REvil's disappearance early yesterday morning from its usual online haunts (including its Happy Blog leak site) remains unexplained. The New York Times and others note that the vanishing followed a US request that Russia do something about ransomware gangs operating from its territory, but it's unclear what connection, if any, the disappearance had with the American démarche. The Washington Post summarizes three likely alternative explanations:
- "The Kremlin bent under U.S. pressure and forced REvil to close up shop."
- "U.S. officials tired of waiting for Kremlin cooperation and launched a cyber operation that took REvil offline."
- "REvil’s operators were feeling the heat and decided to lay low for a while."
REvil's operators may simply be rebranding, as they are generally believed to have done in 2019, when REvil appeared around the time GandCrab announced that it was disbanding.
Imperva reports that the Euro 2020 tournament (played in 2021, and concluded on the 11th when Italy took the cup home) was accompanied by a flood of bot traffic across European sports and gambling sites.
SolarWinds yesterday patched a remote code execution vulnerability (CVE-2021-35211) in its Serv-U file transfer products that Microsoft discovered being exploited in the wild. BleepingComputer reports that groups based in China were using the vulnerability to prospect US defense contractors and software companies. Update: BleepingComputer has clarified its story to note that the threat group has in the past been associated with operations against the US Defense Industrial Base. It's unclear what the current incident's victimology has been.
Yesterday was Patch Tuesday. Microsoft's fixes included patches for three zero-days exploited in the wild: two Windows kernel elevation-of-privilege issues (CVE-2021-31979 and CVE-2021-33771) and one scripting engine memory corruption flaw (CVE-2021-34448). CISA released advisories on twenty-one industrial control system products. A CISA emergency directive (ED 21-04) also required Federal agencies to apply mitigations for the Windows Print Spooler vulnerabilities.