News

A 20-year-old Russian National Magomedovich Astamirov was arrested in Arizona and had his initial appearance in court yesterday. The arrest and charges come after a lengthy investigation into the Ransomware as a Service Group, LockBit. This is the second arrest in six months related to the group’s activities with a third warrant/indictment issued for another individual, Mikhail Pavlovich Matveev, who is still at large. According to the DOJ press release Astamirov is suspected of conspiring with other LockBit members to attack multiple organizations in the US and around the globe. Astamirov is believed to have managed various IP and Email addresses used for ransomware deployment and communication with the victims of attacks.

Here we are with another story about MOVEit and just how bad things have gotten for the Managed File Transfer application and their parent company Progress Software. The group behind the attack, Cl0p ransomware gang, has started to extort the companies that they stole data from. They have listed the names of companies on their data leak site, in the same manner they would for ransomware victims after failing to pay. We know that someone (Cl0p has taken credit) was able to finally exploit a zero-day in the software after about a year of tinkering with the flaw and months of access.

On Wednesday Microsoft’s threat group unveiled information about a new Russian Threat Group with ties to the GRU. As part of the announcement, they also noted that the group has a low success rate and poor operational security. The group, which Microsoft is now tracking under the name Cadet Blizzard seems to focus on service disruption, destructive campaigns and information gathering. Microsoft noted that they appear to be a combination of technically skilled, but lacking direction and sophistication.

If there is one thing you can say about modern threat groups, it is that they are clever. The new tactics and techniques they identify, and implement are impressive. A recent technique identified is the use of abandoned S3 buckets. The attackers search for and locate S3 buckets that are no longer in use and claim them as their own. If the bucket happens to be part of an existing or previous deployment workflow, so much the better. Checkmarx recently identified a supply chain attack that involved this type of scenario. The attackers took claimed an abandoned S3 bucket for an NPM package called bignum.