Technology

Rarely do cybercriminal gangs that deploy ransomware gain the initial access to the target themselves. More commonly, that access is purchased from a cybercriminal broker who specializes in acquiring remote access credentials — such as usernames and passwords needed to remotely connect to the target’s network. In this post we’ll look at the clues left behind by “Babam,” the handle chosen by a cybercriminal who has sold such access to ransomware groups on many occasions over the past few years.

Since the beginning of 2020, Babam has set up numerous auctions on the Russian-language cybercrime forum Exploit, mainly selling virtual private networking (VPN) credentials stolen from various companies. Babam has authored more than 270 posts since joining Exploit in 2015, including dozens of sales threads. However, none of Babam’s posts on Exploit include any personal information or clues about his identity.

But in February 2016, Babam joined Verified, another Russian-language crime forum. Verified was hacked at least twice in the past five years, and its user database posted online. That information shows that Babam joined Verified using the email address “operns@gmail.com.” The latest Verified leak also exposed private messages exchanged by forum members, including more than 800 private messages that Babam sent or received on the forum over the years.

In early 2017, Babam confided to another Verified user via private message that he is from Lithuania. In virtually all of his forum posts and private messages, Babam can be seen communicating in transliterated Russian rather than by using the Cyrillic alphabet. This is common among cybercriminal actors for whom Russian is not their native tongue.

Cyber intelligence platform Constella Intelligence told KrebsOnSecurity that the operns@gmail.com address was used in 2016 to register an account at filmai.in, which is a movie streaming service catering to Lithuanian speakers. The username associated with that account was “bo3dom.”

A reverse WHOIS search via DomainTools.com says operns@gmail.com was used to register two domain names: bonnjoeder[.]com back in 2011, and sanjulianhotels[.]com (2017). It’s unclear whether these domains ever were online, but the street address on both records was “24 Brondeg St.” in the United Kingdom. [Full disclosure: DomainTools is a frequent advertiser on this website.]

A reverse search at DomainTools on “24 Brondeg St.” reveals one other domain: wwwecardone[.]com. The use of domains that begin with “www” is fairly common among phishers, and by passive “typosquatting” sites that seek to siphon credentials from legitimate websites when people mistype a domain, such as accidentally omitting the “.” after typing “www”.

A banner from the homepage of the Russian language cybercrime forum Verified.

Searching DomainTools for the phone number in the WHOIS records for wwwecardone[.]com  — +44.0774829141 — leads to a handful of similar typosquatting domains, including wwwebuygold[.]com and wwwpexpay[.]com. A different UK phone number in a more recent record for the wwwebuygold[.]com domain — 44.0472882112 — is tied to two more domains – howtounlockiphonefree[.]com, and portalsagepay[.]com. All of these domains date back to between 2012 and 2013.

The original registration records for the iPhone, Sagepay and Gold domains share an email address: devrian26@gmail.com. A search on the username “bo3dom” using Constella’s service reveals an account at ipmart-forum.com, a now-defunct forum concerned with IT products, such as mobile devices, computers and online gaming. That search shows the user bo3dom registered at ipmart-forum.com with the email address devrian27@gmail.com, and from an Internet address in Vilnius, Lithuania.

Devrian27@gmail.com was used to register multiple domains, including wwwsuperchange.ru back in 2008 (notice again the suspect “www” as part of the domain name). Gmail’s password recovery function says the backup email address for devrian27@gmail.com is bo3*******@gmail.com. Gmail accepts the address bo3domster@gmail.com as the recovery email for that devrian27 account.

According to Constella, the bo3domster@gmail.com address was exposed in multiple data breaches over the years, and in each case it used one of two passwords: “lebeda1” and “a123456“.

Searching in Constella for accounts using those passwords reveals a slew of additional “bo3dom” email addresses, including bo3dom@gmail.com.  Pivoting on that address in Constella reveals that someone with the name Vytautas Mockus used it to register an account at mindjolt.com, a site featuring dozens of simple puzzle games that visitors can play online.

At some point, mindjolt.com apparently also was hacked, because a copy of its database at Constella says the bo3dom@gmail.com used two passwords at that site: lebeda1 and a123456.

A reverse WHOIS search on “Vytautas Mockus” at DomainTools shows the email address devrian25@gmail.com was used in 2010 to register the domain name perfectmoney[.]co. This is one character off of perfectmoney[.]com, which is an early virtual currency that was quite popular with cybercriminals at the time. The phone number tied to that domain registration was “86.7273687“.

A Google search for “Vytautas Mockus” says there’s a person by that name who runs a mobile food service company in Lithuania called “Palvisa.” A report on Palvisa (PDF) purchased from Rekvizitai.vz — an official online directory of Lithuanian companies — says Palvisa was established in 2011 by a Vytautaus Mockus, using the phone number 86.7273687, and the email address bo3dom@gmail.com. The report states that Palvisa is active, but has had no employees other than its founder.

Reached via the bo3dom@gmail.com address, the 36-year-old Mr. Mockus expressed mystification as to how his personal information wound up in so many records. “I am not involved in any crime,” Mockus wrote in reply.

A rough mind map of the connections mentioned in this story.

The domains apparently registered by Babam over nearly 10 years suggest he started off mainly stealing from other cybercrooks. By 2015, Babam was heavily into “carding,” the sale and use of stolen payment card data. By 2020, he’d shifted his focus almost entirely to selling access to companies.

A profile produced by threat intelligence firm Flashpoint says Babam has received at least four positive feedback reviews on the Exploit cybercrime forum from crooks associated with the LockBit ransomware gang.

The ransomware collective LockBit giving Babam positive feedback for selling access to different victim organizations. Image: Flashpoint

According to Flashpoint, in April 2021 Babam advertised the sale of Citrix credentials for an international company that is active in the field of laboratory testing, inspection and certification, and that has more than $5 billion in annual revenues and more than 78,000 employees.

Flashpoint says Babam initially announced he’d sold the access, but later reopened the auction because the prospective buyer backed out of the deal. Several days later, Babam reposted the auction, adding more information about the depth of the illicit access and lowering his asking price. The access sold less than 24 hours later.

“Based on the provided statistics and sensitive source reporting, Flashpoint analysts assess with high confidence that the compromised organization was likely Bureau Veritas, an organization headquartered in France that operates in a variety of sectors,” the company concluded.

In November, Bureau Veritas acknowledged that it shut down its network in response to a cyber attack. The company hasn’t said whether the incident involved ransomware and if so what strain of ransomware, but its response to the incident is straight out of the playbook for responding to ransomware attacks. Bureau Veritas has not yet responded to requests for comment; its latest public statement on Dec. 2 provides no additional details about the cause of the incident.

Flashpoint notes that Babam’s use of transliterated Russian persists on both Exploit and Verified until around March 2020, when he switches over to using mostly Cyrillc in his forum comments and sales threads. Flashpoint said this could be an indication that a different person started using the Babam account since then, or more likely that Babam had only a tenuous grasp of Russian to begin with and that his language skills and confidence improved over time.

Lending credence to the latter theory is that Babam still makes linguistic errors in his postings that suggest Russian is not his original language, Flashpoint found.

“The use of double “n” in such words as “проданно” (correct – продано) and “сделанны” (correct – сделаны) by the threat actor proves that this style of writing is not possible when using machine translation since this would not be the correct spelling of the word,” Flashpoint analysts wrote.

“These types of grammatical errors are often found among people who did not receive sufficient education at school or if Russian is their second language,” the analysis continues. “In such cases, when someone tries to spell a word correctly, then by accident or unknowingly, they overdo the spelling and make these types of mistakes. At the same time, colloquial speech can be fluent or even native. This is often typical for a person who comes from the former Soviet Union states.”

Cloud giant Amazon Web Services may have turned the dial of its annual AWS re:Invent jamboree more towards business executives and less towards the developers who helped propel it to its dominant market position, but that doesn’t mean there wasn’t plenty for software developers to get excited about as we round into 2022.

New CEO Adam Selipsky took to the main stage for a keynote that didn’t seek to ruffle any feathers, nor course correct the near-$60 billion cloud oil tanker. Instead, he focused on shining a spotlight on large customers like Nasdaq, M3, and Goldman Sachs, on knotty enterprise problems like migrating applications off of mainframes, and on the vendor’s latest custom silicon advances.

To read this article in full, please click here

In a follow-up to new compute, network and data service offerings announced by AWS CEO Adam Selipsky earlier this week, Amazon's vice president of AI, Swami Sivasubramanian, pulled the covers off some updates to database, machine learning and serverless offerings.

To read this article in full, please click here

JetBrains has officially launched Compose Multiplatform 1.0, a tool that promises to speed the development of user interfaces for desktop, Android, and web applications, using the company’s Kotlin programming language.

Compose Multiplatform has reached stable status and can be used for building production-level apps, the company said on December 2. The UI framework for Kotlin takes a declarative and reactive approach to building UIs, allowing UI code to be shared across platforms and sparing developers from dealing with UI update logic.

To read this article in full, please click here

A recent survey by Virtana of 350 IT and cloud decision-makers found that 82% have incurred unnecessary cloud costs, 56% lack tools to manage their spending using automation, and 86% can’t easily get a holistic view of all their operational cloud costs.

Gartner predicts that 60% of infrastructure and operations leaders will see cost overruns for public cloud projects. This is assuming migration from traditional systems and cloud-native (net-new) development.

To read this article in full, please click here

Amazon Web Services has announced limited general availability of Amazon SageMaker Canvas, a visual, no-code tool for creating machine learning models aimed at business analysts.

Built as a new capability for the Amazon SageMaker machine learning service, SageMaker Canvas provides a visual interface that accesses data from disparate sources and prepares the data for training machine learning (ML) models. A point-and-click interface enables generation of accurate ML predictions, without requiring ML experience or writing any code. SageMaker Canvas is integrated with with Amazon SageMaker Studio.

To read this article in full, please click here

In January 2021, technology vendor Ubiquiti Inc. [NYSE:UI] disclosed that a breach at a third party cloud provider had exposed customer account credentials. In March, a Ubiquiti employee warned that the company had drastically understated the scope of the incident, and that the third-party cloud provider claim was a fabrication. On Wednesday, a former Ubiquiti developer was arrested and charged with stealing data and trying to extort his employer while pretending to be a whistleblower.

Federal prosecutors say Nickolas Sharp, a senior developer at Ubiquiti, actually caused the “breach” that forced Ubiquiti to disclose a cybersecurity incident in January. They allege that in late December 2020, Sharp applied for a job at another technology company, and then abused his privileged access to Ubiquiti’s systems at Amazon’s AWS cloud service and the company’s GitHub accounts to download large amounts of proprietary data.

Sharp’s indictment doesn’t specify how much data he allegedly downloaded, but it says some of the downloads took hours, and that he cloned approximately 155 Ubiquiti data repositories via multiple downloads over nearly two weeks.

On Dec. 28, other Ubiquiti employees spotted the unusual downloads, which had leveraged internal company credentials and a Surfshark VPN connection to hide the downloader’s true Internet address. Assuming an external attacker had breached its security, Ubiquiti quickly launched an investigation.

But Sharp was a member of the team doing the forensic investigation, the indictment alleges.

“At the time the defendant was part of a team working to assess the scope and damage caused by the incident and remediate its effects, all while concealing his role in committing the incident,” wrote prosecutors with the Southern District of New York.

According to the indictment, on January 7 a senior Ubiquiti employee received a ransom email. The message was sent through an IP address associated with the same Surfshark VPN. The ransom message warned that internal Ubiquiti data had been stolen, and that the information would not be used or published online as long as Ubiquiti agreed to pay 25 Bitcoin.

The ransom email also offered to identify a purportedly still unblocked “backdoor” used by the attacker for the sum of another 25 Bitcoin (the total amount requested was equivalent to approximately $1.9 million at the time). Ubiquiti did not pay the ransom demands.

Investigators say they were able to tie the downloads to Sharp and his work-issued laptop because his Internet connection briefly failed on several occasions while he was downloading the Ubiquiti data. Those outages were enough to prevent Sharp’s Surfshark VPN connection from functioning properly — thus exposing his Internet address as the source of the downloads.

When FBI agents raided Sharp’s residence on Mar. 24, he reportedly maintained his innocence and told agents someone else must have used his Paypal account to purchase the Surfshark VPN subscription.

Several days after the FBI executed its search warrant, Sharp “caused false or misleading news stories to be published about the incident,” prosecutors say. Among the claims made in those news stories was that Ubiquiti had neglected to keep access logs that would allow the company to understand the full scope of the intrusion. In reality, the indictment alleges, Sharp had shortened to one day the amount of time Ubiquiti’s systems kept certain logs of user activity in AWS.

“Following the publication of these articles, between Tuesday, March 30, 2021 and Wednesday March 31, [Ubiquiti’s] stock price fell approximately 20 percent, losing over four billion dollars in market capitalization,” the indictment states.

Sharp faces four criminal counts, including wire fraud, intentionally damaging protected computers, transmission of interstate communications with intent to extort, and making false statements to the FBI.

News of Sharp’s arrest was first reported by BleepingComputer, which wrote that while the Justice Department didn’t name Sharp’s employer in its press release or indictment, all of the details align with previous reporting on the Ubiquiti incident and information presented in Sharp’s LinkedIn account. A link to the indictment is here (PDF).

SolidJS is a unique approach to reactive front-end JavaScript. It provides a compact set of reactive “primitives” and leverages those to support higher-order functionality. This sounds somewhat like AngularJS and its use of ReactiveX, but it is quite a different experience. SolidJS feels more like the simplicity of AlpineJS, but delivers a far more ambitious set of capabilities.

SolidJS just hit its 1.0 release. Let’s take a look.

[ Also on InfoWorld: Get a look at the Svelte JavaScript framework ] Setting up SolidJS

First, set up a simple starter project. On your local machine, use the commands in Listing 1 to start something new (this follows the SolidJS docs).

To read this article in full, please click here

minecraft server woes, laptops, lsw, brower wars

‘Do More with R’ offers quick video tips on useful things you can do in the R programming language. Now you can search these R tutorial videos by topics, tasks, and packages in the table below. (Click on the task to go straight to the video content—or in some cases, an article with a video). Most videos are shorter than 10 minutes.

Search Do More With R by task, package, or category Task Category Packages/Software Connect R with Outlook programming, Microsoft Microsoft365R, Microsoft 365, Outlook, Team Remember tidyr pivot_wider and pivot_longer data wrangling tidyr, RStudio Create racing bar charts dataviz ddplot Create interactive visualizations and linked interactive graphics dataviz ggiraph, albersusa Write and run R code in Microsoft Visual Studio Code programming, vscode, Microsoft Visual Studio Code, VSCode How to use R with Google BigQuery data import, big data bigrquery, BigQuery Use the new R 4.1 pipe; run R 4.1 in Docker programming base R Use built-in R colors and external palettes dataviz rcolorutils, scales, tmaptools, paletteer, paletti Send email with blastula programming blastula Install and run Python with Rstudio programming reticulate, python Create interactive plots and graphs dataviz echarts4r Error check when iterating programming purrr Add text labels to your ggplot2 graphs dataviz ggplot2, ggrepel Create an election map in R color coded by winner and victory margin GIS, data analysis leaflet The ultimate R data.table cheat sheet - with tidyverse code too (no video) programming data.table, tidyverse Count and visualize data by groups in R programming, dataviz janitor, vtree, CGPfunctions, ggplot2, dplyr, data.table Create an interactive drilldown graph dataviz highcharter 5 useful fread options and features you might not know data import data.table Preview color-matched parentheses, brackets, and braces in RStudio alpha version programming RStudio Run lengthy scripts as RStudio background jobs programming, Rstudio RStudio Create interactive tables with expandable rows data display reactable R 4.0 new features and running R and Rstudio in a Docker container programming R, RStudio, Docker dplyr's new across function data wrangling dplyr Easier ggplot with ggeasy dataviz, ggplot ggplot2, ggeasy data.table symbols and operators, plus new fcase function data wrangling, data analysis data.table Add color to ggplot2 visualization with the ggtext package dataviz ggplot2, ggtext Twitter: Search, sort, and filter tweets by hashtag with rtweet and reactable programming rtweet, reactable Send text messages with R collaboration twilio What's that ZIP Code? Points in polygons geospatial analysis in R GIS, data analysis sf, tmap, tmaptools Merge data in R 3 ways: base R, dplyr, and data.table data wrangling dplyr, data.table, dtplyr Get data.table speed with dplyr syntax using dtplyr programming dtplyr, dplyr, data.table Intro to data.table data wrangling, data analysis data.table Export data from R to Excel with Excel formatting or multiple sheets data export openxlsx, rio Import API data with httr programming httr Use git and GitHub with R programming usethis, Rstudio Write your own ggplot2 functions programming rlang, ggplot2 Group and summarize with data.table and .SD programming data.table Calculate month-over-month comparisons programming dplyr Send Slack messages with R collaboration slackr Send email with R and Gmail collaboration gmailr Boost R Markdown interactivity data display markdown, shiny Customize ggplot with bbplot dataviz bbplot, ggplot2 Reshape data with tidyr’s new pivot functions data wrangling tidyr Write your own R package programming devtools, usethis, roxygen2 Run Python in R code programming reticulate, python Write your own RStudio addins programming Rstudio Create color-coded calendars dataviz ggcal, ggplot2 Save time with Rstudio addins and keyboard shortcuts programming Rstudio Create lookup tables with named vectors programming base R Keep passwords and tokens secure security, programming keyring Add sparklines to HTML tables dataviz DT, sparkline Make a quick interactive table data display DT Drag-and-drop ggplot dataviz esquisse, ggplot2 Reshape data with tidyr data wrangling tidyr Schedule R scripts on a Mac programming cronR Generate HTML, Word docs and more with R Markdown data display markdown Access nested list items data wrangling purrr Create animations in R dataviz gganimate, ggplot2 Create maps GIS, dataviz sf, tmap, tmaptools, leaflet Iterate without for loops using purrr's map_df programming purrr Save time with RStudio code snippets programming Rstudio Create dashboards dataviz flexdashboard Automated code tests programming, functions testthat Conditional values with case_when data wrangling dplyr Create interactive scatter plots with taucharts dataviz taucharts

To read this article in full, please click here

Red Hat, IBM, and data processing company Celonis have announced general availability of the Celonis Execution Management System (EMS) on Red Hat OpenShift on AWS (ROSA) as a managed cloud service.

Celonis EMS applies real-time process intelligence to system data to diagnose inefficiencies in business processes (sales, customer operations, supply and delivery, payables and collections, etc.) and drive automated action. The intent is to identify and unlock full process execution capacity across organizations and remove cloud infrastructure complexity as a challenge.

To read this article in full, please click here

All Windows applications need to be installed. Sure, you can just wrap your binaries and assets in a zip file and leave installation as an exercise for your users, but that means they’re unlikely to ever come back. That’s where the various Windows packaging and installer tools come in, giving you a way to build executables that place all the various elements of your code in the right place in a Windows install, ensuring that all the necessary dependencies are installed, and icons and shortcuts are in the start menu, ready to go.

How do you go about building an installer? Many of the tools out there take advantage of the standard Windows Installer packaging tools, but getting that configuration right can be hard, especially when you’re making packaging the final part of a CI/CD (continuous integration and continuous delivery) build process. When your code, artifacts, and dependencies change from build to build, you need a scriptable configuration environment that can be managed by your build tools, integrated into your development environment and your code repository.

To read this article in full, please click here

• Picture of the Week.
• "Super Duper Secure Mode"
• 37% of the world's smartphones are vulnerable.
• The RAT Dispenser.
• The Entirely Predictable 0-Day Windows Exploit.
• "The Frontiers Saga: Fringe Worlds"
• Closing the Loop.
• Bogons Begone!

We invite you to read our show notes at https://www.grc.com/sn/SN-847-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:

• business.eset.com/twit
• plextrac.com/twit
• itpro.tv/securitynow promo code SN30

For anyone expecting the new Amazon Web Services’ CEO Adam Selipsky to beat a new path for the cloud behemoth, Tuesday’s keynote address at AWS’s annual user conference would have come as a disappointment.

The former Tableau CEO—who returned to AWS earlier this year when Andy Jassy ascended to the Amazon CEO throne—was never going to be charged with setting a drastic new direction for the dominant cloud vendor, which maintains a healthy double-digit market share lead over its rivals Microsoft Azure and Google Cloud.

To read this article in full, please click here

In the world of chaos theory, weather forecasting, and science fiction, the “butterfly effect” is a popular way of stating that a small change in one state of a complex system can result in large differences in a later state. This concept has been used to great effect in movies and TV shows, as well as to explain why a snowstorm that was predicted in your hometown resulted in rain instead.

Avoiding the butterfly effect can also be applied to app development, especially when dealing with large, complex and distributed applications written with millions of lines of code. In this case, a typo or other error in one line could result in catastrophic results down the line. Companies have mainly dealt with this through a process of continuous integration (CI) and continuous development (CD), one of the best practices in an agile methodology for DevOps teams.

To read this article in full, please click here

Do-overs, re-do, roll again or mulligans – whatever your preferred usage, these terms all give us a chance to correct our mistakes, such as when you slice your drive on the first tee, or your dice roll off the table in Monopoly. Do-overs can be found in software app development as well, which can mean the difference between a small “oops” and a “giant catastrophe” when deploying configuration updates at scale.

AWS AppConfig, a capability within AWS Systems Manager, gives developers a chance to avoid having to do “do-overs” in the form of automated safety controls that monitor the deployment of configuration changes, as well as the ability to roll back to a previous configuration if errors are discovered. The system also includes validation tools that check the configuration changes before deployment begins, lowering the chances for a big mistake that would require a do-over in the first place.

To read this article in full, please click here

Weaveworks is making its first enterprise-grade Gitops platform generally available today. Called Weave GitOps Enterprise, the proprietary platform aims to automate continuous application delivery and Kubernetes operations tasks across any environment, to help organizations adopt Gitops principles at enterprise scale.

Since being coined in 2017 by the Weaveworks founder Alexis Richardson, Gitops has emerged as a natural evolution of modern software development practices like devops, infrastructure as code, and CI/CD.

To read this article in full, please click here

YellowDog, a cloud workload management specialist based in the United Kingdom, assembled a virtual supercomputer using many cloud-based servers. At its peak, which lasted about 10 minutes, the system had leveraged more than 3.2 million virtual CPUs. To be more precise, 33,333 AWS 96-core C5 24xlarge (bare metal) instances. This is one of several instances used during the run and costs $1.6013 per hour, which they used for a six-hour run time.

The reason for the tossed-together, widely distributed supercomputer was to run a drug discovery application as a single cluster, solving many problems quickly. All for about $60K.

[ InfoWorld’s 2021 Technology of the Year Award winners: The best software development, cloud computing, data analytics, and machine learning products ]

If you think this sounds excessive, high-performance computing geeks like me who used supercomputers back in the ’80s and ’90s were looking at a total bill of many millions of dollars, at a minimum, to do about a tenth of what they are doing here. By using this on-demand cloud-based supercomputer, the researchers were able to analyze 337 million compounds in just six hours.

To read this article in full, please click here

PHP 8.1, billed as a major update to the popular scripting language for web development, has been released with capabilities ranging from enums and read-only properties to first-class callable syntax.

PHP 8.1 was released on November 25. Source code and Windows binaries can be downloaded from php.net.

[ Also on InfoWorld: Complexity is killing software developers ]

Enums, or enumerations, allow developers to define a custom type that is limited to a discrete number of possible values. This can be helpful when defining a domain model by “making invalid states unrepresentable,” according to PHP documentation. In PHP, enum cases are valid objects that can be used anywhere an object may be used, including type checks.

To read this article in full, please click here

User expectations for software applications keep rising. Nowadays, services are expected to be highly reliable and perform well 24/7. Any kind of downtime is going to result in frustrated users and hurt your business long-term.

A key component in improving reliability is monitoring your application. While setting up basic monitoring is easy, having the ability to scale monitoring efficiently as traffic to your service grows is a major challenge. You also want visibility into every important metric for your service and the ability to make the data you are collecting useful and actionable with the ability to query and analyze it efficiently in real time on demand.

To read this article in full, please click here