
An odd kind of cybercrime: Gift vouchers, medical records, and…food

Someone with a gift for technology but a nasty habit of using it for very bad things has been spared from going to jail with a suspended sentence. Peter Foy, 18 at the time of his antics, racked up a remarkable, and slightly peculiar, list of compromises before being brought before the court.

A strange combination

According to Brighton and Hove news, his spree began in 2019 with the initial purchase of a laptop from Amazon, bought with “fake Honey gift vouchers”. I would love to know more about how this initial foray into system compromise worked, as one would imagine purchasing anything with fake vouchers would be a bit of a tall order. Nevertheless, he did it, and from here a somewhat short life of crime beckoned.

From the South East Regional Organised Crime Unit:

The court heard that on 13 October, 2019, Foy committed fraud in that he made a false representation to Amazon—that he was entitled to use gift vouchers to buy an Acer laptop. It was using this laptop that Foy committed further offences.

From this report it’s hard to tell whether the vouchers were forged or simply obtained without permission. His modus operandi was a combination of breaking into networks run by food retailers and breaking into networks holding confidential patient records. That’s quite a peculiar mixture.

On the one hand, he was “arranging food deliveries” at a cost of thousands to the affected businesses. On the other, he was accessing patient records held by a third-party company providing services to the National Health Service. As the release notes, this took place during the COVID-19 pandemic, when the last thing anyone needed was someone breaking health record services. Food delivery services also played an important role during lockdown, so any disruption there would have hit those most at risk hardest. A strange combination, then, but not a pleasant one.

Not quite Robin Hood

Eventually, he was grabbed by the long arm of the law. None of the available information explains how this happened, but it’s likely that a trail was left across the compromised businesses. Even a pro can slip up! One last roll of the dice for the defendant remained in the form of claiming that he was notifying and helping the organisations he compromised.

However, he “demanded financial rewards” from the victims, which isn’t how legitimate help works. If this was his version of a bug bounty program, it isn’t a very good one.

The attempt to downplay the crimes didn’t impress the judge much, and he was sentenced to 18 months’ custody, suspended for two years. In addition to this, he’ll also have to perform 300 hours of unpaid work. There’s no word if any sort of ban from using digital technology is included in any of this.

A hopefully short-lived impact

The details released on this set of attacks are unfortunately sparse, and perhaps not as specific as you’d expect. Detective Inspector Rob Bryant had this to say:

This case also serves as a timely reminder to anyone using their financial details online to check the security of the data. Foy was able to gain access to many victims’ accounts as they often used the same passwords across more than one account.

The Detective Inspector also went on to suggest making use of two-factor authentication (2FA), which is great advice.

If you’re notified in the near future that you’ve been impacted, or indeed have been contacted already, here’s what you can do:

  • Take the advice on 2FA. Options include SMS codes, an authenticator app, or a physical hardware key. SMS is the weakest of the three (codes can be intercepted or captured through SIM swapping), an app is better, and a FIDO2 hardware key is the best option because it is phishing-resistant: the key only signs for the site it was registered with, so a look-alike site gets nothing useful.
  • Grab yourself a password manager. It will generate and remember a unique strong password for every site, which removes the reuse problem the Detective Inspector describes, and most will only autofill a password on the domain it was saved for, which is a useful tell when a phishing page asks for it.
  • The various attacks outlined above likely resulted in the attacker seeing personal data he shouldn’t. This could put those people at an increased risk of social engineering or identity theft.

Looking for student debt relief? Watch out for scammers says the FBI

The FBI believes that scammers may be after people applying for the One-Time Federal Student Loan Debt Relief, a program announced by the Biden-Harris Administration in August 2022 that provides up to $20,000 in student loan debt relief. In a recent public service announcement, the agency warned of fraudulent websites, emails, texts, or phone scams aiming to defraud applicants.

Debt relief is open to people with an income of less than $125,000. Qualified Pell Grant recipients can get up to $20,000, while non-recipients can get up to $10,000.

That’s huge money, so scammers are likely to be paying attention. The FBI wants people to be on their guard for scammers pretending to be working on behalf of the program:

Cybercriminals and fraudsters may purport to offer entrance into the Federal Student Loan Forgiveness program, contacting potential victims via phone, email, mail, text, websites, or other online chat services

It warns that fraudsters may attempt to charge users for services that are free (entrance into the student loan relief program is free and never requires payment), or use the program as an excuse for collecting personal information from victims.

Keeping away from scammers

Here are some to-dos to remain vigilant against scammers who are after student loan relief applicants:

  • Only use official US government websites.
  • Remember that the US government doesn’t charge processing fees.
  • Use your common sense: Think twice before clicking links in emails, downloading attachments, or entering data into websites.
  • Be wary of emails, texts, or phone calls from individuals claiming to be from the government and offering assistance on how to qualify or apply for student loan relief.
  • When you have questions about loan repayments, talk directly with the financial institution or company providing the loan.

If you think you’ve been defrauded, file a report with the FBI’s Internet Crime Complaint Center (IC3), the Department of Education, and the Consumer Financial Protection Bureau (CFPB); call your financial institution to stop or reverse the transaction; and monitor your accounts and credit reports for fraud activity.

Stay safe!

Former cop abused unrevoked system access to extort women

When Bryan Wilson, a former Louisville Metropolitan Police Department (LMPD) officer in Kentucky, pleaded guilty to cyberstalking charges in June, details of his crime weren’t revealed. Now they have.

A new court document discloses facts about how he stole sexually explicit photos and videos from private Snapchat accounts, and what he did with them.

Wilson used his privileged access to Accurint, a commercial data-aggregation tool that police use to look up personal records, to retrieve information about his potential targets. He then shared this information with a criminal hacker, who broke into the women’s accounts to get their nude photos and videos. Once he had the explicit material, he used it to run a sextortion scheme against its owners.

The FBI defines sextortion as “a serious crime that occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money”.

An example of how Wilson did this is provided by the court document:

Wilson: I’m curious which picture you’d prefer me to use as the focal point of a collage im making…

Victim: Who is this?

Wilson: You cool with me posting em? Im telling you, everyone will LOVE them!

Victim: How did you get these

Wilson: …I had planned to send your pictures to your parents, brother, grandparents, sisters, friends, facebook, pornhub, employer, etc but I would gladly keep all of this between you and I (and tell you who sent them to me) if you promise to leave me out of the drama and show me a few more pics that way we can both benefit…

The document doesn’t reveal if any of Wilson’s victims complied, but it said he posted the explicit content online and bragged about his exploits. In one case, Wilson sent a victim’s photos to her employer, which almost resulted in her termination.

Furthermore, Wilson conspired with others to engage in cyberstalking and extorting young women online. They would give Wilson a target by reaching out to him via his Kik account. Once he had successfully hacked the victim’s account, Wilson shared the stolen media with them.

“Wilson caused his victims untold psychological trauma, not only by extorting them and publishing their explicit photographs and videos online, but also by demeaning and insulting them during his text exchanges, calling them sluts, whores, and bitches,” the document states.

What the court document doesn’t mention, but the Courier Journal reported, is that Wilson was no longer an LMPD officer when he stalked and extorted his victims. He resigned in July 2020, yet his Accurint access was not disabled until sometime in October 2020, when his crime spree officially ended. In other words, a departed employee kept a privileged account for roughly three months because nobody revoked it when he left.

“Upon discovering this, LMPD immediately disabled the Accurint access,” a statement from the department said. “A review was performed, and procedures have been put in place to ensure all access is suspended once a member separates from LMPD.”
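The failure the department describes is a gap between HR’s record of who has left and the application’s record of who can still log in. A reconciliation like the one below closes that gap by running on a schedule and comparing the two. It is an added illustration, not anything LMPD or the Accurint vendor runs; the roster, the access list, the user names and the dates are all constructed. In practice the roster comes from the HR system and the access list from the application’s user export or its SSO/SCIM directory, and the same logic applies to every system that holds sensitive data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (illustrative names and dates, not real records).
# Roster: what HR says about each person. Access list: what the application says.
HR_ROSTER = [
    {"user": "jdoe",    "status": "active",    "separated": None},
    {"user": "bwilson", "status": "separated", "separated": date(2020, 7, 15)},
    {"user": "asmith",  "status": "separated", "separated": date(2020, 9, 1)},
]

APP_ACCESS = [
    {"user": "jdoe",    "enabled": True,  "last_login": date(2020, 10, 20)},
    {"user": "bwilson", "enabled": True,  "last_login": date(2020, 10, 2)},   # left in July, still logging in
    {"user": "asmith",  "enabled": False, "last_login": date(2020, 8, 30)},   # correctly disabled
    {"user": "ghost",   "enabled": True,  "last_login": date(2020, 10, 1)},   # HR has no record of this account
]


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str   # "separated_still_enabled", "used_after_separation" or "orphan"
    days: int   # exposure window in days (0 for orphans, whose start date is unknown)


def reconcile(roster, access, as_of):
    """Compare an application's access list against the HR roster as of a given date.

    One finding per problem:
      - separated_still_enabled: HR says the person left, the app still allows login
      - used_after_separation:   the account was actually used after the leaving date
      - orphan:                  an enabled account HR has no record of at all
    """
    by_user = {row["user"]: row for row in roster}
    findings = []
    for acct in access:
        hr = by_user.get(acct["user"])
        if hr is None:
            if acct["enabled"]:
                findings.append(Finding(acct["user"], "orphan", 0))
            continue
        if hr["status"] != "separated":
            continue
        left = hr["separated"]
        if acct["enabled"]:
            findings.append(Finding(acct["user"], "separated_still_enabled", (as_of - left).days))
        if acct["last_login"] is not None and acct["last_login"] > left:
            findings.append(Finding(acct["user"], "used_after_separation", (acct["last_login"] - left).days))
    return findings


def accounts_to_disable(findings):
    """Distinct user names that should be disabled now, whatever the reason they were flagged."""
    return sorted({f.user for f in findings if f.kind in ("separated_still_enabled", "orphan")})


def run_sample():
    """Run the reconciliation over the constructed data as of 15 October 2020."""
    return reconcile(HR_ROSTER, APP_ACCESS, as_of=date(2020, 10, 15))


if __name__ == "__main__":
    findings = run_sample()
    for f in findings:
        print(f"{f.user:10} {f.kind:26} {f.days:4d} days")
    print("disable now:", accounts_to_disable(findings))
```

The "used_after_separation" finding is the one that matters for incident response: it tells you the gap was not just theoretical but was exercised, and by how much, so you know which access logs to pull. Feeding `accounts_to_disable` straight into the application’s disable API turns the report into the automated control the department says it has since added.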

Wilson faces a maximum penalty of 15 years in prison. This includes the sentence for a separate case wherein he violated the civil rights of Louisville pedestrians by throwing beverages at them while in uniform.

Gas, a positive social network for teens (no, really)

A new social network is currently in the news, billed as a positive space for teens to enjoy themselves. I’m all for positive spaces online, but what is it, and will teens really be happier there than (say) Instagram, or even just hanging out in WhatsApp groups?

Pump the gas

Launched in August of this year, Gas is an iPhone app aimed at teens. When you sign up, you use location services to allow the app to figure out which schools are nearby. During sign-up you add friends, and according to this review, it requests access to your contacts.

Once all of this is done, it allows users to share polls (with four options for each, based on what I’ve seen so far) and these happy, friendly polls let you “see who secretly likes you”, or feel a dopamine rush as you find out you’re most likely to do a really cool thing at band practice.

That seems to pretty much be it. The Gas app team refer to it as “The only wholesome place left on the internet” on their TikTok profile. In fact, with the app being so region restricted, this is one of the first times I’ve had to figure out what something actually does by trawling through TikToks.

How restricted? We’re not talking about countries. We’re talking about individual states in the US, with Michigan being the initial launchpad, with several more added since.

A little too exclusive

This is the very definition of a super exclusive Internet club, but often to the app’s detriment if you’re trying to find out what it does and does not do. For example, I had to find out about location tracking and messaging policies through a TikTok video.

For reference, the TikTok clip states that messaging is not allowed; all that you can do is “answer polls about friends”. It also says that Gas “only uses your rough location to join a school and never saves it”. Even so, it’s not unreasonable to think that even if rough locations are never saved, having a user associated with a physical object (the school) means an association to location as far as the users are concerned, even if the app has no interest in such things. Generally speaking, school buildings don’t move around very much!

On the flip side, this is very unlikely to cause an issue given how limited the app is in terms of functionality. There isn’t much scope for social engineering when there’s no messaging allowed and only polls to click on.

A neutered net?

There don’t appear to have been any major complaints in relation to the app so far, and as far as we can tell, users’ experiences have been consistent with the developers’ claims. Even so, there are still a lot of unknowns here. Are you able to create custom polls, or is everything done via pre-selected polls which you can lightly customise? We don’t know, and poll creation isn’t touched on in the news.

Is there a possibility of Fear of Missing Out (FOMO) if children aren’t selected in polls? Perhaps, but as the developers mention, children who haven’t been picked “recently” will find themselves automatically dropped into other polls more frequently to give them a chance. How online can we consider these teens to be if their only route for interaction with other people is clicking one of four options in a poll? And how online will they feel, if their peers are using Instagram, SnapChat, WhatsApp, and TikTok?

Perhaps they’ll grow bored of Gas, or use it alongside their usual haunts. There isn’t enough data available yet, so we’re just going to have to see where it goes. Cyberbullying is an awful thing to have happen to your child, and the increasingly long list of things you need to do in these situations is always a cause for concern.

If the app is doing what it claims and kids are getting a positive buzz from interactions from a fairly closed circle, who am I to argue?

Third-party application patching: Everything you need to know for your business

Patch management that is consistent and efficient has never been more critical in keeping your security infrastructure up to date and secure. Although today’s endpoint management solutions include patch management functionalities, third-party patching is an area that shouldn’t be forgotten.

In this post, we will cover the importance of third-party application patching and the challenges it can address for your organization.

What is a third-party application?

A third-party application is software produced by a vendor other than the maker of the operating system or device it runs on. Common examples include Google Chrome, Adobe Acrobat Reader, TeamViewer, and others.

What is third-party patching and why is it important?

Third-party patching involves applying patch updates to third-party applications that have been installed on your business endpoints, which includes desktops, laptops, servers, and other devices. Third-party patch management patches vulnerabilities that, if exploited, can jeopardize the security and functionality of software. Vulnerabilities expose your company’s attack surfaces to malicious actors looking for opportunities to access your network.

So, why is patching third-party applications important to your business?

Patching software vulnerabilities is a key part of preventing future cyberattacks on your organization. Unpatched vulnerabilities in your business’s third-party apps open the floodgates for attackers.

These malicious adversaries spread in your systems through techniques such as privilege escalation and lateral movement, seeking out sensitive information and valuable data. Patching third-party vulnerabilities reduces the likelihood of an attack while also fixing the bugs to improve software functionality. Another reason your organization should consider third-party patching is that it can help your business satisfy necessary compliance regulations.

The risks to your business when neglecting to patch third-party applications

In 2021, 93% of companies experienced a cybersecurity breach of some kind due to third-party vendors or supply chain weakness. With the average cost of a data breach in the US at an astounding $9.4 million, the repercussions of an incident caused by unpatched vulnerabilities are severe. Consequently, an attack of such magnitude disrupts daily workflows and productivity, and in some cases causes reputational harm. Neglecting to patch third-party apps is a risk your company can’t afford.

When security teams choose not to consistently patch endpoints, your risk of exposure to potential cyberattacks increases. In 2021 for instance, Log4Shell, a software vulnerability in Apache Log4j 2, took the world by storm. For more information on Log4Shell, read the Malwarebytes blog post – What SMBs can do to protect against Log4Shell attacks.

What can businesses learn from vulnerabilities like Log4Shell? The third-party application patch management process is essential. Not every third-party vendor follows a fixed release cadence; many publish a fix whenever a vulnerability is reported, and Log4j itself went through several successive fixes within days, so your process needs to notice new releases as they appear rather than wait for a calendar date. Read our article on Security vulnerabilities: 5 times businesses (and governments) got hacked for more information on how hackers exploited vulnerabilities like Log4Shell to attack organizations.

It’s challenging for organizations to keep up with all the software updates and available patches for third-party apps. More companies rely on third-party applications for their day-to-day business operations. Adhering to patch management best practices can help alleviate your security team’s load and enhance your organization’s cyber prevention.

What is automated third-party patching?

Automated patch management allows businesses to automatically scan endpoint devices for patches that are needed and automate the distribution of patches. In some situations, automated patching allows businesses to flexibly schedule patching deployments so that the third-party patching process doesn’t interrupt daily workflows. This automation eliminates the grunt work of manual patching where system admins would otherwise spend hours applying software patches themselves.
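Here is what the “scan for needed patches” step looks like when reduced to its core: an inventory of what is installed, compared against a baseline of minimum fixed versions. This is an added example, not code from Malwarebytes or from any patch management product; the inventory, the host names, the AcmeViewer product and the baseline versions are constructed, and in a real deployment the baseline would be fed from vendor advisories. The part worth looking at is the version comparison, which is where hand-rolled checks go wrong: “10.9” sorts after “10.10” as text, “2.17” should equal “2.17.0”, and a release candidate must not satisfy a baseline set at the final release.

```python
import re

# Constructed inventory and baseline (illustrative hosts, products and versions).
# In practice the inventory comes from the endpoint agent, the baseline from vendor advisories.
INVENTORY = [
    {"host": "ws-01",  "product": "log4j-core",    "version": "2.14.1"},
    {"host": "ws-01",  "product": "Google Chrome", "version": "107.0.5304.88"},
    {"host": "ws-02",  "product": "AcmeViewer",    "version": "10.9"},        # hypothetical product
    {"host": "ws-02",  "product": "log4j-core",    "version": "2.17.1-rc1"},  # pre-release, not the fix
    {"host": "srv-03", "product": "log4j-core",    "version": "2.17.1"},
]

BASELINE = {  # product -> (minimum acceptable version, severity of being below it)
    "log4j-core":    ("2.17.1", "critical"),
    "Google Chrome": ("107.0.5304.88", "high"),
    "AcmeViewer":    ("10.10", "medium"),
}

_VERSION = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*)$")


def version_key(text):
    """Turn '10.10.2' into ((10, 10, 2), 1).

    The trailing 1 means 'final release'; a pre-release suffix such as '-rc1' or
    '-beta' yields 0 so that it sorts below the bare release number.
    """
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    suffix = m.group(2).strip(" -_.")
    return numbers, (0 if suffix else 1)


def is_outdated(installed, minimum):
    """True when installed < minimum, comparing numerically segment by segment.

    A naive string comparison gets '10.9' vs '10.10' backwards; this does not.
    """
    a, a_final = version_key(installed)
    b, b_final = version_key(minimum)
    width = max(len(a), len(b))          # pad so that '2.17' == '2.17.0'
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return (a, a_final) < (b, b_final)


def missing_patches(inventory, baseline):
    """Return one finding per installed component below its baseline, worst severity first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for item in inventory:
        if item["product"] not in baseline:
            continue                     # no baseline for this product: nothing to compare against
        minimum, severity = baseline[item["product"]]
        if is_outdated(item["version"], minimum):
            findings.append({**item, "required": minimum, "severity": severity})
    return sorted(findings, key=lambda f: (rank[f["severity"]], f["host"]))


if __name__ == "__main__":
    for f in missing_patches(INVENTORY, BASELINE):
        print(f"{f['severity']:8} {f['host']:7} {f['product']:14} {f['version']:13} -> {f['required']}")
```

Products with no baseline entry are skipped rather than reported as compliant, which is the honest answer: a scanner can only vouch for software it has an advisory for, which is the “limited to its pre-programmed policies” caveat made concrete.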

What are the drawbacks of automated patch management software?

Automated patch management can help minimize manual workloads and improve your company’s security posture. But it should be noted that automating the patch management process comes with increased operational risk depending on the situation.

Depending on your security infrastructure, introducing automated patch management into an environment that relies heavily on manual deployment and configuration may not be the best option. An estate that is heavy on legacy applications is a poor fit for fully automated patching, especially for business-critical applications where even a minute of downtime is costly. In those cases, stage patches in a test environment first and deploy in maintenance windows rather than switching automation off altogether.

A common misconception is that automated third-party patching means your systems are more secure. While automatic patching helps your company maintain strong security posture, it is not a cure-all for security and is limited to its pre-programmed policies used to scan and identify missing patches. As more companies adopt cloud-native security infrastructure, the easier it will be to automate third-party patching.

Third-party patch management vs vulnerability management – Let’s compare the two processes

Third-party software patch management is centred on identifying, grouping, and prioritizing missing patches in third-party applications. Patch management solutions were built to deploy patches, but not every patch resolves a security flaw, and not every security flaw is fixed by a patch. For this reason, patch management products alone can’t effectively secure your organization.

Vulnerability management addresses your security risks by identifying security vulnerabilities in your systems. These vulnerabilities include a range of security issues where in some cases deploying a patch is not the solution to a particular vulnerability. Other vulnerabilities could involve security training for staff, configuring firewall policies, or making changes to your network.

Third-party Patch Management and Compliance

Timely and consistent third-party patching reinforces your cybersecurity prevention.

Third-party applications need to be continually updated to decrease your risk of compromise. Leaving them unpatched or out of date can stop your organization from meeting patch compliance requirements. Regulations and standards such as PCI DSS (Payment Card Industry Data Security Standard), GDPR (General Data Protection Regulation), and HIPAA (Health Insurance Portability and Accountability Act) all expect systems to be kept patched: PCI DSS sets explicit deadlines (critical security patches within a month of release), while GDPR and HIPAA require “appropriate” technical safeguards, which assessors routinely read to include timely patching.


Suspected LAPSUS$ group member arrested in Brazil

The Brazilian Federal Police have arrested a suspect after an investigation into last year’s breach of the Brazilian Ministry of Health. Responsibility for the breach was claimed by the LAPSUS$ group, when users found a message stating that system data had been copied and deleted and was in the hands of the group.

LAPSUS$ is a relative newcomer to the cybercrime scene that first appeared in the summer of 2021. It has made a name for itself by leaking sensitive information from some big targets. At the time it was thought that the group hailed from South America, based on its earliest targets and the near-native use of Spanish and Portuguese.

LAPSUS$ is also believed to be responsible for breaking into the systems of Empresa Brasileira de Correios e Telégrafos and Localiza Rent a Car, as well as several others in South America, the United States and Europe, including Sociedade Independente de Comunicação, a private television channel in Portugal, the Impresa group, Electronic Arts, Globant, Nvidia, Okta, Uber, and many others.

Members

In March 2022, the City of London Police said they had arrested seven teenagers in relation to LAPSUS$. Two of the seven suspects were charged with hacking offenses and one was re-arrested later after an attack on Rockstar Games.

The group is likely to be widespread. It has been growing on the back of its big successes and even bigger claims, and it has international reach, especially since it is very active on Telegram and the Dark Web. Based on linguistic analysis, the group is believed to also have Russian, Turkish, and German native speakers among its admins.

Methods

LAPSUS$ is mainly an information-stealing operation that uses every method it can: paying insiders, SIM-jacking, exploiting vulnerabilities in software like Confluence, JIRA, and GitLab, buying or searching for leaked credentials, and running AD Explorer, a publicly available Sysinternals tool, to enumerate all users and groups in a victim’s Active Directory.

Most of the time the breached organization is extorted to pay a ransom to prevent the group from leaking the exfiltrated information, but in a few cases the group simply sold or published the stolen information without contacting the victim. In the case of the Nvidia breach, LAPSUS$ claimed it was mainly after the removal of the Lite Hash Rate (LHR) limiter from all GeForce 30 series firmware, apparently to help out gamers and the mining community.

Organized crime

The availability of fast internet has brought cybercriminals from all over the world together and allows them to cooperate internationally. Using end-to-end encrypted communications and the Dark Web allows them to do business below the radar of law enforcement agencies.

Koen Hermans, Dutch national public prosecutor for cybercrime said at the ONE-conference:

“At least 80% of cyberattacks are now caused by organized crime groups and data, tools and expertise are widely shared. Cybercriminal knowledge and skills are shared and offered for sale online, via messaging services, the dark web and other platforms. There is a revenue model behind it, in which cybercrime – according to experts – has already overtaken the international drug trade in terms of profitability.”

This requires law enforcement agencies to cooperate internationally, which seems to be easier for some. The FBI and Europol have been able to achieve some successes by deploying cybertechniques against criminals, but their success rate seems to be lower when the criminal activities are conducted digitally and require virtually no physical activities. It is easier to track a shipment of weapons or drugs than to monitor the trade in stolen information.

The result is a growing demand for specialized experts, for which police forces will need a good deal of extra funds and staff.

Venus ransomware targets remote desktop services

It’s time for another tale of remote desktop disaster, as a newish form of ransomware carves out a name for itself. Bleeping Computer reports that individuals behind Venus ransomware are breaking into “publicly exposed Remote Desktop services”, with the intention of encrypting any and all Windows devices. Since at least August 2022, Venus has been causing chaos and has become rather visible lately.

Venus brings bad remote tidings

It seems these attacks very much follow the typical Remote Services/Remote Desktop Protocol (RDP) gameplan. Break into the network via insecure access, stop processes and services according to the whims of the ransomware authors, and then encrypt the desired files. Confused people on the network will now find their filenames end with the .venus extension, and additional file markers with no currently obvious purpose placed inside the encrypted files.

The incredibly overt ransom note, which is somewhat difficult to read given it sports white text on a bright orange background, reads as follows:

“We downloaded and encrypted your data. Only we can decrypt your data. IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.”

You know, as opposed to being the victim of this scam instead.

A risk whether at home or in the office

Bleeping Computer notes one victim on their forum made several posts about being struck by this particular slice of ransomware. This individual found their home network under attack, external drives compromised, and a PC elsewhere in the house being used as a server receiving similar treatment.

In this case, the issue was RDP left running as a way to access a computer remotely. The victim notes that RDP was password protected, but it seems the password may not have been enough. This—and the timeless classic of having backup devices available but not getting round to doing the actual backing up—proved to be a dreadful combination blow.

Tips for avoiding the RDP to ransomware pipeline

RDP specifically continues to be a sore point for networks whether at home or in the office. Even with password protection, it may not be enough, as we’ve just seen to devastating effect for one unlucky individual.

If you’re running Windows 11, you’ll be pleased to know that Microsoft is taking action to shore up the ways attackers use RDP to break in. As per our article from back in July, Windows 11 now enables an account lockout policy by default: ten failed sign-in attempts within ten minutes lock the account for ten minutes, which blunts plain password guessing. If you’re interested in locking down your RDP in other ways, we have a long list of tactics for you to try out. The full list of tricks and tips from March can be seen here. Some of the key actions you should consider taking right now include:

  • Use multifactor authentication for your RDP access. Attackers may crack your password, but without that second factor to hand they’re going to find it a lot harder to get in.
  • Rate limiting may now be somewhat redundant if you’re using Windows 11 with the new default lockout policy, but if not, an account lockout or rate limit slows down the speed at which attackers can keep guessing your login.
  • Place your RDP behind a VPN, but make sure you focus on keeping the VPN login secure, as this is now your new point of access. Use multifactor authentication there too, and make sure any email address tied to the account is similarly protected. If you can rate limit the VPN login as well, so much the better.
  • Better still, don’t expose RDP (TCP port 3389) to the internet at all, and turn on Network Level Authentication (NLA), which makes the client authenticate before a session is created, so unauthenticated attackers never reach the logon screen.
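The lockout and rate-limiting advice above has a detection counterpart that is easy to run on the defender’s side: Windows writes a Security event 4625 for every failed logon, and RDP attempts carry logon type 10 (or type 3 when Network Level Authentication is on, because NLA authenticates before the session exists). The detector below is an added example, not code from Bleeping Computer or Malwarebytes. It parses a constructed, simplified one-line-per-event format rather than the real Windows event XML, and the addresses (TEST-NET ranges), user names and timestamps are made up. It mirrors the Windows 11 default of ten failures in ten minutes, and it also reports how many different user names were tried from each address, which is what separates a password spray from one user mistyping.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Simplified one-line-per-event format, constructed for this example. Real 4625 events are
# XML carrying the same fields (EventID, LogonType, TargetUserName, IpAddress).
_EVENT = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)


def parse_event(line):
    """Return a dict for a well-formed line, or None so that junk lines are skipped rather than fatal."""
    m = _EVENT.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "eid": int(m["eid"]),
        "lt": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=10, window_seconds=600):
    """Flag source addresses with >= threshold failed RDP logons inside a sliding window.

    Lines must be in time order (sort them first if they were gathered from several hosts).
    Logon type 10 is RemoteInteractive; with NLA enabled the failure is logged as type 3.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)      # ip -> every user name attempted from that address so far
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["eid"] != 4625 or ev["lt"] not in (3, 10):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        tried[ev["ip"]].add(ev["user"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()               # drop failures that have aged out of the window
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = {
                "failures_in_window": len(q),
                "distinct_users": len(tried[ev["ip"]]),
                "first": q[0],
                "last": ev["ts"],
            }
    return alerts


def build_sample():
    """Constructed log: one address hammering RDP with a short user list, one harmless typo, one success."""
    base = datetime(2022, 10, 18, 2, 14, 0, tzinfo=timezone.utc)
    fmt = "{ts:%Y-%m-%dT%H:%M:%SZ} EventID={eid} LogonType=10 User={user} SrcIP={ip}"
    names = ["administrator", "admin", "backup", "scanner", "jsmith"]
    # 12 failures in five and a half minutes, rotating through the user list
    lines = [fmt.format(ts=base + timedelta(seconds=30 * i), eid=4625, user=names[i % 5], ip="203.0.113.7")
             for i in range(12)]
    # two failures half an hour apart from another address: a mistyped password, not an attack
    lines += [fmt.format(ts=base + timedelta(minutes=30 * i), eid=4625, user="jsmith", ip="198.51.100.9")
              for i in range(2)]
    # a successful logon (4624) from the LAN, which the detector must ignore
    lines.append(fmt.format(ts=base + timedelta(minutes=45), eid=4624, user="jsmith", ip="10.0.0.5"))
    return sorted(lines)              # ISO timestamps sort lexically, so this is time order


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(build_sample()).items():
        print(f"{ip}: {a['failures_in_window']} failures from {a['distinct_users']} user names, "
              f"{a['first']:%H:%M:%S} to {a['last']:%H:%M:%S}")
```

On the home network in the story, the same logic run against the event log of the exposed PC would have fired long before the encryption started; the alert is raised at the tenth failure, not after the fact. The source address in a 4625 event is what the attacker presents, so treat it as a grouping key rather than proof of origin.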

Stay safe out there!

New PHP-based Ducktail infostealer is now after crypto wallets

A phishing campaign known to specifically target employees with access to their company’s Facebook Business and Ads accounts has significantly widened its net and begun using a first-of-its-kind information-stealing malware to go after crypto wallets.

The Ducktail (Woo-ooh!) campaign was first made public three months ago in July, but it’s thought to have been active since 2018. The cybercriminal behind the campaign is thought to be from Vietnam.

Ducktail 101

Social engineering attacks and malware form the core of Ducktail’s modus operandi. In previous campaigns, it used a .NET Core malware that specifically steals Facebook Business and Ads accounts and saved browser credentials. All stolen data was then exfiltrated to its command & control (C2) server, a private Telegram channel.

In this latest campaign, the cybercriminals replaced the .NET Core payload with malware written in PHP. Ducktail still steals Facebook credentials and browser data, and now it takes cryptocurrency wallets too. The loot is posted to a command & control (C2) website as plain JSON (JavaScript Object Notation), so the stolen records are readable as they are.

Note that Ducktail also broadened its target to include all Facebook users.

The attacker lures their target into downloading and installing a malicious installer (usually compressed in a ZIP file) by making them believe it’s a video game, subtitle, adult video, or cracked MS application file (among others). This ZIP is hosted on popular file-sharing platforms.

Once the file is opened, the malware shows a fake “Checking Application Compatibility” pop-up to distract the user while it installs in the background. It then starts two processes: one establishes persistence by registering a scheduled task so the malicious script re-runs daily; the other does the data stealing.

Zscaler researchers broke down the kinds of data this PHP malware steals:

  • Browser information (machine ID, browser version, user profiles). In particular, this malicious script is after sensitive data stored in Chrome browsers. 
  • Information stored in browser cookies
  • Crypto account information from the wallet.dat file
  • Data from various Facebook pages, such as API graph, Ads Manager, and Business, which are not limited to: 
    • Accounts and their status
    • Ads payment cycle
    • Currency details
    • Funding source
    • Payment method
    • PayPal payment method (email address tied to PayPal accounts)
    • Verification status

Data stored on the C2 website is retrieved and used to conduct further information theft within the affected system. Additional stolen information is fed back to the C2 server.

Stay safe from the Ducktail infostealer

As Ducktail uses clever social engineering tactics as the precursor to infection and information theft, it is more important than ever for Facebook users, especially those responsible for their business’s Facebook accounts, to be wary of this information stealer’s risks. Prevention is key.

  • Never download files not relevant to your work, especially if you’re using company-provided computers and mobile devices.
  • Be wary of downloading files from popular file-sharing sites. Malware is usually shared there, too.
  • If something seems too good to be true, it probably is. You’d be better off avoiding it.

If you suspect you’ve been infected by Ducktail malware and you’re a Facebook Business administrator, check if any new users have been added to Business Manager > Settings > People. Revoke access to any unknown users with admin access.

Lastly, it is essential to have trustworthy security software installed on your computer to protect against risky files that may still end up there regardless of your vigilance. Remember that some malware campaigns don’t need human intervention to infect systems. You have to watch out for those, too.

Stay safe!

Microsoft breach reveals some customer data

Microsoft customers find themselves in the middle of a data breach situation. The Microsoft Security Response Center blog reports that researchers reported a misconfigured Microsoft endpoint on September 24. This misconfiguration resulted in the possibility of “unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers”.

Misconfigured servers are a major cause of unintentional data loss and unauthorised access. While the issue was apparently “quickly secured”, there are still questions as to what exactly happened and what the potential fallout could be.

Assessing the impact

The first and most important point: Microsoft sees no evidence of customer systems or accounts having been compromised, and affected customers have been “directly notified”.

As per Microsoft:

“The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability. We are working to improve our processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security of all Microsoft endpoints.”

Of course, this isn’t the whole story and some data was unintentionally exposed. What is it, and how bad might things be as a result? Let’s hear from Microsoft again:

“The business transaction data included names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorised Microsoft partner.”

The numbers game

What kind of scale are we talking about here? Bleeping Computer notes that the researchers who first discovered this claim to have linked this data to “more than 65,000 entities from 111 countries”. This data supposedly ranges from 2017 to August 2022. However, Microsoft disagrees with the assessment of what’s taken place. From its writeup:

“…after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue. Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users.”

Microsoft goes on to advise how to operate a searchable database of compromised data without risking further issues by locking down who, exactly, can access it. This is an ongoing situation, and some of those impacted are finding that obtaining specifics is proving to be difficult. For now, the best we can do is wait and see what other developments this one has in store for us.

DeadBolt ransomware gang tricked into giving victims free decryption keys

Dutch police and other law enforcement agencies have managed to trick the DeadBolt ransomware operators into releasing 150 decryption keys for free. 

The method of obtaining decryption keys was found by a Dutch incident response company called Responders.NU, who shared the method with the police. The basis for the trick is that it was possible to cancel an unconfirmed Bitcoin transaction before the payment went through, but after the decryption key had been released.

Because of the large number of Bitcoin transactions taking place at any one time, it can take a while for a payment to actually go through. That gave police enough time to block the transactions before the payment actually took place. By then they’d already received the decryption key and could pass it on to the victims. They managed to repeat the process around 150 times before the ransomware gang pulled the plug on the system that gave out the decryption keys.

DeadBolt

DeadBolt is a ransomware that specializes in encrypting online network attached storage (NAS) devices. Owners of QNAP (Quality Network Appliance Provider) devices have recently been the target of this ransomware operator. QNAP and DeadBolt have history. In January 2022, news broke that a ransomware group was targeting QNAP Network Attached Storage (NAS) devices. As a countermeasure, QNAP pushed out an automatic, forced update with firmware containing the latest security updates to protect against the attackers’ DeadBolt ransomware, which annoyed part of its userbase.

More recently, QNAP detected that cybercriminals known as DeadBolt were exploiting a Photo Station vulnerability in order to encrypt QNAP NAS systems that were directly connected to the internet. This DeadBolt campaign also targeted Asustor users. According to the police there are around 20,000 affected devices worldwide. Each of them received instructions to pay 0.05 Bitcoin (around $1000 at the time of writing) to get a decryption key for their files.

Decryption keys

The police wanted to emphasize that it is always important to file a complaint about cybercrime, even though the chances of apprehending the cybercriminals may seem slim. So they started by helping victims, from 13 countries, who had filed a complaint with their local police.

Most of the victims they helped should have received instructions on how to access their personal decryption key by now.

If you have not been notified by the police but you still want to check if you are one of the lucky ones, you can follow the instructions on the site deadbolt.responders.nu and find out if your decryption key is available.

Mitigation

It is important to file a complaint if you are a victim of a cybercrime. Not only does it give law enforcement agencies a better understanding of what’s going on and how widespread a campaign is, it also provides them with information that may help them apprehend the criminals or recover your data or money.

To avoid falling victim to the DeadBolt ransomware, the obvious advice is to not connect your NAS directly to the internet, but we understand that that ruins the whole purpose of a NAS for some users.

Make sure that the firmware of your device and all the software running on it is up to date. These criminals will not only find new vulnerabilities, but also use old ones that have not yet been patched.

To enhance the security of your NAS, QNAP recommends using its myQNAPcloud Link feature or enabling the VPN service. Alternatively, you can use another VPN of your choice.