The Good, the Bad and the Ugly in Cybersecurity – Week 46

The Good | FBI Takes Down IPStorm Botnet

A botnet that had been running since 2019, infecting thousands of internet-connected devices around the world, has been taken down, the FBI said this week. IPStorm was operated by Sergei Makinin, a Russian and Moldovan national, who has pleaded guilty to three counts of computer fraud.

Unlike traditional botnets with centralized command-and-control, IPStorm used the peer-to-peer InterPlanetary File System (IPFS) protocol to store and share data across a distributed file system, which made it more resilient and harder to disrupt. Infected devices were turned into proxies for malicious activity by clients who bought access from Makinin through his public websites proxx.io and proxx.net.

By routing their internet traffic through the botnet, clients could conduct malicious activities anonymously. According to the FBI, customers paid hundreds of dollars a month to rent access to the botnet. Makinin is thought to have had over 23,000 paying customers and admitted to netting at least half a million dollars from the scheme.


Initially targeting Windows systems, IPStorm expanded over the years to most major platforms, including macOS, Linux and Android devices, across Asia, Europe, and North and South America, infecting at least 13,500 devices.

In announcing the takedown, the FBI said it had dismantled Makinin’s infrastructure, but the action did not extend to notifying victims or removing the botnet malware from infected devices, so the malware may still be present on compromised machines until their owners clean it up.

The Bad | Citrix Bleed Vulnerability Exploited By Lockbit Ransomware Group

This week, LockBit ransomware affiliates targeted large organizations by exploiting the critical “Citrix Bleed” vulnerability (tracked as CVE-2023-4966), despite Citrix having released fixes for it over a month ago. The flaw is an unauthenticated buffer over-read in Citrix’s NetScaler ADC and NetScaler Gateway products that leaks sensitive data, including valid session tokens, from appliance memory. Replaying a leaked token lets an attacker hijack an authenticated session, sidestepping both the password and multi-factor authentication (MFA). Per Citrix, appliances are affected when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

Thousands of internet-exposed appliances are still running vulnerable versions. So far, attacks have been observed against high-profile targets such as Boeing, DP World, Allen & Overy, and the Industrial and Commercial Bank of China (ICBC), each linked to exposed NetScaler servers vulnerable to Citrix Bleed.

According to a joint advisory from several law enforcement and cybersecurity agencies, LockBit affiliates attack organizations of all sizes across multiple critical infrastructure sectors, including education, energy, financial services, government, healthcare, and manufacturing. LockBit is one of the largest Ransomware-as-a-Service (RaaS) operations and works through numerous affiliates, each of which chooses its own method of breaching networks.

As of this writing, over 10,400 Citrix servers remain vulnerable to CVE-2023-4966, the majority of them located in the United States. Despite the flaw’s critical severity (CVSS score 9.4) and its public disclosure on October 10, numerous servers in large and critical organizations around the world remain unpatched.

Earlier in the month, Citrix Bleed was confirmed in attacks against legal, technical, and government entities spanning the Americas, Europe, Africa, and the Asia-Pacific region. In its security bulletin, Citrix has urged admins to update NetScaler ADC and Gateway to the latest fixed builds immediately and, because patching alone does not invalidate session tokens that were already stolen, to terminate all active and persistent sessions after the upgrade. CISA has added CVE-2023-4966 to its Known Exploited Vulnerabilities (KEV) Catalog and mandated that federal agencies secure their systems against active exploitation.
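With thousands of appliances still unpatched, the first job for a defender is to find out which of their own NetScaler builds are below the fixed builds. The script below is an added example written for this post; it is not code from the article, from SentinelOne, or from Citrix. It parses the version string that `show version` prints (or the short `13.1-49.15` form used in advisories), compares it against the minimum fixed builds listed in Citrix advisory CTX579459 at the time of writing, and groups an inventory by status. The fixed-build table should be re-verified against the current advisory before use; the hostnames and versions in the sample inventory are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed builds for CVE-2023-4966 per release branch, as listed in Citrix
# advisory CTX579459 at the time of writing. Verify against the current advisory
# before relying on this table. Key: (branch, variant) -> (build, sub-build).
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("14.1", ""): (8, 50),
    ("13.1", ""): (49, 15),
    ("13.0", ""): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDCPP"): (55, 300),
}

# Matches both 'show version' output ('NetScaler NS13.1: Build 49.13.nc, ...')
# and the short form used in advisories ('13.1-49.15').
VERSION_RE = re.compile(
    r"(?:NS)?(\d+\.\d+)[:\s-]*(?:Build\s*)?(\d+)\.(\d+)", re.IGNORECASE
)


def parse_version(text: str) -> Optional[Tuple[str, int, int]]:
    """Return (branch, build, sub_build) from a NetScaler version string, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(version_text: str, variant: str = "") -> Tuple[str, str]:
    """Classify one appliance as 'fixed', 'vulnerable', 'unknown' or 'unparseable'.

    variant is '' for standard builds, 'FIPS' or 'NDcPP' for those editions.
    """
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparseable", f"no NetScaler version found in {version_text!r}"
    branch, build, sub = parsed
    fixed = FIXED_BUILDS.get((branch, variant.upper()))
    if fixed is None:
        if branch == "12.1" and not variant:
            # Standard 12.1 is end of life: there is no fixed build, only migration.
            return "vulnerable", "12.1 (non-FIPS/NDcPP) is end of life; no fix exists"
        return "unknown", f"no fixed build known for branch {branch} {variant}".strip()
    current = f"{branch}-{build}.{sub}"
    target = f"{branch}-{fixed[0]}.{fixed[1]}"
    if (build, sub) >= fixed:
        return "fixed", f"{current} is at or above fixed build {target}"
    return "vulnerable", f"{current} is below fixed build {target}"


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group appliance hostnames by status. Inventory rows: (host, version, variant)."""
    groups: Dict[str, List[str]] = {}
    for host, version, variant in inventory:
        status, _ = assess(version, variant)
        groups.setdefault(status, []).append(host)
    return groups


# Constructed sample inventory for this example; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("gw-east-1", "NetScaler NS13.1: Build 49.13.nc, Date: Aug 10 2023", ""),
    ("gw-east-2", "NetScaler NS13.1: Build 49.15.nc, Date: Oct 9 2023", ""),
    ("gw-west-1", "14.1-8.50", ""),
    ("gw-fips-1", "13.1-37.163", "FIPS"),
    ("gw-legacy", "12.1-65.35", ""),
    ("gw-broken", "version unavailable (ssh timeout)", ""),
]


if __name__ == "__main__":
    for host, version, variant in SAMPLE_INVENTORY:
        status, detail = assess(version, variant)
        print(f"{host:12} {status:12} {detail}")
    print(triage(SAMPLE_INVENTORY))
```

A "fixed" result only means the build is no longer leaking tokens; it says nothing about sessions hijacked before the upgrade. Citrix’s own post-patch guidance is to terminate every existing session on the appliance (`kill icaconnection -all`, `kill rdp connection -all`, `kill pcoipConnection -all`, `kill aaa session -all` and `clear lb persistentSessions`), and appliances not configured as a Gateway or AAA virtual server are, per the advisory, not exposed to this particular flaw even when the build is old.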

The Ugly | ALPHV Files SEC Complaint Against Victim

Ransomware actor ALPHV has taken extortion to the next level by filing a complaint with the Securities and Exchange Commission (SEC) against one of its victims, MeridianLink, whose data is listed on the ALPHV leak site.

According to reports, ALPHV representatives say they breached MeridianLink on November 7th in a data theft operation that deployed no ransomware. The attackers claim the victim became aware of the breach the same day but did not report it to the SEC within four business days, citing a new disclosure requirement that has yet to come into force. MeridianLink has since stated that the attack only came to light three days later, on November 10th.

It seems unlikely that the complaint, which alleges a failure to file under Item 1.05 of Form 8-K, will be upheld. Aside from the fact that MeridianLink disputes the date on which it became aware of the breach, the rule does not take effect until December 18, and even then the four-business-day clock starts when a company determines an incident to be material, not when it first detects it.

MeridianLink is reported to have quickly patched the vulnerability used in the breach but has not entered into any ransom negotiations to date. Filing the SEC complaint may be an attempt to generate more publicity about the breach and to pressure the victim by raising concerns among its clients and partners about the stolen data.

The incident underscores the lengths threat actors will go to for a payout. Extortion of businesses that fail to adequately secure their networks has evolved rapidly since ransomware’s early days as simple file lockers; data exfiltration and double extortion that leverages public perception is now the standard playbook. Bringing regulatory compliance into the mix may be premature in this case, but the message to businesses should be clear: prevention is the primary cure in enterprise security.