Wazawaka Goes Waka Waka


In January, KrebsOnSecurity examined clues left behind by “Wazawaka,” the hacker handle chosen by a major ransomware criminal in the Russian-speaking cybercrime scene. Wazawaka has since “lost his mind” according to his erstwhile colleagues, creating a Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance, and publishing bizarre selfie videos taunting security researchers and journalists.

Wazawaka, a.k.a. Mikhail P. Matveev, a.k.a. “Orange,” a.k.a. “Boriselcin,” showing off his missing ring finger.

In last month’s story, we explored clues that led from Wazawaka’s multitude of monikers, email addresses, and passwords to a 30-something father in Abakan, Russia named Mikhail Pavlovich Matveev. This post concerns itself with the other half of Wazawaka’s identities not mentioned in the first story, such as how Wazawaka also ran the Babuk ransomware affiliate program, and later became “Orange,” the founder of the ransomware-focused Dark Web forum known as “RAMP.”

The same day the initial profile on Wazawaka was published here, someone registered the Twitter account “@fuck_maze,” a possible reference to the now-defunct Maze Ransomware gang.

The background photo for the @fuck_maze profile included a logo that read “Waka Waka;” the bio for the account took a swipe at Dmitry Smilyanets, a researcher and blogger for The Record who was once part of a cybercrime group the Justice Department called the “largest known data breach conspiracy ever prosecuted.”

The @fuck_maze account messaged me a few times on Twitter, but largely stayed silent until Jan. 25, when it tweeted three videos of a man who appeared identical to Matveev’s social media profile on Vkontakte (the Russian version of Facebook). The man seemed to be slurring his words quite a bit, and started by hurling obscenities at Smilyanets, journalist Catalin Cimpanu (also at The Record), and a security researcher from Cisco Talos.

At the beginning of the videos, Matveev holds up his left hand to demonstrate that his ring finger is missing. This he smugly presents as evidence that he is indeed Wazawaka.

The story goes that Wazawaka at one point made a bet wherein he wagered his finger, and upon losing the bet severed it himself. It’s unclear if that is the real story about how Wazawaka lost the ring finger on his left hand; his remaining fingers appear oddly crooked.

“Hello Brian Krebs! You did a really great job actually, really well, fucking great — it’s great that journalism works so well in the US,” Matveev said in the video. “By the way, it is my voice in the background, I just love myself a lot.”

In one of his three videos, Wazawaka says he’s going to release exploit code for a security vulnerability. Later that same day, the @fuck_maze account posted a link to a Pastebin-like site that included working exploit code for a recently patched security hole in SonicWall VPN appliances (CVE-2021-20028).

When KrebsOnSecurity first started researching Wazawaka in 2021, it appeared this individual also used two other important nicknames on the Russian-speaking crime forums. One was Boriselcin, a particularly talkative and brash personality who was simultaneously the public persona of Babuk, a ransomware affiliate program that surfaced on New Year’s Eve 2020.

The other handle that appeared tied to Wazawaka was “Orange,” the founder of the RAMP ransomware forum. I just couldn’t convincingly connect those two identities with Wazawaka using the information available at the time. This post is an attempt to remedy that.

On Aug. 26, 2020, a new user named Biba99 registered on the English language cybercrime forum RaidForums. But the Biba99 account didn’t post to RaidForums until Dec. 31, 2020, when they announced the creation of the Babuk ransomware affiliate program.

On January 1, 2021, a new user “Babuk” registered on the crime forum Verified, using the email address teresacox19963@gmail.com, and the instant message address “admin@babuk.im.” “We run an affiliate program,” Babuk explained in their introductory post on Verified.

A variety of clues suggest Boriselcin was the individual acting as spokesperson for Babuk. Boriselcin talked openly on the forums about working with Babuk, and fought with other members of the ransomware gang about publishing access to data stolen from victim organizations.

According to analysts at cyber intelligence firm Flashpoint, between January and the end of March 2021, Babuk continued to post databases stolen from companies that refused to pay a ransom, but they posted the leaks to both their victim shaming blog and to multiple cybercrime forums, an unusual approach.

This matches the ethos and activity of Wazawaka’s posts on the crime forums over the past two years. As I wrote in January:

“Wazawaka seems to have adopted the uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder — not privately sold to the highest bidder. In thread after thread on the crime forum XSS, Wazawaka’s alias ‘Uhodiransomwar’ can be seen posting download links to databases from companies that have refused to negotiate after five days.”

Around Apr. 27, 2021, Babuk hacked the Washington Metropolitan Police Department, demanding $4 million in virtual currency in exchange for a promise not to publish the police department’s internal data.

Flashpoint says that on April 30, Babuk announced they were shuttering the affiliate program and its encryption services, and that they would now focus on data theft and extortion instead. On May 3, the group posted two additional victims of their data theft enterprise, showing they were still in operation.

On May 11, 2021, Babuk declared negotiations with the MPD had reached an impasse, and leaked 250 gigabytes worth of MPD data.

On May 14, 2021, Boriselcin announced on XSS his intention to post a writeup on how they hacked the DC Police (Boriselcin claims it was via the organization’s VPN).

On May 17, Babuk posted about an upcoming new ransomware leaks site that will serve as a “huge platform for independent leaks,” — i.e., a community that would publish data stolen by no-name ransomware groups that don’t already have their own leaks/victim shaming platforms.

On May 31, 2021, Babuk’s website began redirecting to Payload[.]bin. On June 23, 2021, Biba99 posted to RaidForums saying he’s willing to buy zero-day vulnerabilities in corporate VPN products. Biba99 posts his unique user ID for Tox, a peer-to-peer instant messaging service.

On July 13, 2021, Payload[.]bin was renamed to RAMP, which according to Orange stands for “Ransom Anon Market Place.” Flashpoint says RAMP was created “directly in response to several large Dark Web forums banning ransomware collectives on their site following the Colonial Pipeline attack by ransomware group ‘DarkSide.’”

“Babuk noted that this new platform will not have rules or ‘bosses,’” Flashpoint observed in a report on the group. “This reaction distinguishes Babuk from other ransomware collectives, many of which changed their rules following the attack to attract less attention from law enforcement.”

The RAMP forum opening was announced by the user “TetyaSluha.” That nickname soon switched to “Orange,” who appears to have registered on RAMP with the email address “teresacox19963@gmail.com.” Recall that this is the same email address used by the spokesperson for the Babuk ransomware gang — Boriselcin/Biba99.

In a post on RAMP Aug. 18, 2021, in which Orange is attempting to recruit penetration testers, he claimed the same Tox ID that Biba99 used on RaidForums.

On Aug. 22, Orange announced a new ransomware affiliate program called “Groove,” which claimed to be an aggressive, financially motivated criminal organization dealing in industrial espionage for the previous two years.

In November 2021, Groove’s blog disappeared, and Boriselcin posted a long article to the XSS crime forum explaining that Groove was little more than a pet project to mess with the media and security industries.

On Sept. 13, 2021, Boriselcin posted to XSS saying he would pay handsomely for a reliable, working exploit for CVE-2021-20028, the same exploit that @fuck_maze would later release to Twitter on Jan. 25, 2022.

Asked for comment on this research, cyber intelligence firm Intel 471 confirmed that its analysts reached the same conclusion.

“We identified the user as the Russian national Михаил Павлович Матвеев aka Mikhail Pavlovich Matveev, who was widely known in the underground community as the actor using the Wazawaka handle, a.k.a. Alfredpetr, andry1976, arestedByFbi, boriselcin, donaldo, ebanatv2, futurama, gotowork, m0sad, m1x, Ment0s, ment0s, Ment0s, Mixalen, mrbotnet, Orange, posholnarabotu, popalvprosak, TetyaSluha, uhodiransomwar, and 999,” Intel 471 wrote.

As usual, I put together a rough mind map on how all these data points indicate a connection between Wazawaka, Orange, and Boriselcin.

A mind map connecting Wazawaka to the RAMP forum administrator “Orange” and the founder of the Babuk ransomware gang.
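The mind map above is built from selector overlaps: the same registration e-mail on Verified and RAMP, the same Tox ID on RaidForums and RAMP. The following is an added example, not code from KrebsOnSecurity or from any of the firms quoted here, that performs that pivot mechanically: forum accounts become nodes, shared selectors become edges, and a union-find plus a short breadth-first search produce both the cluster and the chain of evidence that joins two accounts. The e-mail address is the one the article quotes; the Tox ID string, the control account and the `node_id` naming scheme are constructed for the example because the article does not reproduce the real ID.

```python
"""Added example: link forum accounts that share a registration e-mail or a
Tox ID. The e-mail is the one reported in the article; the Tox ID value and
the control account are constructed placeholders."""
from collections import defaultdict, deque

# (forum, handle, selector_type, selector_value)
OBSERVATIONS = [
    ("Verified", "Babuk", "email", "teresacox19963@gmail.com"),   # from the article
    ("RAMP", "Orange", "email", "teresacox19963@gmail.com"),      # from the article
    ("RaidForums", "Biba99", "tox", "TOX-ID-PLACEHOLDER"),        # value constructed
    ("RAMP", "Orange", "tox", "TOX-ID-PLACEHOLDER"),              # value constructed
    ("XSS", "control_user", "email", "nobody@example.invalid"),   # constructed control
]


def node_id(forum, handle):
    """One node per (forum, handle) pair; the same handle on two forums stays separate."""
    return f"{forum}/{handle}"


def selectors_by_account(observations):
    """Map each account node to the set of normalized (type, value) selectors seen on it."""
    sel = defaultdict(set)
    for forum, handle, stype, value in observations:
        sel[node_id(forum, handle)].add((stype, value.strip().lower()))
    return sel


def cluster_handles(observations):
    """Group accounts joined by at least one shared selector (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    by_selector = defaultdict(set)
    for forum, handle, stype, value in observations:
        node = node_id(forum, handle)
        find(node)                          # register isolated accounts too
        by_selector[(stype, value.strip().lower())].add(node)
    for nodes in by_selector.values():      # every account sharing a selector is merged
        first, *rest = sorted(nodes)
        for other in rest:
            union(first, other)
    clusters = defaultdict(set)
    for node in list(parent):
        clusters[find(node)].add(node)
    return sorted(clusters.values(), key=lambda c: (-len(c), sorted(c)))


def evidence_chain(observations, start, goal):
    """Shortest chain of (account, shared selector, account) hops from start to goal,
    found by BFS over accounts; [] when the two are not connected."""
    sel = selectors_by_account(observations)
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            break
        for other in sel:
            common = sel[cur] & sel[other]
            if other not in prev and common:
                prev[other] = (cur, sorted(common)[0])
                queue.append(other)
    if goal not in prev:
        return []
    chain, node = [], goal
    while prev[node] is not None:
        src, selector = prev[node]
        chain.append((src, selector, node))
        node = src
    return chain[::-1]


if __name__ == "__main__":
    for cluster in cluster_handles(OBSERVATIONS):
        print(sorted(cluster))
    for hop in evidence_chain(OBSERVATIONS, "Verified/Babuk", "RaidForums/Biba99"):
        print(hop)
```

Two caveats a practitioner would attach to any such graph: selectors are only as strong as their uniqueness (a throwaway e-mail reused by one person is strong evidence, a Tox ID pasted into a public recruiting post can be reused by anyone who copies it), and the chain is an attribution hypothesis, not a proof; the article backs its chain with the independent confirmation from Intel 471.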

As noted in January’s profile, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.

Wazawaka also said he’d teamed up with DarkSide, the ransomware affiliate group responsible for the six-day outage at Colonial Pipeline last year that caused nationwide fuel shortages and price spikes. The U.S. Department of State has since offered a $5 million reward for information leading to the arrest and conviction of any DarkSide affiliates.


Phony Valentines: Online Dating Scams and How to Spot Them


For years now, the popularity of online dating has been on the rise—and so have the number of online romance scams that leave people with broken hearts and empty wallets. 

According to the U.S. Federal Trade Commission (FTC), the reported costs of online romance scams jumped 50% from 2019 to 2020, to the tune of $304 million. And that’s not entirely because 2020 was a pandemic year. From 2016 to 2020, the volume of reported cases tripled, while reported losses nearly quadrupled. Over that period, online romance scams are not only becoming more common, but they’re also becoming more costly.


How do online dating and romance scams get started? 

Dating and romance scams aren’t limited to online dating apps and sites; they happen on social media and in online games as well. However, the FTC reports that the scam usually starts the same way, typically through an unexpected friend request or a message that comes out of the blue.

With that initial introduction made, a chat begins, and a friendship (or more) blossoms from there. Along the way, the scammer will often rely on a mix of somewhat exotic yet believable storytelling to lure the victim in, often involving their job and where they’re working. Reports say that scammers will talk of being workers on an offshore oil rig, members of the military stationed overseas, doctors working with an international organization, or working in the sort of jobs that would prevent them from otherwise easily meeting up in person. 

With the phony relationship established, the scammer starts asking for money. The FTC reports that they’ll ask for money for several bogus reasons, usually revolving around some sort of hardship where they need a “little help” so that they can pay: 

For a plane ticket or other travel expenses. 
For medical expenses. 
Customs fees to retrieve something. 
Gambling debts. 
A visa or other official travel documents. 

The list goes on, yet that’s the general gist. Scammers often employ a story with an intriguing complication that seems just reasonable enough, one where the romance scammer makes it sound like they could really use the victim’s financial help. 

Common types of online dating scams 

People who have filed fraud reports say they’ve paid their scammer in a few typical ways.  

One is by wiring money, often through a wire transfer company. The benefit of this route, for the scammer anyway, is that this is as good as forking over cash. Once it’s gone, it’s gone. The victim lacks the protections they have with other payment forms, such as a credit card that allows the holder to cancel or contest a charge. 

Another way is through gift cards. Scammers of all stripes, not just romance scammers, like these because they effectively work like cash, whether it’s a gift card for a major online retailer or a chain of brick-and-mortar stores. Like a wire transfer, once that gift card is handed over, the money on it is highly difficult to recover, if at all. 

One more common payment is through reloadable debit cards. A scammer may make an initial request for such a card and then make several follow-on requests to load it up again.  

In all, a romance scammer will typically look for the easiest payment method that’s the most difficult to contest or reimburse, leaving the victim in a financial lurch once the scam ends. 

How Do You Avoid Getting Tangled Up in an Online Dating or Romance Scam? 

When it comes to meeting new people online, the FTC suggests the following: 

Never send money or gifts to someone you haven’t met in person—even if they send you money first. 
Talk to someone you trust about this new love interest. It can be easy to miss things that don’t add up. So pay attention if your friends or family are concerned. 
Take the relationship slowly. Ask questions and look for inconsistent answers. 
Try a reverse-image search of any profile pictures the person uses. If they’re associated with another name or with details that don’t match up, it’s a scam. 

Scammers, although arguably heartless, are still human. They make mistakes. The stories they concoct are just that. Stories. They may jumble their details, get their times and dates all wrong, or simply get caught in an apparent lie. Also, keep in mind that some scammers may be working with several victims at once, which is yet another opportunity for them to get confused and slip up. 

Protecting Yourself Further From Scams on Your Social Media Accounts 

As mentioned above, some romance scammers troll social media and reach out through a direct message or friend request. With that, there are three things you can do to cut down your chances of getting caught up with a scammer: 

1. Go private

Social media platforms like Facebook, Instagram, and others give you the option of making your profile and posts visible to friends only. Choosing this setting keeps the broader internet from seeing what you’re doing, saying, and posting, which can help protect your privacy and give a romance scammer less information to exploit. 

2. Say “no” to strangers bearing friend requests

Be critical of the invitations you receive. Out-and-out strangers could be more than a romance scammer: they could be a fake account designed to gather information on users for purposes of cybercrime, or an account designed to spread false information. There are plenty of them, too. In fact, in Q3 of 2021 alone, Facebook took action on 1.8 billion fake accounts. Reject such requests.

3. Protect yourself and your devices

Security software can protect you from clicking on malicious links that a scammer may send you online, while also steering you clear of other threats like viruses, ransomware, and phishing attacks in general. It can look out for your personal information as well, by protecting your privacy and monitoring your email, SSN, bank accounts, credit cards, and other info that a scammer or identity thief may put to use. With identity theft a rather commonplace occurrence today, security software is really a must. 

Put an End to it 

If you suspect that you’re being scammed, put an end to the relationship and report it, as difficult as that may feel. 

Notify the FTC at ReportFraud.ftc.gov for support and next steps to help you recover financially as much as possible. Likewise, notify the social media site, app, or service where the scam occurred as well. In some cases, you may want to file a police report, which we cover in our broader article on identity theft and fraud.

If you sent funds via a gift card, the FTC suggests filing a claim with the company as soon as possible. They offer further advice on filing a claim here, along with a list of contact numbers for gift card brands that scammers commonly use.  

Lastly, go easy on yourself. If you find yourself a victim of online dating or romance fraud, know that you won’t be the first or last person to be taken advantage of this way. By reporting your case, you in fact may help others from falling victim too. 



Software supply chain attacks hit three out of five companies in 2021


More than three in five companies were targeted by software supply chain attacks in 2021, according to a recent survey by Anchore. The survey of 428 executives, directors, and managers in IT, security, development, and DevOps found that the organizations of nearly a third of the respondents (30%) were either significantly or moderately impacted by a software supply chain attack in 2021. Only 6% said the attacks had a minor impact on their software supply chain.

The survey bracketed the public disclosure of the vulnerability in the Apache Log4j logging library. Researchers conducted the survey from December 3 to December 30, 2021; Log4j was revealed December 9. Before that date, 55% of respondents said they had suffered a software supply chain attack. After that date, that number jumped to 65%.



XDR: Native vs. Open explained


With the advent of extended detection and response (XDR), the security analyst’s need for one complete, contextualized view into threats across the enterprise is becoming less fantasy and more reality.

XDR promises a faster and more efficient way to bring together data from a range of security tools, spot sophisticated attacks, and automate response actions to protect a growing number of assets within the traditional network perimeter and beyond.

And vendors are working to bolster their threat detection and response offerings to deliver on this promise. They’re doing so either by acquiring other vendors or technologies to add capabilities and drive toward single-vendor, or native, XDR platforms, or by offering open platforms and partnering for their integrations.

We’ve seen—and likely will continue to see—considerable M&A activity as vendors work to create native XDR solutions. In 2021, multiple mergers and acquisitions were driven by XDR. Notable deals include Cybereason’s July purchase of security analytics firm empow; Logpoint’s third-quarter acquisition of SecBI for its security orchestration and automated response (SOAR) and XDR technologies; and most recently, IBM’s announcement of its plans to acquire endpoint security vendor ReaQta.

However, as I mentioned earlier, not all vendors are opting to acquire their XDR capabilities. Many are choosing a vendor-agnostic approach and relying on integrations with security tools from different vendors to deliver their solutions. Let’s take a look at both approaches.

Native XDR

Native XDR solutions offer a unified suite of security tools from one vendor on a centralized management platform, which, in theory, means security teams don’t have to implement and manage integrations with technologies from other vendors. This vendor-specific approach has its advantages:

One centralized management platform to handle all threat detection and analytics processes
No need to purchase, integrate, and update technology from other providers
Redundant tools can be removed
Turnkey platform with off-the-shelf integration for faster deployment and security results

But some gotchas accompany these advantages; most notably, the requirement for significant dependence on one vendor. The customer that chooses to go with a native XDR solution will have to replace their existing tools with tools from the provider’s suite, typically a costly and complex undertaking. Additionally, the customer that favors the simplicity of an all-in-one approach may experience gaps in their threat detection and response since a single provider is unlikely to have deep security capabilities across all areas. Choosing this approach may require sacrificing efficacy if not all products in the vendor’s suite are best-of-breed. Note also that any acquisition for XDR capabilities requires that platforms be fully integrated, which takes time, and in some cases may never happen.

The downside

Vendor lock-in
The need to rip-and-replace existing security tools
Lack of third-party integration capabilities
Non-customizable solution
Incomplete integrations
Potential for gaps in protection

Open XDR

Whereas native XDR solutions require customers to purchase all components of their XDR offering from them, open solutions are designed to work with security products from other vendors. The core XDR platform provides a central management console that leverages third-party integrations, which means customers can keep the tools they have in place, and they have the flexibility to add or remove tools as their future needs dictate.

Advantages of this vendor-agnostic approach include:

Avoid vendor lock-in
Integrations with best-of-breed tools
No need to rip and replace
Flexibility to swap in or out technologies

Customers considering an open XDR solution should bear in mind that some solutions will offer more third-party integrations than others, and even the most comprehensive open solutions cannot integrate all the tools available in the market. Additionally, integration can be complex.

The downside

Vendor may not have large ecosystem for integration
Integrations can be complex to build
Integrations are not always smooth
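What "integration" concretely means for an open platform is a normalization layer: each third-party tool's records are mapped into one common event schema, enriched with shared context (here an asset inventory that turns the firewall's source IPs into the hostnames the EDR reports), and only then does vendor-neutral correlation run. The following is an added example, not AT&T's code or any vendor's XDR product, that shows the pattern end to end on two constructed feeds; the feed names `acme_edr` and `widget_fw`, every field name, the asset inventory and the sample records are all made up for the illustration.

```python
"""Added example of an open-XDR style ingestion layer: two hypothetical vendor
formats are normalized into one schema, enriched with an asset inventory, and
correlated so an endpoint alert is paired with the outbound connections that
followed it. All vendor names, fields and sample records are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: the EDR reports hostnames, the firewall reports
# source IPs, so cross-tool correlation needs this join key.
ASSET_INVENTORY = {"10.0.5.42": "ws-042", "10.0.5.43": "ws-043"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_edr(raw):
    """Hypothetical EDR JSON alert -> common event."""
    return {
        "source": "edr",
        "ts": parse_ts(raw["EventTime"]),
        "host": raw["Hostname"].lower(),
        "kind": "process_alert",
        "detail": {"process": raw["ProcessName"], "cmdline": raw["CommandLine"],
                   "severity": raw["Severity"]},
    }


def normalize_firewall(line):
    """Hypothetical 'ts device key=value ...' firewall line -> common event."""
    ts, _device, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return {
        "source": "firewall",
        "ts": parse_ts(ts),
        "host": ASSET_INVENTORY.get(kv["src"], kv["src"]),  # enrich IP -> hostname
        "kind": "network_" + kv["action"],
        "detail": {"dst": kv["dst"], "dport": int(kv["dport"]), "proto": kv["proto"]},
    }


# Onboarding another tool means registering one more normalizer here; the
# correlation logic below never touches vendor-specific field names.
NORMALIZERS = {"acme_edr": normalize_edr, "widget_fw": normalize_firewall}


def ingest(batches):
    """batches: iterable of (feed_name, records). Returns time-ordered common events."""
    events = []
    for feed, records in batches:
        events.extend(NORMALIZERS[feed](r) for r in records)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5)):
    """Pair each high-severity process alert with outbound firewall events from
    the same host inside `window` after the alert; one incident per alert."""
    incidents = []
    for alert in events:
        if alert["kind"] != "process_alert" or alert["detail"]["severity"] != "high":
            continue
        related = [
            e for e in events
            if e["source"] == "firewall" and e["host"] == alert["host"]
            and alert["ts"] <= e["ts"] <= alert["ts"] + window
        ]
        incidents.append({
            "host": alert["host"],
            "trigger": alert,
            "related": related,
            "destinations": sorted({e["detail"]["dst"] for e in related}),
        })
    return incidents


# Constructed sample feeds: one suspicious PowerShell alert on ws-042, one
# connection from that host two minutes later (in window), one from a different
# host, and one from ws-042 half an hour later (out of window).
SAMPLE_BATCHES = [
    ("acme_edr", [{
        "EventTime": "2022-02-14T10:01:30Z", "Hostname": "WS-042", "Severity": "high",
        "ProcessName": "powershell.exe",
        "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA",
    }]),
    ("widget_fw", [
        "2022-02-14T09:10:00Z fw01 action=allow src=10.0.5.43 dst=203.0.113.7 dport=443 proto=tcp",
        "2022-02-14T10:02:05Z fw01 action=allow src=10.0.5.42 dst=203.0.113.7 dport=443 proto=tcp",
        "2022-02-14T10:30:00Z fw01 action=allow src=10.0.5.42 dst=198.51.100.9 dport=443 proto=tcp",
    ]),
]


def run_sample():
    return correlate(ingest(SAMPLE_BATCHES))


if __name__ == "__main__":
    for inc in run_sample():
        print(inc["host"], inc["trigger"]["detail"]["process"], "->", inc["destinations"])
```

The practical point is where the complexity lives: the two normalizers and the inventory lookup are the "integration," and they break whenever a vendor renames a field or the inventory goes stale, which is exactly the maintenance burden the downside list above describes. The correlation rule itself is a few lines and is the part that stays stable across tool swaps.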

The best approach for your business

Which approach will work best for your business? If you deploy tools from multiple vendors, you’re probably better off choosing an open platform or working with a managed security service provider to leverage those investments. If you’re leaning toward the native approach, are you willing to rip and replace what you have in your technology stack in order to lock in with a single preferred security provider? While the simplicity of this approach is attractive, it may preclude you from deploying more innovative solutions as they emerge in the market.

Understanding how an XDR vendor’s background can help you meet your organizational objectives is also important. If, for example, your organization is in a highly regulated industry with strict reporting and compliance requirements, such as healthcare or financial services, then an XDR vendor that grew out of a security information and event management (SIEM) platform is more likely to have the deep analytics, broad log collection, and long-term data retention capabilities you require.

On the other hand, XDR vendors coming from the endpoint detection and response (EDR) space are likely to be weaker on analytics but stronger at providing actionable response on the endpoint. Organizations with large numbers of endpoints that need to be monitored—and potentially restored in the event of an attack—will want to partner with these vendors.

Take care to review vendor roadmaps for integration, including scale and scope. Whether a vendor is making its XDR play through acquisition or through partnerships, integration is key. If integrations are being planned, how does the vendor intend to achieve them? As I noted earlier, even if a vendor has acquired other technologies and is now positioning its platform as native, the platform will not be truly native until the vendor’s engineers have fully integrated the new technology into the platform—and stitching together different technologies is not a trivial task.

Managing a complex solution

Gartner has identified XDR as a leading security trend, noting in its 2021 Market Guide for Extended Detection and Response that by the end of 2027, the technology will be used by up to 40% of end-user organizations. And a 2021 researchandmarkets.com report predicts that by 2028, the global XDR market size will reach USD 2.06 billion, expanding at a CAGR of 19.9% from 2021 to 2028.

XDR is the future of threat detection and response, but these solutions are also complex and can be challenging to roll out. Whether you choose to go with a single vendor solution or an open platform, you will need security professionals with training, knowledge, and experience to deploy and manage the solution. If these are not in-house capabilities, you may need a partner to help you.

As you evaluate the different approaches, consider whether there is value for your organization in working with a managed security services provider (MSSP) or managed detection and response (MDR) provider. An MSSP can help you ask the right questions, identify your security gaps, and work through how you’re going to roadmap from your existing technology stack to an XDR implementation.

If your organization has the capabilities to handle day-to-day management of the solution in-house, and therefore does not plan to work with an MSSP or MDR provider, consider leveraging the expertise of a consultant or investing in a product support services retainer, so your security team has access to on-call support when troubleshooting issues, such as for example, deployment or tuning.

World-class managed services

As one of the world’s top providers of security services, including professional services, consulting, and managed services, AT&T Cybersecurity employs highly experienced and industry-certified individuals to deliver high-touch service that includes platform onboarding, initial policy tuning, training, and troubleshooting as needed. AT&T Managed XDR leverages these services to help organizations detect and respond to threats faster.
