REvil Ransomware Mastermind Sentenced to Over 13 Years in Historic Cybercrime Case
Yaroslav Vasinskyi, a Ukrainian national, was sentenced to 13 years and seven months in prison for his role in the REvil ransomware operation. He must also pay $16 million in restitution. Vasinskyi was involved in over 2,500 ransomware attacks that collectively demanded more than $700 million. His crimes included hacking computers worldwide, encrypting them, and threatening to leak stolen data unless a ransom was paid.
Nicole M. Argentieri, head of the Justice Department’s Criminal Division, stated, “Yaroslav Vasinskyi and his co-conspirators hacked into thousands of computers around the world and encrypted them with ransomware, then they demanded over $700 million in ransom payments and threatened to publicly disclose victims’ data if they refused to pay.”
Vasinskyi was arrested in October 2021 as he attempted to enter Poland. He faced charges including conspiracy to commit fraud and money laundering. His arrest was linked to the significant Kaseya supply-chain attack, which compromised over 1,500 companies globally through a zero-day flaw in Kaseya VSA software.
In March 2022, Vasinskyi was extradited to the United States, where he pleaded guilty to an 11-count indictment. Although he faced a potential maximum sentence of 115 years, he received just under 14 years. The case highlights significant actions by U.S. law enforcement in tackling international cybercrime and the eventual dismantling of the REvil ransomware operation.
Read: https://www.bleepingcomputer.com/news/security/revil-hacker-behind-kaseya-ransomware-attack-gets-13-years-in-prison/
Severe WordPress Plugin Vulnerability Exploited: Millions of Sites at Risk, Mal.Metrica Scam Unveiled
A severe flaw in the LiteSpeed Cache plugin for WordPress, known as CVE-2023-40000, is being actively exploited. Threat actors are creating unauthorized admin accounts on vulnerable websites. The vulnerability, disclosed by Patchstack in February 2024, was fixed in October 2023 with the release of version 5.7.0.1. However, older versions of the plugin remain active on 16.8% of all websites, leaving them at risk.
The exploit allows threat actors to gain full control over the website, enabling them to inject malware or install malicious plugins. The malware typically injects JavaScript code into WordPress files from domains like dns.startservicefounds[.]com and api.startservicefounds[.]com. Users are advised to apply the latest fixes, review all installed plugins, and delete any suspicious files and folders.
In related news, Sucuri revealed a redirect scam campaign called Mal.Metrica that uses fake CAPTCHA verification prompts on infected WordPress sites to redirect users to fraudulent sites. These sites aim to download sketchy software or trick victims into providing personal information under the pretense of receiving rewards. As many as 17,449 websites have been compromised with Mal.Metrica so far in 2024. WordPress website owners are advised to enable automatic updates for core files, plugins, and themes. Regular web users should be wary of clicking on links that seem out of place or suspicious.
Read: https://thehackernews.com/2024/05/hackers-exploiting-litespeed-cache-bug.html
Unmasking the Hidden Vulnerabilities in VPN Security on Untrusted Networks
A security flaw in virtual private networks (VPNs) has been identified by Leviathan Security researchers Lizzie Moratti and Dani Cronce. Their study reveals that VPNs may not be secure when used on untrusted networks because of how devices connect to those networks. The flaw involves abusing DHCP option 121 to redirect VPN traffic to a rogue server, allowing attackers to monitor and manipulate traffic.
Bill Woodcock, executive director at Packet Clearing House, notes that this behaviour has been in the DHCP standards since 2002 but has only now been recognized as a serious threat to VPN security. The issue is particularly alarming for individuals who might be targets of spear-phishing attacks, including high-net-worth individuals or those in sensitive positions.
Leviathan suggests several mitigation strategies to counter this threat. These include using VPNs on Android devices, which ignore DHCP option 121, and setting up VPNs inside a virtual machine. They also recommend using a password-protected mobile hotspot, which secures the network against unauthorized access.
Ultimately, the researchers warn that VPNs cannot ensure complete security on local networks and are designed primarily to secure data transmitted over the internet. This revelation challenges the widespread belief in the absolute security of VPNs.
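As an added example that is not from the article or from Leviathan's research, the following Python decodes the payload of DHCP option 121 (RFC 3442 classless static routes) as a VPN client or a network monitor might see it in a DHCP offer, and flags any route that would carry traffic to a LAN gateway instead of through the tunnel. The sample payload, subnet and gateway addresses are constructed.

```python
import ipaddress

# Constructed option 121 payload: a default route, the LAN's own subnet, and a
# 0.0.0.0/1 + 128.0.0.0/1 pair pointing at a second (hypothetical) LAN gateway.
SAMPLE_OPTION_121 = bytes.fromhex(
    "00" "c0a80101"              # 0.0.0.0/0      via 192.168.1.1
    "18" "c0a801" "c0a80101"     # 192.168.1.0/24 via 192.168.1.1
    "01" "00" "c0a801fe"         # 0.0.0.0/1      via 192.168.1.254
    "01" "80" "c0a801fe"         # 128.0.0.0/1    via 192.168.1.254
)

def parse_option_121(payload: bytes):
    """Return [(network, gateway), ...] from an option 121 value.

    RFC 3442 encodes each route as one prefix-length byte, then only the
    significant octets of the destination (ceil(prefix/8) bytes), then a
    4-byte router address. Malformed input raises ValueError.
    """
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        nbytes = (plen + 7) // 8
        i += 1
        if i + nbytes + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = payload[i:i + nbytes] + b"\x00" * (4 - nbytes)  # zero-pad to 4 octets
        gw = payload[i + nbytes:i + nbytes + 4]
        i += nbytes + 4
        # strict=False tolerates stray host bits inside the significant octets
        routes.append((ipaddress.ip_network((dest, plen), strict=False),
                       ipaddress.ip_address(gw)))
    return routes

def routes_bypassing_vpn(routes, local_subnet: str):
    """Routes that divert non-LAN destinations to a DHCP-supplied gateway.

    A typical VPN client installs 0.0.0.0/1 and 128.0.0.0/1 through the tunnel
    and leaves the DHCP default route (/0) in place. Any route from the LAN DHCP
    server that is at least as specific as those and not inside the LAN itself
    wins in the routing table, so that traffic leaves the host in cleartext.
    """
    lan = ipaddress.ip_network(local_subnet)
    return [(n, g) for n, g in routes
            if n.prefixlen > 0 and not n.subnet_of(lan)]
```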
Read: https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/
Chinese Hackers Breach MITRE with Advanced Cyber Attack Tools
Chinese hackers infiltrated MITRE Corporation, known for its ATT&CK framework, using multiple backdoors and web shells. The breach occurred late last year through zero-day vulnerabilities in Ivanti Connect Secure software. It was part of an ongoing attack from New Year’s Eve through mid-March, impacting MITRE’s unclassified network, NERVE.
On May 3, MITRE disclosed details about five specific payloads used in the attack. These included the “Rootrot” web shell, which embedded itself into a legitimate Ivanti file, enabling reconnaissance and lateral movement. This tool was linked to the Chinese advanced persistent threat group UNC5221. Other tools like the Python-based “Wirefire” and the Perl-based “Bushwalk” web shell were used for uploading files and executing commands.
MITRE also identified a previously undocumented web shell, “Beeflush,” notable for its ability to read and encrypt web traffic. Despite the breach, MITRE emphasized the importance of secure by design principles, zero trust, and continuous authentication policies.
Callie Guenther, a cyber threat research manager, commented on the breach, “Their own susceptibility to cyberattacks does not necessarily undermine their credibility or the value of the ATT&CK framework. The reality is this situation highlights the need for continued vigilance, improvement, and adaptation in cybersecurity measures, even among leading organizations.”
Read: https://www.darkreading.com/cloud-security/chinese-hackers-deployed-backdoor-quintet-to-down-mitre
TikTok Takes Legal Stand Against US Ban Threatening Free Speech and Operations
TikTok, alongside its parent company ByteDance, is legally contesting a new U.S. law endorsed by President Joe Biden that could shut down its operations in the U.S. The legislation, effective from April 24, demands ByteDance to either sell TikTok by January 19 or cease its U.S. operations. The lawsuit, filed in the US Court of Appeals for the District of Columbia, alleges that this law violates constitutional rights including the First Amendment’s protection of free speech.
The suit claims, “Divestiture is unfeasible — not commercially, not technologically, not legally,” highlighting the impracticality of selling TikTok’s U.S. operations within the given timeframe. TikTok argues that the law is discriminatory as it uniquely targets one platform, affecting 170 million American users. They argue it infringes on free speech by selectively targeting TikTok based on its ownership and content, without substantial evidence of a national security threat.
TikTok also points out less restrictive security measures they proposed, known as “Project Texas,” which the U.S. government ignored. Critics of the law see it as an infringement on First Amendment rights and an overreach of government power, while supporters cite national security concerns.
This ongoing legal battle underscores significant themes at the intersection of technology, privacy, and national security, potentially setting a precedent for how digital media is regulated in the U.S. TikTok has already invested $2 billion in data protection, engaging in extensive discussions with U.S. regulators that have now stalled, leading to this high-stakes lawsuit.
Read: https://reclaimthenet.org/tiktok-fights-back-against-ban
Elsewhere Online:
Intel CPUs Vulnerable to Data and Encryption Key Leaks via ‘Pathfinder’ Attack
Read: https://thehackernews.com/2024/05/new-spectre-style-pathfinder-attack.html
Akamai Expands Portfolio with $450 Million Noname Acquisition
Read: https://www.helpnetsecurity.com/2024/05/07/akamai-noname-acquisition/
Six Austrians Nabbed in Major Crypto Scheme Worth Millions
Read: https://www.infosecurity-magazine.com/news/six-arrested-million-euro-crypto/
Newly Found Code Execution Vulnerability Targets R Language
Read: https://latesthackingnews.com/2024/05/07/code-execution-vulnerability-found-in-r-language/
Bold Scammers Operate Openly Without Fear
Read: https://arstechnica.com/security/2024/05/these-dangerous-scammers-dont-even-bother-to-hide-their-crimes/
Previously on #AxisOfEasy
The quote is probably from Robert Heinlein, specifically from his novel “Glory Road”. I think it’s the brother of the Empress talking to the heroic main character. I read it a long, long time ago.
Isn’t it Henrik Ibsen? Or is it misattributed to him?
Our world-famous Norwegian author Henrik Ibsen.