IT NEWS

BackupBuddy WordPress plugin vulnerable to exploitation, update now!

Users of WordPress may need to perform an urgent update related to the popular BackupBuddy plugin. BackupBuddy is a plugin which offers backup solutions designed to combat “hacks, malware, user error, deleted files, and running bad commands”. Unfortunately, running an older version of BackupBuddy could leave your site open to potential breaches. According to Security Week, the issue tagged as CVE-2022-31474 is down to an “insecure method of downloading the backups for local storing”. This results in people being able to grab files from the server without having been properly authenticated first.

Traversing a WordPress installation

The vulnerability is listed as a “Directory Traversal Vulnerability”, and affects users running BackupBuddy from version 8.5.8.0 up to 8.7.4.1. The developers make the following observations:

  • Using this vulnerability, attackers can view the contents of any file on your server which is readable by the WordPress installation. Sensitive files could be made available to the attackers, which is not something you’d want to happen.
  • The vulnerability is being actively exploited in the wild. Sometimes you get lucky and find that something has been patched before anyone can make use of it. This isn’t the case here, sadly.
  • The developers have made the security update available to anybody running BackupBuddy, regardless of version. No matter which licence you’re using, you can apply the fix. In theory, there is no need for anyone, anywhere to be running a vulnerable installation with the fix available to install.

Next steps to take for BackupBuddy users

  • Backup to version 8.7.5 right away. You should be doing this whether or not you’re concerned by the above security issue. Old versions of products frequently fall victim to additional security issues over time, especially if they’re no longer maintained.
  • Reset your database password if you suspect there’s been a compromise of your WordPress installation.
  • Change your WordPress salts. These are tools at your disposal used to help keep passwords for your site secure.
  • Reset and update anything else not for public consumption in your wp-config.php, for example stored API keys for other services.

The risks of not updating your site and plugins

WordPress is an immensely popular target for people fully invested in site compromise. Hijacked sites can be used for SEO poisoning, redirecting to malicious sites, spam, malware installation, phishing, and more.

If you’re running BackupBuddy, go and check your current version and update right away. Once that’s done, it would be wise to ensure everything else on your WordPress installation is fully up to date too. Let’s not make it easy for those up to no good: It won’t help your business, or the people who make use of your site.

Update now! Google patches vulnerabilities for Pixel mobile phones

Google’s Pixel Update Bulletin for September included two security patches that are Pixel specific.

Both underlying vulnerabilities are rated critical and could lead to privilege escalation and device takeover.

The vulnerabilities

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that are Pixel specific:

CVE-2022-20231: a critical Elevation of Privileges vulnerability in Trusty. This buffer overflow vulnerability allows a local application to escalate privileges on the system.

Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android. The Trusty OS runs on the same processor as the Android OS, but Trusty is isolated from the rest of the system by both hardware and software. Trusty and Android run parallel to each other. Trusty has access to the full power of a device’s main processor and memory but is completely isolated. Trusty’s isolation is designed to protect it from malicious apps installed by the user and potential vulnerabilities that may be discovered in Android.

CVE-2022-20364: a critical Elevation of Privileges vulnerability in Kernel. The Android kernel is based on an upstream Linux Long Term Supported (LTS) kernel. At Google, LTS kernels are combined with Android-specific patches to form what are known as Android Common Kernels (ACKs). This buffer overflow vulnerability exists due to a boundary error within the kernel component. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.

Buffer overflow

A buffer overflow occurs when a program or process attempts to write more data to a fixed-length block of memory, or buffer, than the buffer is allocated to hold. Buffers contain a defined amount of data. Any extra data could overwrite assigned data values in memory addresses adjacent to the destination buffer.

Elevation of privileges

Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

Mitigation

All supported Google devices will receive an update to the 2022-09-05 patch level. The update also includes patches for the 46 bugs that Google addressed in Android this month. We encourage all Pixel users to accept these updates to their devices.

To learn how to check a device’s security patch level, read the instructions on the Google device update schedule.

Stay safe, everyone!

Important update! iPhones, Macs, and more vulnerable to zero-day bug

On Monday, Apple released a long list of patched vulnerabilities to its software, including a new zero-day flaw affecting Macs and iPhones. The company revealed it’s aware that threat actors may have been actively exploiting this vulnerability, which is tracked as CVE-2022-32917.

As it’s a zero-day, nothing much is said about CVE-2022-32917, only that it may allow malformed applications to execute potentially malicious code with kernel privileges. Apple says it’s patched this flaw with improved bounds checks. Below is a list of products this bug affects:

  • Macs running macOS Monterey 12.6 and macOS Big Sur 11.7
  • iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

CVE-2022-32917 is the eighth zero-day flaw that Apple has addressed since the beginning of 2022. The first seven are as follows:

As this latest vulnerability is already being exploited, it’s really important that you update your devices as soon as you can. Stay safe!

Steam account credentials phished in browser-in-a-browser attack

Steam users are once again under threat from a particularly sneaky tactic used to steal account details. As with so many Steam attacks currently, it accommodates for the possibility of users relying on Steam Guard Mobile Authentication for additional protection. It also makes use of a recent “browser within a browser” technique to harvest Steam credentials.

The attack leans into a common threat tactic where Steam is concerned, which is E-sports and other tournament related events. This is a tactic that has been around for years, and it usually takes one of two forms.

  1. Steam users are asked via Steam Chat or forum posts to “vote” for someone’s favourite team on a competition website. These requests often come from compromised accounts themselves. The bogus site phishes the victim at what claims to be the voting stage. These sites may also ask users to turn off their Steam Guard protection before submitting their username and password.

  2. Scammers ask Steam users to join a team or league, and direct them to malware or phishing pages.

It’s the second of these possibilities that is used as this particular scam’s launch pad.

A browser in a browser

In this case, people are asked if they can play. If not, they’re asked if they can at least vote for the scammer’s non-existent team. In this case, it’s a Roblox team in the “Metanola Cup”.

The fake site emulates what appears to be a site dedicated to organising and promoting various E-sport competitions and teams. This is where the sneaky part comes into play. This particular scam makes use of a “browser in a browser” attack first mentioned on Bleeping Computer in March of this year. The fake browser window sitting inside the real thing can make it very difficult to realise you’re looking at a phishing attempt.

In this case, most potential victims would assume the popup inside the main browser window, which appears to display the genuine Steam URL and “Valve Corp. [US]” next to the green padlock, is the real thing. It even detects your language from the browser preferences and then selects one of 27 different types.

Finally, the site asks for the user’s Steam Guard authentication code. This is the 2FA code displayed on the Steam mobile app when logging into your account. Without the code, you can’t login. The scammers will harvest these codes and either have the details entered automatically, or do it manually. If they choose to do this manually and they’re not around when victims are handing over details, their window for success is going to be quite short.

Avoiding Steam-focused attacks

As mentioned in the Bleeping Computer article, this is not an easy tactic to spot in the wild. Blocking JavaScript is one way to do it, but you risk compromising the functionality of many websites if you go down this path. The best defence is to studiously ignore any and all messages sent your way from strangers in relation to the below, and this includes topics unrelated to E-sports:

  • Joining an E-sports league

  • Joining or helping out an E-sports team

  • Voting for a team or individual

  • The promise of cheap items or trades/discounts

  • Free games, bonus promotional offers and items

  • The “I accidentally reported you” scam

Stay safe out there!

Facebook engineers aren’t sure where all user data is kept

If it takes a village to raise a child, apparently it takes Facebook a team to tell you what data the company keeps about you and where they keep it.

In the recently unsealed transcript of a hearing led by “Discovery Special Master” Daniel Garrie, an expert appointed by the court, two Facebook engineers were grilled regarding what user data the company keeps about its users and where they are. To everyone’s frustration, their response was, essentially, “We don’t know.”

The hearing is part of an ongoing lawsuit concerning the Facebook-Cambridge Analytica scandal.

Garrie has attempted to get Facebook to reveal where personal data is stored in its 55 subsystems, but two veteran Facebook engineers—Eugene Zarashaw and Steven Elia—who were present at the hearing, couldn’t give satisfying answers.

“I don’t believe there’s a single person that exists who could answer that question,” Zarashaw said, according to the transcript. “It would take a significant team effort to even be able to answer that question.”

The Intercept, which first reported this story, has noted Garrie’s seeming disbelief over simple questions left unanswered. However, the engineers’ inability to give solid answers as to where Facebook user data is kept doesn’t surprise Dina El-Kassaby, a spokesperson from Meta. In a statement, she said, “Our systems are sophisticated and it shouldn’t be a surprise that no single company engineer can answer every question about where each piece of user information is stored.”

“We’ve built one of the most comprehensive privacy programs to oversee data use across our operations and to carefully manage and protect people’s data. We have made—and continue making—significant investments to meet our privacy commitments and obligations, including extensive data controls.”

The engineers not knowing where user data is kept also lends credence to an internal document leaked in April 2022, claiming Facebook can’t tell where all the data it gathers comes from or is stored.

This internal document was written in 2021 by Facebook privacy engineers on the Ad and Business Product team, the group tasked to build and maintain the social network’s ads system.

“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And, yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation,” the document read.

6 patch management best practices for businesses

Patching is a thorn in the side of many businesses today: Everything from keeping up with the volume of patches to prioritizing what needs to be patched first can cause major delays in a business’s patching process.   

Needless to say, businesses are looking to streamline their patch management process as much as possible. Patch management refers to applying software updates for operating systems and applications and deploying them to eliminate known security vulnerabilities. With certain patch management best practices, you can help ensure a smoother patching process. 

In this post, we’ll give you six patch management best practices for businesses. 

1. Establish a baseline inventory 

It is essential to start with a baseline inventory of your production systems because you’ll need it to assess the current state of patching in your organization. Here it would be best if you had a solution that uses CVSS 3.1 because the severity of the patch is key to making a decision later.  

Besides CVSS, standardization is an essential part of the patch management process. However, multiple versions of an application running in production drive up support costs and increase security risks. Therefore, one of your primary goals should be to determine the version of each operating system and application your users should be running and devise a plan for standardizing around your preferred version. The process sometimes involves more than just upgrading to the latest version. There may be dependencies that must be upgraded before deploying your chosen version, or hardware requirements to consider.

2. Categorize and group each asset by risk and priority 

Performing all these upgrades and patch deployments at the same time would be incredibly risky; for example, servers that host critical applications require testing (to verify) and scheduling a possible reboot. 

In terms of organization best practices, one recommendation is creating a nested group. Take a group of endpoints in sales, for example, where “revenue recognition” is a subgroup of sales. Grouping and subgrouping in Malwarebytes Nebula allows the administrator to apply critical severity patches to a specific group of endpoints. For further reading, see this document.

3. Test the patch stability 

The need for testing must be balanced against the need to address the security vulnerability. Some organizations use a relatively short testing phase for critical patches but perform more in-depth testing for patches that are designed to address less serious vulnerabilities.

So, what’s the difference between short-testing and in-depth testing? Short testing is installing the patch on one or two target host machines and ensuring the critical application and operating system remain operational after a reboot. Long testing includes the steps in short testing but adds a “soak period” where the testing includes a variety of host systems, and the testing period is extended to ensure compatibility.

4. Identify endpoints that need patching 

The next step in the process is to determine which endpoints to patch. A good patch management application can help you with a nested grouping of your endpoints. The collection of your endpoint should represent how essential they are to your organization. 

Note: If the team decides not to deploy a particular patch, your organization needs a compensating control or solution to mitigate the risk of exploitation (mitigation versus prevention). In addition to an EDR solution, we recommend cyber insurance to mitigate worst-case scenarios. 

5. Pilot deployment of sample of patches 

A pilot deployment to a representative sample of the user base prior to performing an organization-wide deployment helps to verify that the patch is indeed safe for production use. It gives you one last chance to catch any issues that did not surface during lab testing. 

Note: Microsoft VSS snapshots were explicitly designed to roll back an endpoint image if a patch causes a catastrophic failure. Therefore, schedule your patch deployment to be after VSS snapshots, in case you need to roll back an endpoint image quickly. 

6. Document systems pre- and post-patching 

Documenting the state of your systems before and after a patch is applied is essential. That way, if problems begin to occur later, it will be easier to determine if they can be attributed to an applied patch. The documentation can be as simple as a spreadsheet with the hostname, the patch level, the date when the patch was applied, the specific patch, and the type of testing performed (short versus long) if any. Regardless, documentation is important, so that you know what happened, when it happened, and who did it—this information will assist you in troubleshooting problems, should one arise.

Act swiftly through the patching process and neutralize the greatest risks  

In a world where so many data breaches happen because a patch for a known vulnerability was available but not applied, businesses are right to be proactive in their patch management activities. However, patching is still a challenge for many businesses, who can’t easily track whether vulnerabilities are being patched in a timely manner or who are adverse to taking critical applications offline in order to patch them. 

The six patch management best practices we outlined in this post can help frame a logical workflow to your patch management activities, helping you reduce the risk of issues arising during your patching process. 

Want to learn more about what vulnerability assessment and patch management look like in action? Check out our Vulnerability and Patch Management landing page or watch the demos below.

Vulnerability Assessment:
Patch Management: 
More resources:
What is patch management?
What is vulnerability assessment?
Podcast: Why software has so many vulnerabilities

The MSP playbook on deciphering tech promises and shaping security culture

The in-person cybersecurity conference has returned.

More than two years after Covid-19 pushed nearly every in-person event online, cybersecurity has returned to the exhibition hall. In San Francisco earlier this year, thousands of cybersecurity professionals walked the halls of Moscone Center at RSA 2022. In Las Vegas just last month, even more hackers, security experts, and tech enthusiasts flooded the Mandalay Bay hotel, attending the conferences Black Hat and DEFCON. 

And at nearly all of these conferences—and many more to come—cybersecurity vendors are setting up shop to show off their latest, greatest, you-won’t-believe-we’ve-made-this product. 

The dizzying array of product names, features, and promises can overwhelm even the most veteran security professional, but for one specific group of attendee, sorting the value from the verve is all part of the job description. 

We’re talking today about managed service providers, or MSPs. 

MSPs are the tech support and cybersecurity backbone for so many small businesses. Dentists, mom-and-pop restaurants, bakeries, small markets, local newspapers, clothing stores, bed and breakfasts off the side of the road—all of these businesses need tech support because nearly everything they do, from processing credit card fees to storing patient information to managing room reservations, all of that, has a technical component to it today.

These businesses, unlike major corporations, rarely have the budget to hire a full-time staff member to provide tech support, so, instead, they rely on a managed service provider to be that support when needed. And so much of tech support today isn’t just setting up new employee devices or solving a website issue. Instead, it’s increasingly about providing cybersecurity. 

What that means, then, is that wading through the an onslaught of marketing speak at the latest cybersecurity conference is actually the responsibility of some MSPs. They have to decipher what tech tools will work not just for their own employees, but for the dozens if not hundreds of clients they support. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with two experts at Malwarebytes about how MSPs can go about staying up to date on the latest technology while also vetting the vendors behind it. As our guests Eddie Phillips, strategic account manager, and Nadia Karatsoreos, senior MSP growth strategist, explain, the work of an MSP isn’t just to select the right tools, but to review whether the makers behind those tools are the right partners both for the MSP and its clients. 

As Karatsoreos said:

“You need to do your research… Do they have the right background to match what you’re offering? Do they have training for you? Do they have integrations? … Do they have a partner program? Because, as we know with MSPs, they don’t just want a product that just gets installed… They need that support of the partner program. Do they allow you to have a trial or a demo to make sure that it works in your environments? Are they constantly updating? And what does their security system look like? Are they protected?”

She continued:

“These are all things behind the technology that an MSP really needs to consider when considering those vendors.”

Tune in today to listen to Karatsoreos and Phillips discuss the many responsibilities of being an MSP today. 

You can also find us on Apple PodcastsSpotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

A week in security (September 5 – 11)

Last week on Malwarebytes Labs:

Stay safe!

The North Face hit by credential stuffing attack

The North Face clothing brand, which specialises in outdoor and heavy weather outerwear, has experienced a “large-scale” credential stuffing attack. This has resulted in no fewer than 194,905 accounts being compromised. What is credential stuffing, and how did it affect The North Face customers?

What is credential stuffing?

Credential stuffing is an attack reliant on service users being a little lax with their password practices. If users of Site A reuse their password on sites B and C, this is a problem. Should Site A ever be compromised, those login details are exposed. They might end up on data dumps, or forums, or anywhere else you care to imagine. People with access to the credentials from Site A will then try them on sites B and C, often via automation. If the user has reused their password, the accounts on those additional sites will also be vulnerable.

Indeed, sometimes people will also reuse credentials from one site as their password for their email address too. This provides attackers with further inroads for all accounts tied to the address, and could end with a user losing access to many more of their online accounts.

Password reuse is tempting, because it’s impossible to remember a different password for each online account. That’s why people are encouraged to use tools like password managers, as they make it easy to generate and remember all your passwords. With this in place, victims are limited to “just” the fallout from the initial attack and can quickly take appropriate action.

Which details are at risk from attackers?

According to Bleeping Computer, the North Face attacks began on July 26, with site operators detecting unauthorised activity on August 11. The attacks were shut down completely by August 19. Some of the information potentially accessed includes:

  • Name
  • Billing address
  • Purchase history
  • Shipping address
  • Telephone number

No payment details were accessed, which is very good news for anyone impacted by the stuffing attacks.

Please notice this breach

Data breach notices are being sent to anyone affected. Additionally, passwords have been reset and new login details will be required. Hopefully users will take note of the following suggestions:

Please change your password at thenorthface.com and other sites where you use the same password. We strongly encourage you not to use the same password for your account at thenorthface.com that you use on other websites. If a breach occurs on one of those other websites, an attacker could use your email address and password to access your account at thenorthface.com.

In addition, we recommend avoiding using easy-to-guess passwords. You should also be on alert for schemes known as “phishing” attacks, where malicious actors may pretend to represent The North Face or other organizations. You should not provide your personal information in response to any electronic communications regarding a cybersecurity incident. We have included below further information on steps you may consider taking to protect your credit.

It remains to be seen what the fallout from this one will be. With the type of data listed above, it’s fair to say that phishing and social engineering will likely be close to the top of the follow-up threat pile. Stay safe out there!

Ransomware review: August 2022

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

As expected, LockBit remained the dominant ransomware variant in August, as it has all year. At the other end of the scale REvil’s revival in slow motion continued with a single victim listed, RansomEXX posted its first victim for four months, and Snatch posted a single victim after fourty days of inactivity. Intriguingly, the victim listed on the Snatch site was also listed by REvil in April. It’s not unusual for victims to be attacked multiple times, so this is not necessarily a sign of cooperation.

Known ransomware attacks in August 2022 by gang
Known ransomware attacks by gang, August 2022

As we wrote in June, part of LockBit’s success comes from avoiding the kind of fatal missteps made by rivals like Conti, REvil, and DarkSide, all of whom attracted a great deal of public attention from US law enforcement. We cannot help wondering how long that will last though. LockBit has been the most active ransomware threat for all of 2022 and it is impossible to imagine there isn’t a team of FBI agents somewhere plotting its demise.

Over the last six months, between March 2022 and August 2022, LockBit has racked up 430 known attacks in 61 different countries, including 128 in the USA. In that period it was responsible for one in three known ransomware attacks—more than the next four most active gangs combined, and 300 more than its nearest rival. Between March and August it averaged about 70 known attacks per month, while the median average for the gangs we monitor has never exeeded seven.

Known ransomware attacks by gang, between March 2022 and August 2022
Known ransomware attacks by gang, between March 2022 and August 2022

The USA continues to bear the brunt of ransomware attacks, although its preeminence likely reflects the size of its service economy and the large number of potential vicitms rather than a deliberate targeting. Few countries escape attention and the 175 known attacks in August spread across 43 countries as diverse as Luxembourg, Qatar, and Gabon.

Known ransomware attacks in August by country
Known ransomware attacks by country, August 2022
Known ransomware attacks by industry sector, August 2022
Known ransomware attacks by industry sector, August 2022

The future of ransomware

Two events in August hinted at how ransomware gangs’ tactics may evolve beyond “double extortion”, the biggest innovation in ransomware tactics in recent years.

Originally, ransomware encrypted files and its operators demanded a ransom in return for a decryption tool. It was all but impossible to decrypt the files without the decryption tool, but victims could avoid paying a ransom by restoring encrypted files from backups.

In late 2019 the group behind Maze ransomware began stealing files from its victims before encrypting them, and then threatened to leak the stolen files on a dark web website. This gave victims an incentive to pay the ransom even if they could restore their system from backups. The tactic was quickly copied and it is now standard for large ransomware groups.

Triple extortion

In August, LockBit stole data from security company Entrust in a double extortion attack. According to LockBit, which spoke to VX-Underground, the victim’s unusual response was to prevent LockBit from publishing the stolen data by launching a distributed denial of service (DDoS) attack against the group’s leak site.

The attack delayed the leak but does not seem to have prevented it. However it does seem to have inspired LockBit to try the same thing. Having seen how effective DDoS attacks can be, the group took to a hacking forum to explain that it is now planning to use DDoS as a third stick to beat victims with, alongside encryption and extortion.

LockBit announces a DDoS service
LockBit rants about the alleged Entrust DDoS and then copies the idea

The utterings of ransomware gangs should always be taken with a pinch of salt, but the idea is worth taking seriously because it isn’t new. In fact DDoS extortion is an older tactic than encrypting files and demanding a ransom. It has simply fallen out of favor in recent years.

The end of ransomware?

Data leaking has been such a successful tactic that some groups, like Karakurt, don’t bother to encrypt files at all and rely entirely on the threat of leaked data. We believe that we will see more gangs taking this approach in future.

Since ransomware gangs started adopting “big game” tactics about five years ago, the skills required for a successful attack have changed. In a “big game” attack the encrypting malware is a commodity—the expertise that determines an attacker’s likely success are their ability to find a target, understand its value, and then break into its network and operate undetected.

This has led to significant specialization, with some criminal groups providing the software, some working as initital access brokers, and others actually performing the attacks. The skills that access brokers and attackers have developed have lucrative uses beyond deploying ransomware, such as surveillance, sabotage, espionage, and data exfiltration.

If encrypting ransomware ceases to generate significant revenue, its operators will simply pivot to other forms of attack. The pressure to do that started with improved backups triggering the switch to “double extortion”, and has increased as a result of Russia’s war in Ukraine. Since the start of the war, ransomware gangs have found it harder to get paid because of the threat of sanctions, and one of the most high profile gangs has disappeared completely as a direct result.

Ransomware operator Mikhail Matveev was asked in a recent interview with The Record if he thought ransomware will remain the best monetization model for cybercriminals over the next three years. His response: “ransomware will soon die—not in three years, but sooner. Literally, everything has changed over the last six months. Since the beginning of the special operation in Ukraine, almost everyone has refused to pay.”

Some members of the security industry have gone further, predicting ransomware’s imminent demise.

We believe that while the long term trend may see gangs moving away from encryption, we don’t expect a sudden change. The reality is that some groups find it difficult to obtain their demands without the use of encryption, and encryption is still the tactic of choice for 2022’s most successful ransomware group, LockBit.

New groups

It seems that some cybercriminals haven’t received the memo about the imminent end of ransomware-as-a-service, and a handful of new groups appeared in August, just as they did in July. The new groups are D0nut, IceFire, DAIXIN, and Bl00dy. Unusually, Bl00dy doesn’t have a leak site and instead use the Telegram messaging app.

D0nuts ransomware
The banner of the D0nut leak site
IceFire ransomware
The IceFire leak site
Daixin ransomware
The DAIXIN leak site