Tag Archive for: Admin

Authorities Claim LockBit Admin “LockBitSupp” Has Engaged with Law Enforcement


LockBitSupp, the individual(s) behind the persona representing the LockBit ransomware service on cybercrime forums such as Exploit and XSS, “has engaged with law enforcement,” authorities said.

The development comes following the takedown of the prolific ransomware-as-a-service (RaaS) operation as part of a coordinated international operation codenamed Cronos. Over 14,000 rogue accounts on third-party services like Mega, Protonmail, and Tutanota used by the criminals have been shuttered.

“We know who he is. We know where he lives. We know how much he is worth. LockbitSupp has engaged with law enforcement,” according to a message posted on the now-seized (and offline) dark web data leak site.

The move has been interpreted by long-term watchers of LockBit as an attempt to create suspicion and sow the seeds of distrust among affiliates, ultimately undermining trust in the group within the cybercrime ecosystem.

According to research published by Analyst1 in August 2023, there is evidence to suggest that at least three different people have operated the “LockBit” and “LockBitSupp” accounts, one of them being the gang’s leader itself.

However, speaking to malware research group VX-Underground, LockBit stated “they did not believe law enforcement know his/her/their identities.” They also raised the bounty they offered to anyone who could message them their real names to $20 million. It’s worth noting that the reward had already been increased from $1 million USD to $10 million late last month.

LockBit – also called Gold Mystic and Water Selkie – has had several iterations since its inception in September 2019, namely LockBit Red, LockBit Black, and LockBit Green, with the cybercrime syndicate also secretly developing a new version called LockBit-NG-Dev prior to its infrastructure being dismantled.

“LockBit-NG-Dev is now written in .NET and compiled using CoreRT,” Trend Micro said. “When deployed alongside the .NET environment, this allows the code to be more platform-agnostic. It removed the self-propagating capabilities and the ability to print ransom notes via the user’s printers.”

One of the notable additions is the inclusion of a validity period, which continues its operation only if the…

Source…

Admin behind E-Root stolen creds souk extradited to US • The Register


A Moldovan who allegedly ran the compromised-credential marketplace E-Root has been extradited from the UK to America to stand trial.

Sandu Diaconu, 31, along with another individual whose name has been redacted from court documents, allegedly operated the illicit souk selling access to compromised servers worldwide between 2015 and 2020.

“The Marketplace existed primarily as a place for individuals to buy and sell RDP and SSH access (login credentials) to compromised servers, which was used to facilitate a wide range of illegal activity, such as ransomware attacks, fraudulent wire transfers, and tax fraud,” the indictment says [PDF].

On E-Root, other criminals could search for compromised computer credentials including Remote Desktop Protocol (RDP) and Secure Socket Shell (SSH) access, or by price, geographic location, internet service provider, open ports, and operating system.

During the course of the investigation, the Feds uncovered more than 350,000 compromised credentials listed for sale on E-Root, according to the US Justice Department. The victims included individuals and companies in the US and worldwide, including at least one local government agency in Tampa, Florida, as well as a local church and a doctor.

Criminals used the online payment system Perfect Money to make purchases on the credential-selling marketplace. In addition to developing and operating E-Root, Diaconu, whose admin moniker was “WinD3str0y,” also allegedly operated a sister website where buyers could convert Bitcoin into Perfect Money to try and hide their identities.

The duo offered customer support and apparently maintained detailed records including buyers’ usernames, registration dates, email addresses, purchases, Perfect Money balances, last login dates, and IP addresses, the court documents say.

A joint US-UK effort took down E-Root in late 2020, and British law enforcement arrested Diaconu in May 2021 when he attempted to leave the country. In September 2023, Westminster Magistrates’ Court ordered Diaconu to be extradited to America to face charges, after he consented to travel to the US and face the Feds.

Diaconu, and the second unnamed E-Root admin, have been charged with…

Source…

Watch now: Cybersecurity admin says ransomware constant threat for ISU – The Pantagraph


Source…

Windows vulnerability with new public exploits lets you become admin


A security researcher has publicly disclosed an exploit for a Windows local privilege elevation vulnerability that allows anyone to gain admin privileges in Windows 10.

Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network, create new administrative users, or perform privileged commands.

The vulnerability affects all supported versions of Windows 10 before the January 2022 Patch Tuesday updates.

Researcher releases bypass to patched vulnerability

As part of the January 2022 Patch Tuesday, Microsoft fixed a ‘Win32k Elevation of Privilege Vulnerability’ tracked as CVE-2022-21882, which is a bypass for the previously patched and actively exploited CVE-2021-1732 bug.

Microsoft attributes the discovery of this vulnerability to RyeLv, who shared a technical analysis of the vulnerability after Microsoft released the patch.

This week, multiple exploits were publicly released for CVE-2022-21882 that allow anyone to gain SYSTEM privileges on vulnerable Windows 10 devices.

After the exploit’s release, Will Dormann, a vulnerability analyst for CERT/CC and Twitter’s resident exploit tester, confirmed that the exploits work and provide elevated privileges.

BleepingComputer also tested the vulnerability and had no problem compiling the exploit and using it to open Notepad with SYSTEM privileges on Windows 10, as shown below. BleepingComputer could not get the exploit to work on Windows 11.

[Image: Notepad launched with SYSTEM privileges by exploit. Source: BleepingComputer]

While we only opened Notepad using this exploit, threat actors can also use it to add new users with Administrator privileges or execute other privileged commands.

While we would not normally report on a patched vulnerability, many administrators chose to skip January 2022 updates due to the significant number of critical bugs introduced by the January 2022 updates, including reboots, L2TP VPN…

Source…