An integer conversion vulnerability exists in the SORBAx64.dll RecvPacket functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.

**SUMMARY**

An integer conversion vulnerability exists in the SORBAx64.dll RecvPacket functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WellinTech KingHistorian 35.01.00.05

**PRODUCT URLS**

KingHistorian - https://www.wellintech.com/product/kinghistorian

**CVSSv3 SCORE**

8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-195 - Signed to Unsigned Conversion Error

**DETAILS**

KingHistorian is a time-series database used for ingesting and analyzing industrial control system data. KingHistorian is designed to be high performance and highly reliable for process data.

Within the RecvPacket functionality of SORBAx64.dll, an integer conversion issue exists that can lead to a buffer overflow. The assembly related to the conversion issue can be seen below.

    18002e81c  // 0x18002cd50 - SORBA::TcpTransceiver::Recv
    18002e81c  ff5028             call    qword [rax+0x28]
    18002e81f  85c0               test    eax, eax
    18002e821  // Check if recv successfully retrieved data
    18002e821  0f8566010000       jne     0x18002e98d
    18002e827  // Get the first byte of data
    18002e827  440fb69c24409000…movzx   r11d, byte [rsp+0x9040 {stack_recvBuffer}]
    18002e830  // sign extend the packet data size after the header (reported in header)
    18002e830  4863c7             movsxd  rax, edi
    18002e833  ba01000000         mov     edx, 0x1
    18002e838  48014328           add     qword [rbx+0x28 {SORBA::TransceiverInputStream::m_nRecvLength}], rax {SORBA::TransceiverInputStream::m_nRecvLength}
    18002e83c  410fb6c3           movzx   eax, r11b
    18002e840  41b904000000       mov     r9d, 0x4
    18002e846  2402               and     al, 0x2
    18002e848  3c02               cmp     al, 0x2                                                   [1]
    18002e84a  // First byte of recv buffer has 2 bit set
    18002e84a  410f44d1           cmove   edx, r9d  {0x4}                                           [2]
    18002e84e  8d42ff             lea     eax, [rdx-0x1]
    18002e851  83f803             cmp     eax, 0x3
    18002e854  770a               ja      0x18002e860
    18002e856  // offset into packet to find length
    18002e856  448b841441900000   mov     r8d, dword [rsp+rdx+0x9041 {var_fa17}]
    18002e85e  eb03               jmp     0x18002e863
    18002e863  418bc9             mov     ecx, r9d  {0x4}
    18002e866  bfffffffff         mov     edi, 0xffffffff
    18002e86b  2bca               sub     ecx, edx  // rcx = 0
    18002e86d  8bef               mov     ebp, edi  {0xffffffff}
    18002e86f  c1e103             shl     ecx, 0x3  // rcx = 0
    18002e872  d3ed               shr     ebp, cl  // rbp = 0xFFFF_FFFF
    18002e874  // rbp = packet_data & 0xFFFFFFFF (so no change to packet data)
    18002e874  4123e8             and     ebp, r8d
    18002e877  81fdecf90000       cmp     ebp, 0xf9ec                                               [3]
    18002e87d  // signed comparison of extracted length
    18002e87d  // This is an issue because this guard is here to protect lengths too large to 
    18002e87d  // fit in the buffer
    18002e87d  0f8f14ffffff       jg      0x18002e797
    ...
    18002e8b3  442bca             sub     r9d, edx                                                  [4]
    18002e8b6  418bc4             mov     eax, r12d
    18002e8b9  418bc9             mov     ecx, r9d
    18002e8bc  c1e103             shl     ecx, 0x3
    18002e8bf  48d3ef             shr     rdi, cl
    18002e8c2  4823f8             and     rdi, rax
    18002e8c5  41f6c301           test    r11b, 0x1                                                 [5]
    18002e8c9  7422               je      0x18002e8ed
    ...
    18002e8ed  8d441201           lea     eax, [rdx+rdx+0x1]
    18002e8f1  4c8bc7             mov     r8, rdi
    18002e8f4  4863c8             movsxd  rcx, eax
    18002e8f7  488d940c40900000   lea     rdx, [rsp+rcx+0x9040] {var_18a58}
    18002e8ff  498bca             mov     rcx, r10
    18002e902  e82f150000         call    memcpy                                                    [6]
    

At [1] a flag is extracted from the received packet that is used to determine how large the size field is later in the packet: if the second bit is set in the first byte, then the size field is 4 bytes, which is seen at [2]. Using this size field, some shifting is done to properly extract the size field from the packet for all possible values (only 1 or 4 in this code base). The main issue occurs at [3], where the size is extracted by AND’ing the packet data with 0xFFFFFFFF. If the packet data contains a value greater than 0x80000000, then the signed comparison will pass. It is then used to determine if the allocated stack buffer is large enough to hold all the data. The buffer is statically sized at 0xfa00 bytes. At [4] and [5] the same feature extraction is used to grab the size field again, but at [5] a different flag is checked, this one corresponding to if the payload is compressed or not. Regardless of if the packet is compressed, a multitude of bugs will occur. One such instance is at [6], where the extracted value is used directly as the size of memcpy, which can result in a buffer overflow.

**TIMELINE**

2022-12-16 - Initial Vendor Contact  
2022-12-22 - Vendor Disclosure  
2022-12-22 - Initial Vendor Contact  
2023-03-17 - Vendor Patch Release  
2023-03-20 - Public Release

Discovered by Carl Hurd of Cisco Talos.

CVE-2022-43663: TALOS-2022-1674 || Cisco Talos Intelligence Group

An information disclosure vulnerability exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can sniff network traffic to leverage this vulnerability.

**SUMMARY**

An information disclosure vulnerability exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can sniff network traffic to leverage this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WellinTech KingHistorian 35.01.00.05

**PRODUCT URLS**

KingHistorian - https://www.wellintech.com/product/kinghistorian

**CVSSv3 SCORE**

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-200 - Information Exposure

**DETAILS**

KingHistorian is a time-series database used for ingesting and analyzing industrial control system data. KingHistorian is designed to be high performance and highly reliable for process data.

The protocol used to communicate with XDBServer uses a mixture of ciphering and compression, which prevents plaintext strings from being sent directly. However, if an attacker captured an authentication packet, all the necessary information is included in the packet to recover the username and password.

Packets contain a 0x14-byte header starting with ‘SORB’ in ASCII as magic bytes. The rest of this header is uninteresting for this attack. Once the 0x14 bytes are skipped over, the packet’s first byte of data contains a flag to display if it is compressed, with the least-significant bit of the first byte representing the compression flag. If the packet is compressed, it is decompressed with quicklz . Once decompressed, the data can be recovered using length and value encoding to recover a structure as follows:

    pub struct BrkConnectionOption {
        username: String,
        ciphered_password: String,
        application_name: String,
        client_name: String,
        callback_proxy: String,
        collector_name: String,
        network_timeout: i32,
        connection_flags: i32,
        reserved_1: i32,
        reserved_2: i32,
        session_id: String,
        reserved_4: String,
        enc_key_1: i32,
        enc_key_2: i32,
        enc_key_3: i32,
        enc_key_4: i32,
        os_version: String,
        protocol_version: i32,
        system_general_1: i32,
        system_general_2: i32,
        system_general_3: i32,
        system_general_4: i32, 
    }
    

By combining the parts of the enc_key, it is possible to decipher the ciphered_password from the packet back into the plaintext form.

**Exploit Proof of Concept**

    Raw packet data : [83, 79, 82, 66, 2, 1, 70, 1, 19, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 82, 0, 0, 0, 0, 0, 71, 247, 1, 0, 0, 92, 2, 0, 0, 0, 0, 0, 128, 0, 86, 0, 0, 0, 8, 75, 0, 82, 0, 84, 0, 68, 0, 66, 0, 65, 0, 80, 0, 73, 0, 16, 66, 0, 114, 0, 107, 0, 83, 0, 10, 8, 130, 128, 101, 113, 32, 118, 99, 80, 67, 0, 111, 0, 110, 0, 110, 97, 80, 99, 0, 116, 0, 7, 226, 99, 119, 0, 85, 0, 115, 97, 80, 114, 0, 80, 50, 0, 55, 0, 4, 64, 85, 145, 53, 0, 34, 52, 48, 0, 48, 0, 57, 0, 54, 0, 49, 0, 56, 65, 32, 51, 49, 144, 49, 65, 16, 69, 49, 128, 67, 49, 96, 65, 49, 96, 51, 0, 67, 49, 128, 68, 0, 130, 85, 181, 210, 51, 65, 32, 54, 0, 52, 0, 70, 65, 48, 50, 60, 70, 65, 32, 57, 65, 48, 65, 49, 16, 57, 49, 112, 57, 49, 0, 56, 49, 48, 82, 60, 55, 49, 96, 68, 65, 96, 51, 0, 82, 60, 51, 51, 0, 106, 85, 75, 197, 48, 65, 96, 50, 65, 80, 54, 65, 16, 130, 65, 68, 65, 16, 66, 65, 64, 67, 49, 0, 49, 49, 96, 52, 49, 80, 34, 64, 55, 65, 64, 15, 75, 65, 64, 66, 81, 48, 121, 113, 48, 77, 0, 103, 113, 64, 130, 84, 69, 145, 83, 113, 64, 117, 0, 100, 0, 105, 97, 240, 11, 77, 81, 48, 69, 65, 64, 71, 65, 80, 87, 65, 144, 78, 49, 16, 48, 0, 78, 184, 86, 67, 65, 32, 75, 0, 45, 49, 64, 98, 0, 170, 90, 85, 145, 102, 49, 96, 53, 49, 96, 98, 49, 16, 45, 49, 80, 48, 97, 64, 97, 35, 208, 50, 58, 51, 33, 208, 97, 49, 64, 49, 49, 32, 45, 97, 64, 98, 49, 144, 54, 49, 32, 97, 0, 97, 49, 112, 54, 0, 40, 168, 168, 234, 99, 0, 98, 49, 128, 58, 113, 64, 99, 0, 112, 0, 32, 33, 208, 104, 33, 0, 49, 49, 144, 50, 0, 46, 49, 16, 54, 49, 128, 46, 49, 0, 46, 49, 112, 49, 33, 0, 45, 115, 0, 82, 53, 214, 6, 0, 160, 55, 49, 144, 2, 47, 116, 33, 0, 48, 1, 0, 1, 0, 2, 1, 0, 8, 0, 46, 1, 79, 64, 6, 0, 58, 92, 90, 127, 4, 12, 117, 19, 28, 39, 51, 77, 97, 144, 99, 69, 20, 85, 237, 113, 32, 111, 113, 48, 111, 0, 102, 113, 64, 32, 0, 87, 97, 144, 110, 97, 64, 111, 0, 119, 113, 48, 32, 81, 80, 110, 97, 176, 110, 97, 240, 119, 97, 224, 32, 65, 80, 66, 111, 116, 97, 144, 242, 104, 160, 170, 2, 134, 44, 0, 32, 0, 40, 49, 96, 46, 49, 96, 32, 97, 32, 117, 97, 144, 108, 97, 64, 32, 49, 144, 50, 49, 0, 48, 0, 41, 0, 0, 80, 3, 8, 0, 5, 0, 0, 0, 0, 0]
    
    BrkConnectionOption {
        username: "newUser",
        ciphered_password: "27527009618B391AE8C6A63C8D3B64FCC8FB9CA1979083E876DF3E83080F2E6A8BDABDC01645BD7D",
        application_name: "KDBSysMgtStudio",
        client_name: "MSEDGEWIN10",
        callback_proxy: "KRTDBCBK-4bf656b1-50da-4393-a412-db962aa76cb8:tcp -h 192.168.0.71 -p 5679 -t 0",
        collector_name: "",
        network_timeout: 0,
        connection_flags: 2,
        reserved_1: 0,
        reserved_2: 0,
        session_id: "",
        reserved_4: "",
        enc_key_1: 1078919470,
        enc_key_2: 1547304966,
        enc_key_3: 201621338,
        enc_key_4: 656151413,
        os_version: "Microsoft Windows Unknown Edition, (6.6 build 9200)",
        protocol_version: 217088,
        system_general_1: 0,
        system_general_2: 0,
        system_general_3: 0,
        system_general_4: 0,
        encryption_key: EncryptionKey {
            enc_1: 1078919470,
            enc_2: 1547304966,
            enc_3: 201621338,
            enc_4: 656151413,
        },
    }
    
    Password is : Thisismypassword
    

**TIMELINE**

2022-12-16 - Initial Vendor Contact  
2022-12-22 - Vendor Disclosure  
2022-12-22 - Initial Vendor Contact  
2023-03-17 - Vendor Patch Release  
2023-03-20 - Public Release

Discovered by Carl Hurd of Cisco Talos.

CVE-2022-45124: TALOS-2022-1683 || Cisco Talos Intelligence Group

Rapid7 InsightVM versions 6.6.178 and lower suffers from an open redirect vulnerability, whereby an attacker has the ability to redirect the user to a site of the attacker’s choice using the ‘page’ parameter of the ‘data/console/redirect’ component of the application. This issue was resolved in the February, 2023 release of version 6.6.179.

*   Products
    
    *   Insight Platform Solutions
    *   
    *   Threat Intelligence
        
        THREAT COMMAND
        
    *   Vulnerability Management
        
        INSIGHTVM
        
    *   Dynamic Application Security Testing
        
        INSIGHTAPPSEC
        
    *   Orchestration & Automation (SOAR)
        
        INSIGHTCONNECT
        
    *   Cloud Security
        
        INSIGHTCLOUDSEC
        
    
    *   More Solutions
    *   Penetration Testing
        
        METASPLOIT
        
    *   On-Prem Vulnerability Management
        
        NEXPOSE
        
    *   Digital Forensics and Incident Response (DFIR)
        
        Velociraptor
        
    
    *   Cloud Risk Complete
        
        Cloud Security with Unlimited Vulnerability Management
        
        Explore Offer
    *   Managed Threat Complete
        
        MDR with Unlimited Risk Coverage
        
        Explore offer
    
*   Services
    
    *   MANAGED SERVICES
    *   Detection and Response
        
        24/7 MONITORING & REMEDIATION FROM MDR EXPERTS
        
    *   Vulnerability Management
        
        PERFECTLY OPTIMIZED RISK ASSESSMENT
        
    *   Application Security
        
        SCAN MANAGEMENT & VULNERABILITY VALIDATION
        
    
    *   OTHER SERVICES
    *   Security Advisory Services
        
        PLAN, BUILD, & PRIORITIZE SECURITY INITIATIVES
        
    *   Product Consulting
        
        QUICK-START & CONFIGURATION
        
    *   Training & Certification
        
        SKILLS & ADVANCEMENT
        
    *   Penetration Services
        
        TEST YOUR DEFENSES IN REAL-TIME
        
    *   IoT Security Testing
        
        SECURE EVERYTHING CONNECTED TO A CONNECTED WORLD
        
    *   Premium Support
        
        PRIORITY HELP & FASTER SOLUTIONS
        
    
*   Support & Resources
    
    *   SUPPORT
    *   Support Portal
        
        CONTACT CUSTOMER SUPPORT
        
    *   Product Documentation
        
        EXPLORE PRODUCT GUIDES
        
    *   Release Notes
        
        DISCOVER THE LATEST PRODUCT UPDATES
        
    *   
    
    *   RESOURCES
    *   Fundamentals
        
        FOUNDATIONAL SECURITY KNOWLEDGE
        
    *   Blog
        
        THE LATEST INDUSTRY NEWS AND SECURITY EXPERTISE
        
    *   Resources Library
        
        E-BOOKS, WHITE PAPERS, VIDEOS & BRIEFS
        
    *   Extensions Library
        
        PLUGINS, INTEGRATIONS & DEVELOPER COMMUNITY
        
    *   Partners
        
        RAPID7 PARTNER ECOSYSTEM
        
    *   Webcasts & Events
        
        UPCOMING OPPORTUNITIES TO CONNECT WITH US
        
    *   Vulnerability & Exploit Database
        
        SEARCH THE LATEST SECURITY RESEARCH
        
    
*   Company
    
    *   OVERVIEW
    *   
    *   Leadership
        
        EXECUTIVE TEAM & BOARD
        
    *   News & Press Releases
        
        THE LATEST FROM OUR NEWSROOM
        
    *   
    *   Our Customers
        
        Their Success Stories
        
    
    *   COMMUNITY & CULTURE
    *   Social Good
        
        OUR COMMITMENT & APPROACH
        
    *   Rapid7 Cybersecurity Foundation
        
        BUILDING THE FUTURE
        
    *   Diversity, Equity & Inclusion
        
        EMPOWERING PEOPLE
        
    *   Open Source
        
        STRENGTHENING CYBERSECURITY
        
    *   Public Policy
        
        ENGAGEMENT & ADVOCACY
        
    
*   RESEARCH
*    Sign In

*   All Products
    
    *   AppSpider
    *   Insight Agent
    *   InsightAppSec
    *   InsightCloudSec
    *   InsightConnect
    *   Insight Platform
    *   InsightIDR
    *   Insight Network Sensor
    *   InsightOps
    *   InsightVM
    *   Metasploit
    *   Nexpose
    *   tCell
    *   Managed Services
    

*   Products
    
    *   Insight Platform Solutions
    *   
    *   Threat Intelligence
        
        THREAT COMMAND
        
    *   Vulnerability Management
        
        INSIGHTVM
        
    *   Dynamic Application Security Testing
        
        INSIGHTAPPSEC
        
    *   Orchestration & Automation (SOAR)
        
        INSIGHTCONNECT
        
    *   Cloud Security
        
        INSIGHTCLOUDSEC
        
    
    *   More Solutions
    *   Penetration Testing
        
        METASPLOIT
        
    *   On-Prem Vulnerability Management
        
        NEXPOSE
        
    *   Digital Forensics and Incident Response (DFIR)
        
        Velociraptor
        
    
    *   Cloud Risk Complete
        
        Cloud Security with Unlimited Vulnerability Management
        
        Explore Offer
    *   Managed Threat Complete
        
        MDR with Unlimited Risk Coverage
        
        Explore offer
    
*   Services
    
    *   MANAGED SERVICES
    *   Detection and Response
        
        24/7 MONITORING & REMEDIATION FROM MDR EXPERTS
        
    *   Vulnerability Management
        
        PERFECTLY OPTIMIZED RISK ASSESSMENT
        
    *   Application Security
        
        SCAN MANAGEMENT & VULNERABILITY VALIDATION
        
    
    *   OTHER SERVICES
    *   Security Advisory Services
        
        PLAN, BUILD, & PRIORITIZE SECURITY INITIATIVES
        
    *   Product Consulting
        
        QUICK-START & CONFIGURATION
        
    *   Training & Certification
        
        SKILLS & ADVANCEMENT
        
    *   Penetration Services
        
        TEST YOUR DEFENSES IN REAL-TIME
        
    *   IoT Security Testing
        
        SECURE EVERYTHING CONNECTED TO A CONNECTED WORLD
        
    *   Premium Support
        
        PRIORITY HELP & FASTER SOLUTIONS
        
    
*   Support & Resources
    
    *   SUPPORT
    *   Support Portal
        
        CONTACT CUSTOMER SUPPORT
        
    *   Product Documentation
        
        EXPLORE PRODUCT GUIDES
        
    *   Release Notes
        
        DISCOVER THE LATEST PRODUCT UPDATES
        
    *   
    
    *   RESOURCES
    *   Fundamentals
        
        FOUNDATIONAL SECURITY KNOWLEDGE
        
    *   Blog
        
        THE LATEST INDUSTRY NEWS AND SECURITY EXPERTISE
        
    *   Resources Library
        
        E-BOOKS, WHITE PAPERS, VIDEOS & BRIEFS
        
    *   Extensions Library
        
        PLUGINS, INTEGRATIONS & DEVELOPER COMMUNITY
        
    *   Partners
        
        RAPID7 PARTNER ECOSYSTEM
        
    *   Webcasts & Events
        
        UPCOMING OPPORTUNITIES TO CONNECT WITH US
        
    *   Vulnerability & Exploit Database
        
        SEARCH THE LATEST SECURITY RESEARCH
        
    
*   Company
    
    *   OVERVIEW
    *   
    *   Leadership
        
        EXECUTIVE TEAM & BOARD
        
    *   News & Press Releases
        
        THE LATEST FROM OUR NEWSROOM
        
    *   
    *   Our Customers
        
        Their Success Stories
        
    
    *   COMMUNITY & CULTURE
    *   Social Good
        
        OUR COMMITMENT & APPROACH
        
    *   Rapid7 Cybersecurity Foundation
        
        BUILDING THE FUTURE
        
    *   Diversity, Equity & Inclusion
        
        EMPOWERING PEOPLE
        
    *   Open Source
        
        STRENGTHENING CYBERSECURITY
        
    *   Public Policy
        
        ENGAGEMENT & ADVOCACY
        
    
*   RESEARCH

*   Sign In

*   Documentation
*   All Products
    
    *   AppSpider
    *   Insight Agent
    *   InsightAppSec
    *   InsightCloudSec
    *   InsightConnect
    *   Insight Platform
    *   InsightIDR
    
    *   Insight Network Sensor
    *   InsightOps
    *   InsightVM
    *   Metasploit
    *   Nexpose
    *   tCell
    *   Managed Services

CVE-2023-0681: Nexpose Release Notes

By Deeba Ahmed
HinataBot can launch Distributed Denial of Service (DDoS) attacks reaching 3.3 TBPS. 
This is a post from HackRead.com Read the original post: Threat Actors Using Go-based HinataBot to launch DDoS Attacks

****The botnet is based on the Mirai botnet, and since it is actively updated, the new versions have additional features like functional improvements and anti-analysis.****

Akamai’s Security Intelligence Response Team (SIRT) cybersecurity researchers have discovered a brand-new botnet, dubbed HinataBot. This botnet can launch DDoS attacks of up to several terabytes in volume. Its distribution started earlier in 2023 and is still ongoing.

**New Botnet can Launch DDoS Attacks of 3.3 TBPS**

Akamai’s research report read that HinataBot can launch Distributed Denial of Service (DDoS) attacks reaching 3.3 TBPS. It is a Go-based botnet named after a character from the famous anime series, Naruto. While researching, Akamai’s honeypots detected this botnet as it tried to exploit old vulnerabilities, including CVE-2017-17215 and CVE-2014-8361.

The flaws impact Realtek SDS, Hadoop Yarn servers, and Huawei routers. To exploit these flaws, attackers use brute force, RCE payloads, and infection scripts. HinataBot evidence was found in Akamai’s SSH and HTTP honeypots, but researchers believe malware authors are actively updating it.

**What Makes Hinata Different?**

The researchers imitated the attackers’ C2 server with a range of reverse engineering techniques and simulated attacks to get a deeper understanding of the malware functionalities and its unique attributes. They learned that previously DDoS flooding attacks were launched over multiple protocols.

But, the recently discovered HinataBot uses only HTTP and UDP flooding techniques. Attackers exploit the miniigd SOAP service on Realtek SDK with CVE-2014-8361, exposed Hadoop YARN servers with an unspecified flaw, and Huawei HG532 routers with CVE-2017-17215.

**Attack Volume**

Akami noted that HinataBot’s DDoS attack’s packet size for HTTP reached 484 to 589 bytes whereas, for UDP packets, the size was considerably large at 65,549 bytes. It may seem low but could cause sufficient digital destruction for the targets.

Akamai, however, noted that the malware could generate over 20,000 requests and reach 3.4 MB whereas, with a thousand nodes, the attack data volume may reach 3.3 TBPS.

**Threat Actors Distributing Mirai Binaries**

Further probe revealed that the threat actors operating HinataBot distributed Mirai binaries. There are several nods to the open-source, Go-based botnet.

“HinataBot is the newest in the ever-growing list of emerging Go-based threats that includes botnets such as GoBruteForcer and the recently discovered (by SIRT) kmsdbot,” Akamai researchers noted.

The malware is based on the Mirai botnet, and since it is actively updated, the new versions have additional features like functional improvements and anti-analysis. Its previous versions supported UDP, HTTP, TCP, and ICMP floods, but the new version only supports UDP and HTTP.

1.  Akamai Mitigated Record-Breaking DDoS Attack
2.  RapperBot hits gaming servers with DDoS attacks
3.  Tor Network Hit By a Series of Ongoing DDoS Attacks

Threat Actors Using Go-based HinataBot to launch DDoS Attacks

This article has not been generated by ChatGPT. 
2022 was the year when inflation hit world economies, except in one corner of the global marketplace – stolen data. Ransomware payments fell by over 40% in 2022 compared to 2021. More organisations chose not to pay ransom demands, according to findings by blockchain firm Chainalysis.
Nonetheless, stolen data has value beyond a price tag, and in

_This article has not been generated by ChatGPT._

2022 was the year when inflation hit world economies, except in one corner of the global marketplace – stolen data. Ransomware payments fell by over 40% in 2022 compared to 2021. More organisations chose not to pay ransom demands, according to findings by blockchain firm Chainalysis.

Nonetheless, stolen data has value beyond a price tag, and in risky ways you may not expect. Evaluating stolen records is what Lab 1, a new cyber monitoring platform, believes will make a big difference for long-term cybersecurity resilience.

Think of data value this way:

*   Stolen credentials can become future phishing attacks
*   Logins for adult websites are potential extortion attempts
*   Travel and location data are a risk to VIPs and senior leadership,
*   And so on…

Hackers could retaliate for non-payment by simply posting their loot to forums where the data will be available for further enrichment and exploitation.

****Shining a light on dark places****

Even though your company may not have suffered a direct breach, your data may already be on the Dark Web. That is why Lab 1 gets hold of available data and contextualises it to assess risk.

The Dark Web started off as a closed network to protect dissidents. Now half of it is a popular backwater for criminal activity. According to the IMF, data marketplaces are the second most popular activity after pharma and recreational drugs.

Industry research in 2022 also found more than 24 billion username and password combinations on sale on the dark web, up from 15 billion in 2020. But there can be other records – intellectual property, accountancy documents, employee records and more.

Breaches end up being marketed by hackers with data descriptions and auction demands, often in Bitcoin. By getting hold of these records, no matter their value or half life, Lab 1 builds a picture of risk exposure.

****Chain reaction****

You may not think of your supply chain as a source of cybersecurity risk, but you should. 53% of organisations have had a data breach caused by third party information theft, according to Ponemon Institute.

Data breaches can and do spread outside the perimeter of your business. That's the insight that drives the Lab 1 platform. In an interconnected business, the tools you use, the agencies you hire, and the subcontractors you use to perform everyday business are all potential vectors of attack.

Say you're a client of a software vendor, and _their_ stolen data pack includes code access to the servers of various clients, it's likely to include yours. Or what if trip details of VIP customers get leaked and they're about to show up at an important conference?

****Monitor your supply chain****

Fallouts from cybersecurity breaches don't have to be inevitable. Lab 1 monitors, alerts and analyses data breaches across a company's entire supply chain by finding and contextualising data found on forums, messaging platforms and Dark Web marketplaces.

Using Lab 1, organisations can "follow" the companies they work with and get alerted if any of them have been breached that would pose a risk. This can be particularly useful for breach insurance and other risk-related provisions.

Because Lab 1 is finding new data entities by the second – 24bn to date – and is adding them to CiGraph, its graph database, the monitoring is continuous.

As and when incidents are recorded or data becomes available, Lab 1 systems provide a near-real-time alerting service called _Blast Radius_. It allows security teams to dig deeper on what happened.

****Control the network effect of breaches****

Every incident generates fallout that impacts other companies, sometimes in their thousands. Lab 1's _Fallout_ service details this network effect and how companies you follow (including your own) are impacted.

Lab 1 also details history, risk quantification, and recommended remedies, based on the nature and size of the breach. Helping to prevent attack, manage damage and view live risk quantification across thousands of suppliers, with the intention for businesses to build more robust supply chains.

**_To find out if there's a hidden data breach that involves your company, go to https://www.lab-1.io/, where CiGraph may yet reveal a Dark Web secret you didn't know you had._**

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Cyber Platform Lab 1 Decodes Dark Web Data to Uncover Hidden Supply Chain Breaches

Open source intelligence researchers are verifying and debunking opaque claims about who ruptured the gas pipelines in the Baltic Sea.

It’s been six months since the Nord Stream gas pipelines were ruptured by a series of explosions, leaking tons of methane into the environment and igniting an international whodunit. Russia, the United States, the United Kingdom, and an unnamed pro-Ukrainian group have all been accused of planting explosives on the Baltic Sea pipelines in recent months. But half a year since the sabotage took place, the mystery remains unsolved.

Digital sleuths are stepping in to help provide clarity around bombshell claims about who was behind the attacks. Open source intelligence (OSINT) researchers are using public sources of data in their efforts to verify or debunk the snippets of information published about the Nord Stream explosions. They’re providing a glimpse of clarity to an incident that’s shrouded by secrecy and international politics.

Since early February, multiple media reports have claimed to provide new information about who could have attacked the Nord Stream 1 and 2 pipelines on September 26. However, the reports have largely been based on anonymous sources, including unnamed intelligence officials and leaks from government investigations into the attacks.

First, American investigative journalist Seymour Hersh published claims that the US was behind attacks in a post on Substack. This was followed by reports in _The New York Times_ and German publication _Die Zeit_ claiming a pro-Ukrainian group was responsible. (European leaders have previously speculated Russia could be behind the attacks, and Russia has blamed the United Kingdom.) No country has claimed responsibility for the blasts so far, and official investigations are ongoing.

Each of the recent reports has provided little hard evidence to show what may actually have happened, while helping to fuel speculation. Jacob Kaarsbo, a senior analyst at Think Tank Europa, who previously worked in Danish intelligence for 15 years, says the claims have been “remarkable” but also “speculative” in nature. “In my mind, they don’t really alter the picture,” Kaarsbo says, adding the attacks look highly complex and would likely be “very hard to pull off without it being a state actor or at least with state sponsorship.”

In the absence of official information, OSINT researchers have been trying to plug the gaps by examining the claims of the new reports with public data. OSINT analysis is a powerful way to determine how an event may have unfolded. For instance, flight- and ship-tracking data can reveal movements around the world, satellite images show Earth in near real-time, while small clues in the backgrounds of photos and videos can reveal where they were taken. The techniques have uncovered Russian assassins, spotted North Korea evading international trading sanctions, identified potential war criminals, and documented pollution.

For the Nord Stream blasts, there was little OSINT available. Researchers identified “dark ships” in the area. But underwater, there are obviously limited data sources that can be tapped into—cameras and sensors don’t monitor every inch of the pipelines. “OSINT probably won’t break this case open, but it can be used to verify or strengthen other hypotheses,” says Oliver Alexander, an analyst who focuses on OSINT and has been closely looking at the Nord Stream blasts. “I do think that it’s more of a verification tool.”

Alexander and others have been examining the claims made so far. _The New York Times_ and _Die Zeit_ both published stories on March 7 claiming a Ukrainian group was behind the sabotage. (Ukraine has denied any involvement.) _Die Zeit_ published more details, claiming German investigators searched a yacht rented from a company based in Poland, knew where the yacht sailed from, and that six people were involved in the operation, including two divers. All of them used forged passports, the publication reported.

The details were enough for OSINT researchers to start tracking down which yacht could have been used. Alexander, as well as contributors to the open-source investigative outlet Bellingcat, started following the breadcrumbs, narrowing down potential vessels. A follow-up report soon named the boat under suspicion as the _Andromeda_, a 15-meter-long yacht. Webcam footage from the harbor where it is believed the _Andromeda_ was docked shows the movement of a boat around the time reported by the publications. (The _Andromeda_ is reportedly too small to be required to use ship-tracking systems.) Years-old videos and photos of the boat have surfaced. The sleuthing adds public details to the reports.

Similarly, OSINT has been used to debunk Hersh’s story claiming the United States was behind the explosions. (Hersh has defended his article, while US officials have said it was false.) Alexander has used, among other things, ship-tracking data to show Norwegian ships were “accounted for” and not in a “position to have placed the explosives on the Nord Stream pipeline, as claimed by Hersh.” Another detailed article from Norwegian journalists has similarly poured cold water on Hersh’s claims, partly using satellite data.

The sabotage was always likely to be controversial and surrounded by rumors: Russia’s full-scale invasion of Ukraine in February 2022 has heated global tensions and put pressure on diplomats around the world. There has been a whirlwind of disinformation around the blasts, further muddying the waters. Mary Blankenship, a disinformation researcher at the University of Nevada, Las Vegas, who has analyzed online conversations around the war, says the “high uncertainty and high stakes” of the incident help to fuel the spread of disinformation. 

“This is an issue that exploits existing worries, tensions, and grievances within European audiences,” Blankenship says. Initially, the earliest disinformation on Twitter about the explosions came from conspiracy theorists, Blankenship says, who shared a pre-war statement from US president Joe Biden, where he said there would be an “end” to Nord Stream 2 if Russia invaded Ukraine. Since then, Russia and China have taken to sharing unproven theories about the sabotage, the researcher says.

“Disinformation actors, but also official representatives of the \[Russian\] regime, stepped up their efforts on every news story that was published on this—however contradictory about the origins of the blast—be it a blog post by Seymour Hersh or a _New York Times_ article,” says Peter Stano, an EU spokesperson, adding most disinformation narratives have circled around the idea that “the US is to blame.” The EU’s disinformation monitoring project, EUvsDisinfo, has flagged more than 150 pieces of disinformation linked to the Nord Stream explosions, including those building on Hersh’s story. “EUvsDisinfo experts also found that Moscow considers the recent materials in German-language media a hoax,” Stano says.

While OSINT is helping to provide bits of extra detail on the claims about the Nord Stream attacks, it is likely that reports debunking dubious claims reach fewer people than disinformation or claims that are hard to verify. “It does not nearly get the same level of engagement,” Blankenship says. “You can have a book’s worth of evidence for it, and they would still find a way to discount it.”

And while OSINT research can answer some questions, it has its limits and can also raise new ones. Kaarsbo, the former Danish intelligence official, and other experts have pointed out that the _Andromeda_ is a relatively small yacht, and it may have been unable to carry the amount of explosives needed to blow the pipelines. “The _Andromeda_ is quite likely a piece of the puzzle, but I don’t think it’s a bigger piece of the puzzle that everyone makes it out to be,” Alexander says. “I think there are a lot of the big pieces missing.” Detailed sonar imagery of the damaged pipes would help people to understand what happened underwater, Alexander adds.

Ultimately, there is still very little hard public evidence—either from governments or publicly available online—about who may have been behind the attacks. Behind closed doors, intelligence agencies likely have more data and theories on the potential culprits. However, investigators in Sweden and Denmark refused to comment on their progress, while Germany’s Office of the Federal Prosecutor confirmed it had searched a yacht and is continuing to examine for explosives. German officials have also said there could be a chance of a “false flag” operation to smear Ukraine. And when the countries complete their investigations, there’s no guarantee they will publish their findings or evidence to back them up. The mystery continues.

Online Sleuths Untangle the Mystery of the Nord Stream Sabotage

Categories: News
Tags: Doxxers

Tags:  doxxing

Tags:  police

Tags:  social media

Tags:  extortion

Tags:  data breach

Two individuals have been charged with being members of ViLE, a group of doxxers that even impersonated police officers to obtain personal information about their victims.



(Read more...)




The post "ViLE" members posed as police officers and extorted victims appeared first on Malwarebytes Labs.

Posted: March 17, 2023 by

In a press release the U.S. Attorney's Office, Eastern District of New York revealed details about the complaint against two individuals that are charged with wire fraud and conspiracy to commit computer intrusions.

More specifically, the defendants are suspected of extortion with the threat of doxxing. Doxxing, also known as doxing, is the act of publishing personal information about an individual without their consent. This information can include addresses, phone numbers, email addresses, and even financial details.

Allegedly, the defendants threatened to publish or otherwise use personal information about the victims unless they paid to have their information removed from or kept off the website.

The defendants, of which one is still at large, belonged to a group called Vile. Members of ViLE sought to collect victims’ personal information, such as names, physical addresses, telephone numbers, social security numbers, and email addresses. ViLE runs its own website which they use to post that information unless the victim complied with their demands.

As stated by United States Attorney Peace. 

“As alleged, the defendants shamed, intimidated and extorted others online. This Office will not tolerate those who impersonate law enforcement officers and misuse the public safety infrastructure that exists to protect our citizens.”

The second sentence of that statement indicates how the defendants were able to get their hands on the personal information. What the defendants are charged with is that they unlawfully used a police officer’s stolen password to access a restricted database maintained by a federal law enforcement agency. They used the police officer’s credentials to access without authorization a nonpublic, password-protected web portal maintained by a U.S. federal law enforcement agency, whose purpose is to share intelligence from government databases with state and local law enforcement agencies. Said database contains (among other data) detailed, nonpublic records of narcotics and currency seizures, as well as law enforcement intelligence reports. 

The two suspects are also charged with accessing without authorization the email account of a foreign law enforcement officer. They abused this access to defraud social media companies by making purported emergency requests for information about the companies’ users. For example, one of the defendants used an official email account to pose as a Bangladeshi police officer in communication with US-based social media platforms.

The same Bangladeshi police account was used to request data about the user of  an online gaming platform. When caught they threatened to sell the platform’s information on the Dark Web. An associate posed as a US local police officer and sent a forged subpoena to one of the platform’s vendors, seeking registration details about their administrators.  The vendor did not provide the information.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim oif a data breach.

*   Check the vendor's advice. Every breach is different, so check with the vendor to find out what's happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don't use for anything else. Better yet, let a password manager choose one for you.
*   Enable two-factor authentication. Where possible, use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

**RELATED ARTICLES**

"ViLE" members posed as police officers and extorted victims

In the spring of 2022, I was sitting in my college apartment studying for an exam when I received a call from an unfamiliar number. Not thinking anything of it, I answered and was stunned to meet a Secret Service agent asking about an unsavory tweet I’d posted about former president George W. Bush four months earlier. 

“When making that tweet,” asked the federal agent on the line, “were you talking about George Bush Sr. or George Bush Jr.?”

My eyes darted between the Detroit Field Office’s list of contacts on its website and my friend in my room, afraid that I’d be indicted on a federal crime at 20 years old. 

“George Bush Jr.,” I responded. “Cause he’s still alive.”

It was unbelievable to me that a federal agent saw my old drunken tweet and considered it important enough to be investigated, much less to find my contact information and call me to confirm whether or not I was a threat. 

Back then, I had an unhealthy relationship with Twitter. I’d hoped to grow an audience on the social media site so I could sell my Substack like my favorite internet micro-celebrities. But drunk one night, after arguing with my roommates about 9/11 and the unjust war in Iraq, I tweeted that George Bush should be dead, and I went to bed. It wasn’t uncommon for me to throw out inflammatory remarks. My roommates, usually more cautious and forward-thinking than I was, advised me to delete it. Ignoring them, I kept it up for reasons like ego and fallacious integrity. Four months later it came back to bite me. 

While my college classmates and I were worried about the federal government interfering in the lives of everyday citizens, it’s not the only area of surveillance I should have been concerned about. Internet service providers and platforms like Twitter and Facebook all regularly moderate their service in ways that can either thrust users into the eyes of law enforcement or keep them safe from surveillance. That’s a distinction that’s often left up to those in power to make. Whether it’s a stupid tweet or a legitimate complaint depends heavily on who’s in charge of making that call.

“Governments in Iran and China are centralized and control service providers, or have very strict rules on who is operating them and how,” says University of Michigan computer science professor Roya Ensafi, founder of Censored Planet. “In a lot of other countries, though, service providers are commercial entities like Comcast and Verizon, so the government has to rule through policy to figure out how to implement censorship. Although it's different, the government always has a good idea of what the ISPs are doing,” she elaborates. 

The US government isn’t usually inclined to release data on its own surveillance activities, but the American Civil Liberties Union, along with other similar organizations, have a mountain of data about the often racist and invasive activities of American intelligence agencies. Plus, social media companies have a long history of cooperating with intelligence agencies in gathering information on their users.

Unfortunately, my thought process wasn’t that complex when I suddenly had to talk to a federal agent on my phone about what I’d posted to Twitter.

“Can I take a second just to verify that you are, in fact, calling me?” I stammered out, recalling that I had a right to verify the agent’s identity–or perhaps call a lawyer before responding with anything that may be incriminating. An investigation by the Secret Service goes through the federal judicial system, after all. I hoped I didn’t need to pay for a fancy-pants federal defense attorney.

“Sure, but if you don’t call me back,  we would have to show up to your address in Ann Arbor,” he replied. 

I called the Chicago Field Office, as the Detroit Field Office was closed that day. “Hi, I’d like to request some information,” I said to the man on the phone. 

“May I ask you why?” he asked. 

What was I supposed to say to this guy? This wasn’t a FOIA request. I swallowed the lump in my throat and nervously capitulated. “I’m currently being investigated, and I wanted to verify that this agent works at the Detroit Field Office from this number before I give any information.”

The investigator checked. This agent did indeed work for the Secret Service. I called him back and was met with more dejected quasi-threats. He listed my father’s name and occupation, my (deceased) mother’s name and occupation, and my sister’s age. He dropped the first four numbers of my social security number before I told him I understood he was legit. As the debacle continued,  I realized I’d accrued the equivalent of a seditious parking ticket.

“Alright, I’ve got no more questions for you. If you pull anything like that again, though, we will not hesitate to show up armed at your door. Can I call a friend to corroborate the information you’ve given me?” the agent asked. I obliged. I thought to myself that it was probably better not to let this thing escalate.

Returning from my exam later that day, I finally told my roommates what had transpired. _They_ were surprised that all of my posturing and bloviating about the “Feds” actually came to bite me. _I_ was embarrassed that I actually ended up in this situation. 

When I told my father what happened, he was hysterical.“Is this going to cost you a job?” he finally asked. It was a good question. I wasn’t sure of the answer, and even though I hoped the whole thing was over, I had no way to know if I were on some kind of watch list going forward. 

So was there any real way to monitor my digital footprint so I wouldn’t be targeted, or to keep myself safe in the future so this wouldn’t happen again?  When I asked Ensafi, she brought up the General Data Protection Regulation in the EU, and California’s Consumer Privacy Act. However, both laws aim to make individuals aware of what commercial entities can and can’t do with your data, not what they can and can’t hand over to law enforcement or government bodies.

“I don’t know whether the day-to-day lives of Americans are affected by surveillance, but I can assure you that one thing we found in our VPN study was that vast numbers of users in the United States using VPNs think that they’re protecting their privacy and security from service providers,” Ensafi says. The presence of internet influencers advertising VPN software has long made me wary of how effective they actually were. Ensafi agrees. 

“Years ago my students and I decided to look into the ecosystem through systematic investigation on how weak implementations are, how weak VPN services are, if they’re leaking DNS data or implementing a kill switch properly or not, as well as understanding users’ perspective better as to why they use VPN services. Do they know what a VPN actually provides? Where do they find VPNs from? They think VPNs are a tool to save the day, but that isn’t always the case.”

I know for a fact that a VPN probably wouldn’t have helped in my case. I have identifiable information publicly available, and a link to some other stuff in my Twitter profile and bio. But Twitter does hand over user information—usually at the behest of a subpoena, but other times whenever it chooses to. Take for example, the case of @PRGuy17. Twitter was ordered to hand over the user’s personal information by a court in Australia during a defamation case. That’s not even considering any actual data-sharing agreements the platform—or other platforms—may have for their own purposes, and who knows what the third parties do with your information. 

VPNs are helpful, but they aren’t especially useful if you find yourself in my situation. One easy solution, of course, is to simply be careful what you say publicly, regardless of whether you’re identifiable or not. Another simple internet hygiene tip I recommend is to avoid suspicious users. I’m not joking. The FBI spends millions of dollars on user surveillance of social media. If it seems like a user is trying to coerce information out of you, especially that of the illicit kind, don’t comply. Don’t click suspicious links, either. These are viruses most of the time, but it’s not just scammers and con artists that set up fake websites to “honeypot” users and grab their IP addresses and other personal information. I don’t expect any of you to be criminals, but you can’t be too careful. If you absolutely must, use secure and encrypted messaging clients like Signal.

I still post opinionated takes on social media, and I try to use sarcasm and satire to comment on government surveillance and conspiracy theories. But I stopped joking about the demise of presidents. Do I know exactly how to avoid this in the future, or how to put a stop to it entirely? Not entirely. It’s hard to offer tips when your words are stuck between private companies and the global surveillance complex. I think I did the right thing by cooperating and trying to minimize the potential fallout from a drunken tweet. But what if the agent—or anyone who potentially reported my tweet—had more dirt on me, or had some kind of personal or political vendetta? 

What I can say for sure is that it’s always good to be careful. I know now to watch what I say and only say things I truly mean. So, above all else, exercise caution. And remember that when you speak on the internet, you never know who’s listening.

I Got Investigated by the Secret Service. Here's How to Not Be Me

In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.

CVE-2022-48424

Plus: A SpaceX supplier ransom, critical vulnerabilities in dozens of Android phones, and more.

What’s more controversial than a popular surveillance camera maker that has an uncomfortably cozy relationship with American police? When ransomware hackers claim to have breached that company—Amazon-owned camera maker Ring—stolen its data, and Ring responds by denying the breach.

But we’ll get to that.

Five years ago, police in the Netherlands caught members of Russia’s GRU military intelligence red-handed as they tried to hack the Organization for the Prohibition of Chemical Weapons in The Hague. The team had parked a rental car outside the organization’s building and hid a Wi-Fi snooping antenna in its trunk. Within the GRU group was Evgenii Serebriakov, who was caught with further Wi-Fi hacking tools in his backpack.

Since then, surprisingly, Serebriakov has only risen in status. This week, Western intelligence sources told WIRED that Serebriakov is now the new leader of one of the world’s most aggressive hacking units. Serebriakov took over Sandworm, which is responsible for some of the worst cyberattacks in history, in the spring of 2022. His elevation to the senior role, experts say, shows how small the pool of skilled nation-state hackers is likely to be and demonstrates Serebriakov’s value to Russia.

Nowhere on the internet is free from threats—and that includes LinkedIn. This week we looked at how spies, scammers, and hackers from Iran, North Korea, Russia, and China are using the professional network to scout and approach intelligence targets. In addition, LinkedIn is plagued with thousands of suspicious accounts; it removed hundreds from WIRED’s profile when we reported them.

The Western clampdown on TikTok is continuing—this week the UK joined the US, Belgium, Canada, and the European Union in banning the social media app from being used on government devices. But in the US, Senator Mark Warner is trying to pass legislation, in the guise of the bipartisan Restrict Act, that will allow officials to ban apps and services from six “hostile” nations: China, Russia, North Korea, Iran, Cuba, and Venezuela. We sat down with Warner and asked about the plans.

A WIRED analysis of “cybercrime” cases across the US shows how vague and wide-ranging the term can be. Without a clear and universal definition of cybercrime, human rights and civil liberties issues may expand globally. Speaking of criminals, scammers are getting better at using voice deepfakes to con people. And ransomware gangs are sinking to a new deplorable low. As more and more companies and organizations refuse to pay ransoms, criminal gangs are increasingly using extortion as leverage: they are now releasing photos stolen from cancer patients and sensitive student records. 

But wait, there's more. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

ALPHV, a prolific group of hackers who extort companies with ransomware and leak their stolen data, said earlier this week that it had breached security camera maker Ring and threatened to dump the company’s data online if it doesn’t pay. “There’s always an option to let us leak your data …” the hackers wrote in a message to Ring on their leak site. Ring has so far responded with a denial, telling Vice’s Motherboard, “We currently have no indications of a ransomware event,” but it says it’s aware of a third-party vendor that has experienced one. That vendor, Ring says, doesn’t have access to any customer records. 

Meanwhile, ALPHV, which has previously used its BlackCat ransomware to target companies like Bandai Namco, Swissport, and hospital firm Lehigh Valley Health Network, stands by its claim to have breached Ring itself, not a third-party vendor. A member of the malware research group VX-Underground shared with WIRED screenshots of a conversation with an ALPHV representative who says that it’s still in “negotiations” with Ring.

Amid the ongoing ransomware epidemic, it’s no surprise that Ring isn’t alone in facing extortion problems. So too is Maximum Industries, a supplier of rocket parts for Elon Musk’s SpaceX. The hackers, a well-known ransomware gang known as LockBit, taunted Musk on their website, threatening to sell the stolen information to the highest bidder if Maximum doesn’t pay by their March 20 deadline. “I would say we were lucky if Space-X contractors were more talkative. But I think this material will find its buyer as soon as possible,” the hackers wrote. “Elon Musk we will help you sell your drawings to other manufacturers.”

Google’s Project Zero, its security research team devoted to finding unknown vulnerabilities in widely used tech products, warned Thursday that it had discovered severe hackable flaws in Samsung chips used in dozens of Android devices. In total, the researchers found 18 distinct vulnerabilities in Samsung’s Exynos modems for smartphones, but they say that four of them are particularly critical and would allow a hacker to “remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number.” Project Zero only rarely publishes information on unpatched vulnerabilities. But it says that it gave Samsung 90 days to fix the flaws, and it hasn’t yet. A bit of public shaming, perhaps, might spur Samsung to move faster to protect Google’s users from an insidious form of attack.

Since 2017, the cryptocurrency “mixer” service ChipMixer quietly grew into a powerhouse of cryptocurrency money laundering, taking in users’ coins, mixing them with others and then sending them back to obscure the money’s trail across blockchains. In the process, the Department of Justice says it laundered $3 billion worth of criminal funds, including ransomware payments, North Korean hackers’ stolen loot, and even profits from the sale of child sexual exploitation materials. Now, in a bust carried out by multiple European law enforcement agencies and coordinated by Europol as well as the FBI and DHS, ChipMixer has been taken offline and its infrastructure seized. The site’s alleged creator, 49-year-old Vietnamese national Minh Quốc Nguyễn, remains out of reach: He’s been charged with money laundering only in absentia. 

But the most intriguing result of the case may have more to do with the meltdown of the now notorious cryptocurrency exchange FTX: A portion of FTX’s funds that were stolen in the midst of its bankruptcy proceedings in November were funneled into ChipMixer. Seizing the servers of that mixing service may well foil the FTX thieves’ attempt to evade tracing and help solve one of the central mysteries of that high-profile heist.

Only in the cryptocurrency world, where thefts of more than half a billion dollars now occur multiple times a year, does the stealing of $200 million merit the lowest spot on a news roundup. Early this week, the distributed trading protocol Euler Finance lost nearly $200 million in cryptocurrency to hackers who found a vulnerability in its code. At first, Euler, the company behind that protocol, offered to let the hackers keep $20 million if they returned the rest of the funds. But after that offer was ignored—in fact, the hackers have sent the funds to the Tornado Cash mixing service in the hopes of covering their tracks—the firm has announced a $1 million bounty on the hackers’ heads.

Tag

#intel