
Cybersecurity Highlights: Signal Blocked in Russia and an 18-Year-Old Browser Bug

We have compiled the most significant cybersecurity news of the week.

  • Roskomnadzor confirmed the blocking of the Signal messenger in Russia.
  • The BlackSuit ransomware demanded over $500 million from its victims.
  • An 18-year-old vulnerability allowed bypassing security in Chrome, Firefox, and Safari.

Roskomnadzor Confirms Blocking of Signal Messenger in Russia

Access to the Signal messenger in Russia has been restricted by decision of Roskomnadzor, as reported by Interfax.

The agency cited “violation of legal requirements to prevent the use of the messenger for terrorist and extremist purposes” as the reason.

Russian users began reporting service disruptions on August 8.

The creators of Signal confirmed the blocking in several countries and promised to do “everything possible” to maintain and restore access to the messenger.

Alleged Administrators of Darknet Forum WWH Club Arrested in the US

Russian citizen Pavel Kublitsky and Kazakhstani citizen Alexander Khodyrev were arrested in Florida on charges of conducting cybercriminal activities through the darknet marketplace WWH Club, as reported by Court Watch.

According to the investigation, both were administrators of a platform for hiring hackers, selling stolen credit cards, illegally obtained information, and training courses on cyber fraud. The forum had over 170,000 users.

The FBI gained access to the site’s admin panel and database.

The agency discovered over a hundred bitcoin addresses linked to the suspects, which received nearly 4,000 transactions totaling ~152 BTC (equivalent to $961,000 over the evaluation period) from July 2015 to June 2024.

In December 2022, Kublitsky and Khodyrev sought asylum in the US. They lived in South Florida and were unemployed. Meanwhile, Kublitsky owned a luxury condominium in Sunny Isles Beach, and Khodyrev purchased a 2023 Chevrolet Corvette worth $110,000.

An email linked Kublitsky to the Omsk branch of the financial pyramid MMM-2011, where he was the leader.

The accomplices are charged with trafficking and possessing unauthorized access devices. Their criminal cases are classified as “secret.”

BlackSuit Ransomware Demanded Over $500 Million from Victims

Experts from CISA and the FBI provided new details about the operators of the BlackSuit ransomware, who extorted over $500 million in bitcoin from victims.

As a direct successor of the Conti cybercrime syndicate, the group began operations in January 2022 under the name Quantum, spreading the eponymous ransomware. The virus was later renamed Royal, and then BlackSuit, under which it operated from September 2022 to June 2023.

Ransom amounts typically ranged from $1 million to $10 million, with the largest individual demand being $60 million.

An 18-Year-Old Vulnerability Allowed Bypassing Security in Chrome, Firefox, and Safari

Researchers at Oligo Security discovered that a vulnerability in major browsers, identified 18 years ago in 2006, remains unpatched. It allows malicious sites to bypass security in Chrome, Firefox, and Safari, compromising local networks.

The bug, named 0.0.0.0 day, allows a website to address requests to the IP address 0.0.0.0 instead of the localhost address 127.0.0.1. This enables hackers to send remote requests to internal networks, potentially executing arbitrary code and accessing confidential information.

The vulnerability affects only devices running Linux and macOS. Windows computers are safe, as Microsoft blocks incoming third-party connections at the operating system level.

Browser developers have acknowledged the issue and are working on a fix.
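A defensive illustration of the gap described above, added here and not taken from Oligo Security or any browser vendor: a request filter that recognises only the usual loopback spellings lets 0.0.0.0 through, while one that also treats the unspecified address as local does not. The function names and sample URLs are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample request targets (not taken from the article or the research).
SAMPLE_URLS = [
    "http://127.0.0.1:8080/admin",
    "http://localhost:3000/",
    "http://0.0.0.0:8080/admin",
    "http://[::]:8080/admin",
    "http://192.168.1.10/status",
    "https://example.com/",
]


def naive_is_local(url: str) -> bool:
    """Weak check: only the familiar loopback spellings count as local."""
    return (urlsplit(url).hostname or "") in ("localhost", "127.0.0.1", "::1")


def is_local_target(url: str) -> bool:
    """Stricter check: loopback, unspecified (0.0.0.0, ::) and private ranges."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # DNS name; resolving it is outside this example
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # e.g. ::ffff:127.0.0.1
    return ip.is_unspecified or ip.is_loopback or ip.is_private or ip.is_link_local


def missed_by_naive(urls):
    """Local targets that the weak check would let through as 'public'."""
    return [u for u in urls if is_local_target(u) and not naive_is_local(u)]


if __name__ == "__main__":
    for url in missed_by_naive(SAMPLE_URLS):
        print("local target missed by naive filter:", url)
```

The same classification can be applied on the receiving side, where a local service rejects requests whose Host header is not one of the names it expects.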

DEF CON Reveals Story of Identifying LockBit Administrator

The identification of the LockBit ransomware administrator, known by the aliases LockBitSupp and putinkrab, involved cybersecurity researcher John DiMaggio from Analyst1. At the DEF CON conference, he shared the story of infiltrating the gang and the tip that helped identify the hacker as 31-year-old Dmitry Khoroshev from Voronezh. A condensed version of the story was published by TechCrunch.

To get acquainted with LockBitSupp, DiMaggio pretended to be an aspiring cybercriminal wanting to join the gang. Using fake accounts, he communicated with the hacker’s inner circle, creating a persona with a background and connections in the darknet.

For months, he gained Khoroshev’s trust and became his friend, while gathering details of the cyberattacks. They discussed how to negotiate with victims and set the right ransom amount.

An anonymous tip helped reveal LockBitSupp’s real name — DiMaggio received his Yandex email address.

“This was my first experience of doxing. [After the FBI announced] his name, I published everything else: residence, current and previous phone numbers,” the specialist said.

As a farewell, DiMaggio wrote Khoroshev a message explaining that he had to reveal his identity before others did:

“LockBitSupp, you’re a smart guy. You said money is no longer the main thing, and you want to have a million victims before you stop, but sometimes you need to know when to leave. That time has come, my old friend.”

After that, Khoroshev never wrote back to him.

A detailed account with all documentation is available on DiMaggio’s blog.

Weekend Reading Suggestions

In a special feature, we share personal stories of clients of the collapsed Mt.Gox exchange and their struggles to recover funds.