The Good, the Bad and the Ugly in Cybersecurity – Week 19

The Good

It should be safe to say, at this point, that we are all aware of the child trafficking and child abuse issues that have arisen around (and adjacent to) the internet. Oftentimes, the Dark Web gets blamed for containing the most vile of material. This past week a huge victory was scored in the fight against the distribution of such material with the arrest of four individuals allegedly behind a huge child abuse sharing platform serving 400,000 members on the darknet.

In a statement, Germany’s federal police referred to the child pornography network as “Boystown” due to the fact that the platform primarily traded in pictures and recordings of abused boys. The arrests actually took place in April (with one of the four being apprehended in Paraguay); however, news of the operation was only released this week. The arrested individuals allegedly pro-actively engaged with their member community and even provided assistance on how to avoid detection by law enforcement so as to exchange their illicit materials “safely”.

The Boystown platform had been in operation for almost two years, first appearing in June 2019. However, following the operation and arrests, the site (and many associated sites and resources) have been seized and taken down. We applaud the efforts that went into this effort greatly. If you would like to review the BKA statement (Germany’s federal police) there is a copy posted on the BKA site.

The Bad

Bad news this week for ordinary citizens of Belgium as a massive DDoS (Distributed-Denial-of-Service) attack was reported to have disrupted websites belonging to the Belgium government. The large-scale attack was focused on Belnet (Belgian National Research and Education Network), which hosts many government, education, religious and civil online resources. Early on the 4th of May, users attempting to connect to associated websites were experiencing various hangs and availability issues.

Belnet quickly released a statement (translated):

“Due to a DDoS-attack some Belnet customers are experiencing connectivity problems. Our teams are working hard to mitigate the attacks and to restore connectivity. Belnet customers can contact our Service Desk at 02 790 33 00. We apologize for the inconvenience.”

The attackers used a variety of tactics in successive waves to ensure the network remained unavailable throughout Tuesday to the two hundred or more institutions and organizations that rely on it. Fortunately, by the evening, Belnet was able to announce that multiple countermeasures had been put in place, and it appears as though the attack had waned by early Wednesday. At this time, it is not clear what provoked the attack or who was behind it.

DDoS attacks are not at all uncommon these days. However, with attacks like this one we have to remind ourselves about the current situation (COVID). All COVID-19-centric, and other public health resources, were taken offline as part of this attack. When citizens are no longer able to access potentially life-saving information, these attacks become much more serious.

The Ugly

This has been a truly ugly week with regards to new ransomware, new leaks, and new attack campaigns. To start, this week the Astro Team ransomware group updated their victim blog with news of a new partnership. Astro Team appears to have forged a new partnership with “Xing Locker” to produce, perpetuate, and share even more swaths of sensitive data.

It has yet to be determined just how deep this partnership runs, but by all appearances it is similar to Astro Team + Mount Locker with respect to cross-posting dumps and potentially sharing access.

We also saw two formidable RaaS (Ransomware-as-a-Service) offerings go up for sale. Both “Toxin” and “Galaxy” services offer the usual raft of features and services, including upcoming leak/victim-shaming blogs. Each service offers the enterprising criminals competitive buy-in pricing or profit sharing. The initial advertisements for Galaxy offer interesting insight via their FAQ. For example, they have a specialized build for non-business targets, and the cut of profits with Galaxy is also negotiable.

Sadly, many of these services launch on a daily basis. Some pan out and become formidable threats (e.g., Avaddon) while others fizzle out if they don’t gain the attraction of enough criminals.

This week also saw news break concerning CVE-2021-21551, a slew of flaws in Dell firmware which affects millions of devices. The flaws, tracked under one CVE, are specific to Dell’s firmware update driver and can be utilized to escalate privileges and ultimately achieve kernel-mode permissions.

Click to play

While at this time we are not aware of any in-the-wild abuse, all Dell device owners are urged to review Dell’s security update and take the appropriate action.