FortiGuard Labs is aware that enterprises in Ukraine were targeted by another wiper malware. Dubbed “DoubleZero,” the malware was distributed in a zip archive and destroys the compromised machine by overwriting files and deleting registry keys.Why is this Significant?This is significant because DoubleZero is the latest wiper malware used in the current Russia-Ukraine war and aims to destroy machines belonging to enterprises in Ukraine.FortiGuard Labs previous published multiple Threat Signals on other wiper malware that targeted Ukraine. See the Appendix for links to “Additional Wiper Malware Deployed in Ukraine #CaddyWiper,” “New Wiper Malware Discovered Targeting Ukrainian Interests” and “Wiper Malware Hit Ukrainian Organizations.”How Widespread is the Malware?At this time, there is no report that DoubleZero affected organizations outside of Ukraine.How does DoubleZero Work?DoubleZero was distributed in several ZIP archives, one of which is called “Virus … extremely dangerous !!!. Zip.” Once DoubleZero runs, it overwrites or uses API calls to zero out non-system files system files before moving on to overwrite critical system files and registry keys.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the files involved in the attack:MSIL/DZeroWiper.CK!tr
Monthly Archives: March 2022
Friday Squid Blogging: Unexpectedly Low Squid Population in the Arctic
Abstract: The retreating ice cover of the Central Arctic Ocean (CAO) fuels speculations on future fisheries. However, very little is known about the existence of harvestable fish stocks in this 3.3 million–square kilometer ecosystem around the North Pole. Crossing the Eurasian Basin, we documented an uninterrupted 3170-kilometer-long deep scattering layer (DSL) with zooplankton and small fish in the Atlantic water layer at 100- to 500-meter depth. Diel vertical migration of this central Arctic DSL was lacking most of the year when daily light variation was absent. Unexpectedly, the DSL also contained low abundances of Atlantic cod, along with lanternfish, armhook squid, and Arctic endemic ice cod. The Atlantic cod originated from Norwegian spawning grounds and had lived in Arctic water temperature for up to 6 years. The potential fish abundance was far below commercially sustainable levels and is expected to remain so because of the low productivity of the CAO.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
CVE-2021-22100
In cloud foundry CAPI versions prior to 1.122, a denial-of-service attack in which a developer can push a service broker that (accidentally or maliciously) causes CC instances to timeout and fail is possible. An attacker can leverage this vulnerability to cause an inability for anyone to push or manage apps.
CVE-2021-20323
A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak.
CVE-2021-20290
An improper authorization handling flaw was found in Foreman. The OpenSCAP plugin for the smart-proxy allows foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and also causes a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability.
Optimistic father of LAPSUS$ hacking suspect says he’s going to try to stop him using computers
British police arrested seven people earlier this week in relation to a wave of attacks launched by the LAPSUS$ hacking group, against firms such as Microsoft, NVIDIA, Ubisoft, Samsung, and Okta.
The hacking group’s alleged mastermind? A 16-year-old boy from Oxford, UK.
Senate Committee Questions Pentagon’s Information Restrictions
Panel queries whether Pentagon is abusing new data protection designation to keep info from public
Estonian Tied to 13 Ransomware Attacks Gets 66 Months in Prison
An Estonian man was sentenced today to more than five years in a U.S. prison for his role in at least 13 ransomware attacks that caused losses of approximately $53 million. Prosecutors say the accused also enjoyed a lengthy career of “cashing out” access to hacked bank accounts worldwide.
Maksim Berezan, 37, is an Estonian national who was arrested nearly two years ago in Latvia. U.S. authorities alleged Berezan was a longtime member of DirectConnection, a closely-guarded Russian cybercriminal forum that existed until 2015. Berezan’s indictment (PDF) says he used his status at DirectConnection to secure cashout jobs from other vetted crooks on the exclusive crime forum.
Berezan specialized in cashouts and “drops.” Cashouts refer to using stolen payment card data to make fraudulent purchases or to withdraw money from bank accounts without authorization. A drop is a location or individual able to securely receive and forward funds or goods obtained through cashouts or other types of fraud. Drops typically are used to make it harder for law enforcement to trace fraudulent transactions and to circumvent fraud detection measures used by banks and credit card companies.
Acting on information from U.S. authorities, in November 2020 Latvian police searched Berezan’s residence there and found a red Porsche Carrera 911, a black Porsche Cayenne, a Ducati motorcycle, and an assortment of jewelry. They also seized $200,000 in currency, and $1.7 million in bitcoin.
After Berezan was extradited to the United States in December 2020, investigators searching his electronic devices said they found “significant evidence of his involvement in ransomware activity.”
“The post-extradition investigation determined that Berezan had participated in at least 13 ransomware attacks, 7 of which were against U.S. victims, and that approximately $11 million in ransom payments flowed into cryptocurrency wallets that he controlled,” reads a statement from the U.S. Department of Justice.
Berezan pleaded guilty in April 2021 to conspiracy to commit wire fraud.
For many years on DirectConnection and other crime forums, Berezan went by the hacker alias “Albanec.” Investigators close to the case told KrebsOnSecurity that Albanec was involved in multiple so-called “unlimited” cashouts, a highly choreographed, global fraud scheme in which crooks hack a bank or payment card processor and used cloned payment cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.
Berezan joins a growing list of top cybercriminals from DirectConnection who’ve been arrested and convicted of cybercrimes since the forum disappeared years ago. One of Albanec’s business partners on the forum was Sergey “Flycracker” Vovnenko, a Ukrainian man who once ran his own cybercrime forum and who in 2013 executed a plot to have heroin delivered to our home in a bid to get Yours Truly arrested for drug possession. Vovnenko was later arrested, extradited to the United States, pleaded guilty and spent more than three years in prison on botnet-related charges (Vovnenko is now back in Ukraine, trying to fight the Russian invasion with his hacking abilities).
Perhaps the most famous DirectConnection member was its administrator Aleksei Burkov, a Russian hacker thought to be so connected to the Russian cybercriminal scene that he was described as an “asset of extreme importance to Moscow.” Burkov was arrested in Israel in 2015, and the Kremlin arrested an Israeli woman on trumped-up drug charges to force a prisoner swap.
That effort failed. Burkov was extradited to the U.S. in 2019, soon pleaded guilty, and was sentenced to nine years. However, he was recently deported back to Russia prior to serving his full sentence, which has prompted Republican leaders in the House to question why.
Other notable cybercrooks from DirectConnection who’ve been arrested, extradited to the U.S. and sentenced to prison include convicted credit card fraudsters Vladislav “Badb” Horohorin and Sergey “zo0mer” Kozerev, as well as the infamous spammer and botnet master Peter “Severa” Levashov.
At his sentencing today, Berezan was sentenced to 66 months in prison and ordered to pay $36 million in restitution to his victims.
Florida Sheriff’s Officer Charged with Cyber-Flashing Minor
Law man was the subject of 28 complaints before his arrest over obscene Snapchat images
CVE-2020-21554
A File Deletion vulnerability exists in TinyShop 3.1.1 in the back_list parameter in controllersadmin.php, which could let a malicious user delete any file such as install.lock to reinstall cms.