Presented at the VB2023 conference in London, 4 - 6 October 2023.
Slides: N/A
Paper: N/A
Details: www.virusbulle...
Presented by: Amata Anantaprayoon & Patrik Olson (NTT Security Holdings)
Abstract
Ransomware deployment continues to be a popular choice for financially motivated threat actors (TA). One such TA is Magniber, whose emergence dates back to 2017 and has been researched by multiple security vendors. Over the past six months alone they have managed to extort around GBP 370,000 from victims. Over the past six years, this group has actively focused on refining their locker/payload. Notably, the TA recently exploited a zero-day vulnerability in Microsoft SmartScreen (CVE-2023-24880). However, despite their dedication to developing sophisticated payloads, the TA has neglected to invest in securing their infrastructure.
In this talk, we'll take you on a journey of how we discovered multiple mistakes in Magniber's infrastructure. What started with a misconfigured web server and a source code disclosure escalated into insights into how the ransomware is delivered and who they target. We delve into a misconfigured log server, revealing data on over 80,000 infected victims and the group's earnings. We also uncover RSA private keys essential for decryption, and provide a proof-of-concept decryptor together with an analysis of key exposure rates. Lastly, we offer a clear diagram of Magniber's infrastructure and share key indicators of compromise for public awareness and defence.
Talk: Magniber's missteps because even spiders trip over their own web (Amata Anantaprayoon & Patrik Olson)