Feb 21 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that wants to honour those on the frontlines of the cyberwar who are forever patching and updating. Theyโve taken a leaf out of the UKโs nuclear program: if at first you donโt succeed, Tri, Tri, again ๐ฌ๐๐คฃ
Todayโs hottest cybersecurity news stories:
๐ Rule Britannia! UKโs FBI (NSA) throws a spanner in Lockbitโs works ๐ง
โ๏ธ Mine how you go! Migo malware targets Redis servers for crypto mining
๐พ More than 28,500 Exchange servers vulnerable to actively exploited bug
giphy.com
The UK has spearheaded an operation targeting Lockbit, believed to be the world’s largest criminal ransomware group. Led by the National Crime Agency (NCA), the operation marks a significant disruption to the cybercriminal landscape. ๐ฌ๐ง๐ป
Lockbit, suspected to operate out of Russia, is notorious for its ransomware activities, offering services to other criminal entities. The NCA successfully infiltrated Lockbit’s systems, seizing crucial data and taking control of the group’s operations. ๐ต๏ธโโ๏ธ๐ก๏ธ
The impact of the operation is profound, with law enforcement agencies from around the world, including the FBI and Europol, joining forces to combat this cyber threat. This coordinated effort signals a new era in combating cybercrime, with the UK taking a leading role. ๐๐
Lockbit’s modus operandi involves hacking into the systems of companies and organisations, encrypting data, and demanding ransom payments. The group’s targets include high-profile entities such as Royal Mail, Industrial & Commercial Bank of China (ICBC), and suppliers to the NHS. ๐ผ๐ฐ
The operation, which had been underway covertly, culminated in a public phase, where law enforcement agencies took control of Lockbit’s dark web site. Instead of criminal activities, visitors were greeted with messages indicating law enforcement control and collaboration. ๐จ๐จ
The disruption not only impacts Lockbit’s operations but also exposes the inner workings of the group. Law enforcement agencies obtained critical data, shedding light on the true scale of Lockbit’s activities. ๐ก๐
Lockbit operates by providing criminal services to affiliates, offering hacking tools and guidance. However, following the operation, affiliates attempting to access Lockbit’s site were met with warnings that their details were now in the hands of law enforcement. ๐๐ป
The operation aims not only to disrupt Lockbit’s activities but also to undermine its credibility and reputation. By exposing the group’s operations and targeting its affiliates, law enforcement hopes to deter future criminal collaboration. ๐ก๏ธโ
While Lockbit’s operators remain beyond the reach of law enforcement, this operation represents a significant step forward in combating cyber threats and safeguarding digital ecosystems. The collaborative effort sends a clear message: cybercrime will not go unchecked. ๐ค๐ซ
Signup for Free
Learn AI in 5 minutes a day. We’ll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.
A fresh malware campaign has surfaced, taking aim at Redis servers to kickstart cryptocurrency mining on compromised Linux systems.
Dubbed Migo, this Golang ELF binary boasts compile-time obfuscation and persistence capabilities, making it a formidable threat to Linux hosts.
Cado security researcher Matt Muir shed light on the campaign, highlighting the attackers’ use of innovative tactics to weaken system defences and exploit Redis vulnerabilities. ๐ต๏ธโโ๏ธ๐ป
The attack begins with a series of commands aimed at disabling key Redis configuration options, paving the way for subsequent exploitation without raising suspicion. ๐ ๏ธ๐
Once inside, threat actors set up Redis keys to establish persistence and fetch the primary payload from Transfer.sh, a file transfer service. This method, previously spotted in early 2023, remains a favoured technique among cybercriminals. ๐๐
Migo, the core malware, then springs into action, downloading an XMRig installer from GitHub and executing steps to maintain persistence, terminate rival miners, and launch the cryptocurrency mining operation. ๐ฐโ๏ธ
To evade detection, Migo takes measures to disable SELinux, hide processes, and eliminate monitoring agents. These tactics bear resemblance to those employed by notorious cryptojacking groups such as TeamTNT and Rocke. ๐ก๏ธ๐
Migo’s recursive scanning of system files under /etc presents a unique challenge for analysis, potentially aimed at confusing sandbox environments or tailoring attacks to specific targets. ๐๐
In essence, Migo underscores the evolving sophistication of cloud-focused attackers, highlighting the need for robust security measures to protect web-facing services. ๐ก๐
๐ย The Motley Fool: โFool me once, shame on โ shame on you. Fool me โ you can’t get fooled again.โ Good olโ George Dubya ๐ Let us tell whoโs not fooling around though; thatโs the Crรผe ๐ at Motley Fool. Youโd be a fool (alright, enough already! ๐) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! ๐ Kidding aside, if you check out their website theyโve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets ๐คย (LINK)
๐ตย Wander: Find your happy place. Cue Happy Gilmore flashback ๐๏ธโณ๐๐๏ธ Mmmm Happy Placeโฆ ๐ So, weโve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, itโs easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway ๐๏ธ๐ย (LINK)
๐ย Digital Ocean: If you build it they will come. Nope, weโre not talking about a baseball field for ghosts โพ๐ป๐ฟ (Great movie, to be fair ๐). This is the Digital Ocean whoโve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website youโll find yourself catching the buzz even if you canโt code (guilty ๐). But if you can and youโre looking for somewhere to test things out or launch something new or simply enhance what youโve got, weโd recommend checking out their services foโ sho ๐ And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! ๐ฟย (LINK)
A critical severity privilege escalation flaw, CVE-2024-21410, poses a significant threat to up to 97,000 Microsoft Exchange servers worldwide. ๐๐ผ
Initially exploited as a zero-day, this vulnerability enables remote unauthenticated actors to execute NTLM relay attacks, potentially granting them elevated privileges on affected systems. ๐ก๏ธ๐
Although Microsoft released a patch on February 13 to address the issue, a substantial number of servers remain vulnerable, with approximately 28,500 confirmed cases. ๐๐
Shadowserver’s threat monitoring service identified Germany, the United States, and the United Kingdom as the most impacted countries, emphasising the global reach of this security concern.
While there’s currently no publicly available exploit for CVE-2024-21410, the potential consequences of exploitation underscore the urgency for system administrators to apply the necessary updates and mitigations. โ ๏ธ๐ป
To safeguard against this threat, organisations are advised to deploy Exchange Server 2019 Cumulative Update 14 (CU14), which includes NTLM credentials Relay Protections. ๐ก๏ธ๐
Furthermore, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has listed CVE-2024-21410 as a ‘Known Exploited Vulnerability,’ urging federal agencies to take action by March 7, 2024. ๐บ๐ธ๐
Failure to address this vulnerability could result in severe consequences, including unauthorised access to confidential data and the potential for further network exploitation. ๐๐
In summary, swift action is essential to mitigate the risk posed by CVE-2024-21410 and protect organisations from potential exploitation. ๐ก๏ธ๐ผ
Itโs a jungle out there, folks! ๐ฆ
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.
Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran ‘Wealthy Primate’ might be able to help you climb that tree ๐๐ด with his stick and banana approach ๐๐
Techspresso:ย Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)
Let us know what you think!
So long and thanks for reading all the phish!