Bleeping Computer – Gridinsoft Blog https://gridinsoft.com/blogs/tag/bleeping-computer/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Tue, 29 Nov 2022 11:28:52 +0000 en-US hourly 1 https://wordpress.org/?v=90453 200474804 Ragnar Locker Ransomware Accidentally Attacked Belgian Police https://gridinsoft.com/blogs/ragnar-locker-ransomware/ https://gridinsoft.com/blogs/ragnar-locker-ransomware/#respond Tue, 29 Nov 2022 11:28:12 +0000 https://gridinsoft.com/blogs/?p=12309 The operators of the ransomware Ragnar Locker published on their “leak site” the data stolen from the police unit of the Belgian province of Antwerp. The problem is that the hackers believed that they had compromised the municipality of the city of Zwijndrecht, and the law enforcement officers were hacked by accident. Let me remind… Continue reading Ragnar Locker Ransomware Accidentally Attacked Belgian Police

The post Ragnar Locker Ransomware Accidentally Attacked Belgian Police appeared first on Gridinsoft Blog.

]]>

The operators of the ransomware Ragnar Locker published on their “leak site” the data stolen from the police unit of the Belgian province of Antwerp. The problem is that the hackers believed that they had compromised the municipality of the city of Zwijndrecht, and the law enforcement officers were hacked by accident.

Let me remind you that we also wrote that BlackCat ransomware gang publishes leaked data on the clear web site, and also that List of suspects in terrorism that are monitored by the FBI leaked to the network.

The Belgian media have already called this leak one of the largest in the history of the country, as it affected all Zwijndrecht police data from 2006 to September 2022.

Ragnar Locker ransomware

The Bleeping Computer writes that among the published data, you can find thousands of license plates, crime reports, personnel data, investigation reports and much more. Unfortunately, such a leak could reveal the identities of the people who reported the crimes, as well as jeopardize ongoing law enforcement operations and investigations.

At the same time, the Zwijndrecht police report on social networks that hackers gained access only to that part of the network where administrative data was stored, and the employees themselves were the first to suffer from the attack.

Zwijndrecht police chief Marc Snels told local media that the data breach was due to human error and all those affected are already being notified of the incident.

Marc Snels
Marc Snels
This is not the case when there was a leak in general of all data. The [compromised] network mainly contains personal information of our employees, such as personnel lists. But sometimes this network does contain confidential information. These are human mistakes. For example, fines and photos related to child abuse “leaked”. This, of course, is very unpleasant.Snels says.

It is known that the Belgian prosecutor’s office has already opened a criminal case in connection with this hack.

At the same time, Bleeping Computer notes that, according to Belgian journalists, the attackers targeted a poorly protected Citrix endpoint and penetrated the police network through it. Investigators also found that among the “leaked” data there are metadata of subscribers of telecommunication services and SMS messages of people who are under a secret police investigation. The files also contain traffic cam footage revealing the whereabouts of specific people at specific dates and times.

This is not the first such incident. For example, Techcrunch reported that Hackers have stolen personal data of about 4,000 American federal agents and police servicemen and uploaded it on the Internet.

The post Ragnar Locker Ransomware Accidentally Attacked Belgian Police appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/ragnar-locker-ransomware/feed/ 0 12309
Security Experts Secretly Helped Zeppelin Ransomware Victims for Two Years https://gridinsoft.com/blogs/zeppelin-ransomware-victims/ https://gridinsoft.com/blogs/zeppelin-ransomware-victims/#respond Tue, 22 Nov 2022 08:55:01 +0000 https://gridinsoft.com/blogs/?p=12137 Since 2020, some information security specialists have helped victims, as individuals and companies affected by the Zeppelin ransomware. The fact is that a number of vulnerabilities were found in the encryptor, which were used to create a working decryptor. Let me remind you that we talked that Microsoft Links Hacker Group Vice Society to Several… Continue reading Security Experts Secretly Helped Zeppelin Ransomware Victims for Two Years

The post Security Experts Secretly Helped Zeppelin Ransomware Victims for Two Years appeared first on Gridinsoft Blog.

]]>
Since 2020, some information security specialists have helped victims, as individuals and companies affected by the Zeppelin ransomware. The fact is that a number of vulnerabilities were found in the encryptor, which were used to create a working decryptor.

Let me remind you that we talked that Microsoft Links Hacker Group Vice Society to Several Ransomware Campaigns (including using Zeppelin malware), and also that Azov Ransomware Tries to Set Up Cybersecurity Specialists.

The publication Bleeping Computer says that the authors of this decoder were specialists from the consulting information security company Unit221b. Back in 2020, they prepared a report on vulnerabilities in the ransomware, but eventually delayed its publication so that attackers would not know about the possibility of free file decryption.

Unit221b experts decided to try to hack Zeppelin when it was discovered that malware operators were attacking charitable and non-profit organizations and even homeless shelters.

Starting with a 2019 BlackBerry Cylance report, the researchers found that Zeppelin uses an ephemeral RSA-512 key to encrypt an AES key that blocks access to encrypted data. At the same time, the AES key was stored in each encrypted file, that is, cracking the RSA-512 key would allow decrypting the data and not paying a ransom to attackers.

Zeppelin ransomware victims
How Zeppelin encryption works

While working on this version, the experts found that the public key remains in the registry of the infected system for about five minutes after data encryption is completed. We managed to extract it by “cutting” it from the file system, Registration.exe memory dumps and directly from NTUSER.Dat in the /User/[user_account]/ directory.

Zeppelin ransomware victims
An Obfuscated key

The resulting data was obfuscated using RC4, and to deal with this problem, the experts used the power of 800 CPUs on 20 servers (each with 40 CPUs on board), which eventually cracked the key in six hours. After that, it remained only to extract the AES key from the affected files.

Unit221b founder Lance James told reporters that the company has now decided to go public with the details of the work done, as the number of Zeppelin victims has dropped significantly in recent months. The last major campaign using this ransomware was the attacks by the Vice Society, which abandoned Zeppelin a few months ago.

According to James, the data decryption tool should work even for the latest versions of Zeppelin and will be available to all victims free of charge, upon request.

Emsisoft, who often release their own free decryptors, told reporters that the need for a lot of computing power to recover keys, unfortunately, hinders the creation of a free tool for companies.

The post Security Experts Secretly Helped Zeppelin Ransomware Victims for Two Years appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/zeppelin-ransomware-victims/feed/ 0 12137
Ransomware publishes data stolen from Cisco https://gridinsoft.com/blogs/data-stolen-from-cisco/ https://gridinsoft.com/blogs/data-stolen-from-cisco/#comments Wed, 14 Sep 2022 12:24:55 +0000 https://gridinsoft.com/blogs/?p=10566 The Yanluowang hack group published data stolen from Cisco back in May 2022. Cisco representatives acknowledged that the data leak took place, but still insist that the incident did not affect the company’s business in any way. Let me remind you that last month, Cisco representatives confirmed that back in May, the company’s corporate network… Continue reading Ransomware publishes data stolen from Cisco

The post Ransomware publishes data stolen from Cisco appeared first on Gridinsoft Blog.

]]>
The Yanluowang hack group published data stolen from Cisco back in May 2022. Cisco representatives acknowledged that the data leak took place, but still insist that the incident did not affect the company’s business in any way.

Let me remind you that last month, Cisco representatives confirmed that back in May, the company’s corporate network was hacked by the Yanluowang extortionist group. Later, the attackers tried to extort money from Cisco, otherwise threatening to publish the data stolen during the attack in the public domain.

Then the company emphasized that the hackers did not steal anything serious at all, they only managed to steal non-confidential data from the Box folder associated with the hacked employee account.

The hackers themselves contacted Bleeping Computer and told reporters that they had stolen 2.75 GB of data from the company (approximately 3,100 files), including source codes and secret documents. According to journalists, many of the files were non-disclosure agreements, data dumps and technical documentation.

For example, the attackers gave the publication a redacted version of the agreement and showed a screenshot of the VMware vCenter admin console at the cisco.com URL. The screenshot showed numerous virtual machines, including one called GitLab and used by the Cisco CSIRT.

At the same time, Cisco continued to claim that the company has no evidence that the source code was stolen.

Let me remind you that we also reported that Cisco Hack Is Linked to Russian-Speaking Hackers from Evil Corp.

As Bleeping Computer now reports, Yanluowang members have begun leaking stolen data on the dark web. Against this background, Cisco finally confirmed the data leak, but the company continues to insist that this incident did not affect the business in any way, and the leak of information does not change the initial assessment of the incident.

On September 11, 2022, the attackers who had previously published a list of filenames associated with the incident on the dark web posted the actual contents of the same files in the same location on the dark web. The contents of these files are consistent with what we have identified and disclosed.

Our previous analysis of the incident remains unchanged – we still do not see any impact on our business, including Cisco products or services, sensitive customer data, sensitive employee information, intellectual property, or supply chain processes.Cisco said.

I note that at the end of August, cybersecurity analysts from eSentire published a report in which they presented evidence of a possible connection between the Yanluowang group and the well-known Russian-speaking hack group Evil Corp (UNC2165).

The post Ransomware publishes data stolen from Cisco appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/data-stolen-from-cisco/feed/ 1 10566
The LockBit Group Is Taking on DDoS Attacks https://gridinsoft.com/blogs/ddos-attacks-and-lockbit/ https://gridinsoft.com/blogs/ddos-attacks-and-lockbit/#respond Tue, 30 Aug 2022 09:40:36 +0000 https://gridinsoft.com/blogs/?p=10244 Last week, after the information security company Entrust was hacked, the LockBit hacker group was subjected to powerful DDoS attacks. Now the hackers say they have improved DDoS protection and plan to do triple extortion in the future, using such attacks as additional leverage on victims. Let me remind you that we also reported that… Continue reading The LockBit Group Is Taking on DDoS Attacks

The post The LockBit Group Is Taking on DDoS Attacks appeared first on Gridinsoft Blog.

]]>
Last week, after the information security company Entrust was hacked, the LockBit hacker group was subjected to powerful DDoS attacks. Now the hackers say they have improved DDoS protection and plan to do triple extortion in the future, using such attacks as additional leverage on victims.

Let me remind you that we also reported that Hackers Launched LockBit 3.0 and Bug Bounty Ransomware, and also that Experts Find Similarities Between LockBit and BlackMatter.

Let me remind you that Entrust was hacked back in June 2022. Then the company confirmed to the media that Entrust was subjected to a ransomware attack, during which data was stolen from its systems. Then, the site that the LockBit hack group uses to “leak” data has a section dedicated to Entrust. The attackers said they were going to publish there all the information stolen from the company. Usually, such actions mean that the victim company has refused to negotiate with the extortionists or comply with their demands.

However, shortly after the publication of the data, the Tor site of the hackers went down, and the group reported that it had been subjected to a DDoS attack precisely because of the Entrust hack. The fact is that DDoS is accompanied by messages: “DELETE_ENTRUSTCOM_MOTHERFUCKERS”.

DDoS attacks and LockBit

As Bleeping Computer journalists now write, a group representative known as LockBitSupp announced that the group is back in operation with a more serious infrastructure, and now the data leak site is not afraid of DDoS attacks.

DDoS attacks and LockBit

Moreover, the hackers said they took this DDoS attack as an opportunity to learn triple extortion tactics that could be useful for them in the future. Indeed, with the help of DDoS attacks, can be put additional pressure on victims to pay a ransom (in addition to data encryption and threats to publish stolen information in the public domain).

I am looking for dudosers in the team, most likely now we will attack targets and engage in triple extortion: encryption + data leak + dudos, because I felt the power of dudos and how it invigorates and makes life more interesting.LockBitSup writes on a hacker forum.

LockBit also promised to distribute all the data stolen from Entrust via a 300 GB torrent so that “the whole world will know your secrets.” At the same time, a representative of the group promised that at first the hackers would share Entrust data privately with anyone who contacts them. Journalists note that over the weekend, LockBit has already released a torrent called “entrust.com”, containing 343 GB of information.

When it comes to protecting against DDoS attacks, one of the methods already implemented by hackers is the use of unique links in ransom notes. “The function of randomizing links in locker notes has already been implemented, each assembly of the locker will have a unique link that dudoser will not be able to recognize,” LockBitSupp says.

The hackers also announced an increase in the number of mirrors and backup servers, and also plan to increase the availability of stolen data by publishing it on the regular Internet and using “bulletproof” hosting for this.

The post The LockBit Group Is Taking on DDoS Attacks appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/ddos-attacks-and-lockbit/feed/ 0 10244
New RedAlert Ransomware Targets Windows and Linux VMware ESXi Servers https://gridinsoft.com/blogs/new-redalert-ransomware/ https://gridinsoft.com/blogs/new-redalert-ransomware/#respond Fri, 08 Jul 2022 07:13:59 +0000 https://gridinsoft.com/blogs/?p=9242 Researchers have discovered a new RedAlert (aka N13V) ransomware that encrypts Windows and Linux VMWare ESXi servers and targets corporate networks. MalwareHunterTeam, an information security expert, was the first to notice the new malware, posting screenshots from the group’s dark web site on Twitter. Let me remind you that we also wrote that Information Security… Continue reading New RedAlert Ransomware Targets Windows and Linux VMware ESXi Servers

The post New RedAlert Ransomware Targets Windows and Linux VMware ESXi Servers appeared first on Gridinsoft Blog.

]]>
Researchers have discovered a new RedAlert (aka N13V) ransomware that encrypts Windows and Linux VMWare ESXi servers and targets corporate networks.

MalwareHunterTeam, an information security expert, was the first to notice the new malware, posting screenshots from the group’s dark web site on Twitter.

Let me remind you that we also wrote that Information Security Experts Told About The Linux Malware Symbiote That Is Almost Undetectable.

The new ransomware was named RedAlert because of the string the hackers used in the ransom note.

The attackers themselves call their malware N13V, writes Bleeping Computer.

New RedAlert ransomware

New RedAlert ransomware

The Linux version of the ransomware is reportedly targeted at VMware ESXi servers and allows attackers to shut down any active virtual machines before encrypting files.

The researchers say that during file encryption, the ransomware uses the NTRUEncrypt algorithm, which supports different “option sets” that provide different levels of security. It is noted that in addition to RedAlert, this algorithm uses only the FiveHands encryptor.

Another interesting feature of RedAlert is the “-x” command line option, which is responsible for “testing the performance of asymmetric encryption” using various sets of options. It is not yet clear whether there is a way to force a certain parameter during encryption, or whether the ransomware chooses the most effective one on its own.

New RedAlert ransomware

During file encryption, the malware only targets files associated with VMware ESXi virtual machines, including log files, swap files, virtual disks, and so on: .log, .vmdk, .vmem, .vswp, and .vmsn. The malware adds the .crypt[number] extension to these files.

Like almost all new enterprise-targeting ransomware operations, RedAlert conducts double-extortion attacks, which is when data is stolen, and then ransomware is deployed to encrypt devices.Bleeping Computer researchers write.

The payment site that victims are sent to via a ransom note is broadly similar to other ransomware sites in that it displays a ransom note and allows negotiating with the attackers. At the same time, the hackers emphasize that they only accept Monero cryptocurrency for payment.

New RedAlert ransomware

Although experts only discovered a ransomware targeting Linux, there are hidden elements on the group’s website, judging by which decryptors for Windows also exist.

So far, the RedAlert website contains data of only one attacked organization, that is, the malware is just starting its “work”.

The post New RedAlert Ransomware Targets Windows and Linux VMware ESXi Servers appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/new-redalert-ransomware/feed/ 0 9242
AstraLocker Ransomware Operators Publish File Decryption Tools https://gridinsoft.com/blogs/astralocker-ransomware-operators/ https://gridinsoft.com/blogs/astralocker-ransomware-operators/#respond Wed, 06 Jul 2022 09:11:22 +0000 https://gridinsoft.com/blogs/?p=9179 AstraLocker ransomware operators have announced that the malware is ending its work and have uploaded data decryption tools to VirusTotal. The hackers say that they do not plan to return to ransomware in the future, but intend to switch to cryptojacking. The Bleeping Computer reports that it has already studied the archive published by the… Continue reading AstraLocker Ransomware Operators Publish File Decryption Tools

The post AstraLocker Ransomware Operators Publish File Decryption Tools appeared first on Gridinsoft Blog.

]]>
AstraLocker ransomware operators have announced that the malware is ending its work and have uploaded data decryption tools to VirusTotal. The hackers say that they do not plan to return to ransomware in the future, but intend to switch to cryptojacking.

The Bleeping Computer reports that it has already studied the archive published by the attackers and confirms that the decryptors are real and really help to decrypt the affected files.

Let me remind you that we also said that Free decryptor for BlackByte ransomware was published, and also that Cybersecurity specialists released a free decryptor for Lorenz ransomware.

Journalists note that they tested only one decryptor, which successfully decrypted files blocked during one of the AstraLocker campaigns. The other decryptors in the archive are apparently designed to decrypt files damaged during previous campaigns.

AstraLocker ransomware operators
Archive content

The journalists also managed to get a comment from one of the malware operators:

It was fun, but fun always ends. I close the whole operation, decryptors in ZIP files, clean. I’ll be back. I’m done with ransomware for now and I’m going to get into cryptojacking lol.

Although the malware developer did not say why AstraLocker suddenly stopped working, journalists believe that this may be due to recently published reports by security experts who studied the malware. This could bring AstraLocker to the attention of law enforcement.

Emsisoft, a company that helps ransomware victims recover data, is currently developing a universal decryptor for AstraLocker, which should be released in the near future.

What will we no longer see in the criminal world?

Threat intelligence firm ReversingLabs recently reported that AstraLocker used a somewhat unusual method of encrypting its victims’ devices compared to other strains of ransomware.

Instead of first compromising the device (hacking it or buying access from other attackers), the AstraLocker operator will directly deploy the payload from email attachments using malicious Microsoft Word documents.

The honeypots used in the AstroLocker attacks are documents that hide an OLE object with a ransomware payload that will be deployed after the target clicks “Run” in the warning dialog displayed when the document is opened.

Before encrypting files on a compromised device, the ransomware will check to see if it is running on a virtual machine, terminate processes, and stop backup and antivirus services that could interfere with the encryption process.

Based on analysis by ReversingLabs, AstraLocker is based on the leaked source code of Babuk Locker (Babyk) ransomware, a buggy yet still dangerous strain that came out in September 2021.

Also, one of the Monero wallet addresses in the AstraLocker ransom note was also linked to the operators of the Chaos ransomware.

The post AstraLocker Ransomware Operators Publish File Decryption Tools appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/astralocker-ransomware-operators/feed/ 0 9179
Hackers Launched LockBit 3.0 and Bug Bounty Ransomware https://gridinsoft.com/blogs/lockbit-3-0-and-bug-bounty/ https://gridinsoft.com/blogs/lockbit-3-0-and-bug-bounty/#respond Wed, 29 Jun 2022 06:44:08 +0000 https://gridinsoft.com/blogs/?p=9025 The LockBit ransomware group released the LockBit 3.0 malware, at the same time introduced its own bug bounty ransomware program, and also announced that it would accept ransoms in the Zcash cryptocurrency. Bleeping Computer recalls that LockBit appeared in 2019 and has since become one of the most active threats, accounting for about 40% of… Continue reading Hackers Launched LockBit 3.0 and Bug Bounty Ransomware

The post Hackers Launched LockBit 3.0 and Bug Bounty Ransomware appeared first on Gridinsoft Blog.

]]>
The LockBit ransomware group released the LockBit 3.0 malware, at the same time introduced its own bug bounty ransomware program, and also announced that it would accept ransoms in the Zcash cryptocurrency.

Bleeping Computer recalls that LockBit appeared in 2019 and has since become one of the most active threats, accounting for about 40% of all ransomware attacks in May 2022.

You might also be interested in: Conti vs. LockBit 2.0 – a Trend Micro Research in Brief.

Journalists say that over the weekend, the group released an updated version of its RaaS malware (LockBit 3.0), which hackers have been beta testing for the past few months. At the same time, it is noted that the new version of the malware has already been used in attacks.

Also, along with the release of a new version of the ransomware, the hackers also introduced their own bug bounty program.

We invite security researchers, all ethical and unethical hackers on the planet to participate in our vulnerability bounty program. The amount of rewards varies from $1,000 to $1 million.the hackers write.

LockBit 3.0 and bug bounty

It is easy to guess how exactly the hackers intend to use the vulnerabilities acquired in this way. In addition, the group offers rewards not only for bugs, but also for “brilliant ideas” to improve the work of their ransomware, as well as for doxing the head of their own affiliate program. The Hackers website lists the following categories of awards.

  1. Site errors: XSS vulnerabilities, MySQL injections, shells and more will be charged based on the severity of the error. The main vector is getting a decoder through bugs on the site, as well as gaining access to the history of correspondence with encrypted companies.
  2. Locker Errors: Any encryption errors resulting in file corruption or the ability to decrypt files without a decryptor.
  3. Brilliant Ideas: We pay for ideas. Please write how we can improve our website and software, the best ideas will be rewarded. What is interesting about our competitors that we do not have?
  4. Doxing: We will pay exactly one million dollars, no more and no less, for doxing the affiliate boss. It doesn’t matter if you are an FBI agent or a very smart hacker who knows how to find anyone, you can write to us on TOX messenger, tell us the name of the boss and get a million dollars in Bitcoin or Monero for it.
  5. Messenger TOX: vulnerabilities in the TOX messenger that allow intercepting correspondence, launching malware, determining the IP address of the interlocutor, and other interesting vulnerabilities.
  6. Tor network: any vulnerabilities that help get the IP address of the server where the onion site is installed, as well as gain root access to our servers and onion domains, followed by a database dump.

It should be noted that the proposal to dox the head of the LockBit affiliate program, known under the nickname LockBitSupp, as an experiment, appears not for the first time. For example, in April of this year, the group offered a million dollars to anyone on the XSS hacker forum who could recognize at least the first and last name of LockBitSupp.

LockBit 3.0 and bug bounty

Journalists also note that now on the site of the hack group, visitors are greeted by a gif with animated icons of the Monero and Bitcoin cryptocurrencies, which were previously accepted for paying ransoms. But now the logo of the Zcash cryptocurrency, which is known for its increased privacy, joined them.

LockBit 3.0 and bug bounty

Another innovation: a new ransomware model that will allow attackers to buy data stolen during attacks from LockBit. It has been noticed that one of the JavaScript files on the updated grouping site contains a modal dialog that will allow purchasing stolen data. Apparently, the data will be offered for purchase and download either through a torrent or directly through the site.

LockBit 3.0 and bug bounty

Since the LockBit 3.0 website has yet to release the details of the victims, it is not still clear how this innovation will work and whether it will be enabled anytime soon.

The post Hackers Launched LockBit 3.0 and Bug Bounty Ransomware appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/lockbit-3-0-and-bug-bounty/feed/ 0 9025
Information Security Specialists Discovered a 0-day Vulnerability in Windows Search https://gridinsoft.com/blogs/0-day-vulnerability-in-windows-search/ https://gridinsoft.com/blogs/0-day-vulnerability-in-windows-search/#respond Sat, 04 Jun 2022 12:24:21 +0000 https://gridinsoft.com/blogs/?p=8301 A new 0-day Windows Search vulnerability could be used to automatically open a search box and launch remote malware, which is easily done by simply opening a Word document. Bleeping Computer says the problem is serious because Windows supports the search-ms protocol URI handler, which allows apps and HTML links to run custom searches on… Continue reading Information Security Specialists Discovered a 0-day Vulnerability in Windows Search

The post Information Security Specialists Discovered a 0-day Vulnerability in Windows Search appeared first on Gridinsoft Blog.

]]>
A new 0-day Windows Search vulnerability could be used to automatically open a search box and launch remote malware, which is easily done by simply opening a Word document.

Bleeping Computer says the problem is serious because Windows supports the search-ms protocol URI handler, which allows apps and HTML links to run custom searches on the device. And while most searches will search on the local device, it’s also possible to force Windows Search to query file shares on remote hosts and use a custom title for the search box.

For example, Sysinternals allows remotely mounting live.sysinternals.com as a network share to run its utilities. Users can use the following search-ms URI to find this remote share and display only files that match a specific name: search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals

In this case, the crumb search-ms variable specifies the search location, and the displayname variable specifies the title. When executing this command from the Run dialog box or the browser address bar in Windows 7, Windows 10 and Windows 11, a custom search box will appear, as in the screenshot below. The header says “Searching Sysinternals” as specified in the search-ms URI.

0-day vulnerability in Windows Search

Hackers can use the same approach for attacks, where phishing emails masquerade as updates or patches that supposedly need to be installed urgently. Attackers can set up a remote Windows share that will be used to host malware disguised as security updates, and then use the search-ms URI in their attacks.

It would seem difficult to get the user to click on such a URL, especially given the warning that will be displayed in this case.

0-day vulnerability in Windows Search

However, Hacker House co-founder and security researcher Matthew Hickey has found a way to combine a newly discovered vulnerability in Microsoft Office with a search-ms handler to open a remote search window by simply opening a Word document.

Let me remind you that the discovery of 0-day Follina became known just a few days ago, although researchers first found this bug back in April 2022, but then Microsoft refused to acknowledge the problem. The vulnerability is now tracked as CVE-2022-30190 and is known to be exploitable through normal Word document opening or File Explorer preview, using malicious PowerShell commands through the Microsoft Diagnostic Tool (MSDT) to execute.

The bug affects all versions of Windows that receive security updates, including Windows 7 and later, as well as Server 2008 and later.

Matthew Hickey
Matthew Hickey

CVE-2022-30190 is known to allow Microsoft Office documents to be modified to bypass Protected View and run URI handlers without user interaction, which can lead to further handler abuse. Hickey discovered yesterday that it is possible to modify existing exploits for Microsoft Word MSDT to abuse search-ms instead.

The new PoC automatically runs the search-ms command when the user opens a Word document. The exploit opens a Windows Search window that lists executable files on a remote SMB share. This shared folder can be named whatever the hacker wants, such as “Critical Updates”, and will prompt users to install the malware under the guise of a patch.

As with the MSDT exploits, Hickey demonstrated that it was possible to create an RTF that would automatically open a Windows Search window while still previewing in Explorer.

While overall this exploit is not as dangerous as the MS-MSDT RCE vulnerability, it can also be useful to attackers who can use it in sophisticated phishing campaigns.Matthew Hickey said.

Bleeping Computer journalists note that events is the reminiscence of the situation with the PrintNightmare RCE vulnerability discovered and fixed in Print Spooler in 2021. At that time, Microsoft quickly fixed the original bug, but its discovery led to many other local privilege escalation vulnerabilities related to the original problem. Then Microsoft developers were forced to make radical changes to Windows Printing in order to finally get rid of this class of vulnerabilities as a whole.

Now Microsoft will probably have to make it impossible to run URI handlers in Microsoft Office without user interaction. Until that happens, there will be regular reports of new exploits being created.

The post Information Security Specialists Discovered a 0-day Vulnerability in Windows Search appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/0-day-vulnerability-in-windows-search/feed/ 0 8301
Google Has Disabled Some of the Global Cache Servers in Russia https://gridinsoft.com/blogs/google-global-cache-in-russia/ https://gridinsoft.com/blogs/google-global-cache-in-russia/#respond Fri, 27 May 2022 13:43:08 +0000 https://gridinsoft.com/blogs/?p=8138 Media reports say that Google is notifying ISPs in Russia that it is shutting down its Google Global Cache (GGC) servers, which speed up the loading of its services, including YouTube content. These changes are reported by RBC, citing two of its own sources in the telecommunications industry. Let me also remind you that we… Continue reading Google Has Disabled Some of the Global Cache Servers in Russia

The post Google Has Disabled Some of the Global Cache Servers in Russia appeared first on Gridinsoft Blog.

]]>
Media reports say that Google is notifying ISPs in Russia that it is shutting down its Google Global Cache (GGC) servers, which speed up the loading of its services, including YouTube content.

These changes are reported by RBC, citing two of its own sources in the telecommunications industry.

Let me also remind you that we wrote that DuckDuckGo downgraded Russian state media in search results, and also that Hacker groups split up: some of them support Russia, others Ukraine.

Also, Dmitry Galushko, head of the legal company Ordercom, announced GGC shutdowns in his Telegram channel. According to him, several telecom operators received notifications about the GGC shutdown, including the Orenburg provider Radio Svyaz (operating under the Focus Life brand). The latter received a letter from one of the Irish “subsidiaries” of GoogleRaiden Unlimited Company, which said that “due to changes in legal practice” the servers will be turned off and Google employees will contact the provider in the near future in order to decommission the equipment.

A representative of Radio Svyaz confirmed to reporters that these servers were turned off on May 19, and a notification came a few days later. The company does not know the reason for the outage.

According to one of RBC’s sources, the MIPT-Telecom provider received the same notification. In this notice, Google referred to the provider’s employees as “the MIPT team,” and the source linked the shutdown of the servers to the fact that the institute was on the sanctions list. MIPT confirmed that in March 2022, the MIPT-Telecom provider was unilaterally disconnected from Google Global Cache.

A representative of Rostelecom, the largest Russian Internet access operator, told RBC that the company “does not observe outages” of Google Global Cache servers. The representative of MTS, in turn, said that “the delivery of traffic from Google’s resources is carried out for MTS in the normal mode.” They do not see any changes in the operation of this equipment and in MegaFon.

Representatives of VimpelCom (Beeline brand), T2 RTK Holding (Tele2) and ER-Telecom Holding refused to provide comments.

RBC’s own source in one of the major Internet providers said that the bankruptcy of the Russian “daughter” of Google is in no way connected with the shutdown of caching servers.

This structure was not engaged in their service. This is a global service.he explained.

Another IT services expert added that in addition to YouTube, Google Global Cache hosts other Google services such as Google CAPTCHA.

If the operator is deprived of the ability to store this service on the Google server, users may start to have problems: the CAPTCHA may not load or be displayed as a failure.he predicts.

This, according to the expert, “theoretically could affect the prices for the Internet for users”, because the operators will have to compensate for the increased maintenance costs.

Google’s Global Cache reduces external traffic between 70% to 90%, depending on the content consumption patterns of the end-users of ISP operators.Bleeping Computer writes.

Google Global Cache in Russia
How Google’s caching servers work

The load on the network may also increase while the stability of the channels may decrease: if earlier there were many sources of content and it was possible to use the one that is closer, then in the event of a mass shutdown of servers, all traffic will fall on several foreign channels that may have less bandwidth reserve, there will be less resistant to DDoS attacks, and so on.

The post Google Has Disabled Some of the Global Cache Servers in Russia appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/google-global-cache-in-russia/feed/ 0 8138
The Conti Ransomware Ceases Operations and Breaks Up into Several Groups https://gridinsoft.com/blogs/conti-ceases-operations/ https://gridinsoft.com/blogs/conti-ceases-operations/#respond Tue, 24 May 2022 09:16:47 +0000 https://gridinsoft.com/blogs/?p=8002 Experts report that the Conti ransomware is going out of business, group ceases operations, its infrastructure is disabled, and the group’s leaders have said the brand already does not exist. One of the first to notice the change was Elisey Boguslavsky of Advanced Intel, who tweeted that the group’s internal infrastructure had been shut down.… Continue reading The Conti Ransomware Ceases Operations and Breaks Up into Several Groups

The post The Conti Ransomware Ceases Operations and Breaks Up into Several Groups appeared first on Gridinsoft Blog.

]]>
Experts report that the Conti ransomware is going out of business, group ceases operations, its infrastructure is disabled, and the group’s leaders have said the brand already does not exist.
Elisey Boguslavsky
Elisey Boguslavsky

One of the first to notice the change was Elisey Boguslavsky of Advanced Intel, who tweeted that the group’s internal infrastructure had been shut down. According to him, other internal services of the group, such as chat servers, are also being decommissioned.

Let me remind you that we wrote that Leaked Conti ransomware source codes were used to attack Russian authorities, as well as that Experts analyzed the conversations of Conti and Hive ransomware groups.

The publication Bleeping Computer writes that at the same time, the public site for leaks “Conti News”, as well as the site for negotiating ransoms, are still available, but Boguslavsky explained to reporters that the Tor administrative panels used by hackers to negotiate and publish news on the site are already disabled.

Although Conti recently carried out a high-profile attack on Costa Rica, Boguslavsky believes it was done as a distraction while Conti members slowly migrated to other, smaller extortion groups.

Conti ceases operations
Conti threatens the government of Costa Rica

The only goal that Conti wanted to achieve with the latest attack was to use the platform as a tool for advertising, arrange their own “death”, and then be reborn in the most plausible way.

The secret purpose of the attack on Costa Rica, which was proclaimed by the internal leadership of Conti, was publicity, not ransom. Internal correspondence between members of the group indicates that the ransom requested was well under $1 million (despite rumors that the group was asking for a $10 million ransom and Conti’s own claims that the ransom was $20 million).say Advanced Intel experts.

Although the Conti brand no longer exists, experts are confident that this crime syndicate will play an important role in the extortion industry for a long time to come. So, Boguslavsky believes that instead of the traditional rebranding for hack groups (and the subsequent transformation into a new grouping), Conti’s leadership is collaborating with other smaller ransomware groups to carry out attacks.

As part of this “partnership”, small hack groups receive an influx of experienced pentesters, negotiators and operators from among Conti members. And the Conti syndicate, dividing into smaller “cells” controlled by a single leadership, gets mobility and the ability to evade the attention of law enforcement agencies.

According to the researchers, in this way Conti cooperates with groups HelloKitty, AvosLocker, Hive, BlackCat, BlackByte and so on. Also, Advanced Intel believes that members of Conti have created a number of new and autonomous groups that are completely focused on stealing data, not encrypting it. These groups include Karakurt, BlackByte and Bazarcall.

The post The Conti Ransomware Ceases Operations and Breaks Up into Several Groups appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/conti-ceases-operations/feed/ 0 8002