Brief #14: LockBit Leak, CloudNordic Ransom, WinRAR 0-Day

Mandos Brief, Week 34 2023: The LockBit 3.0 ransomware leak, CloudNordic's devastating attack, WinRAR's zero-day vulnerability, Tesla's data breach and more.

6 min read
mandos brief #14 - week 34 2023


LockBit 3.0 Ransomware Builder Leak Unleashes New Threat Variants

The cybersecurity community has been shaken by the leak of the LockBit 3.0 ransomware builder. This tool, initially exclusive to the LockBit ransomware-as-a-service (RaaS) program, has now fallen into the hands of various threat actors. The leak has led to the proliferation of new ransomware variants, each with its own set of ransom demand procedures and notes. Kaspersky has detected a total of 396 distinct LockBit samples, 312 of which were created using the leaked builders.

Technically, LockBit 3.0 is a formidable threat. It supports the usage of encrypted executables with randomly generated passwords, hindering automatic analysis. The payload also includes strong protection techniques against reverse engineering, including the use of undocumented kernel-level Windows functions. The ransomware builder itself is devoid of any protection mechanisms, as it was intended for internal use by threat actors. This has allowed cybersecurity researchers to delve into its construction methodology, providing insights into its configuration parameters and encryption techniques.

With the tool now publicly available, the race is on to understand its intricacies and develop countermeasures before it wreaks more havoc.

CloudNordic and AZero Hit Hard by Ransomware Losing All Customer Data

CloudNordic, a Denmark-based cloud hosting service, recently fell victim to a devastating ransomware attack that led to the loss of all customer data. The cybercriminals behind the attack managed to shut down all of CloudNordic's systems, including its website, email, and customer systems. The attackers encrypted all servers and disks, including both primary and secondary backup systems, rendering data recovery impossible.

Interestingly, AZero, another cloud host owned by the same parent company, Certiqa Holding, was also affected by the attack. The company stated that it had no plans to pay the ransom, as it did not have the funds and also because there was no evidence that customer data had been copied or exfiltrated.

The attack's origins are still unclear, but CloudNordic mentioned that the situation worsened when infected systems were moved from one data center to another, which was connected to their internal network. This move potentially allowed the attackers to gain access to central administrative and backup systems.

Both CloudNordic and AZero are currently working to rebuild their web and email systems from scratch, albeit without any customer data. This incident serves as a cautionary tale for cloud hosts and emphasizes the importance of robust cybersecurity measures.

WinRAR 0-day Allows Attackers to Execute Malicious Code

A newly discovered zero-day vulnerability in the popular file-compression program WinRAR has been under active exploitation since April 2023. The exploit allows attackers to execute malicious code when users open specially crafted ZIP archives containing poisoned JPG and TXT files. Security researchers from Group-IB have reported that the attackers are using this vulnerability to install various malware families, including DarkMe, GuLoader, and Remcos RAT. These malware types are then used to siphon money from broker accounts.

The exploit has been primarily distributed on securities trading forums. In some instances, the malicious ZIP files were attached to forum posts, while in others, they were distributed via file storage sites. The total number of victims and financial losses are still unknown, but at least 130 individuals are known to have been compromised. WinRAR has already released a fix for this vulnerability, urging users to update to the latest version to stay protected.

For those using WinRAR, updating to the latest version is crucial to avoid falling victim to this exploit. The vulnerability has been tracked as CVE-2023-38831 and has been patched in the latest update.

Sim-Swapping Attack on Kroll Exposes Crypto Investor Data

Security consulting firm Kroll recently disclosed a SIM-swapping attack against one of its employees, leading to a significant data breach. The attack targeted a T-Mobile phone number belonging to the employee and transferred it to the attacker's phone. As a result, the threat actor gained unauthorized access to files containing personal information of bankruptcy claimants related to cryptocurrency platforms BlockFi, FTX, and Genesis.

The breach has already had real-world consequences, with multiple reports of phishing attacks exploiting the stolen data. These phishing attempts often spoof FTX and claim that the recipient is eligible to begin withdrawing digital assets from their accounts. Kroll has taken immediate actions to secure the affected accounts and has notified the impacted individuals.

Interestingly, the attack bypassed multi-factor authentication (MFA) to gain access to the employee's account and the stored files. This incident serves as a timely reminder of the vulnerabilities associated with relying on mobile phone companies for security. It also raises questions about the effectiveness of MFA when the mobile number itself is compromised.

Kroll, a firm often called in to investigate data breaches, now finds itself in the uncomfortable position of being the breached entity. The company has contained and remediated the incident but the damage to its reputation and the increased risk to its clients remain significant concerns.

Tesla Data Breach Blamed on ‘Insider Wrongdoing’ Impacted 75,000

In a recent cybersecurity incident, Tesla Inc. faced a significant data breach affecting more than 75,000 individuals. The breach was attributed to insider wrongdoing, specifically two former employees of the company. According to reports from Bloomberg and InfoSecurity Magazine, the compromised data includes sensitive employee information such as names, home and email addresses, phone numbers, and social security numbers.

The breach was first reported by the German newspaper Handelsblatt on May 25, 2023. Tesla's internal investigation revealed that the two former employees had misappropriated the information in violation of the company's IT security and data protection policies. They then shared this data with Handelsblatt, although the media outlet has stated it does not intend to publish the personal information.

Tesla has taken legal action against the perpetrators, obtaining court orders that prohibit them from further use, access, or dissemination of the data. The company is also cooperating with law enforcement agencies and external forensics experts to address the situation. This incident underlines the challenges organizations face in enforcing the principle of "least privilege" among employees to mitigate insider threats.

Share This Post

Check out these related posts

Brief #61: Great CrowdStrike Meltdown, NSA AI security guide, dual-title CISOs, AppSec interviews

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read

Brief #60: Blast-RADIUS Flaw, AI Disinformation Tool, CISO Lawsuits, Interview Tips

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read

Brief #59: OpenSSH RCE Flaw, AI Jailbreak Technique, Cybersecurity Market Failure, Job Tips

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read