NCA Unveils LockBitSupp Identity

Several days ago, on May 5, 2024, a changed LockBit site variant, that appeared after the law enforcement hack in February of the same year, got back online. Earlier, it used to contain the hefty list of information that law enforcement agencies managed to leak from the network of the threat actor. This time, however, they went further: instead of court judgments, they promised to publish personal information of the LockBit gang leader.

Man under the nickname LockBitSupp always attracted a lot of attention: both due to the success of his ransomware group and unusual publicity of a ransomware group leader that was never seen before. What’s more tempting is the promise to pay $10 million to a person who’d reveal his identity. He was outstandingly confident about his anonymity, and for a good reason, so the huge reward was left unclaimed ever since this “contest” was first announced.

Though now, by the looks of it, Dmitry Yurievich Khoroshev owes $10 million to NCA specialists. During the first summary of Operation Cronos, NCA already threatened to publish his identity, but that was probably a mere bluff. But not this time – the full list of the guy’s personal information was both published and turned into courts in order to imply personal sanctions. They in particular suppose arrest of the personal assets and implying travel bans.

LockBit Leader Compromised: Will This Stop the Gang?

Despite the overall excitement around the identity reveal of LockBitSupp, it won’t make that much difference to the gang. Just another stain on the reputation, that has got the first, and much stronger blow back in February. Deanonymizing of the gang’s leader places it in the row with Evil Corp, whose chief Maksim Yakubets is a long-term guest of the FBI’s wanted board.

A more important news of the fresh release is an updated pack of data about the affiliates and operations of the ransomware group. NCA, together with law enforcement agencies, leaked attack statistics, affiliate counters and names, and the geography of attacks.

List of LockBit Affiliates

List of LockBit Affiliates

As far as the fresh leak says, after the February attack, 2/3 of the LockBit affiliates escaped the business. This was somewhat noticeable by the decline in the group’s activity, but not to that extent. Still, the quality of these attacks noticeably decreased: no loud names in the last two months. At the same time, the number of attacks on the UK companies plummeted to a similar extent (-73%) – definite reaction to the NCA’s effort.

The post LockBit Leader Identity Revealed, NCA Publishes More Data appeared first on Gridinsoft Blog.

Nation-State threat actors in a governmental warning notification

The advanced persistent threat actors, as the alert states, use custom-made software to attack ICS and SCADA devices. These instruments allow finding the targeted devices, compromising them, and taking control over them once the access to operational technology network is established.

The specially tailored tools are designed specifically to attack Open Platform Communications Unified Architecture (OPC UA) servers, Schneider Electric programmable logic controllers (PLCs,) and OMRON Sysmac NEX PLCs.

According to the document, the threat actors can also infiltrate the Windows-based engineering workstations of informational and operational technology networks. That is possible with the usage of an exploit of CVE-2020-15368 vulnerabilities related to AsrDrv103.sys motherboard driver. The driver can be compromised, leading to the execution of malicious code in the Windows core. The infiltrators aim to escalate privileges and, moving laterally within the industrial control system’s networks, create diversions in electricity and natural gas supply and distribution.

Dragos report and scale of the threat

The specialists at Dragos, an industrial cybersecurity company, have described¹ the recently revealed PIPEDREAM malware as a modular attack framework that can cause “disruption, degradation, and possibly even destruction, depending on targets and the environment.”

Robert M. Lee, CEO at Dragos, has stated that PIPEDREAM is connected to the nation-state actor under the moniker CHERNOVITE. Lee claims that it is the first time malicious software with such destructive capabilities has been discovered before its actual usage.

The PIPEDREAM is a complex program whose five constituent elements are responsible for different objectives. The malware is designed to detect and hijack devices, compromise the programmable logic controllers, and disrupt them, jeopardizing the correct work of industrial objects. If PIPEDREAM were used against existing industrial systems, the consequences would be unpredictable up to catastrophic.

Pipedream is malware aimed a physical destruction

The malware in question uses various-function exploits automatized to a high degree. Different modules of PIPEDREAM inject noxious configurations into devices, alter their parameters, and manage devices’ contents.

CODESYS, a development environment for controller programs, proved to have at least seventeen vulnerabilities potentially exploitable by hackers. PIPEDREAM is capable of compromising CODESYS as well.

The very possibility of hijackers tampering with the settings of the industries’ programmable controllers is appalling. Dragos warns about an option for the terrorists to destabilize the operational environment by disabling the emergency shutdown. If that occurred, the attacked system would go critical and unstable.

Mandiant report and Pipedream origins

Mandiant, a threat intelligence company, provided a report that matches the one by Dragos. In its message, Mandiant describes PIPEDREAM (aka INCONTROLLER) as malware designed to target specifically Schneider Electric and Omron automation systems.

Schneider Electric, in turn, reported² that there was neither evidence of vulnerabilities that could have been exploited by PIPEDREAM nor detected assaults on the company’s devices. However, the enterprise admitted that the threat level was troubling and added the “recommended mitigations” section to the notification for all customers to comply.

The trace leads to Russia

Apparently, the origin of the information about PIPEDREAM is the Russo-Ukrainian war. The clash takes place not solely on the ground but also on the Network³. After an unsuccessful hacker attack on a Ukrainian energy provider, cybersecurity company ESET⁴ has given a thorough description of how the INDUSTROYER2 malware worked. Possibly, that information helped Dragos and Mandiant detect and dissect another malicious program – PIPEDREAM.

The disputed malware now stands in one row with Stuxnet, Havex, Industroyer 1 and 2, Triton, and BlackEnergy2 – malicious tools designed against vital industrial control systems.

As a countermeasure against possible threats, cybersecurity agencies strongly advise industrial control organizations to increase all safety measures. These are well-known rules: 2-factor-authentication, no passwords auto-filling, changing passwords, and overall vigilance against potential invasive actions.

The post Nation-State Threat Actors are an Actual Menace, According to CISA appeared first on Gridinsoft Blog.

The Head of Cyber Command and director of the National Security Agency Paul Nakasone, in an interview with the New York Times, declined to elaborate on exactly what action the team of experts took. The US military’s computer operatives are increasingly willing to hack into criminals, not just statesmen who pose a threat to critical US infrastructure. But this is one of the first unequivocal evidence from Cyber Command that the agency is targeting criminal groups that hold the computer systems of American enterprises as “hostages.”

US government security officials have begun to actively pursue ransomware groups after attackers hacked into the networks of the fuel giant Colonial Pipeline and the world’s largest meat producer JBS earlier this year.

According to Paul Nakasone, the US government launched offensive actions against ransomware operators, including trying to cut off funding sources for hackers.

The US government’s counteractions against ransomware groups, many of which are based in Eastern Europe and Russia, also include indicting alleged extortionists and sanctioning cryptocurrency exchanges accused of laundering money for hackers.

However, it is not only the US government that has decided to use more aggressive measures against ransomware. The UK Government Liaison Center has announced plans to use national cyber forces formed last year to hack and pursue ransomware groups.

While the details of such operations are usually kept secret, they usually involve blocking criminals’ phone signals or interfering with their servers.

The post US Cyber ​​Command confirms cyberattacks against ransomware appeared first on Gridinsoft Blog.