Brief #14: LockBit 3.0 Leak, CloudNordic Ransomware, WinRAR 0-Day

Mandos Brief, Week 34 2023: The LockBit 3.0 ransomware leak, CloudNordic's devastating attack, WinRAR's zero-day vulnerability, Tesla's data breach and more.

LockBit 3.0 Ransomware Builder Leak Unleashes New Threat Variants

  • LockBit 3.0 ransomware builder leaked, enabling the creation of custom ransomware variants.
  • The leak has led to the emergence of new ransomware groups with different ransom demand procedures.
  • Kaspersky detected 396 distinct LockBit samples, 312 of which were created using the leaked builders.
  • The ransomware supports encrypted executables and strong protection techniques against reverse engineering.

The cybersecurity community has been shaken by the leak of the LockBit 3.0 ransomware builder. This tool, initially exclusive to the LockBit ransomware-as-a-service (RaaS) program, has now fallen into the hands of various threat actors. The leak has led to the proliferation of new ransomware variants, each with its own set of ransom demand procedures and notes. Kaspersky has detected a total of 396 distinct LockBit samples, 312 of which were created using the leaked builders.

Technically, LockBit 3.0 is a formidable threat. It supports the usage of encrypted executables with randomly generated passwords, hindering automatic analysis. The payload also includes strong protection techniques against reverse engineering, including the use of undocumented kernel-level Windows functions. The ransomware builder itself is devoid of any protection mechanisms, as it was intended for internal use by threat actors. This has allowed cybersecurity researchers to delve into its construction methodology, providing insights into its configuration parameters and encryption techniques.

With the tool now publicly available, the race is on to understand its intricacies and develop countermeasures before it wreaks more havoc.

CloudNordic and AZero Hit Hard by Ransomware, Losing All Customer Data

  • CloudNordic, a Danish cloud hosting company, suffered a severe ransomware attack, losing all customer data.
  • The attack also affected AZero, another cloud host owned by the same parent company, Certiqa Holding.
  • The ransomware encrypted all servers, disks, and both primary and secondary backup systems.
  • There is no evidence of data exfiltration, but the company has lost access to all data and will not pay the ransom.

CloudNordic, a Denmark-based cloud hosting service, recently fell victim to a devastating ransomware attack that led to the loss of all customer data. The cybercriminals behind the attack managed to shut down all of CloudNordic's systems, including its website, email, and customer systems. The attackers encrypted all servers and disks, including both primary and secondary backup systems, rendering data recovery impossible.

Interestingly, AZero, another cloud host owned by the same parent company, Certiqa Holding, was also affected by the attack. The company stated that it had no plans to pay the ransom, as it did not have the funds and also because there was no evidence that customer data had been copied or exfiltrated.

The attack's origins are still unclear, but CloudNordic mentioned that the situation worsened when infected systems were moved from one data center to another, which was connected to their internal network. This move potentially allowed the attackers to gain access to central administrative and backup systems.

Both CloudNordic and AZero are currently working to rebuild their web and email systems from scratch, albeit without any customer data. This incident serves as a cautionary tale for cloud hosts and emphasizes the importance of robust cybersecurity measures.

WinRAR 0-Day Allows Attackers to Execute Malicious Code

  • A new zero-day vulnerability in WinRAR allows attackers to execute malicious code via poisoned JPG and TXT files.
  • The exploit has been active since April and is being used to install malware such as DarkMe, GuLoader, and Remcos RAT.
  • The vulnerability, tracked as CVE-2023-38831, was fixed by the WinRAR developers earlier this month.
  • The exploit has been primarily distributed on trading forums, affecting at least 130 known individuals.

A newly discovered zero-day vulnerability in the popular file-compression program WinRAR has been under active exploitation since April 2023. The exploit allows attackers to execute malicious code when users open specially crafted ZIP archives containing poisoned JPG and TXT files. Security researchers from Group-IB have reported that the attackers are using this vulnerability to install various malware families, including DarkMe, GuLoader, and Remcos RAT. These malware types are then used to siphon money from broker accounts.

The exploit has been distributed primarily on securities trading forums. In some instances, the malicious ZIP files were attached to forum posts, while in others they were shared via file storage sites. The total number of victims and the financial losses are still unknown, but at least 130 individuals are known to have been compromised. WinRAR has already released a fix for this vulnerability and urges users to update to the latest version to stay protected.

For those using WinRAR, updating to the latest version is crucial to avoid falling victim to this exploit. The vulnerability is tracked as CVE-2023-38831 and is patched in the latest update.
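Updating is the fix, but defenders who handle inbound archives may also want a way to triage them. The following is an added example, not code from the original brief or from the WinRAR project: it applies the publicly documented CVE-2023-38831 heuristic (an archive in which a harmless-looking file shares its name with a directory whose name carries a trailing space, and that directory holds a member with a script extension) to ZIP files. The sample archives it builds are constructed in memory for the demonstration and contain only placeholder bytes; the function and variable names are the author's own.

```python
import io
import zipfile
from typing import Dict, List


def build_sample(spoofed: bool) -> bytes:
    """Constructed test fixture, not a real sample: a small archive that is
    either benign or laid out like the CVE-2023-38831 spoofing pattern."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0 constructed placeholder, not an image")
        zf.writestr("readme.txt", b"constructed benign text")
        if spoofed:
            # Directory "photo.jpg " (trailing space) next to file "photo.jpg"
            zf.writestr("photo.jpg /photo.jpg .cmd", b"echo constructed placeholder")
    return buf.getvalue()


def scan_archive(data: bytes) -> Dict[str, List[str]]:
    """Report entries whose path components end in whitespace, and those
    whose trimmed component also exists as a regular file at the same
    level (the name collision the WinRAR bug relied on)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    regular_files = {n for n in names if not n.endswith("/")}
    report: Dict[str, List[str]] = {"trailing_whitespace": [], "name_collision": []}
    for name in names:
        parts = [p for p in name.split("/") if p]
        for depth, comp in enumerate(parts):
            if comp == comp.rstrip():
                continue
            # Legitimate archivers do not normally emit trailing whitespace
            report["trailing_whitespace"].append(name)
            collides_with = "/".join(parts[:depth] + [comp.rstrip()])
            if collides_with in regular_files:
                report["name_collision"].append(name)
            break
    return report


def is_suspicious(data: bytes) -> bool:
    """True when the archive matches the full spoofing pattern."""
    return bool(scan_archive(data)["name_collision"])


if __name__ == "__main__":
    for label, blob in (("benign", build_sample(False)), ("spoofed", build_sample(True))):
        print(label, scan_archive(blob))
```

This is a triage heuristic for mail gateways or sandbox intake, not a substitute for patching: it only inspects entry names, so an archive that reaches a user on an unpatched WinRAR build will still execute the spoofed member when opened. Treat a `name_collision` hit as a reason to quarantine and inspect the archive.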

SIM-Swapping Attack on Kroll Exposes Crypto Investor Data

  • A Kroll employee fell victim to a SIM-swapping attack, compromising user information for multiple cryptocurrency platforms.
  • The attack led to the theft of personal information of bankruptcy claimants related to BlockFi, FTX, and Genesis.
  • The incident has already been exploited in phishing attacks targeting the compromised accounts.
  • Neither FTX's nor BlockFi's systems were directly breached, and Kroll has contained and remediated the incident.

Security consulting firm Kroll recently disclosed a SIM-swapping attack against one of its employees, leading to a significant data breach. The attack targeted a T-Mobile phone number belonging to the employee and transferred it to the attacker's phone. As a result, the threat actor gained unauthorized access to files containing personal information of bankruptcy claimants related to cryptocurrency platforms BlockFi, FTX, and Genesis.

The breach has already had real-world consequences, with multiple reports of phishing attacks exploiting the stolen data. These phishing attempts often spoof FTX and claim that the recipient is eligible to begin withdrawing digital assets from their accounts. Kroll has taken immediate actions to secure the affected accounts and has notified the impacted individuals.

Interestingly, the attack bypassed multi-factor authentication (MFA) to gain access to the employee's account and the stored files. This incident serves as a timely reminder of the vulnerabilities associated with relying on mobile phone companies for security. It also raises questions about the effectiveness of MFA when the mobile number itself is compromised.

Kroll, a firm often called in to investigate data breaches, now finds itself in the uncomfortable position of being the breached entity. The company has contained and remediated the incident but the damage to its reputation and the increased risk to its clients remain significant concerns.

Tesla Data Breach Blamed on ‘Insider Wrongdoing’ Impacted 75,000

  • Over 75,000 individuals impacted, primarily employees.
  • Breach attributed to two former Tesla employees.
  • Exposed data includes employee records, names, email addresses, phone numbers, and sensitive corporate information.
  • Tesla obtained court orders against the former employees and is cooperating with law enforcement.

In a recent cybersecurity incident, Tesla Inc. faced a significant data breach affecting more than 75,000 individuals. The breach was attributed to insider wrongdoing, specifically by two former employees of the company. According to reports from Bloomberg and InfoSecurity Magazine, the compromised data includes sensitive employee information such as names, home and email addresses, phone numbers, and Social Security numbers.

The breach was first reported by the German newspaper Handelsblatt on May 25, 2023. Tesla's internal investigation revealed that the two former employees had misappropriated the information in violation of the company's IT security and data protection policies. They then shared this data with Handelsblatt, although the media outlet has stated it does not intend to publish the personal information.

Tesla has taken legal action against the perpetrators, obtaining court orders that prohibit them from further use, access, or dissemination of the data. The company is also cooperating with law enforcement agencies and external forensics experts to address the situation. This incident underlines the challenges organizations face in enforcing the principle of "least privilege" among employees to mitigate insider threats.