Episode 42: January 23 2023

Bullet points of key topics + chapter markers

[00:36] New CrySIS/Dharma Ransomware Variants

Links

https://cyware.com/news/new-crysisdharma-ransomware-variants-budding-like-mushrooms-c7fc5e9c

https://www.rollingstone.com/politics/politics-news/no-fly-list-leaked-unsecured-airline-server-1234665941/

https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotected-server-commuteair/

https://www.bleepingcomputer.com/news/security/riot-games-hacked-delays-game-patches-after-security-breach/

https://www.bleepingcomputer.com/news/security/mailchimp-discloses-new-breach-after-employees-got-hacked/

New CrySIS/Dharma Ransomware Variants

  • Dharma ransomware
    • February 2016
      • ESET researchers named it Crysis
      • Spotted in Russia, Japan, North and South Korea, and Brazil
    • November 2016
      • V2 and V3 master decryption keys for Crysis were released online
        • Posted to the BleepingComputer forum
        • A file containing the actual master decryption keys and information on how to utilize them
        • Poster suspected to be a member of the development team
    • January 2017
      • CrySIS RaaS was relaunched as Dharma
    • March 2017
      • Master key released
        • BleepingComputer
    • 2019
      • Phobos
        • Similar in design to Dharma (a little too similar)
    • The leaked code is now being used by several attackers
    • New variants appearing frequently
    • Attack
      • Abuse of exposed RDP servers
      • Phishing techniques
        • Installation files for genuine software
      • Post-encryption, the ransomware executes the Microsoft HTML Application host (MSHTA) to display a file, Info[.]hta, that contains the ransom details
      • A separate file named info[.]txt is dropped; it includes a shortened set of instructions to reach the attacker
    • What’s Different
      • Sets the console to codepage 1251, which supports Cyrillic languages
      • Deletes the shadow copies
      • A copy of the ransomware is placed in the host’s startup folder
      • File extensions are tailored to the attacker
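The behaviours listed under "What's Different" are the ones a defender can hunt for in endpoint telemetry. The following is an added example (not from the episode or from the linked articles) of correlating those behaviours across process-creation events: the log format is a constructed, simplified record of (timestamp, parent image, image, command line), and the concrete commands matched for shadow-copy deletion (vssadmin / wmic) and the codepage switch (chcp 1251) are assumptions about how the described behaviour shows up on a Windows host. Each command is benign on its own (administrators run vssadmin, chcp is a stock console tool), so the example alerts only when several behaviours cluster in a short window.

```python
"""Correlate Dharma-style host behaviours in process-creation telemetry.

Added example; the event format and the exact command lines matched are
assumptions, not details taken from the episode or the linked articles.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, parent image, image, command line).
SAMPLE_EVENTS = [
    ("2023-01-20T10:01:02", "explorer.exe", "cmd.exe", "cmd.exe /c chcp 1251"),
    ("2023-01-20T10:01:05", "cmd.exe", "vssadmin.exe",
     "vssadmin delete shadows /all /quiet"),
    ("2023-01-20T10:01:07", "payload.exe", "cmd.exe",
     'copy "C:\\Users\\alice\\payload.exe" '
     '"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe"'),
    ("2023-01-20T10:09:40", "payload.exe", "mshta.exe",
     "mshta.exe C:\\Users\\alice\\Desktop\\Info.hta"),
    ("2023-01-20T11:00:00", "explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
]

# One regex per behaviour from the show notes. The vssadmin/wmic and chcp
# patterns are assumed command forms for "delete the shadow copies" and
# "set the console to codepage 1251".
RULES = {
    "codepage_1251": re.compile(r"\bchcp\s+1251\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "startup_folder_write": re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
    "mshta_ransom_note": re.compile(r"mshta(\.exe)?\s+.*\.hta\b", re.I),
}


def classify_event(command_line):
    """Return the names of every behaviour rule the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]


def score_host(events, window_minutes=30):
    """Find the densest cluster of distinct behaviours within the window.

    Flags the host only when shadow-copy deletion co-occurs with at least
    one other listed behaviour, which keeps a lone admin vssadmin run from
    paging anyone.
    """
    hits = []
    for ts, _parent, _image, cmd in events:
        for rule in classify_event(cmd):
            hits.append((datetime.fromisoformat(ts), rule))
    hits.sort()

    best = set()
    window = timedelta(minutes=window_minutes)
    for start, _ in hits:
        cluster = {rule for t, rule in hits if start <= t <= start + window}
        if len(cluster) > len(best):
            best = cluster

    return {
        "behaviours": sorted(best),
        "suspicious": len(best) >= 2 and "shadow_copy_deletion" in best,
    }


if __name__ == "__main__":
    for ts, parent, image, cmd in SAMPLE_EVENTS:
        print(ts, image, classify_event(cmd))
    print(score_host(SAMPLE_EVENTS))
```

Real telemetry (Sysmon event 1, EDR process trees) carries parent/child relationships and file-write events that would tighten these rules considerably; the point here is the correlation step, since each individual command has legitimate uses.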

No Fly List Uncovered

  • maia arson crimew
    • Swiss hacker/hacktivist
    • Found the server while searching Shodan
  • Unsecured server
    • Airline: CommuteAir
    • CSV file
      • Appeared to have more than 1.5 million entries in total
      • Names as well as birth dates
      • Aliases
    • Contained the identities of hundreds of thousands of individuals from the U.S. government’s Terrorist Screening Database and “No Fly List”
    • Private information on almost 1,000 CommuteAir employees
      • Passport numbers, addresses, and phone numbers of roughly 900 company employees
    • User credentials to more than 40 Amazon S3 buckets and servers run by CommuteAir
  • TSA
    • “aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners.”
  • CommuteAir
    • Regional airline based out of Ohio
    • The exposed infrastructure (a development server) was used for testing purposes
      • Taken offline
    • Confirmed the legitimacy of the data
      • Data was from 4 years earlier
    • “The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth. In addition, certain CommuteAir employee and flight information was accessible. We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”

Riot Games Hacked

  • Riot Games
    • Video game developer and publisher
    • League of Legends and Valorant
    • Delaying game patches
  • Hacked
    • Development environment was compromised last week
      • Disclosed in a Twitter thread on Friday night
    • “Earlier this week, systems in our development environment were compromised via a social engineering attack.”
    • The breach directly impacted its ability to publish patches for its games

MailChimp discloses new breach

  • MailChimp
    • Attackers gained access to employee credentials
    • Used support tool access to reach 133 accounts
      • Social engineering attack on Mailchimp employees and contractors
    • First detected on January 11th
      • Detected the unauthorized person accessing their support tools
      • No credit card or password information was compromised
    • January 12
      • Notified the primary contacts for all affected accounts
    • WooCommerce eCommerce plugin for WordPress
      • Extremely popular
      • One of the customers impacted
      • Emailed customers warning them that the MailChimp breach exposed their names, store URLs, addresses, and email addresses
    • Not the first time
      • April 2022
        • Trezor hardware wallet owners
          • Email claiming a fake data breach
          • Download of a fake Trezor Suite to steal recovery seeds
        • The mailing list used in this phishing campaign was a Trezor mailing list stolen in a breach at MailChimp
        • Employees fell for a social engineering attack that allowed threat actors to access 319 MailChimp accounts and export the data from 102 customers
      • August 2022
        • Okta phishing attack
        • Threat actors accessed 214 MailChimp accounts
          • Focused on cryptocurrency-related customers
            • Included Edge Wallet, Cointelegraph, NFT creators, Ethereum FESP, Messari, and Decrypt