UK Leads Operation Against Ransomware Giant ๐Ÿ”๐ŸŒ

Feb 21 2024

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that wants to honour those on the frontlines of the cyberwar who are forever patching and updating. Theyโ€™ve taken a leaf out of the UKโ€™s nuclear program: if at first you donโ€™t succeed, Tri, Tri, again ๐Ÿ˜ฌ๐Ÿ™ˆ๐Ÿคฃ

Todayโ€™s hottest cybersecurity news stories:

  • ๐Ÿ’‚ Rule Britannia! UKโ€™s FBI (NSA) throws a spanner in Lockbitโ€™s works ๐Ÿ”ง

  • โ›๏ธ Mine how you go! Migo malware targets Redis servers for crypto mining

  • ๐Ÿ‘พ More than 28,500 Exchange servers vulnerable to actively exploited bug

UK: We wonโ€™t rest until we have them under Lockbit and key ๐Ÿ”๐Ÿ‘€๐Ÿ‘ฎ


๐Ÿ”’ Major Blow to Cybercrime: UK Leads Operation Against Ransomware Giant ๐Ÿ”๐ŸŒ

The UK has spearheaded an operation targeting Lockbit, believed to be the world’s largest criminal ransomware group. Led by the National Crime Agency (NCA), the operation marks a significant disruption to the cybercriminal landscape. ๐Ÿ‡ฌ๐Ÿ‡ง๐Ÿ’ป

Lockbit, suspected to operate out of Russia, is notorious for its ransomware activities, offering services to other criminal entities. The NCA successfully infiltrated Lockbit’s systems, seizing crucial data and taking control of the group’s operations. ๐Ÿ•ต๏ธโ€โ™‚๏ธ๐Ÿ›ก๏ธ

The impact of the operation is profound, with law enforcement agencies from around the world, including the FBI and Europol, joining forces to combat this cyber threat. This coordinated effort signals a new era in combating cybercrime, with the UK taking a leading role. ๐ŸŒ๐Ÿ”“

Lockbit’s modus operandi involves hacking into the systems of companies and organisations, encrypting data, and demanding ransom payments. The group’s targets include high-profile entities such as Royal Mail, Industrial & Commercial Bank of China (ICBC), and suppliers to the NHS. ๐Ÿ’ผ๐Ÿ’ฐ

The operation, which had been underway covertly, culminated in a public phase, where law enforcement agencies took control of Lockbit’s dark web site. Instead of criminal activities, visitors were greeted with messages indicating law enforcement control and collaboration. ๐Ÿšจ๐Ÿ”จ

The disruption not only impacts Lockbit’s operations but also exposes the inner workings of the group. Law enforcement agencies obtained critical data, shedding light on the true scale of Lockbit’s activities. ๐Ÿ’ก๐Ÿ”

Lockbit operates by providing criminal services to affiliates, offering hacking tools and guidance. However, following the operation, affiliates attempting to access Lockbit’s site were met with warnings that their details were now in the hands of law enforcement. ๐Ÿ›‘๐Ÿ’ป

The operation aims not only to disrupt Lockbit’s activities but also to undermine its credibility and reputation. By exposing the group’s operations and targeting its affiliates, law enforcement hopes to deter future criminal collaboration. ๐Ÿ›ก๏ธโŒ

While Lockbit’s operators remain beyond the reach of law enforcement, this operation represents a significant step forward in combating cyber threats and safeguarding digital ecosystems. The collaborative effort sends a clear message: cybercrime will not go unchecked. ๐Ÿค๐Ÿšซ


Signup for Free


Learn AI in 5 minutes a day. We’ll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.

Hackers be like hola, aMigo ๐Ÿ’ƒ

๐Ÿ”’ New Cryptojacking Campaign Targets Redis Servers ๐Ÿ”๐Ÿ–ฅ๏ธ

A fresh malware campaign has surfaced, taking aim at Redis servers to kickstart cryptocurrency mining on compromised Linux systems.

Dubbed Migo, this Golang ELF binary boasts compile-time obfuscation and persistence capabilities, making it a formidable threat to Linux hosts.

Cado security researcher Matt Muir shed light on the campaign, highlighting the attackers’ use of innovative tactics to weaken system defences and exploit Redis vulnerabilities. ๐Ÿ•ต๏ธโ€โ™‚๏ธ๐Ÿ’ป

The attack begins with a series of commands aimed at disabling key Redis configuration options, paving the way for subsequent exploitation without raising suspicion. ๐Ÿ› ๏ธ๐Ÿ”“

Once inside, threat actors set up Redis keys to establish persistence and fetch the primary payload from, a file transfer service. This method, previously spotted in early 2023, remains a favoured technique among cybercriminals. ๐Ÿ“‚๐Ÿ”—

Migo, the core malware, then springs into action, downloading an XMRig installer from GitHub and executing steps to maintain persistence, terminate rival miners, and launch the cryptocurrency mining operation. ๐Ÿ’ฐโ›๏ธ

To evade detection, Migo takes measures to disable SELinux, hide processes, and eliminate monitoring agents. These tactics bear resemblance to those employed by notorious cryptojacking groups such as TeamTNT and Rocke. ๐Ÿ›ก๏ธ๐Ÿ”

Migo’s recursive scanning of system files under /etc presents a unique challenge for analysis, potentially aimed at confusing sandbox environments or tailoring attacks to specific targets. ๐Ÿ”„๐Ÿ”

In essence, Migo underscores the evolving sophistication of cloud-focused attackers, highlighting the need for robust security measures to protect web-facing services. ๐Ÿ’ก๐ŸŒ

๐ŸŽฃ Catch of the Day!! ๐ŸŒŠ๐ŸŸ๐Ÿฆž

๐Ÿƒย The Motley Fool: โ€œFool me once, shame on โ€” shame on you. Fool me โ€” you can’t get fooled again.โ€ Good olโ€™ George Dubya ๐Ÿ˜‚ Let us tell whoโ€™s not fooling around though; thatโ€™s the Crรผe ๐Ÿ‘€ at Motley Fool. Youโ€™d be a fool (alright, enough already! ๐Ÿ™ˆ) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! ๐Ÿ› Kidding aside, if you check out their website theyโ€™ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets ๐Ÿค‘ย (LINK)

๐Ÿšตย Wander: Find your happy place. Cue Happy Gilmore flashback ๐ŸŒ๏ธโ›ณ๐ŸŒˆ๐Ÿ•Š๏ธ Mmmm Happy Placeโ€ฆ ๐Ÿ˜‡ So, weโ€™ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, itโ€™s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway ๐Ÿž๏ธ๐Ÿ˜ย (LINK)

๐ŸŒŠย Digital Ocean: If you build it they will come. Nope, weโ€™re not talking about a baseball field for ghosts โšพ๐Ÿ‘ป๐Ÿฟ (Great movie, to be fair ๐Ÿ™ˆ). This is the Digital Ocean whoโ€™ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website youโ€™ll find yourself catching the buzz even if you canโ€™t code (guilty ๐Ÿ˜‘). But if you can and youโ€™re looking for somewhere to test things out or launch something new or simply enhance what youโ€™ve got, weโ€™d recommend checking out their services foโ€™ sho ๐Ÿ˜‰ And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! ๐ŸŒฟย (LINK)

This is really bugging us ๐ŸฆŸ๐Ÿ™ƒ๐Ÿ’€ Itโ€™s a bug in the wild ๐Ÿ’๐Ÿฆง๐Ÿ๐Ÿฆœ๐ŸŒด

๐Ÿšจ Critical Vulnerability in Microsoft Exchange Servers ๐Ÿšจ

A critical severity privilege escalation flaw, CVE-2024-21410, poses a significant threat to up to 97,000 Microsoft Exchange servers worldwide. ๐ŸŒ๐Ÿ’ผ

Initially exploited as a zero-day, this vulnerability enables remote unauthenticated actors to execute NTLM relay attacks, potentially granting them elevated privileges on affected systems. ๐Ÿ›ก๏ธ๐Ÿ”“

Although Microsoft released a patch on February 13 to address the issue, a substantial number of servers remain vulnerable, with approximately 28,500 confirmed cases. ๐Ÿ”’๐Ÿ“‰

Shadowserver’s threat monitoring service identified Germany, the United States, and the United Kingdom as the most impacted countries, emphasising the global reach of this security concern.

While there’s currently no publicly available exploit for CVE-2024-21410, the potential consequences of exploitation underscore the urgency for system administrators to apply the necessary updates and mitigations. โš ๏ธ๐Ÿ’ป

To safeguard against this threat, organisations are advised to deploy Exchange Server 2019 Cumulative Update 14 (CU14), which includes NTLM credentials Relay Protections. ๐Ÿ›ก๏ธ๐Ÿ”’

Furthermore, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has listed CVE-2024-21410 as a ‘Known Exploited Vulnerability,’ urging federal agencies to take action by March 7, 2024. ๐Ÿ‡บ๐Ÿ‡ธ๐Ÿ”

Failure to address this vulnerability could result in severe consequences, including unauthorised access to confidential data and the potential for further network exploitation. ๐Ÿ›‘๐Ÿ”

In summary, swift action is essential to mitigate the risk posed by CVE-2024-21410 and protect organisations from potential exploitation. ๐Ÿ›ก๏ธ๐Ÿ’ผ

Itโ€™s a jungle out there, folks! ๐Ÿฆ

๐Ÿ—ž๏ธ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.

  • Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran ‘Wealthy Primate’ might be able to help you climb that tree ๐Ÿ’๐ŸŒด with his stick and banana approach ๐ŸŒ๐Ÿ˜

  • Techspresso:ย Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)

Let us know what you think!

So long and thanks for reading all the phish!

Recent articles