Tech giants also follow Meta in cracking down on Kremlin propaganda
ZDI-22-429: Adobe FrameMaker TIF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Adobe FrameMaker. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
ZDI-22-430: Adobe Photoshop TIF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Adobe Photoshop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.
A Vulnerability in Mitel MiCollab and MiVoice Business Express Could Allow for Unauthorized Disclosure of Data
A vulnerability has been discovered in Mitel MiCollab and MiVoice Business Express, which could allow for the unauthorized disclosure of data as well as result in denial of service.
Mitel MiCollab is an enterprise collaboration software and tools platform solution that securely provides communications.
MiVoice Business Express provides a complete communications solution for small to mid-range businesses.
Successful exploitation of this vulnerability could allow for unauthorized disclosure of data as well as result in denial of service. Depending on the goal of the attacker they could view sensitive information that should not be accessible, or create denial of service conditions within impacted the system.
Conti Ransomware Group Diaries, Part I: Evasion
A Ukrainian security researcher this week leaked several years of internal chat logs and other sensitive data tied to Conti, an aggressive and ruthless Russian cybercrime group that focuses on deploying its ransomware to companies with more than $100 million in annual revenue. The chat logs offer a fascinating glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. The records also provide insight into how Conti has dealt with its own internal breaches and attacks from private security firms and foreign governments.
Conti makes international news headlines each week when it publishes to its dark web blog new information stolen from ransomware victims who refuse to pay an extortion demand. In response to Russia’s invasion of Ukraine, Conti published a statement announcing its “full support.”
“If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy,” the Conti blog post read.
On Sunday, Feb. 27, a new Twitter account “Contileaks” posted links to an archive of chat messages taken from Conti’s private communications infrastructure, dating from January 29, 2021 to the present day. Shouting “Glory for Ukraine,” the Contileaks account has since published additional Conti employee conversations from June 22, 2020 to Nov. 16, 2020.
The Contileaks account did not respond to requests for comment. But Alex Holden, the Ukrainian-born founder of the Milwaukee-based cyber intelligence firm Hold Security, said the person who leaked the information is not a former Conti affiliate — as many on Twitter have assumed. Rather, he said, the leaker is a Ukrainian security researcher who has chosen to stay in his country and fight.
“The person releasing this is a Ukrainian and a patriot,” Holden said. “He’s seeing that Conti is supporting Russia in its invasion of Ukraine, and this is his way to stop them in his mind at least.”
GAP #1
The temporal gaps in these chat records roughly correspond to times when Conti’s IT infrastructure was dismantled and/or infiltrated by security researchers, private companies, law enforcement, and national intelligence agencies. The holes in the chat logs also match up with periods of relative quiescence from the group, as it sought to re-establish its network of infected systems and dismiss its low-level staff as a security precaution.
On Sept. 22, 2020, the U.S. National Security Agency (NSA) began a weeks-long operation in which it seized control over the Trickbot botnet, a malware crime machine that has infected millions of computers and is often used to spread ransomware. Conti is one of several cybercrime groups that has regularly used Trickbot to deploy malware.
Once in control over Trickbot, the NSA’s hackers sent all infected systems a command telling them to disconnect themselves from the Internet servers the Trickbot overlords used to control compromised Microsoft Windows computers. On top of that, the NSA stuffed millions of bogus records about new victims into the Trickbot database.
News of the Trickbot compromise was first published here on Oct. 2, 2020, but the leaked Conti chats show that the group’s core leadership detected something was seriously wrong with their crime machine just a few hours after the initial compromise of Trickbot’s infrastructure on Sept. 22.
“The one who made this garbage did it very well,” wrote “Hof,” the handle chosen by a top Conti leader, commenting on the Trickbot malware implant that was supplied by the NSA and quickly spread to the rest of the botnet. “He knew how the bot works, i.e. he probably saw the source code, or reversed it. Plus, he somehow encrypted the config, i.e. he had an encoder and a private key, plus uploaded it all to the admin panel. It’s just some kind of sabotage.”
“Moreover, the bots have been flooded with such a config that they will simply work idle,” Hof explained to his team on Sept. 23, 2020. Hof noted that the intruder even kneecapped Trickbot’s built-in failsafe recovery mechanism. Trickbot was configured so that if none of the botnet’s control servers were reachable, the bots could still be recaptured and controlled by registering a pre-computed domain name on EmerDNS, a decentralized domain name system based on the Emercoin virtual currency.
“After a while they will download a new config via emercoin, but they will not be able to apply this config, because this saboteur has uploaded the config with the maximum number, and the bot is checking that the new config should be larger than the old one,” Hof wrote. “Sorry, but this is fucked up. I don’t know how to get them back.”
It would take the Conti gang several weeks to rebuild its malware infrastructure, and infect tens of thousands of new Microsoft Windows systems. By late October 2020, Conti’s network of infected systems had grown to include 428 medical facilities throughout the United States. The gang’s leaders saw an opportunity to create widespread panic — if not also chaos — by deploying their ransomware simultaneously to hundreds of American healthcare organizations already struggling amid a worldwide pandemic.
“Fuck the clinics in the USA this week,” wrote Conti manager “Target” on Oct. 26, 2020. “There will be panic. 428 hospitals.”
On October 28, the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”
Follow-up reporting confirmed that at least a dozen healthcare organizations were hit with ransomware that week, but the carnage apparently was not much worse than a typical week in the healthcare sector. One information security leader in the healthcare industry told KrebsOnSecurity at the time that it wasn’t uncommon for the industry to see at least one hospital or health care facility hit with ransomware each day.
GAP #2
The more recent gap in the Conti chat logs corresponds to a Jan. 26, 2021 international law enforcement operation to seize control of Emotet, a prolific malware strain and cybercrime-as-a-service platform that was used heavily by Conti. Following the Emotet takedown, the Conti group once again reorganized, with everyone forced to pick new nicknames and passwords.
The logs show Conti made a special effort to help one of its older members — All Witte — a 55-year-old Latvian woman arrested last year on suspicion of working as a programmer for the Trickbot group. The chat records indicate Witte became something of a maternal figure for many of Conti’s younger personnel, and after her arrest Conti’s leadership began scheming a way to pay for her legal defense.
“They gave me a lawyer, they said the best one, plus excellent connections, he knows the investigator, he knows the judge, he is a federal lawyer there, licensed, etc., etc.,” wrote Mango” — a mid-level manager within Conti — to “Stern,” a much higher-up Conti manager and taskmaster who frequently asked various units of the gang for updates on their daily assignments.
Stern agreed that this was the best course of action, but it’s unclear if it was successfully carried out. Also, the entire scheme may not have been as altruistic as it seemed: Mango suggested that paying Witte’s attorney fees might also give the group inside access to information about the government’s ongoing investigation of Trickbot.
“Let’s try to find a way to her lawyer right now and offer him to directly sell the data bypassing her,” Mango suggests to Stern on June 23, 2021.
The FBI has been investigating Trickbot for years, and it is clear that at some point the U.S. government shared information with the Russians about the hackers they suspected were behind Trickbot. It is also clear from reading these logs that the Russians did little with this information until October 2021, when Conti’s top generals began receiving tips from their Russian law enforcement sources that the investigation was being rekindled.
“Our old case was resumed,” wrote the Conti member “Kagas” in a message to Stern on Oct. 6, 2021. “The investigator said why it was resumed: The Americans officially requested information about Russian hackers, not only about us, but in general who was caught around the country. Actually, they are interested in the Trickbot, and some other viruses. Next Tuesday, the investigator called us for a conversation, but for now, it’s like [we’re being called on as] witnesses. That way if the case is suspended, they can’t interrogate us in any way, and, in fact, because of this, they resumed it. We have already contacted our lawyers.”
Incredibly, another Conti member pipes into the discussion and says the group has been assured that the investigation will go nowhere from the Russian side, and that the entire inquiry from local investigators would be closed by mid-November 2021.
It appears Russian investigators were more interested in going after a top Conti competitor — REvil, an equally ruthless Russian ransomware group that likewise mainly targeted large organizations that could pay large ransom demands.
On Jan. 14, 2022, the Russian government announced the arrest of 14 people accused of working for REvil. The Russian Federal Security Service (FSB) said the actions were taken in response to a request from U.S. officials, but many experts believe the crackdown was part of a cynical ploy to assuage (or distract) public concerns over Russian President Vladimir Putin’s bellicose actions in the weeks before his invasion of Ukraine.
The leaked Conti messages show that TrickBot was effectively shut down earlier this month. As Catalin Cimpanu at The Record points out, the messages also contain copious ransom negotiations and payments from companies that had not disclosed a breach or ransomware incident (and indeed had paid Conti to ensure their silence). In addition, there are hundreds of bitcoin addresses in these chats that will no doubt prove useful to law enforcement organizations seeking to track the group’s profits.
This is the first of several stories about the inner workings of Conti, based on the leaked chat records. Part II will be told through the private messages exchanged by Conti employees working in different operational units, and it explores some of the more unique and persistent challenges facing large-scale cybercriminal organizations today.
CVE-2020-15936
A improper input validation in Fortinet FortiGate version 6.4.3 and below, version 6.2.5 and below, version 6.0.11 and below, version 5.6.13 and below allows attacker to disclose sensitive information via SNI Client Hello TLS packets.
NIST Seeks Cybersecurity Framework Feedback
Institute wants to know how it can improve critical infrastructure cybersecurity framework
Viasat Attributes Outage to “Cyber Event”
Disruption of satellite internet service in Ukraine and Europe began on day one of Russian invasion
Remote Utilities Software Distributed in Ukraine via Fake Evacuation Plan Email
FortiGuard Labs is aware that a copy of Remote Manipulator System (RMS) was submitted from Ukraine to VirusTotal on February 28th, 2022. The RMS is a legitimate remote administration tool that allows a user to remotely control another computer. The file name is in Ukrainian and is “Evacuation Plan (approved by the SSU on 28.02.2022 by Order No. 009363677833).exe” in translation to English. The SSU likely stands for the Security Service of Ukraine. Why is this Significant?This is significant because given its file name, the country where the file was submitted to VirusTotal and the current situation in Ukraine, the file may have been distributed to Ukrainians.What does the File Do?The file silently installs a copy of legitimate Remote Utilities software to the compromised machine. The software allows a remote user to control the compromised machine.Based on the telemetry FortiGuard Labs collected, there is one IP address in Ukraine that connected to the remote IP that likely belongs to the attacker. How was the File Distributed to the Targets?Most likely via links in email.CERT-UA published a warning today that “the representatives of the Center for Combating Disinformation began to receive requests for information from the mail of the Ukrainian Security Service. Such notifications are fake and are a cyberattack”. The email below is reported have been used in the attack.Machine translation:Email subject: Evacuation plan from: SBU (Urgent) -28.02.2022 day off: 534161WARNING! This is an external sheet: do not click on the links or open a tab if you do not trust the editor.Report a suspicious list to ib@gng.com.ua.Security Service of UkraineGood afternoon, you need to have acquainted with the electronic evacuation plan until 01.03.2022, to give data on the number of employees, fill in the document in accordance with Form 1980-22SBU-98.To ensure confidentiality of the transferred data, the password: 2267903645 is set on the deposit.See the document on:hxxps://mega.nz/file/[reducted]Mirror 2: hxxps://files.dp.ua/en/[reducted]Mirror 3: hxxps://dropmefiles.com/[reducted]While the remote files were not available at the time of the investigation, the email and “Evacuation Plan (approved by the SSU on 28.02.2022 by Order No. 009363677833).exe” are likely connected based on the email content and the file name. Can the File Attributed to a Particular Threat Actor?It’s possible that a threat actor distributed the file to target Ukraine. However, while the Remote Utilities software is silently installed on the compromised machine, it displays an icon in Windows’s taskbar. Since most threat actors aim to hide their activities, this is potentially an act of novice attacker who tries to take advantage of the current situation in Ukraine.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the files involved in this attack:Riskware/RemoteAdmin_RemoteUtilities