The LockBit ransomware leader unmasked and sanctioned. The UK accuses China of hacking the Ministry of Defence network. A new TunnelVision attack can leak VPN traffic. And Microsoft teases a new secure DNS client. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 8th of May, and this podcast episode is brought to you by Thinkst, the makers of the much-loved Thinkst Canary.
In today's top story, law enforcement agencies have doxed, charged and sanctioned the alleged administrator of the LockBit ransomware gang. Officials have identified LockBitSupp as a 31-year-old Russian national named Dmitry Yuryevich Khoroshev from the city of Voronezh.
US officials say Khoroshev made over $100 million from LockBit ransom payments. The sum is a fifth of the payments to the gang since it started in September of 2019. Besides criminal charges, Khoroshev was also sanctioned in Australia, the UK and the US. The UK National Crime Agency says it's now working to identify all the affiliates who worked for LockBit and Khoroshev.
In other news, the UK government says that a foreign threat actor hacked a payroll system for the Ministry of Defence. The hackers stole the personal data of 272,000 current and former military personnel. Officials blamed the hack on a contractor's failure to maintain the payroll system, but said the incident won't impact monthly salary payments.
UK media linked the breach to a Chinese state-sponsored group. Privately, officials fear China will use the stolen data to identify MOD employees with financial problems and use them for intelligence operations. The US and UK governments imposed sanctions on Chinese group APT31 at the end of March for hacking members of parliament and the UK Electoral Commission, although it's unclear which group is behind this new breach.
The MITRE Corporation has linked its recent security breach to a Chinese APT known as UNC5221. This is the same APT group that found and exploited an Ivanti Connect Secure zero-day at the end of last year. MITRE says the group breached its R&D network in December of last year, two weeks before the group's hacking spree came to light. The company says the group used unique malware that was not seen in other intrusions.
The DHS and CISA have added four new members to the Cyber Safety Review Board. Former CISA Director Chris Krebs and NSA Cyber Security Director David Luber are part of a group replacing four outgoing members. Ten past members are returning to their roles. DHS Under-Secretary for Policy Robert Silvers will remain as Chair, while Heather Adkins, Vice President for Security Engineering at Google, will return as Deputy Chair.
US Cyber Command has appointed Morgan Adamski as its new Executive Director. She previously served as Director of the NSA Cyber Security Collaboration Centre. Adamski will assume her new position in early June 2024. The Executive Director position is the third highest role at Cyber Command.
The FBI warns that a financially motivated threat actor named Storm-0539 is targeting the gift card departments of US retail corporations. The group uses phishing and smishing to gain access to internal networks and create fraudulent gift cards. Microsoft first spotted the group last December; the group has the ability to bypass MFA protections.
A pro-Kremlin hacktivist group linked to the Russian military is targeting Moldovan government sites with DDoS attacks. According to Netscout, the attacks have hit more than 50 government sites since the start of March. The campaign is the work of NoName057(16), a group previously linked to the Russian military. Moldovan officials have said the DDoS attacks are part of Russia's hybrid warfare campaign meant to destabilise its government.
Previous elements of the campaign involved attempted coups, assassinations, leaks and info ops. Netscout says NoName057(16) is currently the most active geopolitical hacktivist group.
Russian security firm F.A.C.C.T. has discovered a new ransomware gang named Morlock. The group launched this year and has carried out attacks against at least nine Russian companies so far. Morlock intrusions were linked to stolen credentials and exploitation of known vulnerabilities. The gang's ransomware is based on leaked versions of the Babuk and LockBit code. F.A.C.C.T. says Morlock members appear to be based in Ukraine.
The number of victims who paid ransomware gangs fell by 46% last year, despite a 70% increase in the number of victims. Blockchain analysis firm Chainalysis says the trend suggests that ransomware is getting easier to deploy but harder to monetize and profit from. The company's observations line up with a similar Coveware report, which reported paid ransoms in only 28% of incident response cases in the first three months of 2024.
A threat actor has hacked the GNUS.AI cryptocurrency project. The attacker hacked the project's Discord, stole a private key, minted new tokens and then sold them for $1.27 million profit. GNUS.AI has launched a token buyback scheme to reimburse impacted users.
HN Security researcher Marco Ivaldi has discovered 10 vulnerabilities in the RIOT open source real-time operating system. The researcher discovered all the bugs during a short 16-hour security audit in January this year. RIOT OS has released patches for all bugs over the past few weeks. The project says it will also review why its security team took weeks to respond to Ivaldi's reports.
Attackers can use the DHCP server to modify users' routing and send traffic meant for the VPN via the normal network. This bypasses VPN encapsulation and allows threat actors to intercept and track the victim's traffic.
And finally, Microsoft has announced a new Windows feature designed to improve the security of DNS connections in corporate environments. The feature is called Zero Trust DNS. It uses a firewall to permit outbound traffic only to destinations that were identified by a verified DNS lookup. ZTDNS is currently in private preview and is expected to ship with Windows 11 in the future.
And that is all for this podcast edition. Today's show was brought to you by our sponsor, Thinkst, the makers of the much-loved Thinkst Canary. Find them at canary.tools. Thanks for your company.