A Russian man identified by KrebsOnSecurity in January 2022 as a prolific and vocal member of several top ransomware groups was the subject of two indictments unsealed by the Justice Department today. U.S. prosecutors say Mikhail Pavolovich Matveev, a.k.a. “Wazawaka” and “Boriselcin” worked with three different ransomware gangs that extorted hundreds of millions of dollars from companies, schools, hospitals and government agencies.
Indictments returned in New Jersey and the District of Columbia allege that Matveev was involved in a conspiracy to distribute ransomware from three different strains or affiliate groups, including Babuk, Hive and LockBit.
The indictments allege that on June 25, 2020, Matveev and his LockBit co-conspirators deployed LockBit ransomware against a law enforcement agency in Passaic County, New Jersey. Prosecutors say that on May 27, 2022, Matveev conspired with Hive to ransom a nonprofit behavioral healthcare organization headquartered in Mercer County, New Jersey. And on April 26, 2021, Matveev and his Babuk gang allegedly deployed ransomware against the Metropolitan Police Department in Washington, D.C.
Meanwhile, the U.S. Department of Treasury has added Matveev to its list of persons with whom it is illegal to transact financially. Also, the U.S. State Department is offering a $10 million reward for the capture and/or prosecution of Matveev, although he is unlikely to face either as long as he continues to reside in Russia.
In a January 2021 discussion on a top Russian cybercrime forum, Matveev’s alleged alter ego Wazawaka said he had no plans to leave the protection of “Mother Russia,” and that traveling abroad was not an option for him.
“Mother Russia will help you,” Wazawaka concluded. “Love your country, and you will always get away with everything.”
In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 33-year-old Mikhail Matveev from Abaza, RU (the FBI says his date of birth is Aug. 17, 1992).
A month after that story ran, a man who appeared identical to the social media photos for Matveev began posting on Twitter a series of bizarre selfie videos in which he lashed out at security journalists and researchers (including this author), while using the same Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance.
“Hello Brian Krebs! You did a really great job actually, really well, fucking great — it’s great that journalism works so well in the US,” Matveev said in one of the videos. “By the way, it is my voice in the background, I just love myself a lot.”
Prosecutors allege Matveev used a dizzying stream of monikers on the cybercrime forums, including “Boriselcin,” a talkative and brash personality who was simultaneously the public persona of Babuk, a ransomware affiliate program that surfaced on New Year’s Eve 2020.
Previous reporting here revealed that Matveev’s alter egos included “Orange,” the founder of the RAMP ransomware forum. RAMP stands for “Ransom Anon Market Place, and analysts at the security firm Flashpoint say the forum was created “directly in response to several large Dark Web forums banning ransomware collectives on their site following the Colonial Pipeline attack by ransomware group ‘DarkSide.”
As noted in last year’s investigations into Matveev, his alleged cybercriminal handles all were driven by a uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder — not privately sold to the highest bidder.
In thread after thread on the crime forum XSS, Matveev’s alleged alias “Uhodiransomwar” could be seen posting download links to databases from companies that have refused to negotiate after five days.
Matveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces more than 20 years in prison.
Further reading:
Who is the Network Access Broker “Wazawaka?”
The New Jersey indictment against Matveev (PDF)
The indictment from the U.S. attorney’s office in Washington, D.C. (PDF)
Microsoft today released software updates to plug 100 security holes in its Windows operating systems and other software, including a zero-day vulnerability that is already being used in active attacks. Not to be outdone, Apple has released a set of important updates addressing two zero-day vulnerabilities that are being used to attack iPhones, iPads and Macs.
On April 7, Apple issued emergency security updates to fix two weaknesses that are being actively exploited, including CVE-2023-28206, which can be exploited by apps to seize control over a device. CVE-2023-28205 can be used by a malicious or hacked website to install code.
Both vulnerabilities are addressed in iOS/iPadOS 16.4.1, iOS 15.7.5, and macOS 12.6.5 and 11.7.6. If you use Apple devices and you don’t have automatic updates enabled (they are on by default), you should probably take care of that soon as detailed instructions on how to attack CVE-2023-28206 are now public.
Microsoft’s bevy of 100 security updates released today include CVE-2023-28252, which is a weakness in Windows that Redmond says is under active attack. The vulnerability is in the Windows Common Log System File System (CLFS) driver, a core Windows component that was the source of attacks targeting a different zero-day vulnerability in February 2023.
“If it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago,” said Dustin Childs at the Trend Micro Zero Day Initiative. “To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix. As in February, there is no information about how widespread these attacks may be. This type of exploit is typically paired with a code execution bug to spread malware or ransomware.”
According to the security firm Qualys, this vulnerability has been leveraged by cyber criminals to deploy Nokoyawa ransomware.
“This is a relatively new strain for which there is some open source intel to suggest that it is possibly related to Hive ransomware – one of the most notable ransomware families of 2021 and linked to breaches of over 300+ organizations in a matter of just a few months,” said Bharat Jogi, director of vulnerability and threat research at Qualys.
Jogi said while it is still unclear which exact threat actor is targeting CVE-2023-28252, targets have been observed in South and North America, regions across Asia and at organizations in the Middle East.
Satnam Narang at Tenable notes that CVE-2023-28252 is also the second CLFS zero-day disclosed to Microsoft by researchers from Mandiant and DBAPPSecurity (CVE-2022-37969), though it is unclear if both of these discoveries are related to the same attacker.
Seven of the 100 vulnerabilities Microsoft fixed today are rated “Critical,” meaning they can be used to install malicious code with no help from the user. Ninety of the flaws earned Redmond’s slightly less-dire “Important” label, which refers to weaknesses that can be used to undermine the security of the system but which may require some amount of user interaction.
Narang said Microsoft has rated nearly 90% of this month’s vulnerabilities as “Exploitation Less Likely,” while just 9.3% of flaws were rated as “Exploitation More Likely.” Kevin Breen at Immersive Labs zeroed in on several notable flaws in that 9.3%, including CVE-2023-28231, a remote code execution vulnerability in a core Windows network process (DHCP) with a CVSS score of 8.8.
“‘Exploitation more likely’ means it’s not being actively exploited but adversaries may look to try and weaponize this one,” Breen said. “Micorosft does note that successful exploitation requires an attacker to have already gained initial access to the network. This could be via social engineering, spear phishing attacks, or exploitation of other services.”
Breen also called attention to CVE-2023-28220 and CVE-2023-28219 — a pair of remote code execution vulnerabilities affecting Windows Remote Access Servers (RAS) that also earned Microsoft’s “exploitation more likely” label.
“An attacker can exploit this vulnerability by sending a specially crafted connection request to a RAS server, which could lead to remote code execution,” Breen said. While not standard in all organizations, RAS servers typically have direct access from the Internet where most users and services are connected. This makes it extremely enticing for attackers as they don’t need to socially engineer their way into an organization. They can simply scan the internet for RAS servers and automate the exploitation of vulnerable devices.”
For more details on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.
Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.
s3-ep124-auth--1200
Authorities in the United States and United Kingdom today levied financial sanctions against seven men accused of operating “Trickbot,” a cybercrime-as-a-service platform based in Russia that has enabled countless ransomware attacks and bank account takeovers since its debut in 2016. The U.S. Department of the Treasury says the Trickbot group is associated with Russian intelligence services, and that this alliance led to the targeting of many U.S. companies and government entities.
Initially a stealthy trojan horse program delivered via email and used to steal passwords, Trickbot evolved into “a highly modular malware suite that provides the Trickbot Group with the ability to conduct a variety of illegal cyber activities, including ransomware attacks,” the Treasury Department said.
A spam email from 2020 containing a Trickbot-infected attachment. Image: Microsoft.
“During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States,” the sanctions notice continued. “In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.”
Only one of the men sanctioned today is known to have been criminally charged in connection with hacking activity. According to the Treasury Department, the alleged senior leader of the Trickbot group is 34-year-old Russian national Vitaly “Bentley” Kovalev.
A New Jersey grand jury indicted Kovalev in 2012 after an investigation by the U.S. Secret Service determined that he ran a massive “money mule” scheme, which used phony job offers to trick people into laundering money stolen from hacked small to mid-sized businesses in the United States. The 2012 indictment against Kovalev relates to cybercrimes he allegedly perpetrated prior to the creation of Trickbot.
In 2015, Kovalev reportedly began filming a movie in Russia about cybercrime called “Botnet.” According to a 2016 story from Forbes.ru, Botnet’s opening scene was to depict the plight of Christina Svechinskaya, a Russian student arrested by FBI agents in September 2010.
Christina Svechinskaya, a money mule hired by Bentley who was arrested by the FBI in 2010.
Svechinskaya was one of Bentley’s money mules, most of whom were young Russian students on temporary travel visas in the United States. She was among 37 alleged mules charged with aiding an international cybercrime operation — basically, setting up phony corporate bank accounts for the sole purpose of laundering stolen funds.
Although she possessed no real hacking skills, Svechinskaya’s mugshot and social media photos went viral online and she was quickly dubbed “the world’s sexiest computer hacker” by the tabloids.
Kovalev’s Botnet film project was disrupted after Russian authorities raided the film production company’s offices as part of a cybercrime investigation. In February 2016, Reuters reported that the raid was connected to a crackdown on “Dyre,” a sophisticated trojan that U.S. federal investigators say was the precursor to the Trickbot malware. The Forbes.ru article cited sources close to the investigation who said the film studio was operating as a money-laundering front for the cybercrooks behind Dyre.
But shifting political winds in Russia would soon bring high treason charges against three of the Russian cybercrime investigators tied to the investigation into the film studio. In a major shakeup in 2017, the Kremlin levied treason charges against Sergey Mikhaylov, then deputy chief of Russia’s top anti-cybercrime unit.
Also charged with treason was Ruslan Stoyanov, then a senior employee at Russian security firm Kaspersky Lab [the Forbes.ru report from 2016 said investigators from Mikhaylov’s unit and Kaspersky Lab were present at the film company raid].
Russian media outlets have speculated that the men were accused of treason for helping American cybercrime investigators pursue top Russian hackers. However, the charges against both men were classified and have never been officially revealed. After their brief, closed trial, both men were convicted of treason. Mikhaylov was given a 22 year prison sentence; Stoyanov was sentenced to 14 years in prison.
In September 2021, the Kremlin issued treason charges against Ilya Sachkov, formerly head of the cybersecurity firm Group-IB. According to Reuters, Sachkov and his company were hired by the film studio “to advise the Botnet director and writers on the finer points of cybercrime.” Sachkov remains imprisoned in Russia pending his treason trial.
Trickbot was heavily used by Conti and Ryuk, two of Russia’s most ruthless and successful ransomware groups. Blockchain analysis firm Chainalysis estimates that in 2021 alone, Conti extorted more than USD $100 million from its hacking victims; Chainalysis estimates Ryuk extorted more than USD $150 million from its ransomware victims.
The U.S. cybersecurity firm CrowdStrike has long tracked the activities of Trickbot, Ryuk and Conti under the same moniker — “Wizard Spider” — which CrowdStrike describes as “a Russia-nexus cybercriminal group behind the core development and distribution of a sophisticated arsenal of criminal tools, that allow them to run multiple different types of operations.”
“CrowdStrike Intelligence has observed WIZARD SPIDER targeting multiple countries and industries such as academia, energy, financial services, government, and more,” said Adam Meyers, head of intelligence at CrowdStrike.
This is not the U.S. government’s first swipe at the Trickbot group. In early October 2020, KrebsOnSecurity broke the news that someone had launched a series of coordinated attacks designed to disrupt the Trickbot botnet. A week later, The Washington Post ran a story saying the attack on Trickbot was the work of U.S. Cyber Command, a branch of the Department of Defense headed by the director of the U.S. National Security Agency (NSA).
Days after Russia invaded Ukraine in February 2022, a Ukrainian researcher leaked several years of internal chat logs from the Conti ransomware gang. Those candid conversations offer a fascinating view into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. They also showed that Conti enjoyed protection from prosecution by Russian authorities, as long as the hacker group took care not to target Russian organizations.
In addition, the leaked Conti chats confirmed there was considerable overlap in the operation and leadership of Conti, Trickbot and Ryuk.
Michael DeBolt, chief intelligence officer at cybersecurity firm Intel 471, said the leaked Conti chats showed Bentley oversaw a team of coders tasked with ensuring that the Trickbot and Conti malware remained undetected by the different antivirus and security software vendors.
In the years prior to the emergence of Trickbot in 2016, Bentley worked closely on the Gameover ZeuS trojan, a peer-to-peer malware threat that infected between 500,000 and a million computers with an automated ransomware strain called Cryptolocker, DeBolt said.
The FBI has a standing $3 million bounty offered for the capture of Evgeny “Slavik” Bogachev, the alleged author of the Zeus trojan. And there are indications that Bentley worked directly with Bogachev. DeBolt pointed to an October 2014 discussion on the exclusive Russian hacking forum Mazafaka that included a complaint by a Russian hosting firm against a forum user by the name “Ferrari” who had failed to pay a $30,000 hosting bill.
In that discussion thread, it emerged that the hosting company thought it was filing a complaint against Slavik. But the Mazafaka member who vouched for Ferrari’s membership on the forum said they knew Ferrari as Bentley the mule handler, and at some point Slavik and Bentley must have been sharing the Ferrari user account.
“It is likely that Slavik (aka. Bogachev) and Bentley (aka. Kovalev) shared the same ‘Ferrari’ handle on the Mazafaka forum circa 2014, which suggests the two had a working relationship at that time, and supports the recent US and UK Government announcements regarding Kovalev’s past involvement in cybercrime predating Dyre or the Trickbot Group,” DeBolt said.
CrowdStrike’s Meyers said while Wizard Spider operations have significantly reduced following the demise of Conti in June 2022, today’s sanctions will likely cause temporary disruptions for the cybercriminal group while they look for ways to circumvent the financial restrictions — which make it illegal to transact with or hold the assets of sanctioned persons or entities.
“Often, when cybercriminal groups are disrupted, they will go dark for a time only to rebrand under a new name,” Meyers said.
The prosecution of Kovalev is being handled by the U.S. Attorney’s Office in New Jersey. A copy of the now-unsealed 2012 indictment of Kovalev is here (PDF).