of 45 000 college and school students.

What this means for security teams is that apps like these and their configuration require special attention: steps to take here include limiting administrative access as well as taking additional security measures with regard to database management and network protection. Organizations should promote cyberhygiene among employees by teaching them to delete files from the file exchange system as soon as they cease to need them, and share with only a bare minimum of users.

Focus on servers

For cyberattackers looking to steal data, servers are an easy target since they’re not too closely monitored and contain a lot of data. Unsurprisingly, in addition to massively exploiting popular server-side apps with attacks like ProxyShell or ProxyNotShell, hackers take paths less traveled by mastering encryption of ESXi farms and Oracle databases, or trying services like MOVEit Transfer, which are popular in the corporate world but less known to the general public. This is why security teams need to put the focus on servers:

If an app seems to have few vulnerabilities, it means no one’s looked for them

The question of priorities always comes up when an organization starts discussing patches. Vulnerabilities number in the hundreds, and they’re impossible to fix everywhere and all at once, in all applications, and on all computers. So, system admins have to focus on the most dangerous vulnerabilities – or the ones that are the most widespread due to affecting popular software. The MOVEit story teaches us that this landscape is dynamic: if you’ve spent the last year fixing holes in Exchange or other Microsoft products, it doesn’t mean you need to stay focused mostly on those. It’s critical to follow Threat Intelligence trends, and not just eliminate specific new threats but also predict their possible impact on your organization.

Safeguards against firmware signed with stolen MSI keys | Kaspersky official blog
https://www.kaspersky.com/blog/msi-firmware-keys-leak/48300/
Tue, 30 May 2023 14:29:28 +0000

What could be worse than a ransomware attack on your company? Only an incident that hits your company’s clients, I guess. Well, that’s exactly what happened to MSI — the large Taiwanese manufacturer of laptops, video adapters and motherboards. In the beginning of April, word got out that the company had been attacked by a new ransomware gang called Money Message; a while later the extortionists published a portion of the stolen information on the darknet; then, in May, researchers discovered the most disturbing aspect of the leak — that private firmware-signing keys and Intel Boot Guard keys had been made public. MSI went public regarding the leak, but presented very little information — even omitting the subject of keys completely. Here, we try to give you a bit more context…

Boot Guard keys, and how they protect your computer

Even before its operating system boots up, your computer performs many preparatory operations upon instructions from a motherboard chip. In the past, the mechanism was called BIOS, until it was replaced by the expandable UEFI architecture. UEFI code is stored in the firmware, but extra modules can be loaded from a special hard-drive partition. Next, UEFI boots up the operating system itself. If UEFI is maliciously modified, the operating system, user apps and all security systems will start up under the control of the malicious code. The attackers will be able to circumvent all further layers of defense, including BitLocker, Secure Boot and the OS-level security systems, such as anti-viruses and EDR.

Referred to as BIOS-level implants (sometimes also “hardware bootkits”), such threats are very hard to detect — and even harder to get rid of: you can’t purge your PC of them even by replacing your hard drive with a brand new one.

Computer and OS vendors have developed a variety of safeguards to make it as difficult as possible for threat actors to devise such dangerous threats. First, to update firmware and make additions to UEFI one needs an app signed by the vendor: Intel BIOS Guard doesn’t allow updating UEFI from untrusted apps or using unsigned firmware. Second, there’s a hardware verification mechanism called Boot Guard. The technology checks the signature of the opening part of UEFI (IBB — Initial Boot Block) and aborts the computer boot if the firmware has been tampered with. Boot Guard’s cryptographic keys used to verify these protection mechanisms are stored in a special write-once memory, meaning they can’t be deleted or rewritten (in turn meaning they can’t be falsified or replaced), while at the same time they can’t be revoked if compromised!

What’s so dangerous about an MSI key leak?

A firmware-signing keys leak may allow threat actors to create update utilities and rogue firmware capable of successfully passing verifications with the potential to update microprograms on MSI motherboards. Such keys can be revoked, so after a while (actually, we’re talking months if not years!) the problem will become irrelevant — if legitimate updates are applied in a secure way. The situation is much worse with Boot Guard keys, since these can’t be revoked. Moreover, according to Binarly, these keys can be used even in some products manufactured by vendors other than MSI. This disrupts the secure-boot trust chain for all products relying on these keys, leaving device owners with no other option but to ramp up third-party protective measures and keep using them that way until the products cease being used.

Tips for MSI device users

First off, check whether your computers are affected. If you have an MSI-branded computer or laptop, the threat applies to you, but computers from other vendors may also be built on MSI motherboards. Here’s how to check:

  • Type “System Information” into the Windows search box to locate and run the app (msinfo32).
  • Under System Summary, scroll down to BaseBoard Manufacturer (older versions show Motherboard manufacturer). If it says MSI or Micro-Star International, the threat is relevant to you.
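
The GUI check above reads the SMBIOS baseboard record. The script below, added here as an example and not part of the original post, reads the same record programmatically, so it can be run from a script or pushed to a fleet. On Windows it uses the documented GetSystemFirmwareTable('RSMB') call; on Linux it reads /sys/firmware/dmi/tables/DMI (root only). The embedded SMBIOS table is constructed so the parser runs offline, and the vendor substrings in MSI_MARKERS are an assumption about how MSI identifies itself.

```python
"""Read the baseboard (motherboard) manufacturer straight from SMBIOS."""
import ctypes
import sys
from pathlib import Path

MSI_MARKERS = ("micro-star", "msi")   # lower-cased substrings (assumption)


def parse_smbios(table: bytes):
    """Yield (type, formatted_area, strings) for each SMBIOS structure.

    A structure is a 4-byte header (type, length, handle) plus a formatted
    area of `length` bytes, then NUL-terminated strings and one extra NUL,
    so the string set always ends in \\x00\\x00 (also when there are none).
    """
    pos = 0
    while pos + 4 <= len(table):
        stype, length = table[pos], table[pos + 1]
        if length < 4:
            break                                   # corrupt header
        formatted = table[pos:pos + length]
        end = table.find(b"\x00\x00", pos + length)
        if end == -1:
            break
        raw = table[pos + length:end]
        strings = [s.decode("ascii", "replace") for s in raw.split(b"\x00")] if raw else []
        yield stype, formatted, strings
        pos = end + 2
        if stype == 127:                            # End-of-Table
            break


def _string(formatted: bytes, strings, offset: int) -> str:
    """Resolve the 1-based string index stored at `offset` of the formatted area."""
    idx = formatted[offset] if offset < len(formatted) else 0
    return strings[idx - 1].strip() if 0 < idx <= len(strings) else ""


def baseboard(table: bytes) -> dict:
    """Type 2: Manufacturer (04h), Product (05h), Version (06h)."""
    for stype, fmt, strs in parse_smbios(table):
        if stype == 2:
            return {"manufacturer": _string(fmt, strs, 4),
                    "product": _string(fmt, strs, 5),
                    "version": _string(fmt, strs, 6)}
    return {}


def system(table: bytes) -> dict:
    """Type 1: Manufacturer (04h) and Product Name (05h) of the whole system."""
    for stype, fmt, strs in parse_smbios(table):
        if stype == 1:
            return {"manufacturer": _string(fmt, strs, 4),
                    "product": _string(fmt, strs, 5)}
    return {}


def is_msi_board(table: bytes) -> bool:
    name = baseboard(table).get("manufacturer", "").lower()
    return any(m in name for m in MSI_MARKERS)


def live_table():
    """Raw SMBIOS table of the running machine, or None if unavailable."""
    if sys.platform == "win32":
        k32 = ctypes.windll.kernel32
        rsmb = 0x52534D42                           # 'RSMB'
        size = k32.GetSystemFirmwareTable(rsmb, 0, None, 0)
        buf = ctypes.create_string_buffer(size)
        k32.GetSystemFirmwareTable(rsmb, 0, buf, size)
        return buf.raw[8:]      # skip RawSMBIOSData header (4 bytes + DWORD Length)
    try:
        return Path("/sys/firmware/dmi/tables/DMI").read_bytes()
    except OSError:
        return None


# Constructed sample: the system vendor string is not MSI, the board is.
# Byte layout follows the SMBIOS spec for Type 1 (27 bytes), Type 2 (15 bytes)
# and Type 127; string indexes are 1-based.
SAMPLE_TABLE = (
    bytes([1, 0x1B, 0x01, 0x00, 1, 2, 3, 4]) + bytes(16) + bytes([6, 0, 0])
    + b"Some PC Vendor (constructed)\x00DESKTOP-SAMPLE\x001.0\x00SYS-SERIAL\x00\x00"
    + bytes([2, 0x0F, 0x02, 0x00, 1, 2, 3, 4, 0, 0x09, 0, 0x03, 0x00, 0x0A, 0])
    + b"Micro-Star International Co., Ltd.\x00SAMPLE-BOARD (constructed)\x00"
    + b"1.0\x00BOARD-SERIAL\x00\x00"
    + bytes([127, 4, 0xFF, 0xFF]) + b"\x00\x00"
)

if __name__ == "__main__":
    table = live_table() or SAMPLE_TABLE
    print("system   :", system(table))
    print("baseboard:", baseboard(table))
    print("MSI board:", is_msi_board(table))
```

The sample shows why the article says to look at the baseboard record rather than the system vendor: the two can differ, and it is the board that carries the affected firmware.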

Note that MSI makes hundreds of products, and the leaked keys don’t affect them all. The longest list of affected products is here, but we cannot vouch for its completeness or accuracy. Your best bet is to err on the side of caution and assume that all current MSI boards can be targeted.

If you are exposed, be extremely careful when updating MSI’s proprietary utilities, drivers and firmware. Download them only from the official website, www.msi.com, by typing the address into the browser yourself, not by following links from e-mails, messenger threads or other websites. Also keep an eye on the MSI website for updates: don’t ignore them. It’s quite possible that MSI will find a way to revoke some of the leaked keys or otherwise block their use.

In addition, don’t use an administrator account for everyday work on an MSI computer, and make sure the machine runs reliable protection against phishing and malware.

Tips for IT administrators

The risk of UEFI implants built on the MSI leak is offset to a degree by how hard they are to install: the attacker needs administrative access to the target computer plus a set of conspicuous firmware-update tools. So the issue can be mitigated by blocking those tools through group policy or application control, and by enforcing the principle of least privilege on every computer in the organization. However, it’s likely that specialized attack tools will appear that use the stolen keys together with enough obfuscation to conceal the firmware update. To reduce that risk, consider detecting the leaked keys on corporate machines, for example by fingerprinting the public keys embedded in firmware images and update utilities and matching them against the leaked ones; this is a task for organizations with threat hunters on their security team.

Of course, the problem can also be eased through good general practice: integrated network and endpoint protection, timely updates of business applications, and a patch-management policy.

Tips for developers

The MSI example highlights why, from an information-security and DevSecOps standpoint, it is unacceptable to keep secrets (especially ones that are difficult to rotate) on developer or build machines, next to or inside the code that uses them.

There are dedicated solutions for centralized secret management, such as HashiCorp Vault, but even small developers can afford a simple protection scheme of their own, for example an encrypted removable drive that is connected only for as long as it takes to sign and publish a release.

Companies the size of MSI should keep confidential material such as application and driver signing keys, let alone firmware signing keys, in hardware security modules (HSMs) that perform the signing without ever exposing the private key, or at the very least inside a dedicated secure perimeter on machines completely isolated from the rest of the network.

The most popular ways to launder cryptocurrency | Kaspersky official blog https://www.kaspersky.com/blog/crypto-laundering-and-ransomware/48186/ Fri, 12 May 2023 10:03:21 +0000 https://www.kaspersky.com/blog/?p=48186

You can hardly call cryptocurrency an anonymous means of payment. After all, since all transactions (well, almost all; more on that below) are written to the blockchain, the movement of cryptocurrency is fairly easy to trace. There are specialized analytical tools that make it relatively convenient and easy to locate both the source and destination of such funds.

Aware of that, some ransomware victims assume that the best strategy is to pay the ransom, regain control over their corporate resources, and then go to law enforcement and simply wait while the investigation proceeds — leading, hopefully, to the funds eventually being returned back to their accounts.

Unfortunately, it’s not that simple. Cybercriminals have invented various tools, techniques and services to compensate for the excessive transparency of blockchains. These methods make it difficult or even impossible to trace cryptocurrency transactions. That’s what we’ll talk about today.

Intermediary crypto wallets

The simplest thing for cybercriminals to do with dirty crypto is to spread it across throwaway intermediary wallets. In very large-scale operations, such as the Bitfinex hack or the Sky Mavis heist, this can mean several thousand wallets.

But since all transactions are written to the blockchain anyway, using such wallets doesn’t solve the problem of tracing funds. As such, this technique is usually deployed only in the early stages of laundering in order to, first, muddy the trail, and, second, break up large sums into smaller ones, which can then be laundered more easily in other ways.

Dirty crypto can often lie in those fake wallets for a long time. This is sometimes due to greedy cybercriminals waiting for the exchange rate to improve. In the case of transactions large enough to attract the attention of law enforcement, the reason is caution. Attackers try to keep a low profile until the scrutiny dies down and the funds become easier to withdraw.

Crypto mixers

Crypto mixers were invented with the express aim of solving the abovementioned problems of excessive blockchain transparency and insufficient privacy. They work as follows: incoming cryptocurrency transfers are poured into one “pot” and thoroughly mixed with funds coming in from other users of the service. At the same time, outgoing transfers of random amounts are made according to a random schedule and to completely different wallets, rendering it impossible to match incoming and outgoing amounts and identify transactions.

Clearly, this is a very effective method of dealing with dirty crypto. And although far from all crypto-mixer users are cybercriminals, illegal funds do account for a significant portion of the flows coming into crypto mixers; so significant, in fact, that in 2022 US regulators finally went after them, issuing sanctions on not one but two popular crypto mixers.

Large crypto exchanges

The overwhelming majority of transactions on crypto exchanges take place between internal client accounts, and are recorded in detail exclusively in the exchanges’ own databases. Only the summarized results of a whole batch of such internal transactions end up in the blockchain.

Of course, this is done to save both fees and time (blockchain bandwidth is limited, after all). But this means that any crypto exchange is a kind of natural crypto mixer: incoming and outgoing transfers can’t be matched using blockchain analysis alone. The thread by which the movement of funds can be traced is cut when a transaction enters an exchange.

On the one hand, this facilitates illegal activity. On the other, it adds considerable risks: by transferring funds to a major crypto exchange, cybercriminals no longer have full control over them. And since such exchanges generally cooperate with regulators and law enforcement, the chances of losing the spoils are well above zero. In addition, bona fide crypto exchanges always have a Know Your Customer (KYC) verification procedure, which only adds to the risks and difficulties associated with laundering funds.
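
The “fairly easy to trace” claim for intermediary wallets, and the point that an exchange or mixer cuts the thread, can be made concrete with a small taint tracer. The script below is an added example; it is not from the original post or from any real analytics product. It applies the simple “haircut” rule (every output of a transaction inherits the tainted fraction of that transaction’s inputs) and stops at addresses labelled as points where on-chain analysis alone loses the trail: exchange deposit addresses and mixer inputs. Addresses, amounts and labels are constructed.

```python
"""Haircut taint tracing over a constructed transaction graph (added example)."""
from collections import defaultdict


class Tx:
    """One transaction: (address, amount) inputs and outputs. The list of
    transactions is processed in order, so it must be chronological."""
    def __init__(self, txid, inputs, outputs):
        self.txid, self.inputs, self.outputs = txid, inputs, outputs


def trace(txs, seed: str, seed_amount: float, terminals: set) -> dict:
    """Return {address: tainted amount} at every point where the trail ends:
    a terminal address, or an address whose tainted coins are never spent."""
    taint = defaultdict(float)   # tainted coins currently held per address
    ended = defaultdict(float)   # taint that reached a terminal address
    taint[seed] = seed_amount
    for tx in txs:
        total_in = sum(amt for _, amt in tx.inputs)
        tainted_in = 0.0
        for addr, amt in tx.inputs:
            part = min(amt, taint[addr])   # terminals hold no taint: trail stops
            taint[addr] -= part
            tainted_in += part
        if tainted_in == 0 or total_in == 0:
            continue
        fraction = tainted_in / total_in   # haircut: same share on every output
        for addr, amt in tx.outputs:
            bucket = ended if addr in terminals else taint
            bucket[addr] += amt * fraction
    result = {a: round(v, 8) for a, v in ended.items()}
    result.update({a: round(v, 8) for a, v in taint.items() if v > 1e-9})
    return result


# Constructed peel chain: a 10-coin ransom is split, mixed with clean funds,
# partly cashed out through two exchange deposit addresses and mostly sent
# into a mixer, whose payouts cannot be attributed from the chain alone.
TXS = [
    Tx("t1", [("ransom", 10.0)], [("hop1", 9.4), ("hop2", 0.6)]),
    Tx("t2", [("hop2", 0.6)], [("exchange_dep_A", 0.59)]),
    Tx("t3", [("hop1", 9.4), ("clean_income", 0.6)], [("hop3", 9.0), ("hop4", 1.0)]),
    Tx("t4", [("hop4", 1.0)], [("exchange_dep_B", 0.99)]),
    Tx("t5", [("hop3", 9.0)], [("mixer_in", 8.99)]),
    Tx("t6", [("mixer_in", 8.99), ("other_user", 20.0)],
       [("payout1", 3.0), ("payout2", 7.0), ("payout3", 18.9)]),
]
TERMINALS = {"exchange_dep_A", "exchange_dep_B", "mixer_in"}

if __name__ == "__main__":
    for addr, amount in sorted(trace(TXS, "ransom", 10.0, TERMINALS).items()):
        print(f"{addr:16s} {amount:.4f}")
```

Hops 1 to 4 do nothing to hide the money: the taint passes straight through them, and mixing in clean income only dilutes it to 94%. The two exchange deposits are where a subpoena, not the blockchain, continues the trail; the mixer payouts get no taint at all, which is the gap the mixer sells.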

Small crypto exchanges

An alternative option for cybercriminals is to use small crypto exchanges that are less inclined to meet regulatory requirements and define themselves as anonymous. Oftentimes, such exchanges turn into full-fledged crypto-laundering platforms.

But the more popular an exchange is with cybercriminals, the more likely it is to attract the unwanted gaze of law enforcement. What usually happens in the end is that the authorities’ patience wears thin, and they find a way to take the platform down. For example, earlier this year U.S. authorities arrested the owner of Bitzlato Ltd., an exchange that handled hundreds of millions of dollars of dirty crypto. And a significant part of that dirty crypto came from ransomware operators and crypto scammers. European police also seized and disabled the exchange’s infrastructure, thus putting an end to its activities.

Nested exchanges

Besides full-fledged crypto exchanges, there are also many so-called nested exchanges. These are essentially crypto-exchange intermediaries that allow users to trade cryptocurrency without the need to register exchange accounts.

Such services resemble brokers from the world of traditional finance, only in the crypto universe they’re used to ensure privacy – in particular, by bypassing KYC, which is mandatory for all clients of large crypto exchanges. Theoretically nested exchanges work not only for the benefit of cybercriminals, but the opportunity to elude unwanted questions naturally attracts the attention of those looking to launder ill-gotten gains.

DeFi: decentralized protocols

Lastly, another option for cryptocurrency launderers is to use decentralized finance protocols (DeFi). These lie at the heart of automated decentralized crypto exchanges that operate on the basis of smart contracts. The advantages for cybercriminals are obvious: decentralized exchanges (DEX) perform no client checks and don’t require account registration.

Another plus of DEX is that funds remain under the full control of their owners (unless there’s an error in the smart contract). True, there’s one big minus: all DEX-based transactions are written to the blockchain, so with some effort they can still be traced. As a result, the number of cybercriminals who resort to DeFi is quite low. That said, DeFi can be an effective component of more complex multistage money-laundering schemes.

Dark-web laundering services

In case you’re hoping that not every extortionist knows how to properly cover their financial tracks, we have bad news. Modern cybercrime is highly specialized. And there’s been a growing trend of late for cybercriminals to use underground services dedicated exclusively to laundering dirty crypto. They provide what can be called laundering-as-a-service: variants of the above schemes to obfuscate the movement of cryptocurrency, thus unburdening their clients of this task.

Laundering services advertise themselves on the dark web and communicate with clients through secure messengers; everything is geared toward complete anonymity. According to even conservative estimates, such services raked in US$6 billion last year.

Cashing out

As you may already know, a paradox of cryptocurrency is that it can buy you an expensive picture of a monkey, but not a loaf of bread. Therefore, the end goal of any illegal cryptocurrency operation is to cash out. This represents the final stage of any laundering scheme: once cryptocurrency has been turned into ordinary fiat money, clearly it can no longer be traced by means of blockchain analysis.

There are many options here, and some of the above schemes provide such an outlet to the real world. When it comes to cashing out, both large and small crypto exchanges, nested exchanges that allow trading without opening an account, and dark-web laundering services that specialize in aiding cybercriminals (without specifying exactly how) can all be used.

What this means for ransomware victims

As you can see, cybercriminals have a wide range of means for laundering dirty crypto. And they’re not limited to using only one of the above-mentioned methods at a time. On the contrary, most cybercriminals employ sophisticated, multistage laundering operations that use crypto mixers, intermediary wallets, exchanges and various cash-out methods all at once.

As a result, despite the best efforts of law enforcement, it’s often difficult to recover most of any stolen funds, even if an investigation is successful. So, in brief, don’t hope to see again any money you paid as a ransom. As always, prevention is the best form of defense: install a reliable security solution on all devices — one whose anti-ransomware capabilities have been demonstrated in independent tests.

New ransomware groups target VMWare and Linux | Kaspersky official blog https://www.kaspersky.com/blog/linux-vmware-esxi-ransomware-attacks/47988/ Fri, 21 Apr 2023 12:52:47 +0000 https://www.kaspersky.com/blog/?p=47988

Ransomware. Nasty. But how to build defenses against it? Rather – what should be protected first and foremost? Often, Windows workstations, Active Directory servers, and other Microsoft products are the prime candidates. And this approach is usually justified. But we should bear in mind that cybercriminal tactics are constantly evolving, and malicious tools are now being developed for Linux servers and virtualization systems. In 2022, the total number of attacks on Linux systems increased by about 75%.

The motivation behind such attacks is clear: the popularity of open source and virtualization is growing, which means there are more and more servers running Linux or VMware ESXi. These often store a lot of critical information which, if encrypted, can instantly cripple a company’s operations. And since the security of Windows systems has traditionally been the focus of attention, non-Windows servers are proving to be sitting ducks.

Attacks in 2022–2023

  • In February 2023, many owners of VMware ESXi servers were hit by the ESXiArgs ransomware. Exploiting CVE-2021-21974, a heap-overflow vulnerability in the hypervisor’s OpenSLP service that VMware had patched two years earlier, attackers disabled virtual machines and encrypted .vmxf, .vmx, .vmdk, .vmsd and .nvram files.
  • The infamous Clop gang — noted for a large-scale attack on vulnerable Fortra GoAnywhere file-transfer services through CVE-2023-0669 — was spotted in December 2022 using (albeit in a limited way) a Linux version of its ransomware. It differs significantly from its Windows counterpart (lacking some optimizations and defensive tricks), but is adapted to Linux permissions and user types and specifically targets Oracle database folders.
  • A new version of the BlackBasta ransomware is designed specifically for attacks on ESXi hypervisors. The encryption scheme uses the ChaCha20 algorithm in multi-threaded mode across multiple processor cores. Since ESXi hosts are typically multiprocessor, this minimizes the time taken to encrypt the entire environment.
  • Shortly before its breakup, the Conti group of hackers also armed itself with ESXi-targeting ransomware. Unfortunately, given that much of Conti’s code was leaked, their developments are now available to a broad range of cybercriminals.
  • The BlackCat ransomware, written in Rust, is also capable of disabling and deleting ESXi virtual machines. In other respects, the malicious code differs little from the Windows version.
  • The Luna ransomware, which we detected in 2022, was cross-platform to begin with, able to run on Windows, Linux and ESXi systems. And, of course, the LockBit group could hardly ignore the trend: it too began to offer ESXi versions of its malware to affiliates.
  • As for older (but, alas, effective) attacks, there were also the RansomEXX and QNAPCrypt campaigns, which hit Linux servers big-time.

Server-attack tactics

Penetrating Linux servers is usually based on exploitation of vulnerabilities. Attackers can weaponize vulnerabilities in the operating system, web servers and other basic applications, as well as in business applications, databases, and virtualization systems. As demonstrated last year by Log4Shell, vulnerabilities in open-source components require special attention. After an initial breach, many ransomware strains use additional tricks or vulnerabilities to elevate privileges and encrypt the system.

Priority safeguards for Linux servers

To minimize the chances of attacks affecting Linux servers, we recommend:

Zero-day vulnerability in CLFS | Kaspersky official blog https://www.kaspersky.com/blog/nokoyawa-zero-day-exploit/47788/ Tue, 11 Apr 2023 17:57:20 +0000 https://www.kaspersky.com/blog/?p=47788

Thanks to their Behavioral Detection Engine and Exploit Prevention components, our solutions have detected attempts to exploit a previously unknown vulnerability in the Common Log File System (CLFS) — the logging subsystem of Windows operating systems. After thoroughly investigating the exploit, our Global Research & Analysis Team (GReAT) contacted Microsoft and provided all their findings. The developers designated the vulnerability as CVE-2023-28252, and closed it on April 4, 2023 with the April Patch Tuesday update. We advise installing the fresh patches as soon as possible, because the vulnerability isn’t just being exploited by attackers — it’s being used in ransomware attacks.

What is the CVE-2023-28252 vulnerability?

CVE-2023-28252 is a privilege-elevation vulnerability. To exploit it, an attacker who already has access with ordinary user privileges manipulates a .blf file (a CLFS base log file) to elevate their privileges on the system and continue the attack; it is not an initial-access vulnerability.

As usual, our Securelist website has the technical info, plus indicators of compromise, but the details aren’t being disclosed just now since they could be used by other cybercriminals to carry out new attacks. However, our experts intend to share them on April 20 (or thereabouts), by which date most users will have installed the patches.

What is the CVE-2023-28252 vulnerability used for?

Unlike most zero-day vulnerabilities, CVE-2023-28252 isn’t being used in APT attacks. In this case, the final payload delivered to victims’ computers was a new variant of the Nokoyawa ransomware. But after examining the exploit, our experts concluded that the attackers behind it were also responsible for creating a number of earlier, similar exploits for vulnerabilities in that same CLFS. In attacks deploying those we’ve seen other tools too, including Cobalt Strike Beacon and the modular backdoor Pipemagic.

How to stay safe

First of all, we recommend installing the April updates for Windows. In general, to secure your infrastructure against attacks using vulnerabilities (both known and zero-day), you need to protect all work computers and servers with reliable security solutions featuring protection against vulnerability exploitation. Our products automatically detect attempts to attack through CVE-2023-28252 as well as all malware used by the cybercriminals who created the exploit.

How to teach cybersecurity to your CEO | Kaspersky official blog https://www.kaspersky.com/blog/5-cybersecurity-lessons-ceo/47030/ Mon, 30 Jan 2023 21:12:54 +0000 https://www.kaspersky.com/blog/?p=47030

Information security is nothing if not stressful: the constant lookout for potential incidents and chronically long hours are compounded by the never-ending battle with other departments that see cybersecurity as an unnecessary nuisance. At best, they try not to think about it, but in especially severe cases, they go out of their way to avoid anything that’s cybersecurity-related. As a logical result, 62% of top managers polled by Kaspersky admit that misunderstandings between business and information security departments have led to serious cyber incidents. To change attitudes toward information security in an organization, it’s vital to gain support at the highest level, from the board of directors. So, what to tell your CEO or president, given that they’re always busy and probably rarely in the mood to think about information security? Here are five simple, digestible keynotes to keep repeating at meetings until senior management gets the message.

Teach the team cybersecurity – and start at C-level

Any training requires trust in the teacher, which can be tough if the student happens to be the CEO. Establishing an interpersonal bridge and gaining credibility will be easier if you start not with strategy, but with top management’s personal cybersecurity. This directly affects the security of the entire company, because the personal data and passwords of the CEO are often targeted by attackers.

Take, for instance, the scandal of late 2022 in the U.S., when attackers penetrated the VIP social network InfraGard, used by the FBI to confidentially inform CEOs of large enterprises about the most serious cyberthreats. Hackers stole a database with the e-mail addresses and phone numbers of more than 80,000 members and put it up for sale for US$50,000. Armed with this contact information, buyers would be able to gain the trust of the CEOs affected, or use it in BEC attacks. Sometimes CEOs even become victims of dangerous “swatting” attacks.

With the above in mind, it’s critical that management uses two-factor authentication with USB or NFC tokens on all devices, have long and unique passwords for all work accounts, protect all personal and work devices with appropriate software, and keep work and personal digital stuff separate. All in all, the usual tips for the cautious user — but reinforced by an awareness of the potential cost of a mistake. For the same reason, it’s important to double-check all suspicious e-mails and attachments. Some executives might need a hand from someone in information security to deal with particularly suspicious links or files.

Once management has got to grips with the basic security lessons, you might guide them gently toward a strategic decision: regular information security training for all company employees. There are different knowledge requirements for each level of employees. Everyone, including frontline employees, needs to assimilate the aforementioned rules of cyber-hygiene as well as tips on how to respond to suspicious or non-standard situations. Managers — especially those in IT — would benefit from a deeper understanding of how security is integrated into product development and usage lifecycle, what security policies to adopt in their departments, and how all this can affect business performance. Conversely, infosec employees themselves should study the business processes adopted in the company to get a better feel of how to painlessly integrate the necessary safeguards.

Integrate cybersecurity into company’s strategy and processes

As the economy digitizes, the cybercrime landscape grows more complex, and regulation intensifies, cyber-risk management is becoming a full-blown, board-level task. There are technological, human, financial, legal, and organizational aspects to this, so leaders in all these areas need to be involved in adapting the company’s strategy and processes.

How do we minimize the risk of a supplier or contractor being hacked, given that we could become a secondary target in such a scenario? What laws in our industry govern the storage and transfer of sensitive data such as customers’ personal information? What would be the operational impact of a ransomware attack that blocks and wipes all computers, and how long would it take to restore them from backups? Can the reputational damage be measured in money when an attack on us becomes known to partners and the public? What additional security measures will we take to protect employees working remotely? These are the questions that information security services and experts from other departments must address, backed up by organizational and technical measures.

It’s important to remind senior management that “buying this [or that] protection system” isn’t a silver bullet for any of these problems, since, according to various estimates, between 46% and 77% of all incidents are related to the human factor: from non-compliance with regulations and malicious insiders to a lack of IT transparency on the part of contractors.

Despite this, information security issues will always revolve around the budget.

Invest appropriately

Money for information security is always in short supply, while the problems to be solved in this area seem infinite. It’s important to prioritize in line with the requirements of the industry in question and with the threats that are most relevant to your organization and have the potential to cause the most damage. This is possible in virtually all areas — from vulnerability closure to staff training. None can be ignored, and each will have its own priorities and order of precedence. Working within the allotted budget, we eliminate the key risks, then proceed to the less likely ones. It’s a near-impossible task to rank the risk probabilities on your own, so you’ll need to study threat landscape reports for your industry and analyze the typical attack vectors.

Things get really interesting, of course, when the budget needs to be increased. The most mature approach to budgeting is one based on risks and the respective cost of their actualization and minimization, but it’s also the most labor-intensive. Live examples — ideally from the experience of competitors — play an important supporting role in boardroom discussions. That said, they’re not easy to come by, which is why it’s common to resort to various benchmarks that give average budgets for a particular business area and country.

Consider all risk types

Discussions of information security usually focus too much on hackers and software solutions to defeat them. But many organizations’ day-to-day operations face other risks that also pertain to information security.

Without a doubt, one of the most prevalent in recent years has been the risk of violating laws on the storage and use of personal data: GDPR, CCPA, and the like. Current enforcement practice shows that ignoring them is not an option: sooner or later the regulator will impose a fine, and in many cases, especially in Europe, we’re talking substantial sums. An even more alarming prospect for companies is the imposition of turnover-based fines for leaks or improper handling of personal data, so a comprehensive audit of information systems and processes with a view to step-by-step elimination of violations would be very timely indeed.

A number of industries have their own, even stricter criteria, in particular the financial, telecom, and medical sectors, as well as critical infrastructure operators. It must be a regularly monitored task of managers in these areas to improve compliance with regulatory requirements in their departments.

Respond correctly

Sadly, despite best efforts, cybersecurity incidents are pretty much inevitable. If the scale of an attack is large enough to attract boardroom attention, it almost certainly means a disruption of operations or leakage of important data. Not only information security, but business units too must be ready to respond, ideally by having gone through drills. At a minimum, senior management must know and follow the response procedures so as not to reduce the chances of a favorable outcome. There are three fundamental steps for the CEO:

  1. Immediately notify key parties about an incident; depending on the context: finance and legal departments, insurers, industry regulators, data protection regulators, law enforcement, affected customers. In many cases, the timeframe for such notification is established by law; if not, it should be laid out in internal regulations. Common sense dictates that the notification be prompt but informative; that is, before notifying, information about the nature of the incident must be gathered, including an initial assessment of the scale and the first-response measures taken.
  2. Investigate the incident. It’s important to take diverse measures to be able to correctly assess the scale and ramifications of the attack. Besides purely technical measures, employee surveys are also important, for example. During the investigation, it’s vital not to damage digital evidence of the attack or other artifacts. In many cases it makes sense to bring in outside experts to investigate and clean up the incident.
  3. Draw up a communications schedule. A typical mistake that companies make is to try to hide or downplay an incident. Sooner or later, the true scale of the problem will emerge, prolonging and amplifying the damage — from reputational to financial. Therefore, external and internal communications must be regular and systematic, delivering information that’s consistent and of practical use to customers and employees. They must have a clear understanding of what actions to take now and what to expect in the future. It would be a good idea to centralize communications; that is, to appoint internal and external spokespeople and forbid anyone else from performing this role.

Communicating information security matters to senior management is a rather time-consuming and not always rewarding task, so these five messages are unlikely to be conveyed and taken to heart in just one or two meetings. Interaction between business and information security is an ongoing process that requires mutual effort to better understand each other. Only with a systematic, step-by-step approach, carried out on a regular basis and involving practically all executives, can your company gain the upper hand over competitors in navigating today’s cyber-scape.

CryWiper disguised as ransomware | Kaspersky official blog https://www.kaspersky.com/blog/crywiper-pseudo-ransomware/46480/ Fri, 02 Dec 2022 10:57:23 +0000 https://www.kaspersky.com/blog/?p=46480

Our experts have discovered an attack by a new Trojan, which they’ve dubbed CryWiper. At first glance, this malware looks like ransomware: it modifies files, adds a .CRY extension to them (unique to CryWiper), and saves a README.txt file with a ransom note, which contains the bitcoin wallet address, the contact e-mail address of the malware creators, and the infection ID. However, in fact, this malware is a wiper: a file modified by CryWiper cannot be restored to its original state — ever. So if you see a ransom note and your files have a new .CRY extension, don’t hurry to pay the ransom: it’s pointless.

In the past, we’ve seen some malware strains that became wipers by accident — due to mistakes of their creators who poorly implemented encryption algorithms. However, this time it’s not the case: our experts are confident that the main goal of the attackers is not financial gain, but destroying data. The files are not really encrypted; instead, the Trojan overwrites them with pseudo-randomly generated data.

What CryWiper is hunting for

The Trojan corrupts any data that’s not vital for the functioning of the operating system. It doesn’t affect files with extensions .exe, .dll, .lnk, .sys or .msi, and ignores several system folders in the C:\Windows directory. The malware focuses on databases, archives, and user documents.

So far, our experts have seen only pinpoint attacks on targets in the Russian Federation. However, as usual, no one can guarantee that the same code won’t be used against other targets.

How the CryWiper Trojan works

In addition to directly overwriting the contents of files with garbage, CryWiper also does the following:

  • creates a task that restarts the wiper every five minutes using the Task Scheduler;
  • sends the name of the infected computer to the C&C server and waits for a command to start an attack;
  • halts processes related to: MySQL and MS SQL database servers, MS Exchange mail servers and MS Active Directory web services (otherwise access to some files would be blocked and it would be impossible to corrupt them);
  • deletes shadow copies of files so that they cannot be restored (but for some reason only on the C: drive);
  • disables connection to the affected system via RDP remote access protocol.

The purpose of the latter isn’t entirely clear. Perhaps with such disabling the malware authors tried to complicate the work of the incident response team, which would clearly prefer to have remote access to the affected machine — they’d have to get physical access to it instead. You can find technical details of the attack along with indicators of compromise in a post on Securelist (in Russian only).
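
The side effects listed above (a five-minute scheduled task, stopped database and mail services, deleted shadow copies, RDP switched off, mass .CRY writes plus a README.txt) are more useful for detection when correlated per host than individually, since any one of them also happens during legitimate administration. The script below is an added example; it is not from the original post or from Kaspersky’s products. It runs over constructed events shaped `ISO-time|host|kind|detail`, where kind is `proc` (detail = command line) or `file` (detail = path written). The command lines matched are the usual living-off-the-land ways to get each effect; the post doesn’t say how CryWiper itself does it (it may call the APIs directly), so in production you would also watch the Task Scheduler, VSS and registry event channels, not just process creation.

```python
"""Correlate CryWiper-style side effects per host (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PROC_RULES = {   # rule name -> pattern over a process command line
    "scheduled_task_5min": re.compile(r"schtasks.*/create.*/sc\s+minute.*/mo\s+5\b", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I),
    "rdp_disabled": re.compile(r"fDenyTSConnections.*\s/d\s+1\b", re.I),
    "db_or_mail_service_stopped": re.compile(
        r"(net\s+stop|sc\s+stop|taskkill).*(mssql|mysql|msexchange|adws)", re.I),
}
CRY_EXT = re.compile(r"\.cry$", re.I)
NOTE_NAME = re.compile(r"[\\/]README\.txt$", re.I)
WINDOW = timedelta(minutes=15)   # behaviours must cluster within this span
MIN_RENAMES = 20                 # .CRY writes that count as mass corruption


def parse(line: str):
    ts, host, kind, detail = line.strip().split("|", 3)
    return datetime.fromisoformat(ts), host, kind, detail


def tag(kind: str, detail: str) -> list:
    """Rule names a single event triggers (possibly none)."""
    if kind == "proc":
        return [name for name, rx in PROC_RULES.items() if rx.search(detail)]
    if kind == "file":
        if CRY_EXT.search(detail):
            return ["cry_rename"]
        if NOTE_NAME.search(detail):
            return ["ransom_note"]
    return []


def detect(lines, min_rules: int = 3) -> dict:
    """Flag a host when at least `min_rules` distinct behaviours fall inside
    one WINDOW (slid over its tagged events). Mass .CRY writes count as one
    behaviour once MIN_RENAMES is reached. Returns {host: [rule names]}."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, kind, detail = parse(line)
        for name in tag(kind, detail):
            per_host[host].append((ts, name))
    findings = {}
    for host, events in per_host.items():
        events.sort()
        best = set()
        for i, (t0, _) in enumerate(events):
            names = [n for t, n in events[i:] if t - t0 <= WINDOW]
            rules = {n for n in names if n != "cry_rename"}
            if names.count("cry_rename") >= MIN_RENAMES:
                rules.add("mass_cry_rename")
            if len(rules) > len(best):
                best = rules
        if len(best) >= min_rules:
            findings[host] = sorted(best)
    return findings


_T0 = datetime(2022, 11, 30, 9, 0, 0)


def _ev(minutes, host, kind, detail):
    return f"{(_T0 + timedelta(minutes=minutes)).isoformat()}|{host}|{kind}|{detail}"


# Constructed sample: one workstation showing the whole cluster, and a
# database server where an administrator stops a service legitimately.
SAMPLE_EVENTS = [
    _ev(0, "ws-17", "proc", r'schtasks.exe /create /tn "Update" /sc minute /mo 5 /tr C:\Users\Public\svc.exe /f'),
    _ev(1, "ws-17", "proc", "net stop MSExchangeIS /y"),
    _ev(1, "ws-17", "proc", "vssadmin.exe delete shadows /all /quiet"),
    _ev(2, "ws-17", "proc", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f'),
    _ev(3, "ws-17", "file", r"C:\Users\alice\Documents\README.txt"),
    *[_ev(3, "ws-17", "file", rf"C:\Users\alice\Documents\report{i}.docx.CRY") for i in range(25)],
    _ev(40, "srv-db", "proc", "net stop MSSQLSERVER"),
]

if __name__ == "__main__":
    for host, rules in detect(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

The single `net stop` on the database server is not reported, which is the point of requiring several behaviours inside one window: the same logic applies to other wipers and to ransomware, since shadow-copy deletion and service stops precede encryption in most families.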

How to stay safe

To protect your company’s computers from both ransomware and wipers, our experts recommend the following measures:

  • carefully control remote access connections to your infrastructure: prohibit connections from public networks, allow RDP access only through a VPN tunnel, and use unique strong passwords and two-factor authentication;
  • update critical software in a timely manner, paying special attention to the operating system, security solutions, VPN clients, and remote access tools;
  • raise security awareness of your employees, for example, using specialized online tools;
  • employ advanced security solutions to protect both work devices and the perimeter of the corporate network.