Flair Data Systems Cybersecurity News Update 5-8-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 5/8/2024...


I hope your week is going well so far. For some, it’s been smooth sailing, while others are juggling new projects and the usual daily grind. Speaking of high-stakes scenarios, the US has placed a $10 million bounty on the head of the LockBit creator (details in the article below). Imagine the mixed emotions that must bring! It’s fascinating how anonymity online can give people a sense of invincibility. But once your real identity is exposed, that sense of security vanishes and the reality of a bounty on your head sets in. 


In the US, $10 million is a significant amount, but in other parts of the world its value is even greater. One has to wonder how this revelation affects the trust and relationships the LockBit creator has with those around him. 


Now, let's dive into this week's cybersecurity news update.... 

 

US indicts LockBit ransomware ringleader 

 

Dmitry Yuryevich Khoroshev, a 31-year-old Russian national, has been indicted by the DOJ for developing and administering the LockBit ransomware operation; the indictment identifies him as the persona known online as LockBitSupp 

  • Artur Sungatov and Ivan Kondratyev have also been charged for deploying LockBit against victims in the US 
  • Khoroshev faces 26 charges and up to 185 years in prison, and the State Department is offering a reward of up to $10 million for information that helps law enforcement apprehend him 

Link (1): https://www.theverge.com/2024/5/7/24151493/us-lockbit-ransomware-ringleader-indictment-reward 

 

LastPass spins off from GoTo 

 

LastPass has announced that it has completed its separation from its parent company, GoTo, a process first announced in December 2021 

  • The new holding company is LMI Parent, a shareholder holding company 
  • CEO Karim Toubba stays at the helm under the new structure 

Link  (1): https://www.theverge.com/2024/5/1/24146205/lastpass-independent-company-security-breaches 

 

Goldoon botnet exploits D-Link routers 

 

A new botnet, dubbed Goldoon by Fortinet researchers, has been observed exploiting a decade-old vulnerability in unpatched D-Link routers 

  • CVE-2015-2051 - an unauthenticated remote command execution flaw in the HNAP interface of the D-Link DIR-645 that lets an attacker run commands on a vulnerable device with low attack complexity; routers this old that can no longer receive firmware should be replaced rather than left online 
  • Exploitation activity spiked in April, roughly doubling in frequency 

Link (1): https://therecord.media/goldoon-botnet-unpatched-dlink-routers 

 

Dropbox discloses breach of digital signature service 

 

Dropbox Sign (formerly HelloSign) has announced a breach in which a threat actor was able to access customer information 

  • Dropbox's investigation indicates that only the Dropbox Sign infrastructure was affected, not the other Dropbox products 
  • Data exposed included email addresses, usernames, phone numbers and hashed passwords, along with general account settings and certain authentication information (API keys, OAuth tokens and multi-factor authentication details) 
  • For people who received or signed a Dropbox Sign document but never created an account, names and email addresses were also exposed 
  • For accounts that sign in through Google, no password was stored, so none was exposed 
  • Currently there is no evidence that the threat actor accessed the contents of customer accounts (documents or agreements) or payment information 
  • Action for customers: rotate any Dropbox Sign API keys and OAuth tokens and re-enroll authenticator-app MFA, since those secrets were in scope 

Link (1): https://sign.dropbox.com/blog/a-recent-security-incident-involving-dropbox-sign 

 

Cybersecurity consultant arrested after allegedly extorting IT firm 

 

Vincent Cannady, 57, was placed by a staffing company to assess and remediate potential vulnerabilities at a New York-based multinational IT infrastructure services provider 

  • On June 23, 2023, he was terminated for performance reasons 
  • Cannady allegedly used a company-issued laptop to download proprietary and confidential documents, including architectural maps, trade secrets and a list of potential vulnerabilities, to which he still had access after being terminated (a reminder that offboarding must revoke credentials and recover devices the same day, not after) 
  • He threatened to publicly disclose the information unless the company paid him up to $1.5 million to settle what he claimed were grievances over his termination 
  • This one hit home. As security professionals, we are trusted advisors to the organizations we support, and yet people are going to be just that... people.  I completely disagree with everything this individual did, and to an executive or outsider looking in it paints a horrible picture of our industry 

Link (1): https://www.bleepingcomputer.com/news/legal/cybersecurity-consultant-arrested-after-allegedly-extorting-it-firm/ 

 

Buffer Overflow Vulnerabilities in ArubaOS (critical 9.8 rating) 

 

A temporary workaround is available until patches can be applied: for ArubaOS 8.x, HPE Aruba's advisory says to enable the Enhanced PAPI Security feature with a non-default key. 

  • CVE-2024-26305: Unauthenticated buffer overflow in ArubaOS' utility daemon 
  • CVE-2024-26304: Unauthenticated buffer overflow in ArubaOS' L2/L3 management service 
  • CVE-2024-33511: Unauthenticated buffer overflow in ArubaOS' automatic reporting service 
  • CVE-2024-33512: Unauthenticated buffer overflow in ArubaOS' local user authentication database 
  • No public PoC has been released yet, but all four flaws are reachable by sending crafted packets to Aruba's PAPI UDP port 8211, so that port should never be exposed beyond the management network 
  • Aruba Mobility Conductors, Mobility Controllers, and WLAN and SD-WAN gateways are all affected 

Link (1): https://www.arubanetworks.com/support-services/security-bulletins/ 

Link (2): https://www.theregister.com/2024/05/02/hpe_aruba_patches/ 

 

Feds warn about North Korean exploitation of improperly configured DMARC 

 

The FBI, NSA and State Department published a joint advisory last week warning that North Korean (Kimsuky) actors are exploiting improperly configured DNS DMARC record policies 

  • DMARC, now a decade old, is used by mail platforms to authenticate messages and reduce domain spoofing; the weak setting is a policy of p=none, which only monitors and tells receiving servers nothing about rejecting mail that fails authentication 
  • North Korean hackers have been abusing weak DMARC configurations to make their emails appear to come from a legitimate domain's mail exchange, allowing them to masquerade as experts or academics with credible links to North Korean policy circles 
  • This is a reminder that when you create a control, implement it fully. There are times to allow for testing, but a follow-up to finalize the control is necessary. This is something we all know, but we have a tendency to get busy chasing squirrels, and circling back gets delayed or forgotten until it's too late 

Link (1): https://therecord.media/north-korea-kimsuky-hackers-dmarc-emails 
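As an added example (not code from the advisory, The Record, or Flair Data Systems), here is a small checker that parses a DMARC TXT record and reports the misconfigurations above: no record, a monitor-only p=none policy, a partial pct= rollout, a weaker subdomain policy, and no reporting address. The sample records and domains are constructed; a real audit would fetch _dmarc.<domain> with `dig TXT _dmarc.example.com` and feed the result in.

```python
"""Audit DMARC TXT records for the weak settings abused in the Kimsuky campaign.

Constructed example; record semantics follow RFC 7489 (p=, sp=, pct=, rua=).
"""

# Constructed sample records keyed by domain. None = no _dmarc TXT record published.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example":      "v=DMARC1; p=reject; pct=25",
    "missing.example":      None,
    "hardened.example":     "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hardened.example",
}

ENFORCING = ("quarantine", "reject")   # policies that actually stop spoofed mail


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return (enforced, findings). enforced is True only when spoofed mail is
    rejected or quarantined for the domain and its subdomains, 100% of the time."""
    if record is None:
        return False, ["no _dmarc TXT record: receivers have no policy and deliver spoofed mail as usual"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["missing or wrong v= tag: receivers ignore the record entirely"]

    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or '(missing)'}: monitor-only, spoofed mail is still delivered")

    # pct defaults to 100; anything lower means only a sample of failing mail gets the policy.
    pct = None
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        findings.append(f"pct={tags['pct']!r} is not a number; treat the rollout as incomplete")
    if pct is not None and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing messages")

    # sp defaults to p; an explicit weaker sp leaves hr.<domain>, mail.<domain> etc. spoofable.
    subpolicy = tags.get("sp", policy).lower()
    if subpolicy not in ENFORCING:
        findings.append(f"sp={subpolicy or '(missing)'}: subdomains remain spoofable")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing attempts go nowhere")

    enforced = policy in ENFORCING and subpolicy in ENFORCING and pct == 100
    return enforced, findings


def audit(records):
    """Map each domain to whether its DMARC policy is actually enforcing."""
    return {domain: evaluate_dmarc(record)[0] for domain, record in records.items()}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        enforced, findings = evaluate_dmarc(record)
        print(f"{domain}: {'ENFORCED' if enforced else 'WEAK'}")
        for finding in findings:
            print(f"    - {finding}")
```

Note that a missing rua= address is reported but does not by itself make the policy weak; it just means nobody will see the aggregate reports that show the spoofing attempts the advisory describes.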

 

DHCP-based VPN routing leaks (TunnelVision) 

 

CVE-2024-3661 (dubbed TunnelVision by Leviathan Security): By design, the DHCP protocol does not authenticate messages, including for example the classless static route option (121). An attacker with the ability to send DHCP messages can manipulate routes to redirect VPN traffic, allowing the attacker to read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN. Many, if not most, VPN systems based on IP routing are susceptible to such attacks. 

  • Mitigations exist, but it will take time for vendors to update their VPN clients and for users to apply workarounds 
  • The Leviathan Security write-up linked below includes a proof of concept showing how this works 

Link (1): https://www.leviathansecurity.com/blog/tunnelvision 
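As an added example (not code from Leviathan's write-up or from this page), here is a decoder for the option 121 wire format described above, plus the longest-prefix-match check that explains why the pushed routes win: a route from the hostile DHCP server that is at least as specific as the VPN's tunnel route captures that traffic on the physical interface. The DHCPACK bytes, the gateway 192.168.1.1 and the 0.0.0.0/1 + 128.0.0.0/1 tunnel routes are all constructed assumptions about a typical full-tunnel client.

```python
"""Decode DHCP option 121 (classless static routes, RFC 3442) and flag routes
that would steer traffic around a VPN tunnel, as in TunnelVision (CVE-2024-3661).

Constructed example; nothing here is captured from a real network.
"""

from ipaddress import IPv4Address, IPv4Network

OPT_CLASSLESS_STATIC_ROUTE = 121

# Constructed DHCPACK options field (the bytes after the magic cookie) as a hostile
# DHCP server at 192.168.1.1 might send it. Every byte is annotated.
SAMPLE_DHCP_ACK_OPTIONS = bytes([
    53, 1, 5,                                  # option 53: DHCP message type = ACK
    1, 4, 255, 255, 255, 0,                    # option 1: subnet mask 255.255.255.0
    3, 4, 192, 168, 1, 1,                      # option 3: router 192.168.1.1
    121, 25,                                   # option 121: classless static routes, 25 bytes
        1, 0x00,         192, 168, 1, 1,       #   0.0.0.0/1      via 192.168.1.1
        1, 0x80,         192, 168, 1, 1,       #   128.0.0.0/1    via 192.168.1.1
        24, 203, 0, 113, 192, 168, 1, 1,       #   203.0.113.0/24 via 192.168.1.1
        0,               192, 168, 1, 1,       #   0.0.0.0/0      via 192.168.1.1 (too wide to win)
    255,                                       # end option
])

# Assumed VPN client routes: the common pair of /1 routes that "redirects everything"
# into the tunnel by being more specific than the LAN's 0.0.0.0/0 default route.
TUNNEL_PREFIXES = [IPv4Network("0.0.0.0/1"), IPv4Network("128.0.0.0/1")]


def parse_dhcp_options(blob):
    """Return {code: value_bytes}. Pad (0) is skipped, end (255) stops the scan."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts


def decode_option_121(data):
    """Decode RFC 3442 entries: 1 byte prefix length, ceil(len/8) significant
    destination octets, then 4 router octets. Returns [(IPv4Network, IPv4Address)]."""
    routes = []
    i = 0
    while i < len(data):
        width = data[i]
        if width > 32:
            raise ValueError("bad prefix length %d" % width)
        n = (width + 7) // 8
        entry = data[i + 1:i + 1 + n + 4]
        if len(entry) != n + 4:
            raise ValueError("truncated route entry")
        dest = entry[:n] + b"\x00" * (4 - n)     # pad significant octets back to 4
        router = IPv4Address(entry[n:])
        # strict=False: decode whatever the server sent, even sloppy host bits
        routes.append((IPv4Network((dest, width), strict=False), router))
        i += 1 + n + 4
    return routes


def find_vpn_leaks(options_blob, tunnel_prefixes):
    """Return (pushed_net, via, tunnel_net) for every option 121 route that is equal
    to or more specific than a tunnel route covering the same destinations.
    Longest prefix match sends that traffic out the physical interface; an
    equal-length route ties and falls back to metrics the attacker does not
    control, which on many clients still favours the DHCP-installed route."""
    opts = parse_dhcp_options(options_blob)
    if OPT_CLASSLESS_STATIC_ROUTE not in opts:
        return []
    leaks = []
    for net, via in decode_option_121(opts[OPT_CLASSLESS_STATIC_ROUTE]):
        for tunnel in tunnel_prefixes:
            if net.subnet_of(tunnel):            # equal or more specific than the tunnel route
                leaks.append((net, via, tunnel))
                break
    return leaks


if __name__ == "__main__":
    for net, via, tunnel in find_vpn_leaks(SAMPLE_DHCP_ACK_OPTIONS, TUNNEL_PREFIXES):
        print(f"LEAK: {net} via {via} bypasses tunnel route {tunnel}")
```

The wide 0.0.0.0/0 entry is decoded but not flagged, because the VPN's /1 routes are more specific and still win; the two /1 entries and the /24 are exactly the shape of route the attack relies on. Inspecting DHCP leases this way on an untrusted network is a detection aid only; the workarounds discussed in the Leviathan write-up are about ignoring or isolating option 121 routes, not about spotting them after the fact.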

 

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 



About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business.  With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field, spanning Telecom, Network, Wireless and Infrastructure, eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program. 

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S.  We are a trusted cyber security solutions company in Dallas, TX. 

