LockBit’s contested claim of fresh ransom payment suggests it’s been well hobbled

Infosec in brief The infamous LockBit ransomware gang has been busy in the ten days since an international law enforcement operation took down many of its systems. But despite its posturing, the gang might have suffered more than it’s letting on.

While there have been plenty of revelations – and disappointments – since law enforcement seized LockBit’s website and disrupted its operations on February 20, the gang has done anything but vanish.

LockBit quickly set up a new website and updated it with a list of forthcoming victim ransom deadlines – one of which included data allegedly stolen from Fulton County, Georgia. Among that data, LockBit claimed, was information about former president Donald Trump’s ongoing court cases in the county, which LockBit claimed could have affected the 2024 presidential election.

But the February 29 deadline for Fulton County to pay the ransom came and went without any data being published. LockBit claimed Fulton County paid the ransom to prevent data being exposed, but Fulton County officials protested they did no such thing – nor did they use an intermediary to pay the group.

Brett Callow, threat analyst with Emsisoft, suggested that rather than the ransom getting paid, it’s more likely whatever data LockBit may have had on Fulton County or Donald Trump was seized by law enforcement earlier this month.

“I think it was a case of them trying to convince their affiliates that they were still in good shape,” Callow told Krebs on Security.

Whether LockBit is just trying to save face and is effectively disabled remains to be seen, but Callow seems to believe that’s the case.

“This is about trying to still affiliates’ nerves, and saying, ‘All is well, we weren’t as badly compromised as law enforcement suggested,’” Callow opined. “But I think you’d have to be a fool to work with an organization that has been so thoroughly hacked as LockBit has.”

Critical vulnerabilities of the week

Not much to report in terms of CVEs with a CVSS rating of 8.0 or higher this week – just a couple of vulnerabilities in Cisco’s NX-OS datacenter operating system.

  • CVSS 8.6 – CVE-2024-20267: NX-OS improperly handles MPLS traffic, which could allow an unauthenticated remote attacker to cause the netstack process to restart, leaving affected devices unable to process network traffic.
  • CVSS 8.6 – CVE-2024-20321: NX-OS’s eBGP implementation maps traffic to a shared hardware rate-limiter queue, which means an attacker could cause a DoS by bombarding a vulnerable device with traffic.

Patches are available for both issues, so get those installed ASAP.

Ivanti vuln mitigations might not work, warns CISA

All those Ivanti vulnerabilities under active exploit might be harder to detect and mitigate than Ivanti has led its customers to believe, according to CISA and its partner agencies.

In a cyber security advisory published on February 29, CISA explained that Ivanti’s Integrity Checker Tool (ICT), released publicly in response to the vulnerabilities reported early last month, may fail to detect compromise, and that a factory reset might not eliminate root-level persistence gained by an attacker.

Ivanti, meanwhile, told us that it wants customers to be aware that the CISA notice didn’t include any new vulnerabilities, and that it’s not aware of any instances of a threat actor gaining persistence following installation of security updates and a factory reset.

Ivanti recommends that customers follow patching guidance and run the ICT. CISA, on the other hand, says Ivanti users should consider its latest warning “when determining whether to continue operating these devices.”

The next SolarWinds incident could start in the cloud

The devastating compromise of SolarWinds software in late 2020 led to widespread compromise of affected networks when attackers were able to steal certificates from locally installed ADFS servers and use them to forge SAML tokens. Security researchers are now warning that a similar attack is possible – even against companies using identity providers located in the cloud.

The vulnerability, dubbed Silver SAML by researchers from Semperis, can allow an attacker to forge SAML tokens without any access to ADFS at all. The key to this attack is the use of externally generated SAML signing certificates – like the type used by Microsoft Entra ID and other such services.

Semperis is not aware of any attacks using the newly reported technique, but warns that any organization relying on externally generated certificates is vulnerable. Unfortunately, the only way to protect against such an attack is to protect your certs, lest a future attacker make use of such a method to devastating effect.
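One defensive check this implies, as an added example that is not from the Semperis report or any vendor: a token forged with a stolen signing certificate carries a valid signature, so signature verification alone cannot catch it; instead, compare the assertions a service provider accepted against the identity provider’s own issuance log and flag any assertion the IdP never issued. The SAML responses, the log lines, their format and the idp.example.test issuer are all constructed for this illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
           "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _response(assertion_id, subject, issue_instant):
    """Build a minimal, constructed SAML response (signature omitted: it would be valid either way)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r{assertion_id}" Version="2.0">
  <saml:Assertion ID="{assertion_id}" IssueInstant="{issue_instant}">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


# Constructed: two assertions the service provider accepted, but the IdP only issued the first.
SP_ACCEPTED = [
    _response("_a1", "alice@example.test", "2024-03-01T09:00:00Z"),
    _response("_a2", "admin@example.test", "2024-03-01T09:05:00Z"),
]
# Constructed IdP issuance log; the line format is an assumption for this example.
IDP_ISSUANCE_LOG = [
    "2024-03-01T09:00:00Z issued assertion=_a1 subject=alice@example.test",
]


def parse_assertion(xml_text):
    """Extract the assertion ID, issue time and subject from a SAML response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", SAML_NS)
    return {"id": assertion.get("ID"),
            "issued": assertion.get("IssueInstant"),
            "subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)}


def issued_ids(log_lines):
    """Collect the assertion IDs the IdP itself recorded as issued."""
    ids = set()
    for line in log_lines:
        for token in line.split():
            if token.startswith("assertion="):
                ids.add(token.split("=", 1)[1])
    return ids


def find_unissued(sp_responses, idp_log):
    """Return assertions the SP accepted that the IdP never issued: candidates for forged tokens."""
    known = issued_ids(idp_log)
    parsed = [parse_assertion(xml_text) for xml_text in sp_responses]
    return [a for a in parsed if a["id"] not in known]
```

Any hit is a token that was accepted on the strength of its signature alone, which is exactly the gap a stolen externally generated certificate opens.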

“Silver SAML attacks have the potential to be mild – or devastating,” Semperis researchers wrote in their report. “We encourage organizations to take decisive steps now to close gaps and vulnerabilities in these environments.” ®