In cooperation with Europol and Eurojust, law enforcement agencies from seven nations have arrested in Ukraine the core members of a ransomware group linked to attacks against organizations in 71 countries.

The cybercriminals paralyzed major corporations’ operations in attacks using ransomware such as LockerGoga, MegaCortex, HIVE, and Dharma.

“After remaining undetected in the compromised systems, sometimes for months, the criminals would deploy different types of ransomware, such as LockerGoga, MegaCortex, HIVE or Dharma,” Eurojust said.

“A ransom note was then presented to the victim to pay the attackers in bitcoin in exchange for decryption keys.”

Roles within this criminal network varied significantly: some members breached IT networks, while others reportedly helped launder the cryptocurrency payments made by victims to decrypt their files.

The attackers gained access to their targets’ networks by stealing user credentials in brute force and SQL injection attacks, as well as using phishing emails with malicious attachments.

Once in, they used tools like TrickBot malware, Cobalt Strike, and PowerShell Empire to move laterally and compromise other systems before triggering previously deployed ransomware payloads.

The investigation unveiled that this organized group of ransomware affiliates encrypted more than 250 servers of major corporations, leading to losses exceeding several hundred million euros.

 

Ransomware gang arrests in Ukraine

On November 21st, coordinated raids at 30 locations in Kyiv, Cherkasy, Rivne, and Vinnytsia resulted in the arrest of the group’s 32-year-old mastermind and the capture of four accomplices.

Over 20 investigators from Norway, France, Germany, and the United States helped the Ukrainian National Police with the investigation in Kyiv. Europol also set up a virtual command center in the Netherlands to process the data seized during the house searches.

“With the support of the TOR special unit, law enforcement officers conducted more than 30 authorized searches in the premises and cars of the suspects in Kyiv region, as well as in Cherkasy, Rivne, and Vinnytsia regions,” the National Police of Ukraine’ Department of Cyber Police said today [automated translation].

“Computer equipment, cars, bank and SIM cards, ‘draft’ records, as well as dozens of electronic media and other evidence of illegal activities were seized. In particular, almost 4 million hryvnias and cryptocurrency assets.”

This operation follows other arrests in 2021 as part of the same law enforcement action when police detained 12 more suspects part of the same ransomware group linked to attacks against 1,800 victims in 71 countries.

As the investigation revealed two years ago, the attackers deployed LockerGoga, MegaCortex, and Dharma ransomware. They also used malware like Trickbot and post-exploitation tools such as Cobalt Strike in their attacks.

Subsequent efforts at Europol and in Norway focused on analyzing data on devices seized in Ukraine in 2021 and helped identify additional suspects arrested one week ago in Kyiv.

 

Free LockerGoga and MegaCortex ransomware decrypters

The forensic analysis also allowed Swiss authorities to develop decryption tools for the LockerGoga and MegaCortex ransomware variants in collaboration with No More Ransom partners and Bitdefender.

This international police action was initiated by French authorities in September 2019 and focuses on locating threat actors in Ukraine and bringing them to justice with the help of a joint investigation team (JIT) comprising Norway, France, the United Kingdom, and Ukraine, with financial support from Eurojust and collaborating with Dutch, German, Swiss, and U.S. authorities.

The list of participating law enforcement agencies includes:

  • Norway: National Criminal Investigation Service (Kripos)
  • France: Public Prosecutor’s Office of Paris, National Police (Police Nationale – OCLCTIC)
  • Netherlands: National Police (Politie), National Public Prosecution Service (Landelijk Parket, Openbaar Ministerie)
  • Ukraine: Prosecutor General’s Office (Офіс Генерального прокурора), National Police of Ukraine (Національна поліція України)
  • Germany: Public Prosecutor’s Office of Stuttgart, Police Headquarters Reutlingen (Polizeipräsidium Reutlingen) CID Esslingen
  • Switzerland: Swiss Federal Office of Police (fedpol), Polizei Basel-Landschaft, Public Prosecutor’s Office of the canton of Zurich, Zurich Cantonal Police
  • United States: United States Secret Service (USSS), Federal Bureau of Investigation (FBI)
  • Europol: European Cybercrime Centre (EC3)
  • Eurojust

“In an unprecedented effort, law enforcement and judicial authorities from seven countries have joined forces with Europol and Eurojust to dismantle and apprehend in Ukraine key figures behind significant ransomware operations wreaking havoc across the world,” Europol said.

“The operation comes at a critical time, as the country grapples with the challenges of Russia’s military aggression against its territory.”

 

Related Articles:

The Week in Ransomware – October 20th 2023 – Fighting Back

Qilin ransomware claims attack on automotive giant Yanfeng

Ransomware attack on indie game maker wiped all player accounts

Healthcare giant Henry Schein hit twice by BlackCat ransomware

Ukraine says it hacked Russian aviation agency, leaks data

 

Link to Source

Today, Microsoft shared a temporary fix for a known issue causing Outlook Desktop to crash when sending emails from Outlook.com accounts.

This confirms customer reports regarding crashing issues when using Outlook.com accounts shared on Microsoft’s community website and other social networks since last Monday, November 20.

According to online reports, restarting, repairing Outlook, reinstalling the application, and creating a fresh Outlook profile for the impacted email account fails to address the issue.

“I’ve tried everything (safe mode, new profile, repair pst, even up to and including a system restore to attempt to roll back a previous installation) to no avail,” one of the affected users said.

These problems only affect Outlook for Microsoft 365 users and those in the Current Channel (Preview) channel using Outlook build 17029.20028.

“The issue is fixed in future builds 17029.20052+. However, this build has not been released yet,” Microsoft said.

While a limited number of customers did report they had successfully worked around this known issue by reinstalling Office, Microsoft suggests reverting to an earlier version.

To do that, type Command Prompt in the Windows search box, right-click Command Prompt and click Run as administrator.

Next, paste the following commands into the Command Prompt window and hit Enter after each:

cd %programfiles%\Common Files\Microsoft Shared\ClickToRun

officec2rclient.exe /update user updatetoversion=16.0.16924.20124

Redmond also started rolling out fixes last week for some of the customers affected by another known Microsoft 365 issue behind ‘Something Went Wrong [1001]’ sign-in errors, rendering desktop Office apps unusable for many affected users.

These ongoing login issues impact customers using Excel, Word, Outlook, and PowerPoint for Microsoft 365, Microsoft 365 Apps for business, and Office apps for iOS and Android, as the company confirmed over a month ago.

Previously, it fixed another bug causing significant delays for Microsoft 365 customers when saving attachments in Outlook Desktop to a network share.

Earlier this year, Microsoft tackled various other Outlook issues, including ones blocking Microsoft 365 customers from accessing emails and calendars and causing slow starts and freezes during cache re-priming.

 

Related Articles:

Microsoft fixes ‘Something Went Wrong’ Office sign-in errors

Microsoft 365 users get workaround for ‘Something Went Wrong’ errors

Microsoft fixes Outlook Desktop bug causing slow saving issues

Microsoft fixes known issue causing Outlook freezes, slow starts

Microsoft fixes Outlook prompts to reopen closed windows

 

Link to Source

Passwords have long been used as the primary gatekeepers of digital security, yet they can also be a weak link in the chain.

According to IBM’s 2023 Cost of a Breach report, phishing (16%) and stolen credentials (15%) are still the most common initial attack vectors for cyber-attacks. Stealing and selling credentials is a lucrative business for cybercriminals – it’s not something they’ll be given up on anytime soon.

An organization’s first step should be to tighten up their password policies and stop end-users from choosing the weak and vulnerable passwords, with common patterns and easily guessable phrases.

But as Specops research shows, 83% of compromised passwords actually satisfy the password length and complexity requirements of regulatory password standards.

IT teams also need a way to scan Active Directories for passwords that have become compromised – before they’re used by attackers.

Why check for breached passwords?

Enforcing strong, longer passwords is crucial to help protect end-users against brute force, dictionary, and hybrid attacks. However, strong passwords can still become compromised. For example, people can be targeted with phishing attacks that trick them into giving up their credentials.

From that point on, the password is compromised until it is changed, which can often be too late – especially if the end-user or organization has no idea the initial credential theft has even occurred.

This risk is exacerbated through password reuse. Organizations can guide their employees through training and control the kinds of passwords they make at work, but they can’t stop them reusing the passwords in their personal lives.

This is particularly problematic if the personal devices and applications they use have weak security or are accessed via unsecured networks. A Google survey found that 66% of Americans reuse their passwords across more than one online account.

Without a tool to check for compromised passwords, it can take organizations a long time to discover they have a problem. IBM estimate it takes nearly a year on average to detect a breach from stolen or compromised credentials.

It’s risky to wait for end-users’ passwords to expire or relying on being able to spot the early signs of an attack through other measures.

These factors all underscore the urgency of being able to discover compromised passwords within your Active Directory.

How to find compromised passwords

There are manual ways to export passwords from your Active Directory and cross-reference them against publicly available lists of breached passwords. However, using a third party tool is far quicker and easier.

And in the case of Specops Password Auditor, it’s free tool. Specops Password Auditor is a powerful tool that can help you quickly identify and mitigate password-related vulnerabilities within your Active Directory.

Using Specops Password Auditor is straightforward. Simply download your free tool and follow these steps:

  1. Run Specops Password Auditor: After installation, launch Specops Password Auditor and allow it to scan your Active Directory.
  2. Analyze the report: It generates comprehensive reports that highlight user and password policy information. Pay special attention to the section on accounts using compromised passwords.
  3. Act: Once you’ve identified compromised passwords, prompt users to change them immediately. This step is vital in preventing unauthorized access to your systems.

Beyond identifying compromised passwords, Specops Password Auditor equips you with knowledge about the overall state of your password policies and user accounts, identifying blank passwords, breached passwords, identical passwords, admin accounts, delegable admin accounts, stale admin accounts, stale user accounts, user accounts with the control flag for not requiring a password set/password never expires, expired or expiring passwords, password age, and when passwords were last changed.

Armed with this information, you can make informed decisions to enhance your organization’s access security.

Specops Password Auditor Report
Specops Password Auditor

Automating breached password checks

Specops Password Auditor offers a great initial health check of your Active Directory by cross-referencing against 950 million known compromised passwords. It helps to inform you where your password policy needs improving and where your password-related vulnerabilities lie.

The next step is building a stronger password policy and automating the process of checking for compromised passwords. This is where a more advanced tool such as Specops Password Policy comes in.

Once you’ve identified compromised credentials and vulnerabilities using Specops Password Auditor report, you can bolster your organization’s password security further using Specops Password Policy.

Specops Password Policy enforces password length and complexity while preventing the use of common character types at the beginning or end of passwords and consecutively repeated characters.

To facilitate the creation of stronger yet memorable passwords, it supports passphrases, a combination of words that may seem unrelated, making them both easier for users to remember and harder for hackers to decipher.

Specops Password Policy with Breached Password Protection feature, checks your Active Directory against a list of 3 billion unique weak and known compromised passwords – including those being used right now in attacks on Specops’ honeypot accounts.

On top of that, if continuous scan is activated, users will be alerted by SMS or email as soon as their password has been discovered to be compromised and forced to change it. Our research team’s attack monitoring data collection systems update the service daily to ensure your network is protected from real-world password attacks.

Secure your business against breached passwords today

Compromised credentials offer attackers an easy route into your organization – it’s too risky to not have visibility over whether your end-users have been involved in breaches.

Start on boosting your access security with a free audit of your Active Directory for password-related vulnerabilities.

And if you’re interested in automating the process and securing against a constantly updated list of over 3 billion unique weak and compromised passwords, give Specops Password Policy a trial.

Sponsored and written by Specops Software.

Source – https://www.bleepingcomputer.com/news/security/are-your-end-users-passwords-compromised-heres-how-to-check/

The Microsoft AI research division accidentally leaked dozens of terabytes of sensitive data starting in July 2020 while contributing open-source AI learning models to a public GitHub repository.

Almost three years later, this was discovered by cloud security firm Wiz whose security researchers found that a Microsoft employee inadvertently shared the URL for a misconfigured Azure Blob storage bucket containing the leaked information.

Microsoft linked the data exposure to using an excessively permissive Shared Access Signature (SAS) token, which allowed full control over the shared files. This Azure feature enables data sharing in a manner described by Wiz researchers as challenging to monitor and revoke

When used correctly, Shared Access Signature (SAS) tokens offer a secure means of granting delegated access to resources within your storage account.

This includes precise control over the client’s data access, specifying the resources they can interact with, defining their permissions concerning these resources, and determining the duration of the SAS token’s validity.

“Due to a lack of monitoring and governance, SAS tokens pose a security risk, and their usage should be as limited as possible. These tokens are very hard to track, as Microsoft does not provide a centralized way to manage them within the Azure portal,” Wiz warned today.

“In addition, these tokens can be configured to last effectively forever, with no upper limit on their expiry time. Therefore, using Account SAS tokens for external sharing is unsafe and should be avoided.”

Microsoft Azure Storage leak tweet

38TB of private data exposed via Azure storage bucket

The Wiz Research Team found that besides the open-source models, the internal storage account also inadvertently allowed access to 38TB worth of additional private data.

The exposed data included backups of personal information belonging to Microsoft employees, including passwords for Microsoft services, secret keys, and an archive of over 30,000 internal Microsoft Teams messages originating from 359 Microsoft employees.

In an advisory on Monday by the Microsoft Security Response Center (MSRC) team, Microsoft said that no customer data was exposed, and no other internal services faced jeopardy due to this incident.

Wiz reported the incident to MSRC on June 22nd, 2023, which revoked the SAS token to block all external access to the Azure storage account, mitigating the issue on June 24th, 2023.

“AI unlocks huge potential for tech companies. However, as data scientists and engineers race to bring new AI solutions to production, the massive amounts of data they handle require additional security checks and safeguards,” Wiz CTO & Cofounder Ami Luttwak told BleepingComputer.

“This emerging technology requires large sets of data to train on. With many development teams needing to manipulate massive amounts of data, share it with their peers or collaborate on public open-source projects, cases like Microsoft’s are increasingly hard to monitor and avoid.”

BleepingComputer also reported one year ago that, in September 2022, threat intelligence firm SOCRadar spotted another misconfigured Azure Blob Storage bucket belonging to Microsoft, containing sensitive data stored in files dated from 2017 to August 2022 and linked to over 65,000 entities from 111 countries.

SOCRadar also created a data leak search portal named BlueBleed that enables companies to find out if their sensitive data was exposed online.

Microsoft later added that it believed SOCRadar “greatly exaggerated the scope of this issue” and “the numbers.”

 

Source – https://www.bleepingcomputer.com/news/microsoft/microsoft-leaks-38tb-of-private-data-via-unsecured-azure-storage/