Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Vastaamo Suspect Arrested in France

Regular readers will be familiar with the privacy breach which occurred at Finnish psychotherapy provider Vastaamo in September 2020. The company was infected by ransomware which encrypted their patient records and held them ransom (AFP, 2020). When the company CEO refused to negotiate with the attackers, they responded by releasing sensitive patient records on a Tor network server, and then turned to extorting payments from the patients themselves. It appears that the company's software was only minimally secured and did not comply with Finland's regulations for healthcare records systems. The CEO was terminated and the company subsequently liquidated (Ralston, 2021).

Now comes news (Krebs, 2023) that, following the issue of an arrest warrant in October 2022 for the offences of 1 ) Aggravated computer break-in, offence 2) Aggravated extortion, attempt 3) Aggravated dissemination of information violating personal privacy 4) Extortion 5) Attempt of an extortion 6) Computer break-in 7) Message interception and 8) Falsification of evidence, a suspect has been detained in France.

Aleksanteri Tomminpoika Kivimäki, 25, had uploaded a large archive of patient data to the dark web, but made the mistake of including other files from his own home directory - including the ~/.ssh directory, in which the known_hosts file made particularly interesting reading for investigators. However, his arrest was purely coincidental - French police were responding to a domestic violence report and only identified Kivimäki after he had presented a fake Romanian ID.

It turns out that Kivimäki has a long history of hacking offences, but since most of them were committed while he was still a juvenile, resulting in very light penalties. Apparently he did not learn his lesson, and it seems likely that if, as expected, he is extradited to stand trial in Finland, he will face a much stiffer penalty this time.

AFP, 'Shocking' hack of psychotherapy records in Finland affects thousands, The Guardian, 27 October 2020. Available online at https://www.theguardian.com/world/2020/oct/26/tens-of-thousands-psychotherapy-records-hacked-in-finland.

Krebs, Brian, Finland's Most-Wanted Hacker Nabbed in France, Krebs on Security blog, 5 February 2023. Available online at https://krebsonsecurity.com/2023/02/finlands-most-wanted-hacker-nabbed-in-france/.

Ralston, William, They Told Their Therapists Everything. Hackers Leaked It All, Wired, 4 May 2021. Available online at https://www.wired.com/story/vastaamo-psychotherapy-patients-hack-data-breach/.

CISA Releases ESXiArgs Ransomware Recovery Script

The Cybersecurity & Infrastructure Security Agency has released a recovery script for organizations that have fallen victim to ESXiArgs ransomware infecting their VMware ESXi servers. ESXiArgs encrypts configuration files, making virtual machines unusable. CISA recommends organizations impacted by ESXiArgs evaluate the script and guidance provided in the Github project's README file to determine if it is fit for attempting to recover access to files in their environment.

The ESXiArgs exploit was first disclosed by CERT-FR in an alert on 3 February entitled "Exploitation campaign of a vulnerability affecting VMware ESXi". According to CERTFR, the exploit affects unpatched VMware ESXi servers, specifically:

• ESXi 7.x versions earlier than ESXi70U1c-17325551
  
• ESXi versions 6.7.x earlier than ESXi670-202102401-SG
  
• ESXi versions 6.5.x earlier than ESXi650-202102101-SG
  

VMWare claims that the vulnerability (CVE-2021-21974), is a heap overflow in the OpenSLP code of ESXi, and was patched back in February 2021.

CERT-FR, [MàJ] Campagne d’exploitation d’une vulnérabilité affectant VMware ESXi, Bulletin D'Alerte, 3 February 2023. Available online at https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/.

CISA, ESXiArgs-Recover, github project, 8 February 2023. Available online at https://github.com/cisagov/ESXiArgs-Recover.

Dutch Police Dismantle Exclu Secure Messaging Service

The Dutch police, who have previously demonstrated considerable skill in infiltrating criminal networks, have racked up another win by breaking into the Exclu encrypted messaging service and ultimately dismantling it. Exclu, which had an estimated 3,000 users, was first investigated by German authorities in June 2020, and they shared their intelligence with their Dutch colleagues. This allowed them to intercept the communications of criminal networks for a period of five months.

During the culminating action last week, 1,200 police officers were deployed; 45 people were arrested in the Netherlands and Belgium, including the administrators and owners of Exclu and 79 locations in the Netherlands, Germany and Poland were searched. Two drug laboratories were dismantled, 300,000 ecstasy tables and 20 firearms were seized along with 200 phones which will be forensically examined. €5.5 million was also confiscated.

Eurojust, New strike against encrypted criminal communications with dismantling of Exclu tool, press release, 6 February 2023. Available online at https://www.eurojust.europa.eu/news/new-strike-against-encrypted-criminal-communications-dismantling-exclu-tool.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.