A joint advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) provided information on the Maui ransomware used by North Korean state-sponsored threat actor groups as early as May 2021 to target healthcare organizations in the US. The FBI has observed and responded to multiple Maui ransomware incidents in which attempts were made to encrypt systems responsible for electronic health records services, diagnostics services, imaging services, and intranet services. The initial access vector for these incidents remains unknown, and in some of the cases services were disrupted for a prolonged period.
The Maui ransomware is a lesser-known family of ransomware and stands out from the prominent RaaS groups due to the lack of several key features. According to researchers who performed technical analysis on the Maui sample, the ransomware seems to be designed for manual execution by a remote attacker, who uses a command-line interface to interact with the malware and identify the files to be encrypted. It also lacks the usual embedded ransom note that RaaS groups use to provide recovery instructions, payment information, etc. The researchers also suspect that Maui has been developed privately, as no public offering has been observed so far.
In comparison to other prominent ransomware gangs of current times, the victim count of the Lorenz ransomware group appears relatively low, but the attacks are highly targeted, with ransom demands ranging from USD 500,000 to USD 700,000. The Lorenz ransomware attacks were first observed in the spring of 2021, and according to analysis from security researchers, the Lorenz ransomware code appears to resemble the older ThunderCrypt and SZ40 families.
Similar to the extortion strategy of other ransomware groups such as Conti, the Lorenz ransomware operators also first make the exfiltrated data available on their dedicated leak site (DLS) for sale to potential buyers. As the ransom payment gets delayed, the ransomware operators resort to publishing parts of the data as time goes on. Ultimately, if no ransom is paid and the data is not purchased, the data is released to the public for free for anyone to download.
At the end of June 2021, researchers released a free decryptor tool as part of the No More Ransom Project initiative that is capable of decrypting (non-corrupted) affected files in some cases and supports Microsoft Office documents, PDF files, and certain media types.
In early March 2022, researchers came across a new variant of the Lorenz ransomware which dates back to March 2, 2022. The files encrypted by this variant differ from those of previous Lorenz versions, and researchers observed other noticeable differences. The new variant uses a simple text file ‘HELP.TXT’ as the ransom note, whereas the previous one used an HTML document called ‘HELP_SECURITY_EVENT.html.’ Another difference is string encryption: previously the strings were embedded in the binary in plain text, while the variant spotted by researchers obfuscates them with a simple scheme in which each string is XOR-encrypted with the single-byte key 0x6B and then Base64-encoded.
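As an added illustration (not code from the original analysis or from the Lorenz operators), the following Python reproduces the string obfuscation described above, XOR with the single byte 0x6B followed by Base64, and uses the inverse to pull obfuscated strings back out of a byte buffer, the way an analyst would when triaging a sample. The sample buffer and the strings in it are constructed for this example; the Base64 regex scan and the printable-text filter are this example's own heuristics, not part of the published analysis.

```python
import base64
import re
import string

KEY = 0x6B  # single-byte XOR key reported for the new Lorenz variant


def xor_bytes(data: bytes, key: int = KEY) -> bytes:
    """XOR every byte with the single-byte key (symmetric: encode == decode)."""
    return bytes(b ^ key for b in data)


def encode_string(plain: str, key: int = KEY) -> str:
    """Apply the reported scheme (XOR, then Base64); used here only to build samples."""
    return base64.b64encode(xor_bytes(plain.encode("utf-8"), key)).decode("ascii")


def decode_string(encoded: str, key: int = KEY) -> str:
    """Reverse the scheme: Base64-decode, then XOR with the key."""
    raw = base64.b64decode(encoded, validate=True)
    return xor_bytes(raw, key).decode("utf-8", errors="replace")


# Heuristics for scanning a binary: Base64 alphabet runs of at least 8 chars,
# and a "looks like text" filter so random decodes are discarded.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def recover_strings(blob: bytes, key: int = KEY, min_len: int = 6) -> list:
    """Scan a byte buffer for Base64 runs that XOR-decode to printable text."""
    found = []
    for match in B64_RE.finditer(blob):
        token = match.group(0)
        if len(token) % 4:           # valid Base64 is always a multiple of 4
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:           # binascii.Error is a ValueError subclass
            continue
        text = xor_bytes(raw, key).decode("utf-8", errors="ignore")
        if len(text) >= min_len and all(c in PRINTABLE for c in text):
            found.append(text)
    return found


# Constructed stand-in for a binary: junk bytes, two obfuscated strings,
# a plain-text string, and a Base64 token that was NOT XOR-obfuscated.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00"
    + encode_string("HELP.TXT").encode("ascii")
    + b"\x00\xff\x00"
    + encode_string("C:\\Windows\\System32\\cmd.exe").encode("ascii")
    + b"\x00plain text left in binary\x00"
    + b"aGVsbG8gd29ybGQ="            # base64("hello world"), no XOR layer
    + b"\x00"
)

if __name__ == "__main__":
    for s in recover_strings(SAMPLE_BLOB):
        print(repr(s))
```

The scan reports only tokens whose XOR-decoded form is printable, so the un-obfuscated Base64 token in the sample is rejected (its XOR-decoded bytes contain control characters), while the two strings protected with the reported scheme are recovered in the order they appear in the buffer.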
Mangatoon – a platform for the popular Manga comics has recently fallen victim to a data breach. The breach resulted in the exposure of information related to more than 23 million user accounts due to a poorly secured database. As per reports, Mangatoon does not seem to be responding to messages about the breach from researchers.
Source: Surface Web
According to researchers, the breach was the result of an Elasticsearch server with a weak password being exploited by a well-known threat actor who goes by the alias ‘pompompurin.’ While speaking to researchers, the threat actor revealed: “it was ES, they had credentials on it but it was just ‘password’, they changed the credentials after I emailed telling them but they never notified their customers and never replied.”
Source: Surface Web
The database has also been updated on the popular data breach checking service “Have I Been Pwned?” where Mangatoon users can check if their email addresses have been compromised in this breach.
Source: Surface Web
Insights:
Source: Underground Forums
Security researcher Zhenpeng Lin, a Ph.D. student at Northwestern University, has recently discovered a zero-day vulnerability on the Google Pixel 6, and users are at risk even after updating their devices to the latest July 2022 security update. The vulnerability, for which no public CVE ID is stated as of now, affects the Android kernel. It allows an attacker to gain arbitrary kernel read/write access and root privilege, and to disable SELinux, which may lead to tampering with the operating system, manipulation of built-in security routines, and other malicious actions on an affected device.
In a demonstration, the bug was exploited on a Google Pixel 6; other current-generation Android devices are also said to be affected, including the Google Pixel 6 Pro and the Samsung Galaxy S22 family. According to the researcher, the bug affects all Android devices that run Linux kernel version 5.10.
Source: Surface Web
While Google has been informed about the issue, the precise details of the vulnerability have not been released to the public and are expected to be presented at Black Hat USA 2022. According to the researcher, the attack vector is generalized, but more powerful when compared with the Dirty Pipe vulnerability in the Linux kernel that recently made headlines. The researcher also highlights that it is not a remote code execution vulnerability, i.e. one that could be exploited without user interaction.