The CyberWire Daily Podcast 12.20.24
Ep 2214 | 12.20.24

Ukraine’s fight to restore critical data.

Transcript

Russian hackers attack Ukraine’s state registers. NotLockBit is a new ransomware strain targeting macOS and Windows. Sophos discloses three critical vulnerabilities in its Firewall product. The BadBox botnet infects over 190,000 Android devices. BeyondTrust patches two critical vulnerabilities. Hackers stole $2.2 billion from cryptocurrency platforms in 2024. Officials dismantle a live sports streaming piracy ring. Rockwell Automation patches critical vulnerabilities in a device used for energy control in industrial systems. A new report from Dragos highlights ransomware groups targeting industrial sectors. A Ukrainian national is sentenced to 60 months in prison for distributing the Raccoon Infostealer malware. We bid a fond farewell to our colleague Rick Howard, who’s retiring after years of inspiring leadership, wisdom, and camaraderie. The LockBit gang tease what’s yet to come.

Today is Friday December 20th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Russian hackers attack Ukraine’s state registers. 

Ukraine has experienced one of the largest cyberattacks on its state registers, suspected to be carried out by Russian hackers linked to GRU, such as the Sandworm group. The attack disrupted access to over 60 state databases containing critical information like biometric data, business records, and property ownership. Ukrainian authorities, including the Ministry of Justice, temporarily suspended access while investigating. Pro-Russian group XakNet claimed responsibility, stating it had stolen and deleted data from the registers, including backups. Officials confirmed backups exist and data will be restored, though the process may take weeks. The attack caused nationwide disruptions, affecting government services, business operations, and e-government apps like Diia. Ukraine views this attack as part of Russia’s broader cyber warfare, potentially prosecuting it as a war crime.

NotLockBit is a new ransomware strain targeting macOS and Windows. 

A new ransomware strain, NotLockBit, poses a significant threat with advanced cross-platform capabilities targeting both macOS and Windows. Written in Go, it employs sophisticated tactics, including targeted file encryption, data exfiltration, and self-deletion mechanisms to complicate recovery. NotLockBit closely mirrors the behavior and tactics of the infamous LockBit ransomware, leveraging similar encryption techniques and extortion strategies while expanding its capabilities to target both macOS and Windows systems.

NotLockBit encrypts sensitive files using AES and RSA protocols and exfiltrates stolen data to attacker-controlled cloud storage for double-extortion purposes. It deletes original files, renames encrypted ones with an .abcd extension, and modifies desktop wallpapers to display ransom notes. On macOS, it uses system commands to enhance its attack.

The ransomware is highly evasive, leveraging obfuscation to bypass detection. Variants suggest tailored attacks or ongoing development. Organizations should adopt proactive defenses, including backups, endpoint protection, and user education, as NotLockBit’s emergence highlights the escalating sophistication of ransomware threats.
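As an added example that is not from the episode or from any vendor's detection content, here is a small Python check over a constructed file-event sample that flags a process renaming many files to the .abcd extension the report attributes to NotLockBit and deleting the originals; the event format, pids and paths are assumptions.

```python
"""Added example: flag a process that mass-renames files to the .abcd
extension within a short window, and confirm the originals were deleted.
Event tuples are constructed: (timestamp_seconds, pid, action, path)."""
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    (1000.0, 4242, "rename", "/Users/alice/Documents/q3.xlsx.abcd"),
    (1000.2, 4242, "delete", "/Users/alice/Documents/q3.xlsx"),
    (1000.5, 4242, "rename", "/Users/alice/Documents/plan.docx.abcd"),
    (1000.7, 4242, "delete", "/Users/alice/Documents/plan.docx"),
    (1001.0, 4242, "rename", "/Users/alice/Pictures/cat.jpg.abcd"),
    (1001.1, 4242, "delete", "/Users/alice/Pictures/cat.jpg"),
    (1001.4, 4242, "rename", "/Users/alice/Desktop/notes.txt.abcd"),
    (1002.0, 4242, "delete", "/Users/alice/Desktop/notes.txt"),
    (1002.3, 4242, "rename", "/Users/alice/Desktop/budget.pdf.abcd"),
    (1002.5, 4242, "delete", "/Users/alice/Desktop/budget.pdf"),
    (1500.0, 777, "rename", "/tmp/build/out.log.abcd"),  # one rename: noise
    (2000.0, 999, "write", "/Users/alice/Pictures/wallpaper.png"),
]

SUSPECT_EXT = ".abcd"
THRESHOLD = 5    # renames to the suspect extension by one process...
WINDOW = 10.0    # ...within this many seconds triggers an alert


def detect_mass_rename(events, threshold=THRESHOLD, window=WINDOW, ext=SUSPECT_EXT):
    """Return {pid: max_count} for processes that renamed >= threshold files
    to ext inside any sliding window of `window` seconds."""
    per_pid = defaultdict(list)
    for ts, pid, action, path in sorted(events):
        if action == "rename" and path.endswith(ext):
            per_pid[pid].append(ts)
    hits = {}
    for pid, stamps in per_pid.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1            # slide the window forward
            count = end - start + 1
            if count >= threshold:
                hits[pid] = max(hits.get(pid, 0), count)
    return hits


def originals_deleted(events, pid, ext=SUSPECT_EXT):
    """Count renamed files whose pre-rename path was also deleted by pid,
    the delete-original pattern described for NotLockBit."""
    renamed = {p[:-len(ext)] for _, q, a, p in events
               if q == pid and a == "rename" and p.endswith(ext)}
    deleted = {p for _, q, a, p in events if q == pid and a == "delete"}
    return len(renamed & deleted)
```

Tune THRESHOLD and WINDOW to the host's normal rename rate; the .abcd extension is only one indicator, so pair it with the wallpaper-change and self-deletion behaviours the report describes.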

Sophos discloses three critical vulnerabilities in its Firewall product. 

Sophos has disclosed three critical vulnerabilities in its Firewall product, allowing potential remote code execution. CVE-2024-12727 involves a pre-authentication SQL injection in the email protection feature, exploitable under specific conditions. CVE-2024-12728 relates to reused SSH passphrases during High Availability setup, risking privileged account exposure. CVE-2024-12729 enables authenticated users to execute arbitrary code via the User Portal. Sophos has issued automatic hotfixes and manual updates, urging organizations to apply them promptly and follow mitigation measures to safeguard their networks.

The BadBox botnet infects over 190,000 Android devices. 

The BadBox botnet has infected over 190,000 Android devices, primarily Yandex 4K QLED smart TVs and Hisense T963 smartphones, according to Bitsight. Originating from a supply chain compromise, BadBox malware comes pre-installed on low-cost devices, including TVs and smartphones, and enables activities like residential proxying, ad fraud, and remote code installation. Daily communication with the botnet involves over 160,000 unique IPs, mostly from Russia, China, and Brazil. Bitsight urges caution in choosing trusted device manufacturers to mitigate these risks.

BeyondTrust patches two critical vulnerabilities. 

BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) solutions have two critical vulnerabilities, CVE-2024-12356 and CVE-2024-12686, posing significant security risks. CVE-2024-12356 (CVSS 9.8) enables unauthenticated command injection, while CVE-2024-12686 allows privilege escalation for attackers with administrative access. Both have been actively exploited, with CVE-2024-12356 now in CISA’s Known Exploited Vulnerabilities (KEV) Catalog. BeyondTrust has released urgent patches and worked with third-party experts to investigate and address the breach. Organizations must remediate immediately to avoid further exploitation.

Hackers stole $2.2 billion from cryptocurrency platforms in 2024. 

Hackers stole $2.2 billion from cryptocurrency platforms in 2024, with 61% of the funds attributed to North Korean attackers, according to Chainalysis. The number of incidents rose from 282 in 2023 to 303 in 2024, a 21% year-on-year increase. Notably, the intensity of attacks dropped after a June summit between Vladimir Putin and Kim Jong-un, reducing North Korean thefts by 54%. However, attacks overall have grown more frequent, with larger exploits above $100 million and smaller hacks around $10,000 increasing. Chainalysis urges rigorous employee vetting, improved key hygiene, and stronger industry-law enforcement collaboration to combat these threats.

Officials dismantle a live sports streaming piracy ring. 

The Alliance for Creativity and Entertainment (ACE) has dismantled one of the largest live sports streaming piracy rings, Markkystreams, based in Vietnam, with over 821 million visits in 2023. Targeting U.S. and Canadian audiences, the operation streamed sports events from major U.S. leagues and global competitions, affecting ACE members like DAZN, beIN Sports, and Canal+. ACE seized 138 domains associated with the ring, issuing a warning to piracy operators worldwide. The takedown highlights the unique threat piracy poses to live sports broadcasts. 

Rockwell Automation patches critical vulnerabilities in a device used for energy control in industrial systems. 

Rockwell Automation has patched critical vulnerabilities in its Allen-Bradley PowerMonitor 1000, a device used for energy control in industrial systems. The flaws, including CVE-2024-12371, CVE-2024-12372, and CVE-2024-12373, allow attackers to take over devices, execute remote code, or launch denial-of-service (DoS) attacks. Exploitation requires no authentication and could disrupt production by halting power monitoring or compromising networks. Firmware version 4.020 addresses these issues. Researchers urge immediate updates to protect internet-exposed devices and prevent industrial system breaches.

A new report from Dragos highlights ransomware groups targeting industrial sectors. 

Dragos’ Q3 2024 Industrial Ransomware Analysis identified 23 ransomware groups targeting industrial sectors, including new and rebranded entities like APT73, linked to LockBit remnants. Key attacks included CDK Global paying $25 million to BlackSuit and Halliburton losing $35 million to RansomHub. Groups increasingly exploit VPN vulnerabilities, bypass MFA, and target virtual environments like VMware ESXi. The use of initial access brokers (IABs) in ransomware-as-a-service (RaaS) models has grown, enabling scalable operations. Tactics such as living-off-the-land, advanced persistence, and custom malware highlight evolving threats.

A Ukrainian national is sentenced to 60 months in prison for distributing the Raccoon Infostealer malware. 

Ukrainian national Mark Sokolovsky was sentenced to 60 months in prison for his role in distributing the Raccoon Infostealer malware. Operating under a malware-as-a-service (MaaS) model, Sokolovsky charged $200 per month in cryptocurrency for access to the malware, enabling threat actors to steal credentials, financial data, and personal information via phishing campaigns. The stolen data fueled financial fraud and was sold on cybercrime forums. After dismantling Raccoon’s infrastructure in 2022, the FBI recovered over 50 million stolen credentials. Sokolovsky will also pay $910,000 in restitution.

Elsewhere, Romanian national Daniel Christian Hulea, 30, was sentenced to 20 years in prison for his role in NetWalker ransomware attacks, targeting healthcare, education, law enforcement, and government sectors. Operating under a ransomware-as-a-service (RaaS) model, Hulea extorted victims during the COVID-19 pandemic, collecting $21.5 million in Bitcoin and using proceeds for luxury investments. U.S. and Romanian authorities collaborated to arrest and extradite Hulea in 2023. The case underscores the commitment to combating ransomware, with the DOJ emphasizing the need for strong cybersecurity defenses.

We’ve got a special segment in our guest slot today. Break out your tissues as we share a fond farewell to N2K’s CSO and our CSO Perspectives host, Rick Howard, by our team. And, there are always a lot of product line announcements at this time of year, so why not one from LockBit? We’ll be right back.

Welcome back.

The LockBit gang tease what’s yet to come. 

And finally, after a rough year of takedowns and turmoil, the LockBit ransomware gang seems to be revving its engines for a big comeback with LockBit 4.0. Announced by the group’s spokesperson, LockBitSupp, the new version promises wannabe cybercriminals a “pentester billionaire journey” complete with Lamborghinis and, well, “...girls.” The gang is clearly aiming to recapture its former glory after Operation Cronos in February 2024 dismantled much of their infrastructure and exposed 7,000 decryption keys.

LockBit has a notorious past, evolving through various versions since 2019, including Linux-targeting LockBit Linux and the not-so-new LockBit Green. But even with leaks and arrests—like Israeli developer Rostislav Panev, who allegedly pocketed $230K—the group remains persistent. While LockBit 4.0 is set to debut in February 2025, researchers are already dissecting samples. Whether this relaunch makes LockBit a cybercriminal kingpin again or just a flash in the pan remains to be seen. Either way, buckle up!

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


Well folks, it’s that time of year. The N2K CyberWire team is getting ready to settle into our long winter’s nap. We will be taking a publishing break starting on Tuesday, December 24th through Wednesday, January 1st. Fret not, while we are out, we’ve got some fun surprises planned for you in your podcast feeds. If you’ve got some downtime or want to pop those airpods in and not engage in any more family togetherness, head over to your favorite podcast app and check out our goodies. We will emerge from our nap on January 2nd! See you then. 


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.