Last week on Malwarebytes Labs:

• “Nearly all” AT&T customers had phone records stolen in new data breach disclosure
• Fake Microsoft Teams for Mac delivers Atomic Stealer
• Dangerous monitoring tool mSpy suffers data breach, exposes customer details
• iPhone users in 98 countries warned about spyware by Apple
• Peloton accused of providing customer chat data to train AI
• Ticketmaster says stolen Taylor Swift Eras Tour tickets are useless
• Shopify says stolen customer data was taken in third-party breach
• “RockYou2024”: Nearly 10 billion passwords leaked online

Last week on ThreatDown:

• Watch out for CRYSTALRAY, an open source aficionado with a hunger for crypto
• Credential Dumping: How ransomware gangs steal login data and how to detect it
• WorkersDevBackdoor and MadMxShell converge in malvertising campaigns
• How the world’s worst ransomware gang avoids detection
• Patch now! July Patch Tuesday fixes two actively exploited vulnerabilities
• South Africa’s NHLS is recovering from a ransomware attack quickly, it just doesn’t feel that way
• Alabama State Department of Education stops ransomware attack but the assault on US education continues

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Summer mega sale

Go into your vacation knowing you’re much more secure: This summer you can get a huge 50% off a Malwarebytes Standard subscription or Malwarebytes Identity bundle. Run, don’t walk!

CRYSTALRAY Reconnaissance and Initial Access

Lateral Movement, Data Theft and Crypto-Mining

•  Reduce potential cloud attack surface through secure vulnerability, identity, and secrets management to prevent automated attacks.
• Organizations required to expose applications to the public Internet, may face additional vulnerabilities and therefore should  prioritize vulnerability remediation to reduce their risk of exposure
•  Cameras/runtime detections that enable organizations to detect successful attacks and take immediate remediate action, allowing for in-depth forensic analysis to determine root cause of attacks.

Enlarge / A Redbox movie rental kiosk stands outside a CVS store. (credit: Getty)

Since 2004, red DVD rental kiosks posted near entrances of grocery stores and the like tempted shoppers with movie (and until 2019, video game) disc rentals. But the last 24,000 of Redbox's kiosks are going away, as Redbox's parent company moved to chapter 7 liquidation bankruptcy this week. The end of Redbox marks another death knell for the DVD industry at a time when volatile streaming services are making physical media appealing again.

Redbox shutting down

Chicken Soup for the Soul Entertainment, which owns Redbox, filed for chapter 11 bankruptcy on June 29. But on Wednesday, Judge Thomas M. Horan of the US Bankruptcy Court for the District of Delaware approved a conversion to chapter 7, signaling the liquidation of business, per Deadline. Redbox's remaining 24,000 kiosks will close, and 1,000 workers will be laid off (severance and back pay eligibility are under review, and a bankruptcy trustee will investigate if trust funds intended for employees were misappropriated).

Chicken Soup bought Redbox for $375 million in 2022 and is $970 million in debt. It will also be shuttering its Redbox, Crackle, and Popcornflix streaming services.

Read 9 remaining paragraphs | Comments

A threat actor tracked as CrystalRay has hit 1,500 victims since February, stealing credentials and deploying backdoors.

The post ‘CrystalRay’ Expands Arsenal, Hits 1,500 Targets With SSH-Snake and Open Source Tools appeared first on SecurityWeek.

Enlarge / Artist's illustration of the COSI spacecraft. (credit: Northrop Grumman/European Southern Observatory (background image))

A small research satellite designed to study the violent processes behind the creation and destruction of chemical elements will launch on a SpaceX Falcon 9 rocket in 2027, NASA announced Tuesday.

The Compton Spectrometer and Imager (COSI) mission features a gamma-ray telescope that will scan the sky to study gamma-rays emitted by the explosions of massive stars and the end of their lives. These supernova explosions generate reactions that fuse new atomic nuclei, a process called nucleosynthesis, of heavier elements.

Using data from COSI, scientists will map where these elements are forming in the Milky Way galaxy. COSI's observations will also yield new insights into the annihilation of positrons, the antimatter equivalent of electrons, which appear to be originating from the center of the galaxy. Another goal for COSI will be to rapidly report the location of short gamma-ray bursts, unimaginably violent explosions that flash and then fade in just a couple of seconds. These bursts are likely caused by merging neutron stars.

Read 7 remaining paragraphs | Comments

Microsoft today released updates to fix more than 50 security vulnerabilities in Windows and related software, a relatively light Patch Tuesday this month for Windows users. The software giant also responded to a torrent of negative feedback on a new feature of Redmond’s flagship operating system that constantly takes screenshots of whatever users are doing on their computers, saying the feature would no longer be enabled by default.

Last month, Microsoft debuted Copilot+ PCs, an AI-enabled version of Windows. Copilot+ ships with a feature nobody asked for that Redmond has aptly dubbed Recall, which constantly takes screenshots of what the user is doing on their PC. Security experts roundly trashed Recall as a fancy keylogger, noting that it would be a gold mine of information for attackers if the user’s PC was compromised with malware.

Microsoft countered that Recall snapshots never leave the user’s system, and that even if attackers managed to hack a Copilot+ PC they would not be able to exfiltrate on-device Recall data. But that claim rang hollow after former Microsoft threat analyst Kevin Beaumont detailed on his blog how any user on the system (even a non-administrator) can export Recall data, which is just stored in an SQLite database locally.

“I’m not being hyperbolic when I say this is the dumbest cybersecurity move in a decade,” Beaumont said on Mastodon.

In a recent Risky Business podcast, host Patrick Gray noted that the screenshots created and indexed by Recall would be a boon to any attacker who suddenly finds himself in an unfamiliar environment.

“The first thing you want to do when you get on a machine if you’re up to no good is to figure out how someone did their job,” Gray said. “We saw that in the case of the SWIFT attacks against central banks years ago. Attackers had to do screen recordings to figure out how transfers work. And this could speed up that sort of discovery process.”

Responding to the withering criticism of Recall, Microsoft said last week that it will no longer be enabled by default on Copilot+ PCs.

Only one of the patches released today — CVE-2024-30080 — earned Microsoft’s most urgent “critical” rating, meaning malware or malcontents could exploit the vulnerability to remotely seize control over a user’s system, without any user interaction.

CVE-2024-30080 is a flaw in the Microsoft Message Queuing (MSMQ) service that can allow attackers to execute code of their choosing. Microsoft says exploitation of this weakness is likely, enough to encourage users to disable the vulnerable component if updating isn’t possible in the short run. CVE-2024-30080 has been assigned a CVSS vulnerability score of 9.8 (10 is the worst).

Kevin Breen, senior director of threat research at Immersive Labs, said a saving grace is that MSMQ is not a default service on Windows.

“A Shodan search for MSMQ reveals there are a few thousand potentially internet-facing MSSQ servers that could be vulnerable to zero-day attacks if not patched quickly,” Breen said.

CVE-2024-30078 is a remote code execution weakness in the Windows WiFi Driver, which also has a CVSS score of 9.8. According to Microsoft, an unauthenticated attacker could exploit this bug by sending a malicious data packet to anyone else on the same network — meaning this flaw assumes the attacker has access to the local network.

Microsoft also fixed a number of serious security issues with its Office applications, including at least two remote-code execution flaws, said Adam Barnett, lead software engineer at Rapid7.

“CVE-2024-30101 is a vulnerability in Outlook; although the Preview Pane is a vector, the user must subsequently perform unspecified specific actions to trigger the vulnerability and the attacker must win a race condition,” Barnett said. “CVE-2024-30104 does not have the Preview Pane as a vector, but nevertheless ends up with a slightly higher CVSS base score of 7.8, since exploitation relies solely on the user opening a malicious file.”

Separately, Adobe released security updates for Acrobat, ColdFusion, and Photoshop, among others.

As usual, the SANS Internet Storm Center has the skinny on the individual patches released today, indexed by severity, exploitability and urgency. Windows admins should also keep an eye on AskWoody.com, which often publishes early reports of any Windows patches gone awry.

Authorities in Australia, the United Kingdom and the United States this week levied financial sanctions against a Russian man accused of stealing data on nearly 10 million customers of the Australian health insurance giant Medibank. 33-year-old Aleksandr Ermakov allegedly stole and leaked the Medibank data while working with one of Russia’s most destructive ransomware groups, but little more is shared about the accused. Here’s a closer look at the activities of Mr. Ermakov’s alleged hacker handles.

Aleksandr Ermakov, 33, of Russia. Image: Australian Department of Foreign Affairs and Trade.

The allegations against Ermakov mark the first time Australia has sanctioned a cybercriminal. The documents released by the Australian government included multiple photos of Mr. Ermakov, and it was clear they wanted to send a message that this was personal.

It’s not hard to see why. The attackers who broke into Medibank in October 2022 stole 9.7 million records on current and former Medibank customers. When the company refused to pay a $10 million ransom demand, the hackers selectively leaked highly sensitive health records, including those tied to abortions, HIV and alcohol abuse.

The U.S. government says Ermakov and the other actors behind the Medibank hack are believed to be linked to the Russia-backed cybercrime gang REvil.

“REvil was among the most notorious cybercrime gangs in the world until July 2021 when they disappeared. REvil is a ransomware-as-a-service (RaaS) operation and generally motivated by financial gain,” a statement from the U.S. Department of the Treasury reads. “REvil ransomware has been deployed on approximately 175,000 computers worldwide, with at least $200 million paid in ransom.”

The sanctions say Ermakov went by multiple aliases on Russian cybercrime forums, including GustaveDore, JimJones, and Blade Runner. A search on the handle GustaveDore at the cyber intelligence platform Intel 471 shows this user created a ransomware affiliate program in November 2021 called Sugar (a.k.a. Encoded01), which focused on targeting single computers and end-users instead of corporations.

An ad for the ransomware-as-a-service program Sugar posted by GustaveDore warns readers against sharing information with security researchers, law enforcement, or “friends of Krebs.”

In November 2020, Intel 471 analysts concluded that GustaveDore’s alias JimJones “was using and operating several different ransomware strains, including a private undisclosed strain and one developed by the REvil gang.”

In 2020, GustaveDore advertised on several Russian discussion forums that he was part of a Russian technology firm called Shtazi, which could be hired for computer programming, web development, and “reputation management.” Shtazi’s website remains in operation today.

A Google-translated version of Shtazi dot ru. Image: Archive.org.

The third result when one searches for shtazi[.]ru in Google is an Instagram post from a user named Mikhail Borisovich Shefel, who promotes Shtazi’s services as if it were also his business. If this name sounds familiar, it’s because in December 2023 KrebsOnSecurity identified Mr. Shefel as “Rescator,” the cybercriminal identity tied to tens of millions of payment cards that were stolen in 2013 and 2014 from big box retailers Target and Home Depot, among others.

How close was the connection between GustaveDore and Mr. Shefel? The Treasury Department’s sanctions page says Ermakov used the email address ae.ermak@yandex.ru. A search for this email at DomainTools.com shows it was used to register just one domain name: millioner1[.]com. DomainTools further finds that a phone number tied to Mr. Shefel (79856696666) was used to register two domains: millioner[.]pw, and shtazi[.]net.

The December 2023 story here that outed Mr. Shefel as Rescator noted that Shefel recently changed his last name to “Lenin” and had launched a service called Lenin[.]biz that sells physical USSR-era Ruble notes bearing the image of Vladimir Lenin, the founding father of the Soviet Union. The Instagram account for Mr. Shefel includes images of stacked USSR-era Ruble notes, as well as multiple links to Shtazi.

The Instagram account of Mikhail Borisovich Shefel, aka MikeMike aka Rescator.

Intel 471’s research revealed Ermakov was affiliated in some way with REvil because the stolen Medibank data was published on a blog that had one time been controlled by REvil affiliates who carried out attacks and paid an affiliate fee to the gang.

But by the time of the Medibank hack, the REvil group had mostly scattered after a series of high-profile attacks led to the group being disrupted by law enforcement. In November 2021, Europol announced it arrested seven REvil affiliates who collectively made more than $230 million worth of ransom demands since 2019. At the same time, U.S. authorities unsealed two indictments against a pair of accused REvil cybercriminals.

“The posting of Medibank’s data on that blog, however, indicated a connection with that group, although the connection wasn’t clear at the time,” Intel 471 wrote. “This makes sense in retrospect, as Ermakov’s group had also been a REvil affiliate.”

It is easy to dismiss sanctions like these as ineffective, because as long as Mr. Ermakov remains in Russia he has little to fear of arrest. However, his alleged role as an apparent top member of REvil paints a target on him as someone who likely possesses large sums of cryptocurrency, said Patrick Gray, the Australian co-host and founder of the security news podcast Risky Business.

“I’ve seen a few people poo-poohing the sanctions…but the sanctions component is actually less important than the doxing component,” Gray said. “Because this guy’s life just got a lot more complicated. He’s probably going to have to pay some bribes to stay out of trouble. Every single criminal in Russia now knows he is a vulnerable 33 year old with an absolute ton of bitcoin. So this is not a happy time for him.”

Update, Feb. 21, 1:10 p.m. ET: The Russian security firm F.A.C.C.T reports that Ermakov has been arrested in Russia, and charged with violating domestic laws that prohibit the creation, use and distribution of malicious computer programs.

“During the investigation, several defendants were identified who were not only promoting their ransomware, but also developing custom-made malicious software, creating phishing sites for online stores, and driving user traffic to fraudulent schemes popular in Russia and the CIS,” F.A.C.C.T. wrote. “Among those detained was the owner of the nicknames blade_runner, GistaveDore, GustaveDore, JimJones.”