Feb 21 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that wants to honour those on the frontlines of the cyberwar who are forever patching and updating. They’ve taken a leaf out of the UK’s nuclear program: if at first you don’t succeed, Tri, Tri, again ????????????
Today’s hottest cybersecurity news stories:
???? Rule Britannia! UK’s FBI (NSA) throws a spanner in Lockbit’s works ????
⛏️ Mine how you go! Migo malware targets Redis servers for crypto mining
???? More than 28,500 Exchange servers vulnerable to actively exploited bug
giphy.com
The UK has spearheaded an operation targeting Lockbit, believed to be the world’s largest criminal ransomware group. Led by the National Crime Agency (NCA), the operation marks a significant disruption to the cybercriminal landscape. ????????????
Lockbit, suspected to operate out of Russia, is notorious for its ransomware activities, offering services to other criminal entities. The NCA successfully infiltrated Lockbit’s systems, seizing crucial data and taking control of the group’s operations. ????️♂️????️
The impact of the operation is profound, with law enforcement agencies from around the world, including the FBI and Europol, joining forces to combat this cyber threat. This coordinated effort signals a new era in combating cybercrime, with the UK taking a leading role. ????????
Lockbit’s modus operandi involves hacking into the systems of companies and organisations, encrypting data, and demanding ransom payments. The group’s targets include high-profile entities such as Royal Mail, Industrial & Commercial Bank of China (ICBC), and suppliers to the NHS. ????????
The operation, which had been underway covertly, culminated in a public phase, where law enforcement agencies took control of Lockbit’s dark web site. Instead of criminal activities, visitors were greeted with messages indicating law enforcement control and collaboration. ????????
The disruption not only impacts Lockbit’s operations but also exposes the inner workings of the group. Law enforcement agencies obtained critical data, shedding light on the true scale of Lockbit’s activities. ????????
Lockbit operates by providing criminal services to affiliates, offering hacking tools and guidance. However, following the operation, affiliates attempting to access Lockbit’s site were met with warnings that their details were now in the hands of law enforcement. ????????
The operation aims not only to disrupt Lockbit’s activities but also to undermine its credibility and reputation. By exposing the group’s operations and targeting its affiliates, law enforcement hopes to deter future criminal collaboration. ????️❌
While Lockbit’s operators remain beyond the reach of law enforcement, this operation represents a significant step forward in combating cyber threats and safeguarding digital ecosystems. The collaborative effort sends a clear message: cybercrime will not go unchecked. ????????
Signup for Free
Learn AI in 5 minutes a day. We’ll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.
A fresh malware campaign has surfaced, taking aim at Redis servers to kickstart cryptocurrency mining on compromised Linux systems.
Dubbed Migo, this Golang ELF binary boasts compile-time obfuscation and persistence capabilities, making it a formidable threat to Linux hosts.
Cado security researcher Matt Muir shed light on the campaign, highlighting the attackers’ use of innovative tactics to weaken system defences and exploit Redis vulnerabilities. ????️♂️????
The attack begins with a series of commands aimed at disabling key Redis configuration options, paving the way for subsequent exploitation without raising suspicion. ????️????
Once inside, threat actors set up Redis keys to establish persistence and fetch the primary payload from Transfer.sh, a file transfer service. This method, previously spotted in early 2023, remains a favoured technique among cybercriminals. ????????
Migo, the core malware, then springs into action, downloading an XMRig installer from GitHub and executing steps to maintain persistence, terminate rival miners, and launch the cryptocurrency mining operation. ????⛏️
To evade detection, Migo takes measures to disable SELinux, hide processes, and eliminate monitoring agents. These tactics bear resemblance to those employed by notorious cryptojacking groups such as TeamTNT and Rocke. ????️????
Migo’s recursive scanning of system files under /etc presents a unique challenge for analysis, potentially aimed at confusing sandbox environments or tailoring attacks to specific targets. ????????
In essence, Migo underscores the evolving sophistication of cloud-focused attackers, highlighting the need for robust security measures to protect web-facing services. ????????
???? The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can’t get fooled again.” Good ol’ George Dubya ???? Let us tell who’s not fooling around though; that’s the Crüe ???? at Motley Fool. You’d be a fool (alright, enough already! ????) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! ???? Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets ???? (LINK)
???? Wander: Find your happy place. Cue Happy Gilmore flashback ????️⛳????????️ Mmmm Happy Place… ???? So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway ????️???? (LINK)
???? Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts ⚾???????? (Great movie, to be fair ????). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty ????). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho ???? And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! ???? (LINK)
A critical severity privilege escalation flaw, CVE-2024-21410, poses a significant threat to up to 97,000 Microsoft Exchange servers worldwide. ????????
Initially exploited as a zero-day, this vulnerability enables remote unauthenticated actors to execute NTLM relay attacks, potentially granting them elevated privileges on affected systems. ????️????
Although Microsoft released a patch on February 13 to address the issue, a substantial number of servers remain vulnerable, with approximately 28,500 confirmed cases. ????????
Shadowserver’s threat monitoring service identified Germany, the United States, and the United Kingdom as the most impacted countries, emphasising the global reach of this security concern.
While there’s currently no publicly available exploit for CVE-2024-21410, the potential consequences of exploitation underscore the urgency for system administrators to apply the necessary updates and mitigations. ⚠️????
To safeguard against this threat, organisations are advised to deploy Exchange Server 2019 Cumulative Update 14 (CU14), which includes NTLM credentials Relay Protections. ????️????
Furthermore, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has listed CVE-2024-21410 as a ‘Known Exploited Vulnerability,’ urging federal agencies to take action by March 7, 2024. ????????????
Failure to address this vulnerability could result in severe consequences, including unauthorised access to confidential data and the potential for further network exploitation. ????????
In summary, swift action is essential to mitigate the risk posed by CVE-2024-21410 and protect organisations from potential exploitation. ????️????
It’s a jungle out there, folks! ????
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.
Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran ‘Wealthy Primate’ might be able to help you climb that tree ???????? with his stick and banana approach ????????
Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)
Let us know what you think!
So long and thanks for reading all the phish!
