Network security researchers have detailed the various measures ransomware operators take to conceal their true identity on the network, as well as the hosting location of their web server infrastructure.
“Most ransomware operators use hosting providers outside of their country of origin (such as Sweden, Germany, and Singapore) to host ransomware active sites,” said Paul Eubanks, a researcher at Cisco Talos. “They use VPS hop points as a proxy to conceal their real location when they connect to the ransomware web infrastructure for remote administration tasks.”
Also striking is the use of the Tor network and DNS proxy registration services to add an extra layer of anonymity to their illegal activities.
But by taking advantage of operational security blunders by the threat actors, along with other techniques, the cybersecurity company revealed last week that it was able to identify Tor hidden services hosted on public IP addresses, some of them previously unknown infrastructure associated with the DarkAngels, Snatch, Quantum, and Nokoyawa ransomware groups.
While ransomware groups are known to rely on the dark web to conceal their illegal activities, from leaking stolen data to negotiating payments with victims, Talos said it was able to identify “public IP addresses hosting the same threat actor infrastructure as the addresses in the dark web.”
“The methods we used to identify the public internet IPs involved matching threat actors’ [self-signed] TLS certificate serial numbers and indexed page elements on the public internet,” Eubanks indicated.
Besides TLS certificate matching, the second method used to discover an adversary’s clear web infrastructure entails checking the favicons associated with the darknet sites against the public internet using a web crawler like Shodan.
In the case of Nokoyawa, a new strain of Windows ransomware that emerged earlier this year and shares significant code similarities with Karma, the website hosted on the Tor hidden service was found to contain a directory traversal vulnerability that allowed the researchers to access the “/var/log/auth.log” file used to record user logins.
The findings demonstrate that not only are the attackers’ leak sites accessible to any user on the internet, other infrastructure components, including identifying server data, are exposed as well, making it possible to obtain the login locations used to manage the ransomware servers.
Further analysis of successful root user logins shows that they originated from two IP addresses, 5.230.29[.]12 and 176.119.0[.]195, the first of which belongs to GHOSTnet GmbH, a hosting provider offering Virtual Private Server (VPS) services.
“176.119.0[.]195, however, belongs to AS58271, listed under the name Tyatkova Oksana Valerievna,” Eubanks noted. “Maybe the operator forgot to use the Germany-based VPS for obfuscation and logged into a session with this web host directly from their physical location at 176.119.0[.]195.”
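The analysis above boils down to reading an OpenSSH `auth.log`, keeping only the accepted logins for a privileged account, and tallying the source addresses. The following script is an added illustration of that step for reviewing a server's own logs during incident response; it is not Talos's tooling or code from the page. The log lines are constructed in the standard syslog/sshd format, and the hostname, process IDs, ports and the 198.51.100.7 address are placeholders.

```python
import re
from collections import Counter

# Constructed sample of sshd lines in /var/log/auth.log format (not real log data).
# Two source addresses from the article appear as accepted root logins; the
# 198.51.100.7 address (documentation range) only produces failures.
SAMPLE_AUTH_LOG = """\
Jun 20 03:14:07 web01 sshd[2314]: Accepted password for root from 5.230.29.12 port 51522 ssh2
Jun 20 03:15:41 web01 sshd[2330]: Failed password for root from 198.51.100.7 port 40120 ssh2
Jun 20 03:16:02 web01 sshd[2331]: Failed password for invalid user admin from 198.51.100.7 port 40121 ssh2
Jun 21 11:02:55 web01 sshd[4870]: Accepted publickey for root from 176.119.0.195 port 60110 ssh2: RSA SHA256:constructedFingerprint
Jun 21 11:03:10 web01 sshd[4871]: Accepted password for deploy from 5.230.29.12 port 51610 ssh2
Jun 22 09:45:19 web01 sshd[6012]: Accepted password for root from 5.230.29.12 port 52001 ssh2
"""

# Matches the "Accepted <method> for <user> from <ip> port <n>" lines sshd writes
# on a successful authentication. Failed attempts use "Failed ..." and are skipped.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F:.]+) port \d+"
)


def successful_logins(log_text, user="root"):
    """Return (timestamp, auth method, source ip) for each accepted login as `user`."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m and m.group("user") == user:
            hits.append((m.group("ts"), m.group("method"), m.group("ip")))
    return hits


def source_ip_counts(log_text, user="root"):
    """Count how often each source address successfully logged in as `user`."""
    return Counter(ip for _, _, ip in successful_logins(log_text, user))


def defang(ip):
    """Render an IPv4 address the way reports do (last dot bracketed), so it
    cannot be clicked or auto-linked when pasted into a write-up."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


def report(log_text, user="root"):
    """Defanged address -> number of accepted logins, most frequent first."""
    counts = source_ip_counts(log_text, user)
    return {defang(ip): n for ip, n in counts.most_common()}


if __name__ == "__main__":
    for ip, n in report(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {n} successful root login(s)")
```

Run against a real `auth.log` (or the rotated `auth.log.1` and gzip copies), the `report` output is the list of addresses worth checking against the hosting provider and ASN records, exactly the pivot the article describes; anything that is not an expected management address is a finding.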
LockBit adds bug bounty program to its improved RaaS operation
The development comes as operators of the emerging Black Basta ransomware expand their offensive arsenal by using QakBot for initial access and lateral movement, while also taking advantage of the PrintNightmare vulnerability (CVE-2021-34527) to perform privileged file operations.
Furthermore, the LockBit ransomware gang last week announced the release of LockBit 3.0 with the message “Make Ransomware Great Again!,” in addition to launching its own bug bounty program, which offers rewards ranging from 1,000 to 1 million dollars for identifying security flaws and for “great ideas” to improve its software.
“The release of LockBit 3.0 with the introduction of a bug bounty program is an official invitation to cybercriminals to help support the team in its quest to maintain its lead,” Satnam Narang, senior staff research engineer at Tenable, told The Hacker News.
“The main focus of the bug bounty program is on defenses: preventing security researchers and law enforcement from finding bugs in its leak sites or ransomware, identifying how members, including the affiliate program owners, could be exposed, as well as finding bugs in the messaging software used by the group for internal communications and the Tor network itself.”
“Whether threats are ignored or identified, the signal is that law enforcement efforts are clearly a major concern for groups like LockBit. Ultimately, the group is planning to offer Zcash as a payment option, which is significant, as Zcash is harder to trace than Bitcoin, making it harder for researchers to track the group’s activity.”