The Good, the Bad and the Ugly in Cybersecurity – Week 11

The Good

It seems as though we have been on a roll the last few months with notable cybercrime arrests. This week, South Korean police announced the arrest of a 20-year old individual suspected of distributing and operating GandCrab ransomware.

Authorities did not reveal the name of the individual but say he was an ‘affiliate’ (aka customer) of GandCrab RaaS rather than the developer or primary seller. The unnamed male has been charged with distributing GandCrab, via phising emails, to targets primarily across South Korea. Between February and June of 2019, the suspect allegedly targeted approximately 6,000 addresses with phishing emails pretending to come from official entities such as local police stations, the Constitutional Court and the Bank of Korea. Victims were instructed to pay around $1300 in Bitcoin.

The attacker, who took 7% of the haul from each paying victim with the rest going to the GandCrab operators, is said to have only made about $10,500 (12M Won) from approximately 120 victims. Law enforcement were able to track the activities of the accused via cryptocurrency transactions. Despite common misconceptions, Bitcoin transactions are not anonymous. It would appear as though the suspect did not account for that, allowing authorities to easily determine the source and destination of key transactions. GandCrab is now retired, having been replaced with numerous, more intimidating, threats. However, this is a nice reminder that law enforcement is always on the trail, and they will catch up.

The Bad

The bad news this week is of course the current, ongoing, attacks against Microsoft Exchange servers across the world. The issue is now even more complex. While we have the original actor(s) continuing their campaign of locating and compromising servers, we now also have unrelated attackers attempting to scan for and take advantage of the in-place webshells. In addition to all this, we have started to observe multiple variations of PoC (Proof-of-Concept) code appear for some of the relevant vulnerabilities.

One particular example may have been particularly dangerous had it not been pulled from Github by Microsoft. That particular PoC was a combination attack leveraging CVE-2021-26855 and CVE-2021-27065. It also appears to have been the first functional (with a few tweaks) PoC to accurately exploit the pertinent flaws. Just hours after it was posted, it was pulled from Github. However, it is known that while the code was available it was accessed and pulled more than enough times for variants and reposts to begin appearing.

The bottom line is that priority should be placed on patching these exposed servers ASAP (if it has not been done already). Reducing or eliminating exposure is key. We wish all the infosec warriors out there all the best as they continue to work to ensure coverage from this threat. For those seeking additional guidance on the Hafnium/Exchange issues, we have posted a full blog covering the threat and recommendations for mitigation.

The Ugly

This week a rather disturbing disclosure emerged concerning Silicon Valley surveillance company Verkada, Inc. It is reported that a group of hackers was able to gain access to camera data and live feeds for nearly 150,000 Verkada cameras, some of which were installed in very sensitive locations. These included premises belonging to companies such as Cloudflare, Tesla, Intel, and Nissan. The hackers were also able to gain access to cameras in multiple prisons and healthcare entities, allowing unfettered visibility into some most sensitive areas.

The methodology behind the hack appears to be rather unsophisticated and highlights one of the oldest issues in information security: the use (and leaking) of default credentials or hardcoded “Super User / Super Admin” accounts.

The individuals involved in the breach, a ‘hacking’ collective calling themselves “APT 69420 Arson Cats”, were able to find a working “Super Admin” credential set exposed in the clear on the internet. With that account, they were able to gain access to the myriad data available to Verkada. However, it is also reported that the hackers could have potentially taken things a step further if desired.

In a statement to, the group stated that they were “able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code…in some instances, allow(ing) them to pivot and obtain access to the broader corporate network of Verkada’s customers or hijack the cameras and use them as a platform to launch future hacks”.

At the end of the day, this is a fairly scary reminder that our need for protection extends to all devices…not just traditional endpoints. The scope and definition of IoT is widening everyday, as is the requirement to secure these devices. If you are not already taking steps to ensure full visibility of all your “Smart” devices and their security, this may be a good time to review policies and stay safe!