The $10 Million Cyber Bounty and Linux Hacking Chaos, Cyber News Beat

Michael Lopez
Apr 2, 2024

(Dall-E 3)

This week has been a doozy! Lots of critical security issues. We have millions being offered for the BlackCat operators. Phones being turned into zombie proxies for the dark web. AMD being hit with a Spectre-type vulnerability that could end up being unpatchable (maybe). Finland being under cyber attack by China. And at least three major Linux vulnerabilities throwing Linux admins into chaos!

$10 Million Bounty: A Bold Move Against BlackCat Ransomware Operators

In a significant escalation of efforts to combat cyber threats, the US Department of State has announced a $10 million bounty for information leading to the capture of members associated with the BlackCat/ALPHV ransomware gang. This bold initiative targets the perpetrators behind cyberattacks on American infrastructure, indicating a robust stance against ransomware operations that jeopardize national security. The BlackCat ransomware, implicated in the notable breach of Change Healthcare, exemplifies the severe impact such cybercriminal activities can have on critical infrastructure and personal data. Despite the challenge of prosecuting Russian-speaking threat actors who often operate from locations beyond the reach of US law enforcement, this bounty represents a crucial strategy in disrupting cybercriminal networks.

The deployment of financial incentives for intelligence on ransomware operators is hopefully the start of a broader trend of taking cyber threats more seriously and of seeing APTs dealt with to a more permanent end. The underlying hope is that private organizations, in conjunction with these governmental bodies, will strengthen partnerships further and aggressively pursue these APTs, who seem to act with total impunity. Moreover, I hope this demonstrates to organizations that not securing your networks comes with a cost, a big cost. The consequences of this latest major breach have been extremely detrimental to the financial wellbeing of Change Healthcare. This also hopefully means more time and budget will be given to security practitioners to properly secure infrastructure, especially infrastructure as critical as something that underpins healthcare.

MacOS Malware Disguised as Legitimate Ads

Cybersecurity researchers have recently sounded the alarm on a sophisticated campaign aimed at macOS users, wherein cybercriminals deploy malicious advertisements to distribute stealer malware, notably including strains like Atomic Stealer. These deceptive ads lure users to fraudulent websites, which mimic legitimate services, to trick them into downloading malware under the guise of authentic software. This nefarious strategy has seen particular focus on individuals within the cryptocurrency space, exploiting their interest with fake job offers or opportunities for exposure, such as podcast interviews. The use of DMG files, a common format for macOS software, as a delivery mechanism for this malware highlights the attackers’ cunning in blending their malicious payloads with typical user behaviors and expectations. This emerging threat underscores a worrying trend of increased sophistication and targeting precision in cyberattacks against macOS users, challenging the prevailing notion of the platform’s immunity to such threats.

The prevalence of these attacks not only signifies a shift in the landscape of cybersecurity threats but also serves as a critical wake-up call for users and defenders of macOS environments. It brings to light the essential need for heightened vigilance and skepticism towards online advertisements and unsolicited offers, especially those purporting to provide lucrative opportunities. The incidents suggest a broader trend of cybercriminals increasingly setting their sights on macOS, exploiting its growing user base and perceived security advantages. It used to be that macOS was considered a safe bastion from cyber criminality, but these incidents highlight that this is not the case (nor was it ever the case). macOS represents a smaller percentage of total computers globally, so less effort is typically put into exploiting it, but that doesn’t mean no effort. Instead we need to acknowledge that all systems are vulnerable and we should be striving to keep all of our devices safe.

Apps Turn Phones into Cybercriminal Underworld Proxies

In a recent and unsettling revelation, cybersecurity experts from HUMAN’s Satori Threat Intelligence team have exposed a clandestine operation named PROXYLIB, involving several Android applications found on the Google Play Store. These applications, masquerading as benign VPN services, were discovered to covertly convert users’ smartphones into nodes within a residential proxy network, unbeknownst to the device owners. The use of a Golang library to facilitate this transformation underscores the sophistication of this cybercriminal strategy. Google has since removed these compromised apps, but the incident sheds light on the potential for seemingly innocuous applications to serve nefarious purposes. By turning mobile devices into proxy servers, these apps allowed cybercriminals to anonymize their internet traffic, effectively masking illicit activities. This exploitation of residential proxies, which are highly sought after for their legitimacy and difficulty to blacklist, represents a significant security threat. The implicated apps leveraged a software development kit (SDK) from LumiApps, implicating the company in the distribution of these malicious applications and highlighting the challenges of securing app ecosystems.

The PROXYLIB scheme is a reminder that the methods employed by cybercriminals to exploit technology for malicious ends are always growing in sophistication. The incident not only raises concerns about the security of mobile app stores and the efficacy of their vetting processes but also calls attention to the broader implications for internet privacy and security. As residential proxies become a tool in the cybercriminal arsenal, the need for greater transparency and user education on the potential risks associated with proxyware becomes evident. It really can be worrisome how easy it is to end up an unwitting participant in the darkweb. It is also scary because malicious activity could be traced to you or someone you know without that person ever doing anything wrong. Please be very careful about what you download and where it is from, even if it is in an accredited app store.

Linux’s Hidden Passage

A critical security breach has been unveiled, casting a shadow over the Linux community: a covert backdoor within the XZ Utils library, versions 5.6.0 and 5.6.1. This discovery, reported by Red Hat and subsequently given the highest severity score of 10.0, unveils a dire threat to major Linux distributions. The malicious code, capable of granting unauthorized remote access, specifically targets the liblzma code within the library, posing a potential risk of manipulation of crucial system processes such as the sshd daemon. This backdoor was introduced through deceptive commits to the Tukaani Project’s GitHub repository, which has since been disabled. While there are no reported instances of exploitation in the wild, the implications of such a vulnerability are profound, prompting an urgent call to action for users of affected Linux distributions to downgrade to a secure version of XZ Utils.

This incident is a concerning reminder of the vulnerabilities inherent in open-source ecosystems and the complexities of ensuring the security of software supply chains. The exploitation of a widely used utility like XZ Utils underscores the sophistication and audacity of modern cyber threats. It raises critical questions about the oversight and security practices of open-source projects, particularly those that form the backbone of countless computing environments. As the Linux community grapples with the ramifications of this backdoor, the incident highlights the ongoing struggle between maintaining the openness and collaborative spirit of open-source development and the need to safeguard against malicious actors. The broader implications for software security, trust in open-source components, and the mechanisms for vetting contributions to such projects are now under intense scrutiny. It reminds me of this XKCD comic (https://xkcd.com/2347/). I love open source software so much but it is really hard to maintain the integrity of their security. It also highlights how careful we need to be when building any and all software and how many times we don’t truly know what is in these libraries built on libraries built on libraries.

Linux Security Hits a Wall

The recent discovery of a critical bug in Linux, designated CVE-2024-28085 and nicknamed WallEscape, has cast a new shadow over the security of one of the most widely used operating systems in the tech world. Uncovered by security researcher Skyler Ferrante, this vulnerability lies within the “wall” command of the util-linux package, a tool intended for sending messages to all users in a terminal session. Under specific conditions, WallEscape allows unprivileged users to execute commands that could potentially reveal other users’ passwords or hijack their clipboard contents. This flaw, stemming from an inadequate neutralization of escape sequences, hinges on the mesg utility being enabled and the wall command having setgid permissions. Notably impacting major distributions like Ubuntu 22.04 and Debian Bookworm, while sparing CentOS due to its handling of setgid permissions, WallEscape prompts a critical reassessment of user permissions and inter-process communications within Linux environments.
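As an added illustration of the bug class described above (this is example code, not util-linux’s own code or anything from the advisory), the hypothetical C helper below rewrites control bytes in a broadcast message into `cat -v` style caret notation before the text reaches anyone’s terminal, so escape sequences are displayed as text rather than interpreted by the receiving tty. The sample message is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not util-linux code): copy `in` into `out`, rewriting
 * every control byte other than newline and tab into the caret notation used
 * by `cat -v` ("^[" for ESC, "^G" for BEL, "^?" for DEL) and prefixing bytes
 * with the high bit set with "M-". Terminal escape sequences in the message
 * are therefore displayed as text instead of being interpreted by the tty.
 * Returns the number of bytes written (excluding the NUL) or -1 if `out` is
 * too small; `out` is NUL-terminated on success. */
static int neutralize_escapes(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        unsigned char c = *p;
        if (c >= 0x80) {                      /* high bit: emit "M-", keep low 7 bits */
            if (o + 2 >= outlen) return -1;
            out[o++] = 'M'; out[o++] = '-';
            c &= 0x7f;
        }
        if (c == '\n' || c == '\t') {         /* harmless whitespace passes through */
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        } else if (c < 0x20) {                /* C0 control byte, including ESC (0x1b) */
            if (o + 2 >= outlen) return -1;
            out[o++] = '^'; out[o++] = (char)(c + '@');
        } else if (c == 0x7f) {               /* DEL */
            if (o + 2 >= outlen) return -1;
            out[o++] = '^'; out[o++] = '?';
        } else {                              /* printable ASCII */
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Constructed sample message: plain text followed by a BEL and a CSI
 * erase-display sequence, the kind of bytes a broadcast must not relay raw. */
int main(void)
{
    const char *msg = "system reboot at 17:00\x07\x1b[2J";
    char safe[128];
    int n = neutralize_escapes(msg, safe, sizeof safe);
    if (n < 0) return 1;
    printf("%s\n", safe);                       /* system reboot at 17:00^G^[[2J */
    return strchr(safe, 0x1b) == NULL ? 0 : 1;  /* exit 0 when no raw ESC remains */
}
```

Non-ASCII text is shown in `M-` notation exactly as `cat -v` would, so a production version would decide separately how to treat UTF-8.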

The WallEscape vulnerability is another blow to Linux this week. This bug’s potential for misuse in environments where multiple users have access to shared terminals could lead to significant security breaches, from password leaks to unauthorized access to sensitive information. The prompt response from the Linux community, advising users to update to the patched version of util-linux, reflects the importance of active maintenance and community engagement in open-source projects. As Linux continues to serve as the backbone for countless servers, desktops, and embedded systems worldwide, the discovery of WallEscape really is worrisome given its broad-reaching implications and potential impact.

RATs Infesting Linux

A formidable threat is emerging with the Linux version of DinodasRAT, also known as XDealer, pinpointed in a series of cyber-attacks across China, Taiwan, Turkey, and Uzbekistan. This C++-based backdoor malware, capable of harvesting sensitive information from compromised systems, marks a significant pivot towards targeting the Linux platform, historically perceived as more secure against such threats. Identified by Kaspersky in October 2023, with its lineage traceable back to July 2021, DinodasRAT has evolved to specifically target Red Hat-based distributions and Ubuntu Linux. Its modus operandi includes establishing persistence on the host and initiating communication with remote servers to receive commands, thereby allowing threat actors complete control over infected machines. This malware’s creation, based on an open-source project, and its ability to perform multitasking for system monitoring and execute shell commands, highlight the increasing sophistication of cyber espionage tactics. The focus on Linux servers underscores a strategic move by threat actors to infiltrate and maintain a prolonged presence within networks, thereby evading detection and enhancing their espionage capabilities.

The issue is yet another blow to Linux this week. It underscores the critical need for heightened vigilance and robust security measures within Linux environments. As cybercriminals diversify their toolkit to exploit various operating systems, the security of Linux servers has come under scrutiny, challenging the community to reinforce defenses against such sophisticated threats. The targeting of Linux systems by DinodasRAT not only signifies the operating system’s growing popularity and its critical role in supporting global infrastructure but also reflects the evolving landscape of cyber threats, where no platform is immune. I hope all the Linux woes this week wake up developers who rely on Linux to dedicate more resources to ensuring the security of both the operating system and the supply chain of components going into the OS.

Finland Attacked by Chinese Group APT31

Finland has accused the Chinese hacking group APT31, known by various aliases including Altaire, Bronze Vinewood, Judgement Panda, and Violet Typhoon, of orchestrating a sophisticated cyber attack on its Parliament between fall 2020 and early 2021. This accusation adds another layer to the intricate tapestry of international relations and cybersecurity, implicating a state-backed entity in espionage activities that transcend national borders. APT31, with a history of cyber operations dating back to at least 2010, has been previously implicated by the U.K. and the U.S. in cyber espionage campaigns, leading to charges against seven operatives and sanctions against two individuals and a company. Despite China’s denial of these accusations and its critique of the U.S. and U.K. for politicizing cybersecurity, the attribution of the Finnish Parliament cyber attack to APT31 highlights the enduring challenge of attributing cyber attacks and the resultant strain on international diplomacy.

The incident involving APT31 and the Finnish Parliament not only brings to the forefront the ongoing concerns regarding state-sponsored cyber activities but also emphasizes the critical need for robust cybersecurity defenses and international cooperation to deter such threats. As nations grapple with the dual challenge of protecting their digital infrastructures and navigating the delicate balance of international relations, the role of cybersecurity in geopolitical strategy becomes increasingly evident. This case serves as a potent reminder that the primary domain of warfare for first world nations is predominantly cyber. And as we have seen before, those in the crosshairs are both government entities and private companies. In the end, though, the ones who suffer the most are the people. As cybersecurity practitioners we need to remind ourselves from time to time that cybersecurity is fundamentally the protection of people and their information.

ZenHammer: Challenging AMD’s Fortress with a RowHammer Evolution

More fun with CPU architecture vulnerabilities: the dawn of ZenHammer marks a significant milestone in the exploration of hardware vulnerabilities. Researchers from ETH Zurich have unveiled this new variant of the RowHammer attack, specifically targeting AMD’s Zen 2 and Zen 3 architectures. ZenHammer not only bypasses existing mitigations like Target Row Refresh (TRR) but also marks the first successful bit flips on DDR5 devices, a feat that could potentially lead to widespread data corruption and system compromise. This breakthrough underscores the vulnerabilities in AMD systems previously thought to be secure against RowHammer attacks, which exploit electrical interference between memory cells to alter data. The revelation of ZenHammer highlights the intricate challenges that DDR5 modules present and the critical need for a deeper understanding of RowHammer mitigations and their effectiveness.

AMD’s response to the findings, focusing on assessing the impact of RowHammer on DDR5 devices, signifies the ongoing arms race between hardware manufacturers and cybersecurity researchers. ZenHammer serves as a good reminder of the inherent vulnerabilities embedded within modern computing architectures, pushing the boundaries of what was previously considered secure. It emphasizes the necessity for continuous research and development in cybersecurity measures to stay ahead of evolving threats. The potential for ZenHammer to compromise systems shows the critical importance of robust security protocols, not just in software but at the hardware level, highlighting an area that often receives less attention in the broader cybersecurity conversation. As mentioned previously, these things are fundamentally very difficult to account for when building chips, but it is a worthwhile endeavor. Especially since these issues can be impossible to patch, and when they aren’t, the patches can significantly hamper the performance of these chips.

Darcula Phishing Network

Darcula is a sophisticated Phishing-as-a-Service (PhaaS) platform targeting organizations worldwide. Leveraging over 20,000 counterfeit domains, Darcula utilizes iMessage and RCS protocols to bypass traditional SMS firewall defenses, highlighting a significant evolution in cybercriminal tactics. This platform offers approximately 200 templates mimicking legitimate brands, facilitating the rapid deployment of phishing sites by cybercriminals for a monthly fee. Darcula’s ability to evade detection through advanced cloaking mechanisms and its use of reputable hosting services like Cloudflare and Tencent showcases the complexity and sophistication of modern phishing campaigns. The platform’s focus on automation and ease of use lowers the barrier to entry for less-skilled criminals, amplifying the threat to internet users globally.

The rise of Darcula reflects a broader trend in the cybercriminal ecosystem towards commoditization and sophistication of tools designed to exploit human trust. By targeting users through platforms like iMessage and leveraging advanced evasion techniques, PhaaS platforms like Darcula require a multifaceted response, integrating advanced technological solutions, user education, and international cooperation to combat the scourge of phishing. We need to be careful, yes, but if you are reading this you are likely a careful and knowledgeable person. We need to use this knowledge to help others avoid the perils of a world fraught with cyber attacks at every corner.

The Unwitting Soldiers in TheMoon Botnet’s Army

The resurgence of TheMoon botnet presents a formidable challenge to the cybersecurity landscape, as it exploits end-of-life (EoL) routers and IoT devices to fuel a nefarious criminal proxy service dubbed Faceless. With over 40,000 compromised devices spanning 88 countries, the botnet’s reach in early 2024 is a testament to the pervasive risk of neglected devices. Faceless capitalizes on this botnet to offer anonymity services for cybercriminal activities, effectively masking the origins of malicious traffic. This exploitation of EoL devices, which lack security updates and support, highlights a critical vulnerability in our digital ecosystem. The deliberate targeting of such devices for their weak security postures underscores a broader issue: the digital residue of outdated technology that continues to populate our homes and offices, serving as potential gateways for cybercriminals.

The strategy employed by TheMoon botnet and its utilization by Faceless accentuates the need for comprehensive cybersecurity strategies that extend beyond the lifespan of devices. This situation calls for a reevaluation of the responsibility of manufacturers, consumers, and regulatory bodies in ensuring the security of internet-connected devices throughout their lifecycle and beyond. Fundamentally, IoT has always been a security nightmare, as have EoL systems. Put them together and you get this chaos. Please secure your IoT devices, put them on a separate VLAN with strong ACLs, or better yet avoid IoT altogether wherever possible.

Michael Lopez

Cybersecurity Expert and AI Enthusiast. Former work with the NSA, US Cyber Command, and a Silicon Valley startup.