BlackCat Ransomware Raises Ante After FBI Disruption

Read Time:4 Minute, 6 Second

The U.S. Federal Bureau of Investigation (FBI) disclosed today that it infiltrated the world’s second most prolific ransomware gang, a Russia-based criminal group known as ALPHV and BlackCat. The FBI said it seized the gang’s darknet website, and released a decryption tool that hundreds of victim companies can use to recover systems. Meanwhile, BlackCat responded by briefly “unseizing” its darknet site with a message promising 90 percent commissions for affiliates who continue to work with the crime group, and open season on everything from hospitals to nuclear power plants.

A slightly modified version of the FBI seizure notice on the BlackCat darknet site (Santa caps added).

Whispers of a possible law enforcement action against BlackCat came in the first week of December, after the ransomware group’s darknet site went offline and remained unavailable for roughly five days. BlackCat eventually managed to bring its site back online, blaming the outage on equipment malfunctions.

But earlier today, the BlackCat website was replaced with an FBI seizure notice, while federal prosecutors in Florida released a search warrant explaining how FBI agents were able to gain access to and disrupt the group’s operations.

A statement on the operation from the U.S. Department of Justice says the FBI developed a decryption tool that allowed agency field offices and partners globally to offer more than 500 affected victims the ability to restore their systems.

“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online,” Deputy Attorney General Lisa O. Monaco said. “We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”

The DOJ reports that since BlackCat’s formation roughly 18 months ago, the crime group has targeted the computer networks of more than 1,000 victim organizations. BlackCat attacks usually involve encryption and theft of data; if victims refuse to pay a ransom, the attackers typically publish the stolen data on a BlackCat-linked darknet site.

BlackCat formed by recruiting operators from several competing or disbanded ransomware organizations — including REvilBlackMatter and DarkSide. The latter group was responsible for the Colonial Pipeline attack in May 2021 that caused nationwide fuel shortages and price spikes.

Like many other ransomware operations, BlackCat operates under the “ransomware-as-a-service” model, where teams of developers maintain and update the ransomware code, as well as all of its supporting infrastructure. Affiliates are incentivized to attack high-value targets because they generally reap 60-80 percent of any payouts, with the remainder going to the crooks running the ransomware operation.

BlackCat was able to briefly regain control over their darknet server today. Not long after the FBI’s seizure notice went live the homepage was “unseized” and retrofitted with a statement about the incident from the ransomware group’s perspective.

The message that was briefly on the homepage of the BlackCat ransomware group this morning. Image: @GossiTheDog.

BlackCat claimed that the FBI’s operation only touched a portion of its operations, and that as a result of the FBI’s actions an additional 3,000 victims will no longer have the option of receiving decryption keys. The group also said it was formally removing any restrictions or discouragement against targeting hospitals or other critical infrastructure.

“Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS [a common restriction against attacking organizations in Russia or the Commonwealth of Independent States]. You can now block hospitals, nuclear power plants, anything, anywhere.”

The crime group also said it was setting affiliate commissions at 90 percent, presumably to attract interest from potential affiliates who might otherwise be spooked by the FBI’s recent infiltration. BlackCat also promised that all “advertisers” under this new scheme would manage their affiliate accounts from data centers that are completely isolated from each other.

BlackCat’s darknet site currently displays the FBI seizure notice. But as BleepingComputer founder Lawrence Abrams explained on Mastodon, both the FBI and BlackCat have the private keys associated with the Tor hidden service URL for BlackCat’s victim shaming and data leak site.

“Whoever is the latest to publish the hidden service on Tor (in this case the BlackCat data leak site), will resume control over the URL,” Abrams said. “Expect to see this type of back and forth over the next couple of days.”

The DOJ says anyone with information about BlackCat affiliates or their activities may be eligible for up to a $10 million reward through the State Department’s “Rewards for Justice” program, which accepts submissions through a Tor-based tip line (visiting the site is only possible using the Tor browser).

Further reading: CISA StopRansomware Alert on the tools, techniques and procedures used by ALPHV/BlackCat.

Read More

asterisk release 20.5.1

Read Time:21 Second

Posted by Asterisk Development Team via Fulldisclosure on Dec 19

The Asterisk Development Team would like to announce security release
Asterisk 20.5.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.5.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

The following security advisories were resolved in this release:
– [Path traversal via AMI GetConfig allows access to outside
files](…

Read More

asterisk release 18.20.1

Read Time:21 Second

Posted by Asterisk Development Team via Fulldisclosure on Dec 19

The Asterisk Development Team would like to announce security release
Asterisk 18.20.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/18.20.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

The following security advisories were resolved in this release:
– [Path traversal via AMI GetConfig allows access to outside
files](…

Read More

CORRECTED asterisk release 21.0.1

Read Time:23 Second

Posted by Asterisk Development Team on Dec 19

The earlier announcement should not have had any User or Upgrade notes.

The Asterisk Development Team would like to announce security release
Asterisk 21.0.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.0.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

The following security advisories were resolved in this release:
– [Path traversal via AMI GetConfig allows…

Read More

CORRECTED asterisk release certified-18.9-cert6

Read Time:22 Second

Posted by Asterisk Development Team on Dec 19

The earlier release announcement should NOT have had any User or Upgrade
notes.

The Asterisk Development Team would like to announce security release
Certified Asterisk 18.9-cert6.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert6
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

The following security advisories were resolved in this release:…

Read More

[ES2023-03] RTPEngine susceptible to Denial of Service via DTLS Hello packets during call initiation

Read Time:23 Second

Posted by Sandro Gauci on Dec 19

# RTPEngine susceptible to Denial of Service via DTLS Hello packets during call initiation

– Fixed versions: mr12.1.1.2, mr12.0.1.3, mr11.5.1.16, mr10.5.6.3, mr10.5.6.2
– Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2023-03-rtpengine-dtls-hello-race
– Vendor Patch: https://github.com/sipwise/rtpengine/commit/e969a79428ac4a15cdf1c0a1c6f266dbdc7e60b6
– Tested vulnerable versions: mr11.5.1.6
– Timeline:…

Read More

[ES2023-01] Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation

Read Time:23 Second

Posted by Sandro Gauci on Dec 19

# Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation

– Fixed versions: 18.20.1, 20.5.1, 21.0.1,18.9-cert6
– Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2023-01-asterisk-dtls-hello-race
– Vendor Security Advisory: https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
– Other references: CVE-2023-49786
– Tested vulnerable versions: 20.1.0
-…

Read More

[KIS-2023-14] PKP-WAL <= 3.4.0-3 (NativeImportExportPlugin) Remote Code Execution Vulnerability

Read Time:17 Second

Posted by Egidio Romano on Dec 19

———————————————————————————
PKP-WAL <= 3.4.0-3 (NativeImportExportPlugin) Remote Code Execution
Vulnerability
———————————————————————————

[-] Software Links:

https://pkp.sfu.ca
https://github.com/pkp/pkp-lib

[-] Affected Versions:

PKP Web Application Library (aka PKP-WAL or pkp-lib) version 3.4.0-3
and prior versions, as used in Open…

Read More

[SBA-ADV-20220120-01] MOKOSmart MKGW1 Gateway Improper Session Management

Read Time:21 Second

Posted by SBA – Advisory via Fulldisclosure on Dec 19

# MOKOSmart MKGW1 Gateway Improper Session Management #

Link:
https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220120-01_MOKOSmart_MKGW1_Gateway_Improper_Session_Management

## Vulnerability Overview ##

MOKOSmart MKGW1 Gateway devices with firmware version 1.1.1 or below do
not provide an adequate session management for the administrative web
interface. This allows adjacent attackers with access to the management
network to…

Read More

APPLE-SA-12-19-2023-1 macOS Sonoma 14.2.1

Read Time:24 Second

Posted by Apple Product Security via Fulldisclosure on Dec 19

APPLE-SA-12-19-2023-1 macOS Sonoma 14.2.1

macOS Sonoma 14.2.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214048.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

WindowServer
Available for: macOS Sonoma
Impact: A user who shares their screen may unintentionally share the…

Read More