The Good, the Bad and the Ugly in Cybersecurity – Week 3

The Good

The U.S. Department of Justice this week arrested and charged Anatoly Legkodymov, a 40-year old Russian national, with offenses related to processing more than $700 million of illicit funds, including ransomware proceeds.

Legkodymov, who also went by the online names of ‘Gandalf’ and ‘Tolik’, was a senior executive and majority shareholder of Bitzlato, a cryptocurrency exchange that authorities say knowingly aided ransomware actors and other cybercriminals to process illicit funds.


According to court documents, Bitzlato marketed itself as requiring minimal identification from users, specifying that “neither selfies nor passports [are] required” and knowingly fostered the perception that it was a safe haven for funds used for and resulting from criminal activities.

Bitzlato was heavily involved with cryptocurrency transactions through the notorious darknet market Hydra, which was taken down by cops in April 2022. It’s alleged that Bitzlato received more than $15 million in ransomware proceeds and transacted over $700 million in cryptocurrency with Hydra. The U.S. government says that after Hydra’s shuttering, Bitzlato continued to facilitate transactions for Russia-connected darknet markets such as BlackSprut, OMG!OMG!, and Mega.

Legkodymov, who was arrested in Miami on Tuesday, faces up to 5 years in prison if convicted of operating an illegal money transmitting business. As for Bitzlato, European authorities have conducted a separate operation to seize and dismantle its digital infrastructure, taking the service out of the cybercriminal ecosystem once and for all.

The Bad

Git users are being urged to update to the latest release following news of two critical remote code execution bugs this week. Both are heap-based buffer overflow flaws that could allow attackers to execute arbitrary code.

CVE-2022-41903 and CVE-2022-23521 were patched on Wednesday, but a third Windows-specific vulnerability in the Git GUI tool, CVE-2022-41953, is still awaiting a fix. Users are being recommended not to use the tool until an update becomes available.

Mitigations for the two patched vulnerabilities for those that cannot immediately update are:

  • Disable ‘git archive’ in untrusted repositories or avoid running the command on untrusted repos
  • If ‘git archive’ is exposed via ‘git daemon’, disable it when working with untrusted repositories by running the command git config --global daemon.uploadArch false

Git is used widely in enterprises to manage development projects. The researchers that discovered the flaws in a sponsored audit pointed out that vulnerabilities in Git could allow attackers to compromise source code repositories or developer systems and potentially result in security breaches on a large scale.

The researchers went on to say that the sheer size of the Git codebase made it challenging to address all potential instances of the issues they discovered, and they made a number of recommendations to Git’s maintainers to improve code security.

In a separate blog post, GitHub says that it scanned all repositories on GitHub.com to confirm that no evidence existed that GitHub had been used as a vector to exploit any of the discovered vulnerabilities.

The Ugly

It’s another tough week for password managers as the recent troubles faced by LastPass have been followed by news of breaches of Norton Lifelock customer accounts.

Norton’s parent company, Gen Digital, has advised customers that a likely credential stuffing attack was used to compromise thousands of customer accounts in December. Customers that use the same password for different sites and services are susceptible to credential stuffing attacks if a reused password is exposed or leaked from a breach of one of those sites.

Suspicious activity began around December 1st and was followed by a large number of failed login attempts on December 12th. On January 9th, Gen Digital sent notices to around 6,500 customers of its password manager advising customers that “an unauthorized party likely has knowledge of the email and password you have been using with your Norton account…and your Norton Password Manager”. The advisory went on to recommend customers change their passwords with Norton Lifelock and elsewhere immediately.

The company says that intruders used a list of usernames and passwords obtained from another source, such as the darknet, to attempt to log into Norton customer accounts. Gen Digital insists that Norton Lifelock’s own systems were not compromised.
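The pattern described above, a leaked credential list replayed against many accounts from a source that mostly fails, is what a login log looks like during credential stuffing. The following detector is an added example, not code from the post or from Gen Digital; the log lines, their format and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login log (not from the incident): timestamp, source IP, username, result.
# 203.0.113.7 tries many distinct accounts with mostly failures (stuffing pattern);
# 198.51.100.4 is one user mistyping a password and then succeeding (benign pattern).
SAMPLE_LOG = """\
2022-12-12T03:14:01Z 203.0.113.7 alice@example.com FAIL
2022-12-12T03:14:02Z 203.0.113.7 bob@example.com FAIL
2022-12-12T03:14:02Z 203.0.113.7 carol@example.com OK
2022-12-12T03:14:03Z 203.0.113.7 dave@example.com FAIL
2022-12-12T03:14:03Z 203.0.113.7 erin@example.com FAIL
2022-12-12T03:14:04Z 203.0.113.7 frank@example.com FAIL
2022-12-12T03:14:05Z 203.0.113.7 grace@example.com OK
2022-12-12T08:00:10Z 198.51.100.4 alice@example.com FAIL
2022-12-12T08:00:25Z 198.51.100.4 alice@example.com FAIL
2022-12-12T08:00:40Z 198.51.100.4 alice@example.com OK
"""


def find_credential_stuffing(log_text, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.5):
    """Return {source_ip: stats} for sources whose behaviour matches credential stuffing:
    many attempts spread over many *distinct* usernames with a high failure rate.
    One user failing repeatedly from one source (forgotten password) is not flagged.
    The 'compromised' list names accounts that succeeded from a flagged source and
    should be forced to reset their password, as Norton's advisory recommended."""
    attempts = defaultdict(int)
    failures = defaultdict(int)
    users = defaultdict(set)
    successes = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        attempts[ip] += 1
        users[ip].add(user)
        if result == "FAIL":
            failures[ip] += 1
        else:
            successes[ip].add(user)
    flagged = {}
    for ip, n in attempts.items():
        ratio = failures[ip] / n
        if n >= min_attempts and len(users[ip]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {"attempts": n, "distinct_users": len(users[ip]),
                           "fail_ratio": round(ratio, 2), "compromised": sorted(successes[ip])}
    return flagged


if __name__ == "__main__":
    for ip, stats in find_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

Tuning the thresholds is deployment-specific; the distinct-user count is what separates stuffing from an ordinary brute-force attempt against a single account.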

Despite the bad news, password managers remain an effective first line of defense against account takeovers and compromises so long as users follow recommended practices. These include using unique passwords for every site, ensuring master passwords are not easily guessable, and employing two-factor authentication (2FA) wherever possible.