The CyberWire Daily Podcast 2.20.24
Ep 2007 | 2.20.24

The reign of digital terror ends.


Operation Cronos leaves LockBit operations on borrowed time. An alleged leak reveals internal operations from the Chinese Ministry of Public Security. An Israeli airline thwarts communications hijacking attempts. The alleged Raccoon Infostealer operator has been extradited to the US. ConnectWise patches critical vulnerabilities. Schneider Electric confirms a Cactus ransomware attack. Alleged Maryland money launderers face indictments. Russian hackers target media outlets in Ukraine. Our guest is Tomislav Pericin, Chief Software Architect at ReversingLabs, on the rise of software supply chain attacks. And Tinder hopes to reel in the catfish.

Today is February 20th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Operation Cronos leaves LockBit operations on borrowed time.

For the past four years, LockBit has been a scourge on the digital landscape, wreaking havoc across businesses, schools, medical facilities, and governments globally. Employing its ransomware-as-a-service model, LockBit has orchestrated a relentless campaign, infiltrating thousands of organizations and amassing substantial profits in the process. From a children's hospital to aviation giant Boeing, the UK's Royal Mail, and even the popular sandwich chain Subway, LockBit's victims have spanned industries and continents.

But the tide has turned for LockBit, as a sweeping law enforcement operation, codenamed Operation Cronos, has brought the group's nefarious activities to a screeching halt. Spearheaded by the UK's National Crime Agency (NCA) and supported by a coalition of international investigators, Operation Cronos has dealt a crippling blow to LockBit's infrastructure, effectively dismantling its operations from the inside out.

Graeme Biggar, director general of the NCA, declared LockBit "effectively redundant" following the operation's success. Operation Cronos achieved unprecedented access, seizing control of LockBit's systems, domains, and servers. Moreover, the operation obtained crucial details about the group's members and affiliates, striking at the heart of LockBit's operations.

It is hard to overstate the significance of Operation Cronos. LockBit is responsible for a quarter of all ransomware attacks in the past year, and has inflicted billions in losses upon its victims. This operation marks one of the most substantial blows against a cybercrime group to date, signaling a concerted effort by law enforcement to combat the growing threat of ransomware.

In addition to technical disruptions, Operation Cronos has led to arrests in multiple countries and sanctions against alleged members of LockBit, further dismantling the group's network. The global reach of LockBit underscores the collaborative nature of the operation, with law enforcement agencies coordinating efforts across borders to bring the perpetrators to justice.

Despite the success of Operation Cronos, the threat of ransomware looms large, with payments reaching record highs. Moreover, the possibility of LockBit's resurgence under a different guise remains a concern. However, the operation sends a clear message to cybercriminals: law enforcement will not tolerate their malicious activities, and perpetrators will be held accountable for their actions.

The takedown of LockBit represents a significant milestone in the ongoing battle against cybercrime. While challenges persist, Operation Cronos demonstrates the effectiveness of international cooperation and the determination of law enforcement to safeguard the digital ecosystem from malicious actors.

An alleged leak reveals internal operations from the Chinese Ministry of Public Security.

We are monitoring early reports of a significant data breach from the Chinese Ministry of Public Security that has been discovered on GitHub. The breach, attributed to a contractor known as iSoon, includes sensitive information that could potentially impact espionage operations. Leaked data involves spyware, espionage operation details, and mentions of a "Twitter Monitoring Platform." While the documents are unverified, they raise questions about China’s MPS security protocols. The leak's contents range from complaints and financial issues to overseas infiltration discussions. This is a developing story, so stay tuned for more details as they develop.

An Israeli airline thwarts communications hijacking attempts. 

Two El Al flights from Thailand to Israel faced attempted communications hijackings over the Middle East, with no group claiming responsibility. Suspicions point to Iranian-backed Houthis or a group from Somaliland. Pilots noticed the irregularities and maintained their course, following protocol to thwart the threats. El Al emphasized pilots' training to handle such situations and assured the public of flight safety. The incident underscores the importance of cybersecurity in aviation, with the EU updating regulations to enforce industry-wide security standards.

The alleged Raccoon Infostealer operator has been extradited to the US. 

Mark Sokolovsky, a Ukrainian national, has been extradited to the US from the Netherlands, facing charges related to fraud, money laundering, and identity theft. He's accused of operating the Raccoon Infostealer, a malware-as-a-service, allowing criminals to steal data from victim computers. Sokolovsky faces multiple charges and a potential maximum sentence of 20 years if convicted. Raccoon Infostealer targets credit card data, passwords, and cryptocurrency wallets, with over 50 million credentials stolen globally. The FBI urges potential victims to check their status on and report any harm caused by the malware to the FBI’s Crime Complaint Center.

ConnectWise patches critical vulnerabilities. 

ConnectWise has addressed two critical vulnerabilities in their ScreenConnect remote desktop software, which could lead to remote code execution or data compromise. While there's no evidence of exploitation, immediate action is urged. ScreenConnect is used by managed service providers and businesses for tech support, but also has been exploited by scammers and ransomware groups. The vulnerabilities involve authentication bypass and path traversal. ConnectWise advises self-hosted or on-premise users to update promptly.

Schneider Electric confirms a Cactus ransomware attack. 

Schneider Electric confirms a ransomware attack by the Cactus group on January 17, impacting its Sustainability Business division, including the Resource Advisor system. The attack compromised 1.5TB of data, which the Cactus group threatens to publish if a ransom isn't paid. Schneider Electric says they are working to contain the incident and inform affected customers. The Sustainability Business unit is autonomously managed, and no other parts of Schneider Electric are affected. The Cactus group, active since March 2023, employs a ransomware-as-a-service model and has targeted over 100 victims, exploiting VPN appliances to gain access.

Alleged Maryland money launderers face indictments. 

Three indictments unveiled in Maryland reveal a complex network of shell companies used to launder over $9.5 million from fifteen Business Email Compromise (BEC) cases nationwide. The victims range from environmental trusts to K-12 school districts and private colleges. The alleged perpetrators operated shell companies that lacked legitimate operations or significant employees, using various bank accounts for money laundering. Multiple federal agencies collaborated on the investigation, including DHS, the EPA, IRS, and DCIS. The whereabouts of the laundered funds remain a key question. Several defendants have been arrested, while others are fugitives.

Russian hackers target media outlets in Ukraine. 

Russian hackers targeted several prominent Ukrainian media outlets over the weekend, spreading fake news about Russia destroying a unit of Ukrainian special forces in Avdiivka. The fake news was swiftly removed, but it still circulated on social media. Ukraine's state cybersecurity agency attributed the attack to a Russian threat actor, part of Russia's "information warfare" against Ukraine. These kinds of attacks are common, aiming to spread disinformation. Notorious groups like Sandworm have targeted Ukrainian media before, and these attacks intensified during Russia's invasion in 2022. The goal is to destabilize Ukraine, spread propaganda, and undermine trust in authorities.

Our guest Tomislav Pericin, ReversingLabs Chief Software Architect, is next. He talks about the rise of software supply chain attacks.


Tinder hopes to reel in the catfish.

And finally, our lonely hearts club desk tells us that Tinder is introducing advanced ID verification in the US, UK, Brazil, and Mexico to combat catfishing. Users must upload a video selfie and a valid driver’s license or passport. Previously, only photos or video selfies were required for verification. Tinder will cross-check uploaded IDs with selfies and profile photos, verifying age from the ID. Users reluctant to upload IDs can still verify with a selfie but get a camera icon, not a coveted checkmark. The system was tested in New Zealand and Australia and will roll out to the UK and Brazil in spring and the US and Mexico in summer. 

So, Tinder hopes to cut down on catfishing. Our guess is there will still be plenty of fishing for compliments. Hopefully the dating pool just got a whole lot clearer – no more 'casting' doubts on your matches.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.