The Conti ransomware affiliate program appears to have altered its business plan recently. Organizations infected with Conti’s malware who refuse to negotiate a ransom payment are added to Conti’s victim shaming blog, where confidential files stolen from victims may be published or sold. But sometime over the past 48 hours, the cybercriminal syndicate updated its victim shaming blog to indicate that it is now selling access to many of the organizations it has hacked.

“We are looking for a buyer to access the network of this organization and sell data from their network,” reads the confusingly worded message inserted into multiple recent victim listings on Conti’s shaming blog.

It’s unclear what prompted the changes, or what Conti hopes to gain from the move. It’s also not obvious why they would advertise having hacked into companies if they plan on selling that access to extract sensitive data going forward. Conti did not respond to requests for comment.

“I wonder if they are about to close down their operation and want to sell data or access from an in-progress breach before they do,” said Fabian Wosar, chief technology officer at computer security firm Emsisoft. “But it’s somewhat stupid to do it that way as you will alert the companies that they have a breach going on.”

The unexplained shift comes as policymakers in the United States and Europe are moving forward on efforts to disrupt some of the top ransomware gangs. Reuters recently reported that the U.S. government was behind an ongoing hacking operation that penetrated the computer systems of REvil, a ransomware affiliate group that experts say is about as aggressive and ruthless as Conti in dealing with victims. What’s more, REvil was among the first ransomware groups to start selling its victims’ data.

REvil’s darknet victim shaming site remains offline. In response, a representative for the Conti gang posted a long screed on Oct. 22 to a Russian language hacking forum denouncing the attack on REvil as the “unilateral, extraterritorial, and bandit-mugging behavior of the United States in world affairs.”

“Is there a law, even an American one, even a local one in any county of any of the 50 states, that legitimize such indiscriminate offensive action?” reads the Conti diatribe. “Is server hacking suddenly legal in the United States or in any of the US jurisdictions? Suppose there is such an outrageous law that allows you to hack servers in a foreign country. How legal is this from the point of view of the country whose servers were attacked? Infrastructure is not flying there in space or floating in neutral waters. It is a part of someone’s sovereignty.”

Conti’s apparent new direction may be little more than another ploy to bring victim companies to the negotiating table, as in “pay up or someone will pay for your data or long-term misery if you don’t.”

Or maybe something just got lost in the translation from Russian (Conti’s blog is published in English). But by shifting from the deployment of ransomware malware toward the sale of stolen data and network access, Conti could be aligning its operations with many competing ransomware affiliate programs that have recently focused on extorting companies in exchange for a promise not to publish or sell stolen data.

However, as Digital Shadows points out in a recent ransomware roundup, many ransomware groups are finding it difficult to manage data-leak sites, or hosting stolen data on the dark web for download.

After all, when it takes weeks to download one victim’s data via Tor — if indeed the download succeeds at all — the threat of leaking sensitive data as a negotiation tactic loses some of its menace. It’s also a crappy user experience. This has resulted in some ransomware groups exposing data using public file-sharing websites, which are faster and more reliable but can be taken down through legal means quite quickly.

Data leak sites also can offer investigators a potential way to infiltrate ransomware gangs, as evidenced by the recent reported compromise of the REvil gang by U.S. authorities.

“On 17 Oct 2021, a representative of the REvil ransomware gang took it to a Russian-speaking criminal forum to reveal that their data-leak sites had been ‘hijacked’,” Digital Shadows’ Ivan Righi wrote. “The REvil member explained that an unknown individual accessed the hidden services of REvil’s website’s landing page and blog using the same key owned by the developers. The user believed that the ransomware gang’s servers had been compromised and the individual responsible for the compromise was ‘looking for’ him.”

A recent report by Mandiant revealed that FIN12 — the group believed to be responsible for both Conti and the Ryuk ransomware operation — has managed to conduct ransomware attacks in less than 3 days, compared to more than 12 days for attacks involving data exfiltration.

Seen through those figures, perhaps Conti is merely seeking to outsource more of the data exfiltration side of the business (for a fee, of course) so that it can focus on the less time-intensive but equally profitable racket of deploying ransomware.

“As Q4 comes near, it will be interesting to see if issues relating to managing data leak sites will discourage new ransomware groups [from pursuing] the path of data-leak sites, or what creative solutions they will create to work around these issues,” Righi concluded. “The Ryuk ransomware group has proven itself to remain effective and a top player in the ransomware threat landscape without the need for a data-leak site. In fact, Ryuk has thrived by not needing a data leak site and data exfiltration.”

On Wednesday, the St. Louis Post-Dispatch ran a story about how its staff discovered and reported a security vulnerability in a Missouri state education website that exposed the Social Security numbers of 100,000 elementary and secondary teachers. In a press conference this morning, Missouri Gov. Mike Parson (R) said fixing the flaw could cost the state $50 million, and vowed his administration would seek to prosecute and investigate the “hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.”

The Post-Dispatch says it discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials, and that more than 100,000 SSNs were available. The Missouri state Department of Elementary and Secondary Education (DESE) reportedly removed the affected pages from its website Tuesday after being notified of the problem by the publication (before the story on the flaw was published).

The newspaper said it found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved. In other words, the information was available to anyone with a web browser who happened to also examine the site’s public code using Developer Tools or simply right-clicking on the page and viewing the source code.

The Post-Dispatch reported that it wasn’t immediately clear how long the Social Security numbers and other sensitive information had been vulnerable on the DESE website, nor was it known if anyone had exploited the flaw.

But in a press conference Thursday morning, Gov. Parson said he would seek to prosecute and investigate the reporter and the region’s largest newspaper for “unlawfully” accessing teacher data.

“This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians,” Parson said. “It is unlawful to access encoded data and systems in order to examine other peoples’ personal information. We are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter, the Missouri State Highway Patrol’s Digital Forensics Unit will also be conducting an investigation of all of those involved. This incident alone may cost Missouri taxpayers as much as $50 million.”

While threatening to prosecute the reporters to the fullest extent of the law, Parson sought to downplay the severity of the security weakness, saying the reporter only unmasked three Social Security numbers, and that “there was no option to decode Social Security numbers for all educators in the system all at once.”

“The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so,” Parson continued. “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.”

Parson said the person who reported the weakness was “acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet.”

“We will not let this crime against Missouri teachers go unpunished, and refuse to let them be a pawn in the news outlet’s political vendetta,” Parson said. “Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them.”

In a statement shared with KrebsOnSecurity, an attorney for the St. Louis Post-Dispatch said the reporter did the responsible thing by reporting his findings to the DESE so that the state could act to prevent disclosure and misuse.

“A hacker is someone who subverts computer security with malicious or criminal intent,” the attorney Joe Martineau said. “Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”

Aaron Mackey is a senior staff attorney at the Electronic Frontier Foundation (EFF), a non-profit digital rights group based in San Francisco. Mackey called the governor’s response “vindictive, retaliatory, and incredibly short-sighted.”

Mackey noted that Post-Dispatch did everything right, even holding its story until the state had fixed the vulnerability. He said the governor also is attacking the media — which serves a crucial role in helping give voice (and often anonymity) to security researchers who might otherwise remain silent under the threat of potential criminal prosecution for reporting their findings directly to the vulnerable organization.

“It’s dangerous and wrong to go after someone who behaved ethically and responsibly in the disclosure sense, but also in the journalistic sense,” he said. “The public had a right to know about their government’s own negligence in building secure systems and addressing well-known vulnerabilities.”

Mackey said Gov. Parson’s response to this incident also is unfortunate because it will almost certainly give pause to anyone who might otherwise find and report security vulnerabilities in state websites that unnecessarily expose sensitive information or access. Which also means such weaknesses are more likely to be eventually found and exploited by actual criminals.

“To characterize this as a hack is just wrong on the technical side, when it was the state agency’s own system pulling that SSN data and making it publicly available on their site,” Mackey said. “And then to react in this way where you don’t say ‘thank you’ but actually turn on the reporter and researchers and go after them…it’s just weird.”

A recent phishing campaign targeting Coinbase users shows thieves are getting cleverer about phishing one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts.

Coinbase is the world’s second-largest cryptocurrency exchange, with roughly 68 million users from over 100 countries. The now-defunct phishing domain at issue — coinbase.com.password-reset[.]com — was targeting Italian Coinbase users (the site’s default language was Italian). And it was fairly successful, according to Alex Holden, founder of Milwaukee-based cybersecurity firm Hold Security.

Holden’s team managed to peer inside some poorly hidden file directories associated with that phishing site, including its administration page. That panel, pictured in the redacted screenshot below, indicated the phishing attacks netted at least 870 sets of credentials before the site was taken offline.

Holden said each time a new victim submitted credentials at the Coinbase phishing site, the administrative panel would make a loud “ding” — presumably to alert whoever was at the keyboard on the other end of this phishing scam that they had a live one on the hook.

In each case, the phishers manually would push a button that caused the phishing site to ask visitors for more information, such as the one-time password from their mobile app.

“These guys have real-time capabilities of soliciting any input from the victim they need to get into their Coinbase account,” Holden said.

Pressing the “Send Info” button prompted visitors to supply additional personal information, including their name, date of birth, and street address. Armed with the target’s mobile number, they could also click “Send verification SMS” with a text message prompting them to text back a one-time code.

SIFTING COINBASE FOR ACTIVE USERS

Holden said the phishing group appears to have identified Italian Coinbase users by attempting to sign up new accounts under the email addresses of more than 2.5 million Italians. His team also managed to recover the username and password data that victims submitted to the site, and virtually all of the submitted email addresses ended in “.it”.

But the phishers in this case likely weren’t interested in registering any accounts. Rather, the bad guys understood that any attempts to sign up using an email address tied to an existing Coinbase account would fail. After doing that several million times, the phishers would then take the email addresses that failed new account signups and target them with Coinbase-themed phishing emails.

Holden’s data shows this phishing gang conducted hundreds of thousands of halfhearted account signup attempts daily. For example, on Oct. 10 the scammers checked more than 216,000 email addresses against Coinbase’s systems. The following day, they attempted to register 174,000 new Coinbase accounts.

In an emailed statement shared with KrebsOnSecurity, Coinbase said it takes “extensive security measures to ensure our platform and customer accounts remain as safe as possible.” Here’s the rest of their statement:

“Like all major online platforms, Coinbase sees attempted automated attacks performed on a regular basis. Coinbase is able to automatically neutralize the overwhelming majority of these attacks, using a mixture of in-house machine learning models and partnerships with industry-leading bot detection and abuse prevention vendors. We continuously tune these models to block new techniques as we discover them. Coinbase’s Threat Intelligence and Trust & Safety teams also work to monitor new automated abuse techniques, develop and apply mitigations, and aggressively pursue takedowns against malicious infrastructure. We recognize that attackers (and attack techniques) will continue to evolve, which is why we take a multi-layered approach to combating automated abuse.”

Last month, Coinbase disclosed that malicious hackers stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the company’s SMS multi-factor authentication security feature.

“To conduct the attack, Coinbase says the attackers needed to know the customer’s email address, password, and phone number associated with their Coinbase account and have access to the victim’s email account,” Bleeping Computer’s Lawrence Abrams wrote. “While it is unknown how the threat actors gained access to this information, Coinbase believes it was through phishing campaigns targeting Coinbase customers to steal account credentials, which have become common.”

This phishing scheme is another example of how crooks are coming up with increasingly ingenious methods for circumventing popular multi-factor authentication options, such as one-time passwords. Last month, KrebsOnSecurity highlighted research into several new services based on Telegram-based bots that make it relatively easy for crooks to phish OTPs from targets using automated phone calls and text messages.These OTP phishing services all assume the customer already has the target’s login credentials through some means — such as through a phishing site like the one examined in this story.

Savvy readers here no doubt already know this, but to find the true domain referenced in a link, look to the right of “http(s)://” until you encounter the first slash (/). The domain directly to the left of that first slash is the true destination; anything that precedes the second dot to the left of that first slash is a subdomain and should be ignored for the purposes of determining the true domain name.

In the phishing domain at issue here — coinbase.com.password-reset[.]com — password-reset[.]com is the destination domain, and the “coinbase.com” is just an arbitrary subdomain of password-reset[.]com. However, when viewed in a mobile device, many visitors to such a domain may only see the subdomain portion of the URL in their mobile browser’s address bar.

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages or other media. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.

Also, never provide any information in response to an unsolicited phone call. It doesn’t matter who claims to be calling: If you didn’t initiate the contact, hang up. Don’t put them on hold while you call your bank; the scammers can get around that, too. Just hang up. Then you can call your bank or wherever else you need.

By the way, when was the last time you reviewed your multi-factor settings and options at the various websites entrusted with your most precious personal and financial information? It might be worth paying a visit to 2fa.directory (formerly twofactorauth[.]org) for a checkup.

Microsoft today issued updates to plug more than 70 security holes in its Windows operating systems and other software, including one vulnerability that is already being exploited. This month’s Patch Tuesday also includes security fixes for the newly released Windows 11 operating system. Separately, Apple has released updates for iOS and iPadOS to address a flaw that is being actively attacked.

Firstly, Apple has released iOS 15.0.2 and iPadOS 15.0.2 to fix a zero-day vulnerability (CVE-2021-30883) that is being leveraged in active attacks targeting iPhone and iPad users. Lawrence Abrams of Bleeping Computer writes that the flaw could be used to steal data or install malware, and that soon after Apple patched the bug security researcher Saar Amar published a technical writeup and proof-of-concept exploit that was derived from reverse engineering Apple’s patch.

Abrams said the list of impacted Apple devices is quite extensive, affecting older and newer models. If you own an iPad or iPhone — or any other Apple device — please make sure it’s up to date with the latest security patches.

Three of the weaknesses Microsoft addressed today tackle vulnerabilities rated “critical,” meaning that malware or miscreants could exploit them to gain complete, remote control over vulnerable systems — with little or no help from targets.

One of the critical bugs concerns Microsoft Word, and two others are remote code execution flaws in Windows Hyper-V, the virtualization component built into Windows. CVE-2021-38672 affects Windows 11 and Windows Server 2022; CVE-2021-40461 impacts both Windows 11 and Windows 10 systems, as well as Server versions.

But as usual, some of the more concerning security weaknesses addressed this month earned Microsoft’s slightly less dire “important” designation, which applies to a vulnerability “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

The flaw that’s under active assault — CVE-2021-40449 — is an important “elevation of privilege” vulnerability, meaning it can be leveraged in combination with another vulnerability to let attackers run code of their choice as administrator on a vulnerable system.

CVE-2021-36970 is an important spoofing vulnerability in Microsoft’s Windows Print Spooler. The flaw was discovered by the same researchers credited with the discovery of one of two vulnerabilities that became known as PrintNightmare — the widespread exploitation of a critical Print Spooler flaw that forced Microsoft to issue an emergency security update back in July. Microsoft assesses CVE-2021-36970 as “exploitation more likely.”

“While no details have been shared publicly about the flaw, this is definitely one to watch for, as we saw a constant stream of Print Spooler-related vulnerabilities patched over the summer while ransomware groups began incorporating PrintNightmare into their affiliate playbook,” said Satnam Narang, staff research engineer at Tenable. “We strongly encourage organizations to apply these patches as soon as possible.”

CVE-2021-26427 is another important bug in Microsoft Exchange Server, which has been under siege lately from attackers. In March, threat actors pounced on four separate zero-day flaws in Exchange that allowed them to siphon email from and install backdoors at hundreds of thousands of organizations.

This month’s Exchange bug earned a CVSS score of 9.0 (10 is the most dangerous). Kevin Breen of Immersive Labs points out that Microsoft has marked this flaw as less likely to be exploited, probably because an attacker would already need access to your network before using the vulnerability.

“Email servers will always be prime targets, simply due to the amount of data contained in emails and the range of possible ways attackers could use them for malicious purposes. While it’s not right at the top of my list of priorities to patch, it’s certainly one to be wary of.”

Also today, Adobe issued security updates for a range of products, including Adobe Reader and Acrobat, Adobe Commerce, and Adobe Connect.

For a complete rundown of all patches released today and indexed by severity, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center, and the Patch Tuesday data put together by Morphus Labs. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com frequently has the lowdown on any patches that are causing problems for Windows users.

On that note, before you update please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.

Facebook and its sister properties Instagram and WhatsApp are suffering from ongoing, global outages. We don’t yet know why this happened, but the how is clear: Earlier this morning, something inside Facebook caused the company to revoke key digital records that tell computers and other Internet-enabled devices how to find these destinations online.

Doug Madory is director of internet analysis at Kentik, a San Francisco-based network monitoring company. Madory said at approximately 11:39 a.m. ET today (15:39 UTC), someone at Facebook caused an update to be made to the company’s Border Gateway Protocol (BGP) records. BGP is a mechanism by which Internet service providers of the world share information about which providers are responsible for routing Internet traffic to which specific groups of Internet addresses.

In simpler terms, sometime this morning Facebook took away the map telling the world’s computers how to find its various online properties. As a result, when one types Facebook.com into a web browser, the browser has no idea where to find Facebook.com, and so returns an error page.

In addition to stranding billions of users, the Facebook outage also has stranded its employees from communicating with one another using their internal Facebook tools. That’s because Facebook’s email and tools are all managed in house and via the same domains that are now stranded.

“Not only are Facebook’s services and apps down for the public, its internal tools and communications platforms, including Workplace, are out as well,” New York Times tech reporter Ryan Mac tweeted. “No one can do any work. Several people I’ve talked to said this is the equivalent of a ‘snow day’ at the company.”

The mass outage comes just hours after CBS’s 60 Minutes aired a much-anticipated interview with Frances Haugen, the Facebook whistleblower who recently leaked a number of internal Facebook investigations showing the company knew its products were causing mass harm, and that it prioritized profits over taking bolder steps to curtail abuse on its platform — including disinformation and hate speech.

We don’t know how or why the outages persist at Facebook and its other properties, but the changes had to have come from inside the company, as Facebook manages those records internally. Whether the changes were made maliciously or by accident is anyone’s guess at this point.

Madory said it could be that someone at Facebook just screwed up.

“In the past year or so, we’ve seen a lot of these big outages where they had some sort of update to their global network configuration that went awry,” Madory said. “We obviously can’t rule out someone hacking them, but they also could have done this to themselves.”

In the meantime, several different domain registration companies listed the domain Facebook.com as up for sale. There’s no reason to believe this domain will actually be sold as a result, but it’s fun to consider how many billions of dollars this domain could fetch on the open market.

This is a developing story and will likely be updated throughout the day.