Coming up this week on Breaking Badness. Exclu-se You, Let Me Speak To Your Hypervisor, and Two Truths and a Lie.
Here are a few highlights from each article we discussed:
Exclu-se You
- The Dutch police announced this past Friday that they dismantled the Exclu encrypted communications platform after hacking into the service to monitor the activities of criminal organizations.
- What exactly is the Exclu platform?
- At its core, Exclu is a European encrypted messaging app with some other bells and whistles.
- It claimed an ability to remotely wipe devices, along with exchanging the usual range of messages – texts, notes, voice memos, and videos
- It cost over one hundred euros per month, which is kind of eye-watering to regular consumers, and is at least implicitly indicative of the kind of customers Exclu oriented itself towards
- Itâs used by many – not just bad actors, but folks in sensitive fields like lawyers, doctors, and notaries
- There is some indication that other users engaged with it for legitimate privacy and sensitivity reasons – weâre guessing thatâs where a chunk of the Dutch user base comes from
- Between the cost of the service and its relative size (which is about 3,000 users) weâre a little surprised folks on the straight-and-narrow would use it
- There may be some intricacies around privacy and having the servers in the Netherlands that made it more attractive in context, compared to larger services that may have US-based complications
- At its core, Exclu is a European encrypted messaging app with some other bells and whistles.
- What efforts were made to bring these cybercriminals to justice?
- It looks like a series of overlapping investigations by European law enforcement eventually came together, including a Dutch investigation on the service and its owners and employees, and a German investigation on service users
- But it looks much wider than just that, with Belgium, Italy, Sweden, and France involved at least
- Dutch law enforcement in particular are incredibly sophisticated (and, frankly, fun to watch) when it comes to cybercrime investigations, and it looks like they were able to fully compromise the system amidst the takedown – they now have five months of messaging data to keep searching through
- Alongside the raids aimed at Exclu itself, theyâve made dozens of other arrests and dismantled at least three drug labs
- This isnât the first instance of a crypto-phone platform takedown either, is it?
- Nope! Itâs become a favorite pastime of law enforcement, in fact
- EncroChat, which was a lot bigger and more robust, got taken down last July in what looks like a similar operation
- And then thereâs our personal favorite, ANOM, which was a law enforcement operation from the start, a joint operation between the US FBI and Australian Federal Police to create a fake end-to-end platform from scratch so they could monitor it. Even the people working for ANOM didnât know that, which makes for a fascinating story
- Whatâs next for this investigation?
- We expect the raids will continue while European police continue to go through the five months of messages they have
- And the intelligence seized from those, along with cooperating defendants, will probably lead to more raids not directly connected with Exclu
- And bad guys sweating it out until the knock on their door often leads them to make more mistakes too
- Whenever you seize a platform, if you work the investigation right it can be just a huge watershed event with follow-on effects for years. Weâre gonna need more popcorn
Let Me Speak To Your Hypervisor
- Cybercriminals are actively exploiting a two-year-old VMware vulnerability as part of a ransomware campaign targeting thousands of organizations worldwide
- This is emerging and new articles are being published on this as we speak
- Letâs start with what VMware is
- They are a virtualization software provider and has been around almost as long as everyone in the game
- They help you take big computers and turn them into small computers that can be used to do just about anything you want
- ESXi is installed directly onto a server and then divided up into smaller computer and can vary based on operating system (OS)
- They were bought by BroadCom not too long ago
- This is an unpatched bug, so does that mean the organization knew about it previously?
- VMware being around as long as it’s been, theyâve put out many versions of ESXi – itâs one of those things where youâre continually evolving with operating systems as they upgrade
- As the OS market evolves, the hypervisor market also has to evolve, so youâll find bugs
- Folks are pointing at these bugs saying theyâre used to gain control of a machine and ransomware follows not too long after, but no one has really come out with the full exploit chain – right now it looks like it could be compromised – but itâs an emerging thing
- These vulnerabilities are known and there are patches, but itâs tricky to patch a hypervisor because there will be downtime and the level of support for your OS can be diminished
- This ransomware variant is known as ESXiArgs and we donât know whoâs being targeted, is that a fair statement?
- Itâs very much ongoing, so yes
- Thereâs been a few generations of this as well, so the initial encryptions behind this were designed by someone who doesnât seem super familiar with ESXi
- The attackers are using a triple extortion technique – what is this?
- Single extortion would be, âI have your files, you have to pay me.â
- Double extortion would be, âI will post your files and sell them,â so you can get money from the victim and money for selling them to another party
- Triple extortion is, âok now I will sell the data back to the victims.â
- Weâre trying to figure out how to get to a fourth, but weâre not totally sure and we donât want to find out :)
- Is patching the only mitigation for this attack?
- Itâs really tricky sometimes to do the patches, as we mentioned earlier
- Obviously, make sure your ESXi hosts canât talk to the Internet – that would be really helpful, but even then thatâs still tricky
- If you look at CISA, theyâve posted some scripts to hopefully help recover some files – that might be an avenue to restore data
- Patching and upgrading off of old version can open a Pandoraâs box that might not be supported by other vendors – itâs a bit of a mess
Two Truths and a Lie
Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.
You’ll have to tune in to find out!
Current Scoreboard
This Weekâs Hoodie/Goodie Scale
Exclu-se You
[Taylor]: 5.5/10 Goodies
[Ian]: 2.5/10 Hoodies
Let Me Speak To Your Hypervisor
[Taylor]: 3.5/10 Hoodies
[Ian]: 0/10 Hoodies
Thatâs about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!
