Blog entry by Les Bell

by Les Bell - Tuesday, 15 August 2023, 9:55 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Bulletproof Hosting Service Shut Down, Five Admins Arrested

In a joint operation, US and European law enforcement agencies have seized the servers of, and shut down, a bulletproof hosting service that cybercriminals were using to launch attacks around the world.

[Image: seizure banner now displayed on the Lolekhosted.net domain. Image credit: Europol]

According to court documents unsealed in Tampa, Florida, last week, Artur Karol Grabowski, 36, operated a web hosting company named LolekHosted, which offered "secure" web hosting intended to facilitate a variety of cybercrime activities, including ransomware, brute-forcing and phishing. The site allowed its clients to register using false information and to pay in cryptocurrency. Its systems did not keep logs of its clients' server IP addresses and, in fact, changed them frequently; it also ignored abuse complaints from third parties and notified clients of any enquiries received from law enforcement agencies. Grabowski advertised that the site was "bulletproof", provided "100% privacy hosting" and allowed clients to host "everything except child porn."

Among the ransomware variants hosted by LolekHosted was NetWalker, which was deployed on approximately 400 networks of roughly 50 victims including municipalities, hospitals, law enforcement and emergency services, school districts, colleges, and universities, resulting in payment of over BTC 5,000 (with a current value of approximately $US146 million). One of these victims was located in the Middle District of Florida, which is why the US District Court there issued a seizure warrant for the domain registration of Lolekhosted.net - see the new banner above.

Meanwhile, the Polish Central Cybercrime Bureau (Centralne Biuro Zwalczania Cyberprzestępczości), under the supervision of the Regional Prosecutor's Office in Katowice (Prokuratura Regionalna w Katowicach), seized all the servers and arrested five administrators. It is not clear whether Grabowski was among those arrested, but if he was, and is extradited to the US, he will face charges of computer fraud conspiracy, wire fraud conspiracy and international money laundering, which together carry a maximum sentence of 45 years in prison.

Europol, 5 arrested in Poland for running bulletproof hosting service for cybercrime gangs, news release, 11 August 2023. Available online at https://www.europol.europa.eu/media-press/newsroom/news/5-arrested-in-poland-for-running-bulletproof-hosting-service-for-cybercrime-gangs.

US DoJ Office of Public Affairs, Administrator of 'Bulletproof' Webhosting Domain Charged in Connection with Facilitation of NetWalker Ransomware, press release, 11 August 2023. Available online at https://www.justice.gov/opa/pr/administrator-bulletproof-webhosting-domain-charged-connection-facilitation-netwalker.

DHS Plans Review of Cloud Security Practices

Last month, we brought you news of a series of attacks on Microsoft 365 (Outlook Online) that affected a number of US and European government agencies, and which Microsoft attributed to a Chinese state-affiliated threat actor it tracks as Storm-0558. The attackers gained access to mailboxes by forging authentication tokens for Outlook Web Access in Exchange Online and Outlook.com, using an acquired Microsoft account (MSA) consumer signing key.
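The general lesson of a forged-token attack is worth seeing in code: whoever holds a signing key can mint a token with any claims they like, so the verifier must not only check the signature but also bind each key to the issuer it is permitted to vouch for. The following is an added illustration written for this briefing, not code from Microsoft or from any of the linked sources, and it makes no claim about how any particular service validates tokens. All key identifiers, secrets, issuer and audience URLs are constructed stand-ins, and HMAC-SHA256 is used in place of RSA so the example runs on the Python standard library alone; the key-to-issuer binding logic is identical when the verifier holds public keys.

```python
import base64
import hmac
import hashlib
import json
import time

# Constructed key material and identifiers: stand-ins, not Microsoft's.
# HMAC-SHA256 replaces RSA so the example runs on the standard library;
# with public keys the verifier would hold the public halves instead.
KEYS = {
    "consumer-key-1": b"consumer-signing-secret",    # consumer-account style key
    "enterprise-key-1": b"enterprise-signing-secret",  # enterprise-tenant key
}

# Which issuer each key is authorised to vouch for (the hardened check).
KEY_SCOPE = {
    "consumer-key-1": {"iss": "https://login.live.example/consumer"},
    "enterprise-key-1": {"iss": "https://login.example/tenant/contoso"},
}

ENTERPRISE_ISS = "https://login.example/tenant/contoso"  # assumed tenant issuer
MAIL_AUD = "https://outlook.example/"                     # assumed mail audience


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact JWT-style token. Anyone holding `key` can call this with
    arbitrary claims, which is why a leaked signing key is so serious."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return (json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)),
            (h + "." + p).encode(), _b64url_decode(s))


def verify_naive(token: str, expected_aud: str, now=None) -> bool:
    """Checks signature (by kid), audience and expiry only. Every key in the
    set is trusted for every issuer, so a consumer key can vouch for a token
    that claims to come from an enterprise tenant."""
    header, claims, signing_input, sig = _parse(token)
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False
    if not hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig):
        return False
    now = time.time() if now is None else now
    return claims.get("aud") == expected_aud and claims.get("exp", 0) > now


def verify_scoped(token: str, expected_aud: str, expected_iss: str, now=None) -> bool:
    """Hardened: the key named by `kid` must be bound to the issuer the token
    claims, and that issuer must be the one expected for this audience."""
    header, claims, signing_input, sig = _parse(token)
    kid = header.get("kid")
    key, scope = KEYS.get(kid), KEY_SCOPE.get(kid)
    if key is None or scope is None:
        return False
    if claims.get("iss") != expected_iss or scope["iss"] != claims.get("iss"):
        return False  # key is not authorised to vouch for this issuer
    if not hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig):
        return False
    now = time.time() if now is None else now
    return claims.get("aud") == expected_aud and claims.get("exp", 0) > now


def demo(now: float = 1_700_000_000.0) -> dict:
    """Attacker holding only the consumer key forges an enterprise mailbox token."""
    claims = {"iss": ENTERPRISE_ISS, "aud": MAIL_AUD,
              "sub": "victim@contoso.example", "exp": now + 3600}
    forged = sign_token(claims, "consumer-key-1", KEYS["consumer-key-1"])
    legit = sign_token(claims, "enterprise-key-1", KEYS["enterprise-key-1"])
    return {
        "forged_accepted_by_naive": verify_naive(forged, MAIL_AUD, now),
        "forged_accepted_by_scoped": verify_scoped(forged, MAIL_AUD, ENTERPRISE_ISS, now),
        "legit_accepted_by_scoped": verify_scoped(legit, MAIL_AUD, ENTERPRISE_ISS, now),
    }


if __name__ == "__main__":
    print(demo())
```

The forged token carries a valid signature under a key the verifier trusts, so a verifier that only asks "is this signed by a key I know?" accepts it; the scoped verifier rejects it because the consumer key is not authorised for the enterprise issuer. Rotating or revoking the compromised key is still necessary, since the scoped check only limits what a leaked key can be used for.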

In response to this intrusion, the Department of Homeland Security's Cyber Safety Review Board (CSRB) has announced an in-depth review of the malicious targeting of cloud computing environments, focusing on the approaches that government, industry and cloud service providers should employ to strengthen identity management and authentication in the cloud. The intention is to develop actionable recommendations that will advance security practices for both cloud service providers and their customers.

"Organizations of all kinds are increasingly reliant on cloud computing to deliver services to the American people, which makes it imperative that we understand the vulnerabilities of that technology", said Secretary of Homeland Security Alejandro N. Mayorkas. "Cloud security is the backbone of some of our most critical systems, from our e-commerce platforms to our communication tools to our critical infrastructure. In its reviews of the Log4j vulnerabilities and activities associated with Lapsus$, the CSRB has proven itself to be ready to tackle and examine critical and timely issues like this one. Actionable recommendations from the CSRB will help all organizations better secure their data and further cyber resilience".

Once the review is complete, the CSRB's report will go to Secretary Mayorkas via the Cybersecurity and Infrastructure Security Agency, and its recommendations ultimately to President Biden. The CSRB has previously reported on the Log4j vulnerabilities, and its most recent report, publicly released only last week, examined the recent attacks by the extortion-focused Lapsus$ group, finding that Lapsus$ leveraged simple techniques to evade the industry-standard security tools used by most enterprises.

Department of Homeland Security, Department of Homeland Security’s Cyber Safety Review Board to Conduct Review on Cloud Security, press release, 11 August 2023. Available online at https://www.dhs.gov/news/2023/08/11/department-homeland-securitys-cyber-safety-review-board-conduct-review-cloud.

Cyber Safety Review Board, Review of the Attacks Associated with Lapsus$ and Related Threat Groups, technical report, 24 July 2023. Available online at https://www.cisa.gov/resources-tools/resources/review-attacks-associated-lapsus-and-related-threat-groups-report.

CISA Releases Vulnerability Summary for Week of 7 August

The Cybersecurity & Infrastructure Security Agency has released its weekly summary of new vulnerabilities culled from NIST's National Vulnerability Database. It includes the usual array of issues, some with CVSS scores of 9.8 and 9.9. As always, worth a look.

CISA, Vulnerability Summary for the Week of August 7, 2023, bulletin, 14 August 2023. Available online at https://www.cisa.gov/news-events/bulletins/sb23-226.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
