Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
US Government Pursues Ransomware Operators
The US Government is continuing to pursue ransomware operators around the world. In their latest success, the US Department of Justice has announced the FBI's arrest of a 20-year-old Russian national, Ruslan Magomedovich Astamirov in connection with LockBit ransomware operations.
'According to a criminal complaint obtained in the District of New Jersey, from at least as early as August 2020 to March 2023, Astamirov allegedly participated in a conspiracy with other members of the LockBit ransomware campaign to commit wire fraud and to intentionally damage protected computers and make ransom demands through the use and deployment of ransomware. Specifically, Astamirov directly executed at least five attacks against victim computer systems in the United States and abroad.
'"Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended," said U.S. Attorney Philip R. Sellinger for the District of New Jersey. "The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice."'
Astamirov is the second LockBit-affiliated Russian to be arrested.
Meanwhile, as the CL0P gang continues to exploit the MOVEit Transfer file transfer software and begins extorting its victims, the US State Department's Rewards for Justice program is offering up to US$10 million for information leading to the identification or location of CL0P and similar groups.
Uncredited, Russian National Arrested and Charged with Conspiring to Commit LockBit Ransomware Attacks Against U.S. and Foreign Businesses, US Department of Justice, 15 June 2023. Available online at https://www.justice.gov/opa/pr/russian-national-arrested-and-charged-conspiring-commit-lockbit-ransomware-attacks-against-us.
Rewards for Justice, "Advisory from @CISAgov, @FBI: ... ", tweet, 17 June 2023. Available online at https://twitter.com/RFJ_USA/status/1669740545403437056.
Android RAT Masquerades as Chat Apps
Researchers at ESET have been tracking an updated version of the GravityRAT spyware for Android, which is being distributed as trojaned versions of the messaging apps BingeChat and Chatico. These apps have never been distributed via the Google Play store, but instead are being promoted through malicious web sites - although how victims are lured to them is unknown.
GravityRAT has been around since at least 2015, and is a cross-platform remote access trojan, with versions for Windows, macOS and Android; its operator is unknown but possibly based in Pakistan, as it focuses on Indian targets. ESET tracks the threat actor as SpaceCobra.
This new variant actually does provide chat functionality, being based on the open-source OMEMO Instant Messenger app, but before the user even logs in to the app, it has already contacted its C2 server, exfiltrating the user's data and waiting for commands. GravityRAT can exfiltrate call logs, the user's contact list, SMS messages, various types of files and the device's location; the new variant can also delete files, contacts and call logs. It is also capable of exfiltrating backup files created by WhatsApp Messenger, which is extremely popular in India.
The ESET report contains IOCs and a mapping to MITRE ATT&CK techniques.
Stefanko, Lukas, Android GravityRAT goes after WhatsApp backups, blog post, 15 June 2023. Available online at https://www.welivesecurity.com/2023/06/15/android-gravityrat-goes-after-whatsapp-backups/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.