Mikhail Pavlovich Matveev (aka Wazawaka) has been wanted by the FBI since 2023.

****SUMMARY****

*   **FBI-Wanted Hacker Arrested**: Russian authorities have reportedly detained Mikhail Pavlovich Matveev, known by aliases like Wazawaka and Boriselcin.

*   **Cybercrime Connections**: Matveev is linked to major ransomware groups such as Hive, LockBit, and Babuk, responsible for high-profile attacks on critical infrastructure and government agencies.

*   **Significant Ransom Demand**: The Department of Justice alleges Matveev extorted at least $75 million in ransom payments from global victims.

*   **Notable Attacks**: He is suspected of involvement in the 2021 Babuk attack on Washington D.C.’s police and a 2022 Hive attack on a New Jersey healthcare NGO.

*   **Potential Global Impact**: His arrest could disrupt several ransomware groups, but extradition to the U.S. remains uncertain due to geopolitical tensions.

Mikhail Pavlovich Matveev, known by his online aliases Wazawaka, Uhodiransomwar, m1x, and Boriselcin, is believed to have been arrested in Russia, which could be a potential turning point in the fight against cybercrime since the hacker is wanted by the FBI (Federal Bureau of Investigation).

Matveev is a big deal in the dark web underworld. He’s been linked to some of the most damaging ransomware attacks in recent years that have targeted critical infrastructure, government agencies, and businesses worldwide. His alleged involvement with groups like Hive, LockBit, and Babuk has made him a powerful cybersecurity threat worldwide.

Reports suggest that he was involved in a lockout attack on the Washington D.C. Metropolitan Police Department from Babuk in April 2021 and a ransomware attack from Hive, targeting a healthcare NGO in New Jersey in 2022.

It is worth noting that in early 2023, the Hive ransomware gang was disrupted by the FBI, Europol, German, and Dutch agencies, seizing their dark web website, The Hive Leak site, preventing the gang from attacking and extorting victims

Also, in 2022, LockBit infected the computer systems of 1,400 victims, including a Holiday Inn hotel in Turkey, likely involving Matveev. The Department of Justice (DoJ) suspects he extracted at least $75 million in ransom payments.

Investigators allege that in January, the accused developed specialized malicious software to encrypt files and data without user consent, intending to use it to encrypt data of commercial organizations and receive ransoms for decryption.

The US government has been on the hunt for Matveev, offering a $10 million reward for information leading to his arrest. The DoJ had previously filed criminal charges against him, accusing him of launching attacks on US law enforcement and healthcare organizations.

While Russian authorities have not officially confirmed the arrest, Russian state news agency PИA Hoвocти reported that the Kaliningrad Interior Ministry and Russian prosecutors have sent a case against “a programmer accused of creating a malicious program to court,” with an anonymous source confirming Matveev as the detained programmer. The charges against him include creating malicious software designed to encrypt files and data, with the intent of extorting ransom payments from victims.

The arrest of Matveev, if confirmed, could have significant implications. It could potentially disrupt the activities of several ransomware groups and deter future attacks. However, the question of whether the US will be able to extradite him remains uncertain, given the complex geopolitical tensions between the two countries.

1.  Russia ”neutralizes” REvil ransomware gang, arrests 14
2.  Infraud Organization Group Members Arrested by Russian
3.  50 hackers Who Stole $25M Arrested by Russian Authorities
4.  Russian Authorities Arrest Nine for Stealing $17M from Banks
5.  FBI Kills Kelihos Botnet Amid Russian Hacker’s Arrest in Spain

FBI-Wanted Hacker Behind Global Ransomware Attacks Arrested in Russia

About Elevation of Privilege – PAN-OS (CVE-2024-9474) vulnerability. An attacker with PAN-OS administrator access to the management web interface can perform actions on the Palo Alto device with root privileges. Linux commands can be injected via unvalidated input in script. The need for authentication and admin access could limit this vulnerability’s impact, but here we […]

**About Elevation of Privilege – PAN-OS (CVE-2024-9474) vulnerability.** An attacker with _PAN-OS administrator access_ to the management web interface can perform actions on the Palo Alto device with root privileges. Linux commands can be injected via unvalidated input in script.

The need for authentication and admin access could limit this vulnerability’s impact, but here we have the previous vulnerability **Authentication Bypass** – PAN-OS (CVE-2024-0012). 😏 Exploitation of this vulnerability chain was noted by Palo Alto on November 17. After November 19, when the watchTowr Labs article was published and exploits appeared, mass attacks began.

On November 21, Shadowserver reported that ~2000 hosts were compromised, mostly in the US and India. According to Wiz, attackers deployed web shells, Sliver implants and cryptominers.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Elevation of Privilege – PAN-OS (CVE-2024-9474) vulnerability

Printer issues are very common, but searching Google for help may get you into more trouble than you'd expect.

Anyone who has ever used a printer likely has had a frustrating experience at some point. There always seems to be some kind of issue with the software not responding, paper getting jammed or one of many other possible failures.

When people need help, they often turn to Google (and now AI) to look for an answer. This is where scammers come in, preying on unsuspecting and irate users ready to throw their printer out the window.

After clicking on a malicious Google ad, victims are redirected to a fraudulent site often using official brand names and logos. The crooks’ end goal is to get people to call them, and they achieve that by tricking them with fake printer drivers that always fail to install.

In this blog post, we review how this scam works and how to stay away from it.

**Malicious Search Ads**

Two of the most popular printer brands are HP and Canon. If you were to Google for help related to either of those brands right now, you would likely see sponsored results at the top of the search results page.

Unfortunately, in the majority of cases these ads are not from trusted providers but instead from tech support scammers. In the image below, you can see 4 ads shown for the query ‘_hp printer help_‘. It’s only after those that the official HP website appears.

If you were to say that consumers stand no chance, you’d be right. Unless you clicked on the official (organic search results), you’d end up getting scammed.

The list of sites includes:

megadrive\[.\]solutions  
geeksprosoftwareprints\[.\]org  
select-easy123print\[.\]com  
printcaretech\[.\]com

**The driver scam**

A driver is a software program that your computer uses to talk to physical hardware (i.e. your printer). In the early Microsoft Windows days, drivers were very important to get printers, monitors and other peripherals working. Today, the operating system is usually good at detecting new hardware and installing the required drivers automatically. There are some exceptions, not to mention that some manufacturers like to package additional software with their drivers.

After clicking on a malicious ad, the website instructs you to enter your printer’s model number in order to download the required driver, which it proceeds to “install”. This is entirely fake, and the only thing the website displays is a recorded animation that will always end up with the same error message.

This type of error is very similar to those seen in the “Microsoft tech support scam”, typically done via a browser hijack. Scammers want to scare and then get their victims to contact them directly, via phone or live chat.

**Remote access and extortion**

There are many people that fall for these types of scams and entire armies of tech support agents working in poor conditions ready to defraud them. The script is usually standard across scams, with the support agent impersonating a popular brand and requesting personal information from the victim.

It is quite common for scammers to request and be granted remote access to the user’s computer. This gives them leverage to do a number of things, such as stealing data, locking the machine or even using it to log into the victim’s bank account.

This is why it is so important to be extremely cautious with online search ads, and search results in general. Browser extensions such as Malwarebytes Browser Guard will block ads but also the scam or malware sites associated with these schemes.

This won’t help with your printer issues, but at least it’ll save you the trouble of being defrauded. When it comes to such questions, online forums are usually a good place to start, and if you’re lucky to count a computer person in your family, that’s always a good favor to ask for.

 Printer problems? Beware the bogus help 

Ant-Media-Server v2.8.2 is affected by Improper Output Neutralization for Logs. The vulnerability stems from insufficient input sanitization in the logging mechanism. Without proper filtering or validation, user-controllable data, such as identifiers or other sensitive information, can be included in log entries without restrictions.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-2gx6-qrpp-c4p3: Ant-Media-Server vulnerable to Improper Output Neutralization for Logs

A deserialization vulnerability exists in the Stub class of the VarDumper module in Symfony. The vulnerability stems from deficiencies in the original implementation when handling properties with null or uninitialized values. An attacker could construct specific serialized data and use this vulnerability to execute unauthorized code.

GHSA-cg28-v4wq-whv5: Symfony's VarDumper vulnerable to unsafe deserialization

In Symfony, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authentication logic handling or denial of service.

GHSA-7q22-x757-cmgc: Symfony http-security has authentication bypass

moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion.

GHSA-2mj3-vfvx-fc43: Moby Race Condition vulnerability

moby v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application crashes.

GHSA-gh5c-3h97-2f3q: Moby Race Condition vulnerability

Check Point Research has discovered cybercriminals exploiting the popular Godot Game Engine to deliver malicious software. Discover the techniques used by attackers and how to protect yourself from these threats.

****SUMMARY****

*   **Cybercriminals are exploiting the Godot game engine to deliver malware called GodLoader, targeting multiple platforms like Windows, macOS, and Linux.**

*   **GodLoader hides malicious code in game files, bypassing antivirus detection and compromising over 17,000 devices since June 2024.**

*   **The malware uses sandbox evasion, Microsoft Defender exclusions, and GitHub-hosted repositories to distribute attacks.**

*   **GodLoader’s payloads include RedLine Stealer and cryptocurrency miners, affecting 1.2 million Godot game users.**

*   **The Godot team advises downloading software from trusted sources and avoiding cracked files to stay safe.**

Check Point Research (CPR) has published its latest research on a novel multi-platform technique employed by cybercriminals to exploit the popular open-source game engine, Godot to deliver a newly discovered malicious payload dubbed GodLoader after bypassing traditional security measures.

The concerning aspect is GodLoader’s cross-platform functionality, making it effective on macOS, Windows, Linux, iOS, and Android. Although designed to target Windows, it can be used on Linux and macOS with minimal adjustments.  The malware is, reportedly, distributed via the Stargazers Ghost Network on GitHub, using over 200 repositories and 225 accounts between September and October 2024. 

“The threat actor behind this malware has been utilizing it since June 29, 2024, infecting over 17,000 machines,” and an attack can put 1.2 million users of Godot-developed games at risk, researchers noted in the blog post.

According to CPR’s research, cybercriminals exploit the flexibility of Godot’s scripting language, GDScript and embed malicious code within game assets, executing it when the game is launched. This is a stealthy approach, which enables attackers to bypass antivirus detection and compromise systems without raising alarms.

Further probing revealed that it uses sandbox and virtual machine detection, as well as Microsoft Defender exclusions, to avoid detection. The malware was hosted on Bitbucket.org and distributed across four attack waves, with initial payloads including RedLine Stealer and XMRig cryptocurrency miners.

For your information, Godot is a powerful tool for game development that allows developers to bundle game assets and scripts into .pck files, which contain the game’s resources, including images, sounds, and scripts. By injecting malicious GDScript code into these .pck files, attackers can trick the game engine into executing harmful commands.

As soon as the game loads the infected .pck file, the hidden script springs into action, downloading and deploying additional malware payloads onto the victim’s device.

The attack flow (Via CPR)

****Godot Engine’s Statement****

The Godot Engine development team, in response, has issued a statement, explaining that GodLoader doesn’t exploit a specific weakness in Godot itself because like any programming language (e.g. Python or Ruby) Godot also allows the creation of both good and bad programs. Though the malware exploits Godot’s scripting language (GDScript) to deliver its payload, this doesn’t make Godot inherently unsafe.

The team also noted that it isn’t a one-click exploit because the GodLoader malware tricks users into downloading/executing a seemingly harmless file (typically a .pck file disguised as a software crack). This file wouldn’t work on its own and the attackers also must provide the Godot runtime (.exe file) separately to make it successful. This means users have to take multiple steps to install the malware, making it less likely to be a one-click exploit.

Nonetheless, team Godot emphasizes the importance of good security habits and downloading from trusted sources like official websites, established distribution platforms, or trusted individuals. Windows and macOS users should check for signed executables and notarization by a trusted party and avoid using cracked software as it is a common target for malicious actors.

1.  **Gcore Thwarts 500M PPS DDoS Attack on Gaming Firm**
2.  **What is Blockchain Gaming and its Play-to-Earn Model?**
3.  **Exploring Data Privacy and Security in B2B Gaming Data**
4.  **Winos4.0 Malware Hits Windows via Fake Gaming Apps**
5.  **Gaming Firms, Community Members Hit by Dark Frost Botnet**

Godot Engine Exploited to Spread Malware on Windows, macOS, Linux

Group-IB has discovered that cybercriminals are using fake betting apps and ads with AI-generated voices to steal personal information and money. Discover the tactics used by scammers and how to avoid falling victim to these fraudulent schemes.

**SUMMARY**

*   **Scammers Use Fake Ads**: Cybercriminals are creating fake betting app ads to lure users and steal money and personal information.

*   **AI-Generated Voices**: Scammers use AI-generated voices in multiple languages to make their schemes seem more credible.

*   **Massive Reach**: Over 500 fake ads and 1,377 malicious sites have been identified, targeting users in regions like Egypt, the Middle East, Europe, and Asia.

*   **Serious Losses**: Victims have reported losing significant amounts, with some losing over $10,000 to these scams.

*   **Stay Safe**: Avoid downloading apps from unofficial sources, be wary of too-good-to-be-true offers, and always use strong security measures.

Cybersecurity firm Group-IB has observed a surge in **fake betting** game advertisements across various social media platforms. In its detailed investigation, shared with Hackread.com, Group-IB’s CERT team discovered deceptive ads designed to lure unsuspecting users by promising easy money, ultimately leading to financial loss and personal data compromise. The ads typically target users in regions like Egypt, the Middle East, Europe, and Asia.

One of the fake apps used in the scam (Source: Group-IB)

Researchers, reportedly, discovered over 500 deceptive ads and 1,377 malicious websites targeting users to download fraudulent applications. Further probing revealed that cybercriminals are employing advanced techniques to make these fraudulent ads appear legitimate.

This, according to Group-IB’s **blog post**, includes using AI-generated voices in multiple languages to create a sense of authenticity, even when the scam originates from a different country. Victims have suffered significant financial losses, with some reporting losses exceeding US$10,000.

As soon as a user clicks on a deceptive ad, they are directed to download a fraudulent app. These apps are typically distributed through third-party websites or APK files and are capable of bypassing security measures on official app stores. Upon installation, the app requests various personal and financial information, which is then harvested by the scammers.

> _“Group-IB CERT discovered these scams across multiple regions, with more than 200 ads targeting Egypt, 160 ads in the GCC, and another 140 in Europe and Asia. The momentum of such scams has rapidly increased, with scammers continually expanding into new markets.”_
> 
> Group-IB

Fake reviews and testimonials are a key facilitating factor in these scams, as these enhance the legitimacy of the fake apps. These reviews feature detailed narratives, screenshots, and photos of “successful” players, creating the illusion of a highly profitable and trustworthy game, and generating attraction for the scam.

Fake reviews on one of the fraud apps (Source: Group-IB)

Fake betting apps can lead to severe consequences for users, such as financial loss through “bait and switch” tactics, identity theft due to the collection of personal information, and device compromise. Malicious apps can compromise device security, allowing attackers to access sensitive data and install additional malware, posing a significant risk to users’ personal information.

We have been witnessing a gradual rise in fake gaming apps compromising users’ devices. Recently, Hackread **reported** Fortinet’s FortiGuard Labs discovery of a new malicious campaign targeting Microsoft Windows users using game-related applications to deliver Winos4.0, an advanced malware framework similar to Cobalt Strike and Sliver. Earlier this week, Indian authorities **busted** an international gang of cybercriminals who used fake gaming apps to mint over 190cr from unsuspecting users.

Hence, it is essential to be cautious of quick money offers to avoid falling victim to such scams. Always download apps from official stores, avoid suspicious links, use strong security measures like passwords and two-factor authentication, and stay updated on the latest online scams and **phishing techniques** to stay safe.

1.  **Crooks Exploit Satellite Live Feed Delay for Betting Advantage**
2.  **Fake GlobalProtect VPN Downloads Spread WikiLoader Malware**
3.  **Chinese Scammers Exploit Cloned Sites in Vast Gambling Network**
4.  **Facebook Malvertising Campaign Drops Malware via Fake Bitwarden**
5.  **Dude Finds Flaw in World’s Biggest Gambling Site, Steals $1M in BTC**

Tag

#web