Key Cybersecurity Events Worldwide: March 2021 Recap

MEGANews: The Most Important Cybersecurity Events of March

This month: Russia’s Roskomnadzor throttled Twitter, “in-the-wild” Spectre exploits were found online, hacker forums suffered breaches and leaks, companies lost billions to cyberattacks, and numerous vulnerabilities were once again discovered in sex toys.

Spectre Exploits Discovered

French cybersecurity specialist Julien Voisin discovered that in early February 2021, someone uploaded Spectre (CVE-2017-5715) exploits to VirusTotal. This is the first time a “real-world” exploit for this vulnerability has become public.

Background: The original Spectre vulnerability was found in 2018 alongside Meltdown. These fundamental flaws in modern processor architecture allow attackers to easily break address space isolation, read passwords, encryption keys, credit card numbers, and arbitrary data from system and user applications, bypassing all security measures on any OS.

Three years ago, these issues forced CPU manufacturers to rethink their design approach, making it clear that focusing solely on performance at the expense of security is unacceptable.

In 2018, shortly after Meltdown and Spectre were discovered, security experts noted that malware authors were actively experimenting with these vulnerabilities, and traces of this activity could be found online and on VirusTotal. However, no real evidence of exploitation was found at the time.

Now, according to Voisin, things have changed. He found new, previously unseen Spectre exploits—one for Windows and one for Linux. The Linux version, for example, can dump the contents of the /etc/shadow file, which holds user account data including password hashes. This is clearly malicious behavior, but there is no evidence yet that the exploit has been used in the wild, as it may have been uploaded by a pentester.

Voisin hinted in his article that he knows who created these exploits, suggesting the attribution is obvious. Security experts on Twitter and HackerNews quickly realized the new Spectre exploit could be a module for the CANVAS pentesting tool by Immunity Inc. Former Immunity head Dave Aitel also hinted at this, noting the company advertised this module back in February 2018.

Recently, a hacked version of Immunity CANVAS v7.26 and cracked copies of White Phosphorus and D2 (two CANVAS exploit packs) were published on the RAID hacker forum. Among the vulnerabilities was an exploit for CVE-2017-5715.

These cracked tools have been circulating in private Telegram channels since at least October 2020 and likely served as the source for the exploits uploaded to VirusTotal.

Also this month, Google engineers published their own JavaScript exploit demonstrating the effectiveness of Spectre in browsers for accessing memory information. This PoC works across a wide range of architectures, operating systems, and hardware generations, proving that browser security mechanisms (like site isolation, Cross-Origin, and Cross-Origin Read Blocking) are largely ineffective.

Google recommends developers use new security mechanisms to protect against Spectre and other cross-site attacks, including:

  • Cross-Origin Resource Policy (CORP) and Fetch Metadata Request Headers
  • Cross-Origin Opener Policy (COOP)
  • Cross-Origin Embedder Policy (COEP)
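As an added illustration (not code from the original article or from Google), a small Python check of these mechanisms: whether a document's response headers achieve cross-origin isolation through COOP and COEP, and a Fetch Metadata resource-isolation policy of the kind a server can enforce before serving a resource. The header samples are constructed, not captured traffic.

```python
# Added example: evaluating the cross-origin defenses listed above.
# Constructed header samples; nothing here is captured from a real site.

def _h(headers: dict, name: str, default: str) -> str:
    """Case-insensitive header lookup; returns the first token, lowercased."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.split(";")[0].strip().lower()
    return default

def is_cross_origin_isolated(response_headers: dict) -> bool:
    """A document is cross-origin isolated (self.crossOriginIsolated === true)
    only when COOP is 'same-origin' and COEP is 'require-corp' (or the newer
    'credentialless'). Without both, it can share a process with cross-origin
    content that a Spectre-style read in the renderer could reach."""
    coop = _h(response_headers, "Cross-Origin-Opener-Policy", "unsafe-none")
    coep = _h(response_headers, "Cross-Origin-Embedder-Policy", "unsafe-none")
    return coop == "same-origin" and coep in ("require-corp", "credentialless")

def fetch_metadata_allows(request_headers: dict, method: str = "GET") -> bool:
    """Resource isolation policy built on Sec-Fetch-* request headers:
    serve same-site and browser-initiated requests, allow top-level GET
    navigations, and reject anything else arriving cross-site (for example
    a cross-site <img> or fetch() pulling the resource into another page)."""
    site = _h(request_headers, "Sec-Fetch-Site", "")
    if site == "":  # browser without Fetch Metadata support: fall through
        return True
    if site in ("same-origin", "same-site", "none"):
        return True
    mode = _h(request_headers, "Sec-Fetch-Mode", "")
    dest = _h(request_headers, "Sec-Fetch-Dest", "")
    if mode == "navigate" and method.upper() == "GET" and dest not in ("object", "embed"):
        return True
    return False

# Constructed samples used for the demonstration.
ISOLATED_DOC = {"Cross-Origin-Opener-Policy": "same-origin",
                "Cross-Origin-Embedder-Policy": "require-corp",
                "Cross-Origin-Resource-Policy": "same-origin"}
DEFAULT_DOC = {"Content-Type": "text/html"}
CROSS_SITE_IMG = {"Sec-Fetch-Site": "cross-site",
                  "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "image"}
CROSS_SITE_NAV = {"Sec-Fetch-Site": "cross-site",
                  "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}

if __name__ == "__main__":
    print("isolated:", is_cross_origin_isolated(ISOLATED_DOC),
          "default:", is_cross_origin_isolated(DEFAULT_DOC))
    print("cross-site img allowed:", fetch_metadata_allows(CROSS_SITE_IMG))
```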

Ransom Demand for 500 Bitcoins

Tether (USDT) developers warned that unknown individuals demanded 500 bitcoins (about $24 million at the time) in exchange for not releasing allegedly stolen data. While screenshots of supposedly stolen Tether data circulated on Twitter, the company stated the leak was fake and the documents were forgeries.

Twitter Throttled in Russia

Starting March 10, 2021, Twitter’s speed in Russia was throttled 100% on mobile devices and 50% on desktops by order of Roskomnadzor. The agency claims Twitter failed to remove content promoting suicide among minors, child pornography, and information about drug use since 2017. The throttling affects only photo and video content, not text messages.

Since February 1, 2021, Russian law requires social networks to independently detect and block prohibited content. In early March, Roskomnadzor accused Twitter of “gross violations” of Russian law, stating that over 28,000 requests for removal of illegal content had been sent since 2017, but 3,168 items remained, including 2,569 promoting suicide among minors, 450 with child pornography, and 149 about drug use.

Twitter responded: “We have a zero-tolerance policy regarding child sexual exploitation, and encouragement or glorification of suicide and self-harm is strictly against our rules. We prohibit using Twitter for any illegal activities, including buying and selling drugs. We remain committed to an open internet for the world and are deeply concerned about increasing attempts to block and restrict public discussion online.”

Roskomnadzor later stated it may consider a full block of Twitter if the company does not comply with Russian law.

Interview with REvil (Sodinokibi) Representative

A representative of the REvil ransomware group, known as Unknown, gave an interview to The Record. He said the group has big plans for 2021 and noted, “There’s never too much money, but there’s always a risk of not having enough.”

  • On ransomware as a weapon: “At least a few of our clients have access to ballistic missile systems, a US Navy cruiser, a nuclear power plant, and a weapons factory. It’s possible to start a war, but it’s not worth it—the consequences are not profitable.”
  • On the pandemic: “Victims can’t pay as much as before, except for pharmaceutical companies. They’re doing fine. We should ‘help’ them.”
  • On his background: “As a child, I dug through trash and smoked cigarette butts. I walked ten kilometers to school. I wore the same clothes for six months. In my youth, I sometimes didn’t eat for two or three days. Now I’m a millionaire.”

Hackers Hacking Hackers

Maza Forum

Flashpoint experts discovered a data leak from the closed Russian-language hacker forum Maza (aka Mazafaka), one of the oldest of its kind, operating since 2003. The attackers posted a warning on the forum: “This forum was hacked. Your data was leaked.” About 3,000 users’ data was compromised, including user IDs, usernames, emails, messenger links (Skype, MSN, AIM), and both hashed and obfuscated passwords.

The breach came soon after another Russian-language hacker forum, Verified, was compromised in January 2021. New Verified admins later announced a change of ownership and began deanonymizing previous operators, collecting nearly 3.8 million IP addresses.

Carding Mafia

Have I Been Pwned (HIBP) reported a leak of user data from the Carding Mafia forum. The dump includes data on 297,744 users (the forum has about 500,000 users), including emails, IP addresses, usernames, and MD5-hashed passwords. HIBP’s Troy Hunt confirmed the dump’s authenticity.

“Another story of hackers hacking hackers,” Hunt commented.

IT Professionals Forced to Stay Silent

Kaspersky Lab surveyed 5,266 IT specialists from 31 countries, including Russia, and found that two-thirds of Russian IT companies prohibit their analysts from sharing cyberthreat data with the professional community.

  • 68% of Russian threat analysts are members of professional communities.
  • 69% of these employees are not allowed to share research results due to company policy.
  • Most communicate on specialized forums and blogs (55%), dark web forums (26%), and social media groups (14%). Only 19% share their findings.
  • If company rules allow sharing, nearly half (49%) do so; if not, only about 5% break the rules.

FluBot Botnet

Authorities in Barcelona arrested four suspects in connection with the Android-based FluBot botnet, which has infected over 60,000 devices—97% of victims were in Spain. FluBot is a banking trojan that overlays fake login screens to steal banking credentials and payment card data. It spreads via SMS spam, using victims’ contact lists to propagate.

Swiss firm PRODAFT reported that over 11 million phone numbers were collected from infected devices (about 25% of Spain’s population), and at least 71,000 spam messages were tracked. Four men aged 19–27 were arrested; two are considered group leaders and remain in custody.

Despite the arrests, FluBot remains active and continues to spread.

Ursnif Trojan Attacks 100+ Banks

The Ursnif banking trojan continues to target users worldwide, spreading via phishing emails in various languages. It can steal banking data, access emails and browsers, and even reach cryptocurrency wallets. Avast reports that Italian banks and their clients are currently the main targets, with over 1,700 credentials stolen for a single payment operator.

Bitsquatting and Windows.com

Independent security researcher Remy discovered that Microsoft domains are vulnerable to bitsquatting. For example, windows.com could become windnws.com or windo7s.com due to bit flips. Bitsquatting exploits variations of legitimate domains caused by single-bit errors, which can occur due to cosmic rays, power fluctuations, or temperature changes.

Remy found 32 valid domain names resulting from bit flips, 14 of which were unregistered and available for takeover. He registered them all for about $126. He also intercepted traffic intended for time.windows.com and other Microsoft services, including Windows Push Notification Services and SkyDrive (now OneDrive).

To defend against bitsquatting, companies should register possible bit-flipped domains. For example, time.apple.com is protected, unlike time.windows.com. ECC memory can also help protect devices from bit-flip issues.
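As an added example (not code from the article or from Remy's research), the following Python enumerates the single-bit-flip variants of a domain's second-level label so a defender knows which names to register or monitor. It keeps only results that are still valid DNS label characters and drops flips that merely change letter case, since DNS is case-insensitive; run on windows.com it yields the same 32 candidates the article mentions, among them windnws.com and windo7s.com.

```python
import string

# Characters allowed inside a DNS label; DNS is case-insensitive, so only
# lowercase is considered and case-only flips are not distinct names.
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")

def bitflip_variants(label: str) -> set:
    """Every distinct label obtained by flipping one bit of one character
    of `label`, restricted to results that are still valid DNS labels."""
    label = label.lower()
    variants = set()
    for pos, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            # Skip case-only changes (same name) and non-label characters.
            if flipped.lower() == ch or flipped not in LABEL_CHARS:
                continue
            candidate = label[:pos] + flipped + label[pos + 1:]
            # A label may not begin or end with a hyphen (RFC 1123).
            if candidate[0] == "-" or candidate[-1] == "-":
                continue
            variants.add(candidate)
    return variants

def bitsquat_domains(domain: str) -> list:
    """Bit-flip the registrable label just before the TLD (the TLD itself
    is left alone) and return the sorted list of domains worth registering
    or watching in DNS/certificate-transparency monitoring."""
    labels = domain.lower().split(".")
    sld, tld = labels[-2], labels[-1]
    return sorted(f"{v}.{tld}" for v in bitflip_variants(sld))

if __name__ == "__main__":
    squats = bitsquat_domains("windows.com")
    print(len(squats), "bit-flip variants of windows.com")
    for name in squats:
        print(name)
```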

Microsoft stated they are aware of industry-wide social engineering methods that can direct users to malicious sites and advised caution when clicking links or opening unknown files.

Telegram Sells Bonds

Telegram successfully sold over $1 billion in bonds to investors worldwide. Founder Pavel Durov clarified that owning Telegram Group bonds does not give investors any control or influence over the messenger’s policies or development. Bonds are simply a form of debt, unlike shares, which grant voting rights and board seats.

Tracking Without JavaScript

Researchers from Ben-Gurion University (Israel), University of Adelaide (Australia), and University of Michigan (USA) published a study titled “Prime+Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses.” They demonstrated that side-channel attacks on browsers are still possible, even in privacy-focused browsers like Tor, Chrome with Chrome Zero, and Firefox with DeterFox, and even with JavaScript completely disabled.

The attack, based solely on HTML and CSS, can leak enough data to identify and track users, such as determining which sites a person has visited. The attacks were tested not only on Intel-based systems but also on Samsung Exynos, AMD Ryzen, and Apple’s new M1 chip—making this the first side-channel attack to work against Apple M1.

The researchers notified Intel, AMD, Apple, Chrome, and Mozilla engineers before publication. Google Chrome developers have acknowledged that side-channel attacks cannot be fully blocked, even with Site Isolation, and that future attacks may rely solely on CSS.

Billions Lost to Hackers

The FBI published its annual Internet Crime Report, showing a record number of cybercrimes in 2020. The agency received 791,790 complaints—a 69% increase from 467,361 in 2019. Total reported losses exceeded $4.2 billion, up 20% from $3.5 billion in 2019.

As in previous years, the most significant losses were due to EAC and BEC scams (Email Account Compromise and Business Email Compromise), accounting for $1.8 billion (about 43% of all losses). Ransomware attacks increased by 225%, with losses exceeding $29.1 million, compared to $8.9 million in 2019.
