International Law Enforcement Operations Take Down Malware Dropper and Huge Botnet; Google Fixes Eighth Chrome Zero0-day This Year

So ends season one of Operation Endgame; season two promises to be exciting - but maybe not for everyone. The Endgame site includes a contact page if you wish to contribute information about suspects in their operation, as well as an ominous warning to think about (y)our next move with a 4.5-day countdown timer. As these sixteen organizations continue to work together to take out botnets and droppers, the implication is the contact link may not only be used to gathering tips but also for criminals to self-report.

It's a one-two punch from law enforcement in this installment of SANS NewsBites. First, the 911 S5 botnet is shuttered and now Operation Endgame. There are similarities between these two criminal enterprises Ð they used free software as bait, and both enabled the larger cybercriminal enterprise. Kudos to international law enforcement for the take-down.

This is the first time I've seen an operation with commercials, trailers, seasons, or episodes. I'm not sure what that was about, but operation-endgame.com is kind of wild. It's trying to send a message to people who are young and online all the time not to do this.

It is becoming clear that cyber law enforcement requires expensive coordination and cooperation but is both necessary and effective.

The "911 S5" botnet was largely built by offering "free" VPN services, which provided the promised services while adding malware, often bundled with other products users were enticed to install. Wang monetized the botnet by selling access to the infected IP addresses. The botnet infected residential systems in nearly 200 countries and was used to facilitate everything from financial fraud and identity theft to child exploitation, including multiple schemes to bypass export controls to make fraudulent purchases or claims using in-country systems. The botnet closed down in July 2022 after being outed in a news story, only to re-emerge ten days later as "Cloud Router," Other brands used by this botnet include MaskVPN, DewVPN, PaladinVPN, Proxygate, Shield VPN and ShineVPN. If you think you may have been part of the botnet, follow the guidance on the FBI's 911-s5 site (httpos://www.fbi.gov/911S5) to identify, shutdown and remove it from your system.

The adage, 'nothing is free' seems appropriate here. Basically, the so-called free VPN service came at a cost. That is, it allowed unsuspecting user devices to be used as a proxy service. What's interesting is that Mr. Wang had been 'outed' almost two years ago - law enforcement works; it just takes a bit of time.

Restart Google Chrome at least once a day, and check chrome://settings/help at least once a week to make sure that your version is up to date.

CVE-2024-52754, Chromium V8 Type Confusion flaw, has a CVSS 3 score of 8.8, and is in the NIST KEV catalog with a due date of June 18th. With the frequency of Chrome/Chromium updates, we're getting pretty good at making sure folks are updating their corporate browsers, don't forget to encourage folks to update their home systems as well, particularly if you're a BYOD shop.

Chrome has been under the vulnerability microscope these past two years. Unless things change, Chrome will end the year well ahead of last year's record for zero-day vulnerabilities. As a reminder, get into the habit of closing your Chrome browser at the end of the day to enable auto-updates.

This incident is odd and interesting for a number of reasons. First of all, it was not talked about much at all when it happened. At least I do not remember hearing about it. Secondly, there are few attacks that have "bricked" modems and routers in the past. Some Mirai variants attempted to, and were called "brickerbot" by some, but a simple reboot or worst case factory reset recovered the device. I can't wait to hear more details from the investigation to find out what the root cause was.

Recovery from Chalubo required hardware replacement of the SOHO routers as it likely corrupted their firmware. To protect SOHO routers, make sure that they are not reliant on default passwords, that management interfaces are not exposed to the internet, firmware is kept updated. If you're not seeing firmware updates, make sure you're still on a supported platform and the update services are properly configured.

The malware in question here has some interesting properties, but I'm a bit lost on how the analysis works.

SOHO Routers continue to be a risk. They require more management than they can be expected to get. However, "bricked" is better than being co-opted into botnets.

Good to hear that NIST is tackling this issue and is getting NVD back on track. The NVD database is one of these underappreciated critical building blocks of too many security programs and tools.

The ever-increasing volume of vulnerabilities which haven't been enriched (analyzed) is distressing when you're trying to assess vulnerabilities. This contract indicates that NIST is not only getting back on track, but also not handing over the reins of the NVD. Beyond this contract, they are also implementing automation to improving process, with an expected date of September 2024 to be back on track. On top of that they are already ingesting CVE 5.0 and 5.1 formatted records hourly. They moved to the 5.0 JSON format back in November and started supporting 5.1 May 20th.

This attack serves as a good reminder that businesses have a responsibility in protecting client data. Often that data is considered PII and likely results in a violation of various data privacy laws. Organizations should revisit their data policies with an eye towards minimal retention of client data.

The RansomHub gang is taking credit for the attack, and they have now entered the "taunting" phase of negotiations as Christie's is determined to not pay a ransom/extortion fee. Christie's states there was a limited amount of personal data about some customers accessed, and no financial data was compromised. They are in the process of notifying regulators, agencies and affected clients.

Ugh eight months to notify customers that their PII had likely been pilfered. Simply put, that's not reasonable even if there were assurances [assume from the ransomware gang] that the data acquired was destroyed and not further disseminated. I guess the good news in all of this is that SAV-RX has NOW instituted a patching cycle and network segmentation.

While the breach happened in October, investigation/restoration wasn't completed until April 30th, after which notifications started. In today's climate eight months is far too long to delay customer notifications. Work with your parties to line up not only response scenarios, but also timelines which include timely notifications. Not only for customer expectations, but also regulators are closing the timelines for reporting a material breach as well.

CVE-2024-24919 has a CVSS 3.0 score of 8.6 and given that this flaw is extremely easy to exploit, I would skip straight to verify vulnerable devices the deploy the hotfix; it will take 5-10 minutes to deploy and requires you to reboot the security gateway. Check Point has a script "check-for-CVED-2024-24919.sh" you can run on your security management server to identify vulnerable gateways. After you've deployed the hotfix, you need to take additional steps including changing local passwords and regenerating HTTPS and SSH certificates.

My understanding of the current risk profile is social engineering, old but un-patched vulnerabilities, with newly discovered vulnerabilities running a distant third. Patching is taking months, not hours or days. While vendors get points for responsibility for quick fixes, they have little impact on global risk.