Alleged Karakut ransomware scumbag charged in US

Infosec in brief Deniss Zolotarjovs, a suspected member of the Russian Karakurt ransomware gang, has been charged in a US court with allegedly conspiring to commit money laundering, wire fraud and Hobbs Act extortion.

The 33-year-old Latvian national, who had been living in Moscow, was arrested in the European nation of Georgia in December 2023 and extradited to the United States earlier this month. 

According to court documents [PDF], Zolotarjovs was involved in stealing data from at least six US companies between August 2021 and November 2023. Zolotarjovs and his Karakurt cohorts then allegedly extorted the victim organizations, demanding a cryptocurrency ransom payment, and in some cases leaked the victims’ sensitive information online. 

In one case, a target paid the gang $1.3 million in bitcoin after the criminals harassed its employees and demanded payment in exchange for not publishing the data.

Zolotarjovs – who used the alias “Sforza” – was in charge of conducting negotiations with Karakurt’s victims for so-called “cold-case extortions.” That’s where the orgs refused to pay the ransom demand initially, prompting the gang to put more pressure on victims – calling and emailing employees and partners directly, and pressuring the victims to cave to the extortion demands.

“Some of the chats indicated Sforza’s efforts to revive cold cases were successful in extracting ransom payments,” according to the court documents. “Sforza also discussed efforts to recruit paid journalists to publish news articles about victims in order to convince other victims to take Karakurt’s extortion demands seriously.” 

Zolotarjovs is the first alleged Karakurt member to be arrested and extradited.

Vulnerabilities of the week: Chrome bug exploited in the wild

Google this week pushed a Chrome update with 38 security fixes including one that was found and exploited before it had a plug.

The high-severity vulnerability – tracked as CVE-2024-7971 – is caused by type confusion in Chrome’s V8 JavaScript engine. Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) researchers found and reported the bug on August 19.

“Google is aware that an exploit for CVE-2024-7971 exists in the wild,” the security alert noted. 

Of the 38 fixes, CVE-2024-7971 is one of seven deemed high severity. The rest are rated medium and low.

Microsoft issues workaround for dual-boot crashing issues

Microsoft has published a workaround for dual-boot PCs running both Windows and Linux that cannot boot Linux after installing the August Windows security update.

This update was supposed to fix a two-year-old buffer overflow vulnerability in the GRUB open source boot loader that, if exploited, could allow rogue users or malware on a system to bypass the Secure Boot feature and load malicious code onto a computer during the startup process.

In its August Patch Tuesday event, Redmond assured customers that the update “is not applied to dual-boot systems that boot both Windows and Linux and should not affect these systems.” 

This, however, wasn’t the case. And shortly after applying the patch, many admins began reporting that their Linux distros would no longer boot on dual-boot devices.

Microsoft has now issued a multi-step workaround, and you can follow the procedures here.

Plus, the Windows giant says it will continue “investigating the issue with our Linux partners and will provide an update when more information is available.” 

ARRL paid ransomware crew a million dollars

The National Association for Amateur Radio (ARRL) has revealed that it paid $1 million to a ransomware gang that compromised the nonprofit’s network in early May.

In an email sent to ARRL members on August 21, the organization said the unnamed crime crew encrypted and deleted data on “everything from desktops and laptops to Windows-based and Linux-based servers” during the early morning hours of May 15. 

Within three hours, ARRL had assembled an incident response team including external security experts and alerted the FBI along with local law enforcement.

Last month, ARRL notified 150 employees that their data had been stolen during the attack.

In this week’s security incident report, the organization described the initial ransom demands as “exorbitant.” 

“It was clear they didn’t know, and didn’t care, that they had attacked a small 501(c)(3) organization with limited resources … It was also clear that they believed ARRL had extensive insurance coverage that would cover a multi-million-dollar ransom payment,” the letter noted. “After days of tense negotiation and brinkmanship, ARRL agreed to pay a $1 million ransom.” 

ARRL’s insurance policy covered most of the ransom payment, plus the restoration costs, we’re told.

Qilin steals credentials stored in Chrome

Qilin ransomware group is using a new tactic to steal account credentials stored in the Google Chrome browser, according to Sophos security researchers.

During a breach investigated by Sophos X-Ops team, the ransomware gang first gained access to the network via compromised credentials for a VPN portal that didn’t have multi-factor authentication. 

Qilin then waited 18 days before moving laterally to a domain controller and then edited the domain policy to introduce a logon-based Group Policy Object (GPO). 

The GPO contained a PowerShell script named IPScanner.ps1 that attempted to harvest credentials stored in Chrome across all machines on the domain. It also contained a batch script named logon.bat that executed the malware.

“This combination resulted in harvesting of credentials saved in Chrome browsers on machines connected to the network,” Sophos warned. “Since these two scripts were in a logon GPO, they would execute on each client machine as it logged in.”

This is especially worrisome because it could potentially allow attackers to steal all endpoint-stored credentials across a victim organization. 

“If [Qilin], or other attackers, have decided to also mine for endpoint-stored credentials – which could provide a foot in the door at a subsequent target, or troves of information about high-value targets to be exploited by other means – a dark new chapter may have opened in the ongoing story of cyber crime,” Sophos cautioned.
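One way a defender can check their own domain for the delivery mechanism Sophos describes (a logon or startup script pushed through a GPO) is to audit the script hooks stored under SYSVOL. This is an added example, not code from the article or from Sophos; it assumes the GroupPolicy RSAT module, a domain-joined host with read access to SYSVOL, and a 30-day review window and Chrome-related search patterns chosen for illustration.

```powershell
# Audit every GPO for logon/startup scripts in SYSVOL and flag recent changes
# and scripts that reference Chrome's saved-password store.
# Assumptions: GroupPolicy RSAT module present, domain-joined host, SYSVOL readable.
Import-Module GroupPolicy

$domain      = $env:USERDNSDOMAIN
$sysvol      = "\\$domain\SYSVOL\$domain\Policies"
$cutoff      = (Get-Date).AddDays(-30)                    # assumed review window
$scriptRoots = @('User\Scripts\Logon', 'Machine\Scripts\Startup')
$findings    = @()

foreach ($gpo in Get-GPO -All) {
    foreach ($root in $scriptRoots) {
        $dir = Join-Path $sysvol "{$($gpo.Id)}\$root"
        if (-not (Test-Path $dir)) { continue }
        # Only script types that a GPO script hook can run are of interest here.
        $files = Get-ChildItem -Path $dir -Recurse -File -Include *.ps1, *.bat, *.cmd
        foreach ($file in $files) {
            # Chrome keeps saved passwords in the "Login Data" SQLite file under the
            # user profile; a logon script that names it is a strong signal of the
            # harvesting behaviour Sophos attributes to IPScanner.ps1.
            $touchesChrome = Select-String -Path $file.FullName `
                -Pattern 'Login Data', 'Chrome\\User Data' -Quiet
            $findings += [pscustomobject]@{
                GPO           = $gpo.DisplayName
                ScriptPath    = $file.FullName
                ScriptChanged = $file.LastWriteTime
                GpoChanged    = $gpo.ModificationTime
                RecentChange  = ($file.LastWriteTime -gt $cutoff) -or
                                ($gpo.ModificationTime -gt $cutoff)
                TouchesChrome = [bool]$touchesChrome
            }
        }
    }
}

# Most suspicious first: recently changed scripts that reference Chrome data.
$findings |
    Sort-Object -Property @{Expression = 'TouchesChrome'; Descending = $true},
                          @{Expression = 'RecentChange';  Descending = $true},
                          @{Expression = 'ScriptChanged'; Descending = $true} |
    Format-Table -AutoSize
```

An empty result means no GPO currently ships a logon or startup script at all, which is itself useful to record as a baseline so that any later appearance of one stands out.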

CertiK issues mea culpa for ‘whitehat’ extortion

CertiK has finally (somewhat) apologized for its “whitehat” security researchers who, after finding and disclosing a critical bug on Kraken, then exploited the flaw and stole $3 million from the cryptocurrency exchange before eventually returning the funds.

Spotting the critical vulnerability and ensuring it was fixed “was a win for blockchain and Web3 security,” the blockchain security firm declared in a statement. 

“However, in conducting this work, we made errors in judgment and poorly communicated with Kraken, resulting in a public dispute that raised significant concerns within the community,” CertiK continued.

The security shop admitted that it does “regret that this incident occurred and have taken necessary steps to minimize the risk of similar misunderstandings occurring again.” ®
