Researchers Share Techniques to Uncover Anonymized Ransomware Sites on Dark Web
Cybersecurity researchers have detailed the various measures ransomware actors have taken to obscure their true identity online as well as the hosting location of their web server infrastructure.
“Most ransomware operators use hosting providers outside their country of origin (such as Sweden, Germany, and Singapore) to host their ransomware operations sites,” Cisco Talos researcher Paul Eubanks said. “They use VPS hop-points as a proxy to hide their true location when they connect to their ransomware web infrastructure for remote administration tasks.”
Also prominent is the use of the TOR network and DNS proxy registration services to provide an added layer of anonymity for their illegal operations.
But by taking advantage of the threat actors’ operational security missteps and other techniques, the cybersecurity firm disclosed last week that it was able to identify TOR hidden services hosted on public IP addresses, some of which are previously unknown infrastructure associated with DarkAngels, Snatch, Quantum, and Nokoyawa ransomware groups.
While ransomware groups are known to rely on the dark web to conceal their illicit activities ranging from leaking stolen data to negotiating payments with victims, Talos disclosed that it was able to identify “public IP addresses hosting the same threat actor infrastructure as those on the dark web.”
“The methods we used to identify the public internet IPs involved matching threat actors’ [self-signed] TLS certificate serial numbers and page elements with those indexed on the public internet,” Eubanks said.
Besides TLS certificate matching, a second method employed to uncover the adversaries’ clear web infrastructures entailed checking the favicons associated with the darknet websites against the public internet using web crawlers like Shodan.
In the case of Nokoyawa, a new Windows ransomware strain that appeared earlier this year and shares substantial code similarities with Karma, the site hosted on the TOR hidden service was found to harbor a directory traversal flaw that enabled the researchers to access the “/var/log/auth.log” file used to capture user logins.
The findings demonstrate that not only are the criminal actors’ leak sites accessible to any user on the internet, but other infrastructure components, including identifying server data, were also left exposed, effectively making it possible to obtain the login locations used to administer the ransomware servers.
Further analysis of the successful root user logins showed that they originated from two IP addresses, 5.230.29[.]12 and 176.119.0[.]195, the former of which belongs to GHOSTnet GmbH, a hosting provider that offers Virtual Private Server (VPS) services.
“176.119.0[.]195 however belongs to AS58271 which is listed under the name Tyatkova Oksana Valerievna,” Eubanks noted. “It’s possible the operator forgot to use the German-based VPS for obfuscation and logged into a session with this web server directly from their true location at 176.119.0[.]195.”
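The log review described above can be reproduced on any host's own auth.log. The following is an added example, not code from Talos or the article: it groups successful sshd logins for root by source address. The sample lines are constructed in the usual OpenSSH syslog format with RFC 5737 documentation addresses, and the function names and the "seen only once" heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines (OpenSSH syslog format). Addresses come from the
# RFC 5737 documentation ranges, not the IPs named in the article.
SAMPLE_AUTH_LOG = """\
Jun  1 02:14:07 web sshd[1201]: Failed password for root from 203.0.113.50 port 40122 ssh2
Jun  1 02:14:09 web sshd[1201]: Failed password for invalid user admin from 203.0.113.50 port 40122 ssh2
Jun  2 09:30:41 web sshd[1877]: Accepted publickey for root from 192.0.2.10 port 51514 ssh2: RSA SHA256:constructedfingerprint
Jun  3 11:02:15 web sshd[2040]: Accepted password for root from 192.0.2.10 port 51888 ssh2
Jun  4 18:45:33 web sshd[2411]: Accepted password for deploy from 198.51.100.23 port 60200 ssh2
Jun  5 23:58:02 web sshd[2790]: Accepted password for root from 198.51.100.7 port 44321 ssh2
"""

# Only "Accepted ..." lines count as successful logins; failed attempts are noise here.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\S+)\sfor\s(?P<user>\S+)\s"
    r"from\s(?P<ip>\S+)\sport\s\d+"
)

def successful_logins(log_text, user="root"):
    """Group successful sshd logins for `user` by source address."""
    by_ip = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "methods": set()}
    )
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if not m or m["user"] != user:
            continue
        rec = by_ip[m["ip"]]
        rec["count"] += 1
        rec["first"] = rec["first"] or m["ts"]  # keep the earliest timestamp seen
        rec["last"] = m["ts"]
        rec["methods"].add(m["method"])
    return dict(by_ip)

def rare_sources(by_ip):
    """Sources with a single login: a heuristic (assumed here) for spotting
    a break from the usual administration hop-point."""
    return sorted(ip for ip, rec in by_ip.items() if rec["count"] == 1)

if __name__ == "__main__":
    logins = successful_logins(SAMPLE_AUTH_LOG)
    for ip, rec in sorted(logins.items(), key=lambda kv: -kv[1]["count"]):
        print(ip, rec["count"], rec["first"], rec["last"], sorted(rec["methods"]))
    print("one-off sources:", rare_sources(logins))
```

Each resulting address can then be looked up for its owning AS, which is the step that separated the VPS provider from the second network in the case above.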
LockBit adds a bug bounty program to its revamped RaaS operation
The development comes as the operators of the emerging Black Basta ransomware expanded their attack arsenal by using QakBot for initial access and lateral movement, and taking advantage of the PrintNightmare vulnerability (CVE-2021-34527) to conduct privileged file operations.
What’s more, the LockBit ransomware gang last week announced the release of LockBit 3.0 with the message “Make Ransomware Great Again!,” in addition to launching their own Bug Bounty program, offering rewards ranging between $1,000 and $1 million for identifying security flaws and “brilliant ideas” to improve its software.
“The release of LockBit 3.0 with the introduction of a bug bounty program is a formal invitation to cybercriminals to help assist the group in its quest to remain at the top,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.
“A key focus of the bug bounty program are defensive measures: Preventing security researchers and law enforcement from finding bugs in its leak sites or ransomware, identifying ways that members including the affiliate program boss could be doxed, as well as finding bugs within the messaging software used by the group for internal communications and the Tor network itself.”
“The threat of being doxed or identified signals that law enforcement efforts are clearly a great concern for groups like LockBit. Finally, the group is planning to offer Zcash as a payment option, which is significant, as Zcash is harder to trace than Bitcoin, making it harder for researchers to keep tabs on the group’s activity.”