Risky Business #737 -- LockBit gets absolutely rekt
Feb 20, 2024
Law enforcement takes down LockBit ransomware, Chinese contractor I-SOON leaks info, GRU network shutdown, Signal's username challenges, Ukrainian media targeted by Russian hackers, Pegasus spyware in Poland, hackers use facial recognition for bank fraud, Ivanti's backdoor vulnerability, Windows policy challenges discussed
Law enforcement dismantled LockBit ransomware, seizing infrastructure and disrupting a $120 million operation.
Chinese contractor I-SOON's data leak exposed sensitive info and APT activities, impacting national security.
Global law enforcement actions dismantled a SOHO router botnet, showcasing collaboration against cyber threats.
Deep dives
Global Collaboration Against LockBit Ransomware
Law enforcement agencies from various countries collaborated to dismantle LockBit ransomware, leading to the seizure of infrastructure used in extorting over $120 million from 2,000 victims. The operation included decryption keys, recovery tools, and indictments of affiliates, impacting the ransomware community.
Insight into Chinese Offsec Contractor I-SOON Data Leak
A massive data leak from the Chinese offsec contractor I-SOON revealed sensitive information, including its involvement in anti-terrorism services and compromised data from entities like telcos and airlines. The leak showcased tools, data exfiltration from countries like Malaysia, and provided insights into Chinese APT operations.
Impact of Law Enforcement's Disruption Actions
Law enforcement efforts disrupted criminal activities, such as dismantling a SOHO router botnet linked to Russian intelligence. These actions have highlighted the effectiveness of global collaboration against cyber threats, emphasizing the role of law enforcement in combating cybercrime and the importance of disrupting malicious operations.
Backdoor Discovery in Ivanti Endpoint Manager Product
A backdoor in the Ivanti Endpoint Manager product was discovered by GreyNoise while investigating a code execution bug patched by Ivanti. The backdoor, embedded in a code component called CSRF magic, was a remnant from years ago and allowed remote execution of commands through a specific magic cookie. Its origin dated back to early-2000s hacker groups, and it shared characteristics with other backdoors of that era.
Rob Joyce's Retirement from NSA and Legacy
Rob Joyce, the cybersecurity director at NSA, announced his retirement after 34 years at the agency, effective March 31, 2024. His departure marked the end of an era characterized by technical proficiency and positive outreach to the cybersecurity community. Joyce's legacy included significant contributions to promoting Ghidra and engaging with the hacker community, showcasing a more approachable side of the post-Snowden NSA.
In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about:
LockBit has been taken down by law enforcement
Some mega-juicy leaks out of Chinese offsec/APT contractor I-SOON
GRU gets its Moobot network shut down
Signal adding usernames is… complicated
Much, much more
In this week’s sponsor interview Devicie’s Tom Plant joins the show to talk about problems orgs run into when it comes to Windows policies. There’s an expectation out there that Windows policies are set and forget, but sadly, this is not so.