Israeli court to hear U.S. extradition request for alleged LockBit developer


An Israeli Court is set to deliberate a significant extradition case involving Rostislav Panev, an Israeli citizen alleged to be involved with the notorious LockBit ransomware gang.

According to Israeli news outlet Ynet, a U.S. extradition request was made public Thursday claiming that between 2019 and 2024, Panev served as a software developer for LockBit. During this period, LockBit is alleged to have executed cyberattacks impacting roughly 2,500 victims globally, including U.S. governmental and health care organizations.

The U.S. Department of Justice places LockBit among the most detrimental ransomware groups in operation, responsible for financial losses exceeding $500 million. Moreover, the group purportedly harbored connections with Evil Corp., an erstwhile Russian-based cybercrime syndicate sanctioned by the U.S. government in 2019 for its role in distributing malware and enabling a range of cybercriminal activity.

Documents disclosed in conjunction with the extradition request reveal that Panev was arrested at his Israeli home in August. He is suspected of developing software that placed ransom notes on compromised systems. For his work, he has allegedly made $230,000, largely via cryptocurrency. Law enforcement agencies discovered digital wallets tied to these payments, along with ransom templates, during searches at Panev’s residence.

Panev’s lawyer, Sharon Nahari, told Ynet that Panev was neither aware of nor complicit in the alleged schemes.

The extradition proceedings were instigated by the State Attorney’s Office after Israel’s Minister of Justice signed off on a formal request from the U.S. According to YNet, the U.S. kept the extradition order sealed, fearing that it might tip off other LockBit affiliates, potentially allowing them to escape to Russia.

International law enforcement has been aggressively pursuing those behind LockBit, starting in February with the public unveiling of “Operation Cronos,” the name of the organized international effort led by the U.K.’s National Crime Agency. British authorities seized the website used by LockBit to post targets and share data from targeted entities that refused to pay ransom and used it as the platform to disseminate news about the operation and information about the nearly 200 affiliates working with LockBit at the time, part of both a traditional law enforcement disruption as well as a psychological operation designed to undermine LockBit’s support in the cybercrime community. 

In October, law enforcement agencies announced additional arrests, seizures and sanctions targeting LockBit ransomware infrastructure, and 16 people were either arrested, sanctioned or both by the U.S. or U.K. 


Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.




How to Protect Your Environment from the NTLM Vulnerability


A new zero-day vulnerability in NTLM discovered by researchers at 0patch allows attackers to steal NTLM credentials by having a user view a specially crafted malicious file in Windows Explorer — no need for the user to open the file. These password hashes can be used for authentication relay attacks or for dictionary attacks on the password, both for identity takeover.

NTLM refers to a suite of old authentication protocols from Microsoft that provide authentication, integrity, and confidentiality to users. While NTLM was officially deprecated as of June, our research shows that 64% of Active Directory user accounts regularly authenticate with NTLM — evidence that NTLM is still widely used despite its known weaknesses.

The flaw is exploitable even in environments using NTLM v2, making it a significant risk to enterprises that have not yet moved to Kerberos and are still relying on NTLM. Considering Microsoft may not patch this issue for a while, enterprise defenders should take steps to mitigate the vulnerability in their environments. This Tech Tip outlines how dynamic access policies, a few hardening steps, and multifactor authentication (MFA) can help limit attempts to exploit this vulnerability. Upgrading the protocol, where possible, could eliminate the issue completely.

What Is the NTLM Vulnerability?

When a user views a malicious file in Windows Explorer — whether by navigating to a shared folder, inserting a USB drive containing the malicious file, or just viewing a file in the Downloads folder that was automatically downloaded from a malicious Web page — an outbound NTLM connection is triggered. This causes Windows to automatically send NTLM hashes of the currently logged-in user to a remote attacker-controlled share.

These NTLM hashes can then be intercepted and used for authentication relay attacks or even dictionary attacks, granting attackers unauthorized access to sensitive systems. Attackers can also potentially use the exposed passwords to access the organization’s software-as-a-service (SaaS) environment due to the high rates of synced users.

The issue impacts all Windows versions from Windows 7 and Server 2008 R2 up to the latest Windows 11 24H2 and Server 2022.

The fundamental problem with NTLM lies in its outdated protocol design. NTLM transmits password hashes instead of verifying plaintext passwords, making it vulnerable to interception and exploitation. Even with NTLM v2, which uses stronger encryption, the hashes can still be captured and relayed by attackers. NTLM’s reliance on weak cryptographic practices and lack of protection against relay attacks are key weaknesses that make it highly exploitable. Moreover, NTLM authentication does not support modern security features, such as MFA, leaving systems open to a variety of credential theft techniques, such as pass-the-hash and hash relaying.

What Defenders Need to Do

To mitigate this vulnerability, Microsoft has updated previous guidance on how to enable Extended Protection for Authentication (EPA) on LDAP, Active Directory Certificate Services (AD CS), and Exchange Server. On Windows Server 2022 and 2019, administrators can manually enable EPA for AD CS and channel binding for LDAP. There are scripts provided by Microsoft to activate EPA manually on Exchange Server 2016. Where possible, update to the latest Windows Server 2025 as it ships with EPA and channel binding enabled by default for both AD CS and LDAP.

Some organizations may still be dependent on NTLM due to legacy systems. Those teams should consider additional authentication layers, such as dynamic risk-based policies, for protecting existing NTLM legacy systems against exploitations.

Harden LDAP configurations. Configure LDAP to enforce channel binding and monitor for legacy clients that may not support these settings.

Check impact on SaaS. If you are unsure whether there are applications or clients in your environment that rely on NTLMv2, you can use Group Policy to enable the Network Security: Restrict NTLM: Audit incoming NTLM traffic policy setting. This will not block NTLMv2 traffic but will log all attempts to authenticate using NTLMv2 in the Operations Log. By analyzing these logs, you can identify which client applications, servers, or services still rely on NTLMv2, so you can make targeted adjustments or updates.

Using Group Policy to limit or disable NTLM authentication via the Network Security: Restrict NTLM setting will reduce the risk of fallback scenarios where NTLM is unintentionally used.
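The audit step above only pays off if someone actually reads the NTLM operational log. The following PowerShell script is an added example, not part of the original Tech Tip, that summarizes the events written after the Restrict NTLM audit policy is enabled, grouping them by event ID and by every logged field so the hosts and accounts that still authenticate with NTLM stand out. It assumes it runs elevated on the audited server or domain controller; the $Days and $Top values and the grouping key are choices made here.

```powershell
# Added example (not from the article): summarize NTLM audit events after the
# "Network Security: Restrict NTLM: Audit incoming NTLM traffic" policy has been
# enabled, so the systems that still depend on NTLM can be identified before the
# protocol is restricted. Run elevated on the server or domain controller being
# audited. $Days, $Top and the grouping key are choices made in this example.
param(
    [int]$Days = 7,
    [int]$Top  = 25
)

# Restrict NTLM audit/block events are written to this operational channel
# ("Applications and Services Logs\Microsoft\Windows\NTLM\Operational").
$logName = 'Microsoft-Windows-NTLM/Operational'
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Registry value behind the "Audit incoming NTLM traffic" policy (0 = off,
# 1 = audit domain accounts, 2 = audit all accounts). Report it so an empty
# log is not mistaken for "nobody uses NTLM".
$audit = (Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue).AuditReceivingNTLMTraffic
if ($null -eq $audit -or $audit -eq 0) {
    Write-Warning "AuditReceivingNTLMTraffic is not set on this host; the log below may be incomplete."
}

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No events in $logName since $since"; return }

# Read every EventData field by its XML Name attribute rather than by position,
# because the field layout differs between the 8001-8004 audit events.
function ConvertTo-NtlmRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml    = [xml]$Event.ToXml()
    $fields = [ordered]@{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = [string]$d.'#text' }
    }
    [pscustomobject]@{
        Time   = $Event.TimeCreated
        Id     = $Event.Id
        Fields = $fields
        # One string per (event ID, field values) combination, used as the grouping key.
        Key    = "$($Event.Id) | " + (($fields.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; ')
    }
}

$records = $events | ForEach-Object { ConvertTo-NtlmRecord -Event $_ }

"== Events by ID (last $Days days) =="
$records | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n='EventId';e={$_.Name}}, Count | Format-Table -AutoSize

"== Top $Top distinct NTLM sources (event ID plus all logged fields) =="
$records | Group-Object Key | Sort-Object Count -Descending | Select-Object -First $Top |
    Select-Object Count, @{n='Source';e={$_.Name}} | Format-Table -AutoSize -Wrap
```

Run it weekly while the policy is in audit mode; once the "Top sources" table contains only systems that have a migration plan, the same policy can be switched from audit to deny.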

Monitor SMB traffic. Enabling SMB signing and encryption can help prevent attackers from impersonating legitimate servers and triggering NTLM authentication. Blocking outbound SMB traffic to untrusted networks will also reduce the risk of NTLM credential leakage to rogue servers. Implement network monitoring and alerting for unusual SMB traffic patterns, particularly outbound requests to unknown or untrusted IP addresses.
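The SMB settings above can be checked and applied from PowerShell. The script below is an added example, not code from the original Tech Tip or from Microsoft: it prints the current SMB client and server signing and encryption state, and with -Apply enforces signing, enables server-side encryption, refuses insecure guest logons, and adds an outbound block for TCP/445 on the Public firewall profile. The rule name, the choice of the Public profile, and the guarded use of the newer BlockNTLM client setting are choices made here; run it elevated.

```powershell
# Added example (not from the article or from Microsoft): report the current SMB
# signing/encryption state, then apply the hardening the article recommends.
# Run elevated. Without -Apply the script only reports. The firewall rule name
# and the decision to block outbound TCP/445 only on the Public profile are
# choices made in this example, not Windows defaults.
param(
    [switch]$Apply
)

function Show-SmbState {
    "== SMB client =="
    Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableInsecureGuestLogons | Format-List
    "== SMB server =="
    Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EncryptData, RejectUnencryptedAccess | Format-List
}

Show-SmbState
if (-not $Apply) { "Re-run with -Apply to change settings."; return }

# Client side: require signing so a rogue server cannot tamper with the session,
# and refuse guest logons, which are unauthenticated and unsigned.
Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableInsecureGuestLogons $false -Force

# Server side: require signing, encrypt all sessions, and reject clients that cannot encrypt.
Set-SmbServerConfiguration -RequireSecuritySignature $true -EncryptData $true -RejectUnencryptedAccess $true -Force

# Newer SMB clients (Windows 11 24H2 / Server 2025) can refuse NTLM outright.
# Only set it where the parameter exists so the script stays portable.
if ((Get-Command Set-SmbClientConfiguration).Parameters.ContainsKey('BlockNTLM')) {
    Set-SmbClientConfiguration -BlockNTLM $true -Force
}

# Block outbound SMB to untrusted networks so a crafted file cannot coax the
# host into authenticating to a share it does not control. Scoped to the
# Public profile here; extend the profile list to match your environment.
$ruleName = 'Block outbound SMB to untrusted networks'   # constructed rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -Profile Public -Action Block | Out-Null
}

"== After hardening =="
Show-SmbState
```

Enabling EncryptData with RejectUnencryptedAccess cuts off SMB clients that cannot negotiate encryption (SMB 3.0 or later), so check the server's client population in a test OU before rolling the server-side change out broadly.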

Leave NTLM behind. NTLM has been deprecated. Administrators should audit NTLM usage to identify which systems still rely on NTLM. Organizations should prioritize transitioning those systems away from NTLM to more modern authentication protocols, such as Kerberos. Once a more modern protocol is in place, implement MFA to add an additional layer of protection.

Taking these steps will help organizations address the fundamental flaws in NTLM and improve their security posture.




Google Chrome uses AI to analyze pages in new scam detection feature


Google is using artificial intelligence to power a new Chrome scam protection feature that analyzes brands and the intent of pages as you browse the web.

As spotted by Leo on X, a new flag in Chrome Canary enables a feature called “Client Side Detection Brand and Intent for Scam Detection” that uses an LLM, or Large Language Model, to analyze web pages on your device.

“Enables on device LLM output on pages to inquire for brand and intent of the page,” reads the Google Chrome flag’s description.

Chrome’s AI-powered scam detection feature (Source: BleepingComputer)

This feature is believed to help the scam detection service detect the brand and purpose (intent) of a webpage, making it easier to identify potential scams. It works on Mac, Windows, and Linux.

It’s unclear how the feature works, but it could issue warnings when you visit an obvious scam website.

For example, if you visit a fake Microsoft tech support page claiming your computer is infected and urging you to call a number, Chrome’s AI could analyze the promoted brand or language used on the page. If it detects scam tactics like fake urgency or suspicious domains, it could display a warning alerting you to avoid interacting with the page or sharing personal information.

This new tool is being tested in Chrome Canary and could be related to Chrome’s built-in Enhanced Protection feature, which now also uses artificial intelligence.

Chrome’s Enhanced Protection is now powered by AI.

Google says the updated Enhanced Protection feature uses AI to provide real-time protection against dangerous sites, downloads, and extensions.

Before October, Enhanced Protection didn’t use AI. It was described as “proactive protection,” but it has since been updated to “AI-powered protection.”

Google is likely using pre-trained data to understand web content and warn users about scams or dangerous sites.

The company is still testing these AI-powered security and privacy features in Chrome, and it’s unclear when more details will be shared.




LockBit Developer Rostislav Panev Charged for Billions in Global Ransomware Damages


A dual Russian and Israeli national has been charged in the United States for allegedly being the developer of the now-defunct LockBit ransomware-as-a-service (RaaS) operation since its inception in or around 2019 through at least February 2024.

Rostislav Panev, 51, was arrested in Israel earlier this August and is currently awaiting extradition, the U.S. Department of Justice (DoJ) said in a statement. Based on fund transfers to a cryptocurrency wallet owned by Panev, he allegedly earned approximately $230,000 between June 2022 and February 2024.

“Rostislav Panev for years built and maintained the digital weapons that enabled his LockBit co-conspirators to wreak havoc and cause billions of dollars in damage around the world,” U.S. Attorney Philip R. Sellinger said.

LockBit, which was one of the most prolific ransomware groups, had its infrastructure seized in February 2024 as part of an international law enforcement operation called Cronos. It gained notoriety for targeting more than 2,500 entities in at least 120 countries around the world, including 1,800 in the U.S. alone.

Victims of LockBit’s attacks included individuals and small businesses to multinational corporations, such as hospitals, schools, nonprofit organizations, critical infrastructure, government, and law enforcement agencies. The RaaS is believed to have netted the group at least $500 million in illicit profits.

Court documents show that Panev’s computer analyzed following his arrest had administrator credentials for an online repository that was hosted on the dark web and contained source code for multiple versions of the LockBit builder, which affiliates used to create custom builds of the ransomware.

Also discovered were access credentials for the LockBit control panel and a tool called StealBit, which allowed the affiliate actors to exfiltrate sensitive data from compromised hosts prior to initiating the encryption process.


Panev, besides writing and maintaining the LockBit malware code as well as offering technical guidance to the e-crime group, is also accused of exchanging direct messages with Dmitry Yuryevich Khoroshev, the primary administrator who also went by online alias LockBitSupp, discussing development work related to the builder and control panel.

“In interviews with Israeli authorities following his arrest in August, Panev admitted to having performed coding, development, and consulting work for the LockBit group and to having received regular payments in cryptocurrency for that work,” the DoJ said.

“Among the work that Panev admitted to having completed for the LockBit group was the development of code to disable antivirus software; to deploy malware to multiple computers connected to a victim network; and to print the LockBit ransom note to all printers connected to a victim network.”

With the latest arrest, a total of seven LockBit members – Mikhail Vasiliev, Ruslan Astamirov, Artur Sungatov, Ivan Gennadievich Kondratiev, Mikhail Pavlovich Matveev – have been charged in the U.S.

Despite these operational setbacks, the LockBit operators appear to be plotting a comeback, with a new version LockBit 4.0 scheduled for release in February 2025. However, it remains to be seen if the extortion gang can successfully stage a return in light of the ongoing wave of takedowns and charges.

Second Netwalker Ransomware Affiliate Gets 20 Years in Prison

The development comes as Daniel Christian Hulea, a 30-year-old Romanian affiliate of the NetWalker ransomware operation, was sentenced to 20 years in prison and ordered to forfeit $21,500,000 and his interests in an Indonesian company and a luxury resort property that was financed with ill-gotten proceeds from the attacks.

Hulea previously pleaded guilty in the U.S. to charges of computer fraud conspiracy and wire fraud conspiracy back in June 2024. He was arrested in Romania on July 11, 2023, and subsequently extradited to the U.S.

“As part of his plea agreement, Hulea admitted to using NetWalker to obtain approximately 1,595 bitcoin in ransom payments for himself and a co-conspirator, valued at approximately $21,500,000 at the time of the payments,” the DoJ said.

The NetWalker ransomware operation particularly singled out the healthcare sector during the height of the COVID-19 pandemic. It was dismantled online in January 2021 when U.S. and Bulgarian authorities seized the dark web sites used by the group. In October 2022, a Canadian affiliate, Sebastien Vachon-Desjardins, was sentenced to 20 years in prison.

Raccoon Stealer Developer Sentenced to 5 Years in Prison

In related law enforcement news, the DoJ also announced the sentencing of Mark Sokolovsky, a Ukrainian national accused of being the primary developer of the Raccoon Stealer malware, to 60 months in federal prison for one count of conspiracy to commit computer intrusion.

The 28-year-old conspired to offer the Raccoon infostealer as a malware-as-a-service (MaaS) to other criminal actors for $200 a month, who then deployed the malware on victims’ systems using various ruses such as email phishing in order to steal sensitive data. The harvested information was used to commit financial crimes or sold to others on underground forums.

Sokolovsky, who was extradited from the Netherlands in February 2024, pleaded guilty to the crime in early October and agreed to forfeit $23,975 and pay at least $910,844.61 in restitution.

“Mark Sokolovsky was a key player in an international criminal conspiracy that victimized countless individuals by administering malware which made it cheaper and easier for even amateurs to commit complex cybercrimes,” said U.S. Attorney Jaime Esparza for the Western District of Texas.


The U.S. Federal Bureau of Investigation (FBI) has set up a website where users can check whether their email address shows up in the data stolen by the Raccoon stealer malware. The MaaS operation was taken offline in March 2022 concurrent with Sokolovsky’s arrest by Dutch authorities.

NYC Man Gets Nearly 6 Years in Prison for Credit Card Trafficking and Money Laundering

The latest actions also follow the sentencing of a 32-year-old New York City man, Vitalii Antonenko, to time served plus days for his involvement in a criminal scheme that infiltrated systems with SQL injection attacks in order to steal credit card and personal information and offer the data for sale on online criminal marketplaces.

“Once a co-conspirator sold the data, Antonenko and others used Bitcoin as well as traditional bank and cash transactions to launder the proceeds in order to disguise their nature, location, source, ownership, and control,” the DoJ noted in May 2020. “The conspiracy’s victims included a hospitality business and non-profit scientific research institution, both located in eastern Massachusetts.”

Antonenko was arrested in March 2019 on his return to the U.S. from Ukraine carrying “computers and other digital media that held hundreds of thousands of stolen payment card numbers.”

In September 2024, he pleaded guilty to one count of conspiracy to gain unauthorized access to computer networks and to traffic in unauthorized access devices, and one count of money laundering conspiracy.





Apple urged to stop AI headline summaries after false claims • The Register


Press freedom advocates are urging Apple to ditch an “immature” generative AI system that incorrectly summarized a BBC news notification, producing a false claim that suspected UnitedHealthcare CEO shooter Luigi Mangione had killed himself.

Reporters Without Borders (RSF) said this week that Apple’s AI kerfuffle, which generated a false summary as “Luigi Mangione shoots himself,” is further evidence that artificial intelligence cannot reliably produce information for the public. Apple Intelligence, which launched in the UK on December 11, needed less than 48 hours to make the very public mistake. 

“This accident highlights the inability of AI systems to systematically publish quality information, even when it is based on journalistic sources,” RSF said. “The probabilistic way in which AI systems operate automatically disqualifies them as a reliable technology for news media that can be used in solutions aimed at the general public.”

Because it isn’t reliably accurate, RSF said AI shouldn’t be allowed to be used for such purposes, and asked Apple to pull the feature from its operating systems. 

“Facts can’t be decided by a roll of the dice,” said Vincent Berthier, head of RSF’s tech and journalism desk. “RSF calls on Apple to act responsibly by removing this feature.

“The automated production of false information attributed to a media outlet is a blow to the outlet’s credibility and a danger to the public’s right to reliable information on current affairs,” Berthier added.

It’s unknown if or how Apple plans to address the issue. The BBC has filed its own complaint, but Apple declined to comment to the British broadcaster publicly on the matter. 

According to the BBC, this doesn’t even appear to be the first time Apple’s AI summaries have falsely reported news. The beeb pointed to an Apple AI summary from November shared by a ProPublica reporter that attributed news of Israeli prime minister Benjamin Netanyahu’s arrest (which hasn’t happened) to the New York Times, suggesting Apple Intelligence might be a serial misreader of the daily headlines. 

Google’s AI search results have also been tricked into surfacing scam links, and have also urged users to glue cheese to pizza and eat rocks.  

Berthier stated, “The European AI Act – despite being the most advanced legislation in the world in this area – did not classify information-generating AIs as high-risk systems, leaving a critical legal vacuum. This gap must be filled immediately.”

The Register has reached out to Apple to learn about what it might do to address the problem of its AI jumping to conclusions about the news, and RSF to see if it’s heard from Apple, but we haven’t heard back from either. ®




Justice Department unveils charges against alleged LockBit developer


The U.S. Department of Justice revealed charges Friday against Rostislav Panev, a dual Russian and Israeli national, for his alleged role as a developer in the notorious LockBit ransomware group. Panev was arrested in Israel following a U.S. provisional arrest request and is currently awaiting extradition.

Authorities allege that Panev has been an instrumental figure in LockBit’s operations since its inception in 2019. As a developer, Panev is accused of designing malware code and maintaining the infrastructure used by gang members and its affiliates to conduct its attacks. LockBit has been tied to over 2,500 attacks in 120 countries, extracting more than $500 million in ransom payments and causing billions in losses to victims, including businesses, hospitals, and government agencies.

The arrest is part of a broader campaign by international law enforcement agencies to dismantle LockBit. In February, a coordinated operation led by the U.K.’s National Crime Agency in cooperation with the FBI and the U.S. Justice Department disrupted LockBit’s infrastructure, seizing websites and servers critical to its operations. These efforts significantly curtailed the group’s ability to launch further attacks and extort victims.

Panev is one of several individuals charged in connection with LockBit. Alongside him, other key figures have been indicted, including Dmitry Khoroshev, alleged to be “LockBitSupp,” the group’s primary creator and administrator. Khoroshev, still at large, is accused of developing the ransomware and coordinating attacks on an international scale. The State Department has offered a reward of up to $10 million for his capture.

Meanwhile, numerous members linked to LockBit remain fugitives, such as Russian nationals Artur Sungatov and Ivan Kondratyev, each facing charges for deploying ransomware against multiple industries globally. Mikhail Matveev, another alleged LockBit affiliate, is also at large, with a $10 million reward for his capture. Matveev was recently charged with computer crimes in Russia. 

“As alleged by the complaint, Rostislav Panev for years built and maintained the digital weapons that enabled his LockBit coconspirators to wreak havoc and cause billions of dollars in damage around the world,” said Philip Sellinger, the U.S. Attorney for the District of New Jersey. “But just like the six other LockBit members previously identified and charged by this office and our FBI and Criminal Division partners, Panev could not remain anonymous and avoid justice indefinitely. He must now answer for his crimes. Today’s announcement represents another blow struck by the United States and our international partners against the LockBit organization, and our efforts will continue relentlessly until the group is fully dismantled and its members brought to justice.”

Panev’s lawyer, Sharon Nahari, told Israeli news outlet Ynet earlier this week that Panev was neither aware of nor complicit in the alleged schemes. An extradition hearing for Panev will be held in Israel next month. 

You can read the full criminal complaint against Panev here.

Written by Greg Otto




Engineering Workstations Fresh Malware Barrage


NEWS BRIEF

Operational technology (OT) and industrial control systems (ICS) are increasingly exposed to compromise through engineering workstations. A new malware developed to kill stations running Siemens systems joins a growing list of botnets and worms working to infiltrate industrial networks through these on-premises, Internet-connected attack vectors.

Forescout researchers reported the discovery of the Siemens malware, which they called “Chaya_003.” But that’s hardly an isolated case. The researchers also found two Mitsubishi engineering workstations compromised by the Ramnit worm, they explained in a new report.

“Malware in OT/ICS is more common than you think — and engineering workstations connected to the Internet are targets,” the Forescout team warned.

Researchers from SANS said engineering workstation compromise accounts for more than 20% of OT cybersecurity incidents, the report noted. Botnets targeting OT systems, which the report said include Aisuru, Kaiten, and Gafgyt, rely on Internet-connected devices to infiltrate networks.

Engineering workstations make excellent targets for cyberattack because they are on-premises stations running traditional operating systems as well as specialized software tools provided by vendors such as the Siemens TIA portal or Mitsubishi GX Works, the Forescout team wrote.

To defend against these campaigns, OT/ICS network operators should ensure engineering workstations are protected and that there is adequate network segmentation, and implement an ongoing threat monitoring program.

The report acknowledges malware developed specifically for OT environments is relatively rare compared with efforts put behind enterprise compromises, “but there’s little room to sleep easily if you’re a security operator in OT or manage industrial control system security,” the researchers added.




Massive live sports piracy ring with 812 million yearly visits taken offline


​The Alliance for Creativity and Entertainment (ACE) has taken down one of the world’s largest live sports streaming piracy rings, with over 821 million visits last year.

ACE says the Markkystreams Vietnam-based operation was the largest illegal sports streaming service it has shut down to date. 

The piracy ring primarily targeted audiences across the United States and Canada, streaming sports events daily from all the U.S. sports leagues and global leagues of every category. ACE says this operation affected all its members, including sports tier members DAZN, beIN Sports, and Canal+.

“The shutdown of this globally notorious live sports piracy ring is a huge victory in our campaign against the piracy of live sports programs and follows other recent successful actions by ACE and law enforcement in Vietnam,” said Larissa Knapp, Executive Vice President at the Motion Picture Association (MPA), on Thursday.

“ACE’s live sports members face a unique threat when it comes to digital piracy, as live sports broadcasts lose substantial commercial value once the game ends. The takedown serves as a warning to piracy operators everywhere – including operators in live sports piracy – that ACE will identify and shut down their illegal operations.”

The anti-piracy group says the ring’s Hanoi-based operators handed over control of 138 domains, including the bestsolaris[dot]com, streameast[dot]to, markkystreams[dot]com, crackstreams[dot]dev, and weakspell[dot]to domains.

“This website is no longer available due to copyright infringement. Do not put yourself at risk by using or subscribing to illegal streaming services,” a banner displayed on the seized websites reads.

ACE seizure banner (BleepingComputer)

​ACE is a coalition of over 50 media and entertainment companies, including the world’s largest film studios and television networks, focused on shuttering illegal streaming services since June 2017.

Its governing board includes Amazon, Apple TV+, Universal Studios, The Walt Disney Studios, Netflix, Paramount Global, Sony Pictures, and Warner Bros. Discovery.

Since its launch, ACE has taken down a long list of piracy platforms, including the Openload and Streamango streaming providers in October 2019, the pirate IPTV service Beast IPTV in December 2020, the 123movies.la streaming site in May 2021, and the world’s largest anime pirate site Zoro.to in July 2023.

ACE also works with law enforcement organizations like the U.S. Department of Justice, Europol, and Interpol in operations targeting large-scale illegal streaming rings.

Since the start of the year, it helped shutter a pirate TV streaming network that made millions of dollars since its launch in 2015, convict five men linked to the Jetflicks illegal streaming service, and, most recently, dismantle a pirate streaming service with over 22 million users worldwide that was making over €250 million ($263M) each month.




Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack


Dec 20, 2024 | Ravie Lakshmanan | Malware / Supply Chain Attack

The developers of Rspack have revealed that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack that allowed a malicious actor to publish malicious versions to the official package registry with cryptocurrency mining malware.

Following the discovery, versions 1.1.7 of both libraries have been unpublished from the npm registry. The latest safe version is 1.1.8.

“They were released by an attacker who gained unauthorized npm publishing access, and contain malicious scripts,” software supply chain security firm Socket said in an analysis.


Rspack is billed as an alternative to webpack, offering a “high performance JavaScript bundler written in Rust.” Originally developed by ByteDance, it has since been adopted by several companies such as Alibaba, Amazon, Discord, and Microsoft, among others.

The npm packages in question, @rspack/core and @rspack/cli, attract weekly downloads of over 300,000 and 145,000, respectively, indicative of their popularity.

An analysis of the rogue versions of the two libraries has revealed that they incorporate code to make calls to a remote server (“80.78.28[.]72”) in order to transmit sensitive configuration details such as cloud service credentials, while also collecting IP address and location details by making an HTTP GET request to “ipinfo[.]io/json.”

In an interesting twist, the attack also limits the infection to machines located in a specific set of countries, such as China, Russia, Hong Kong, Belarus, and Iran.

The end goal of the attacks is to trigger the download and execution of an XMRig cryptocurrency miner on compromised Linux hosts upon installation of the packages by means of a postinstall script specified in the “package.json” file.

“The malware is executed via the postinstall script, which runs automatically when the package is installed,” Socket said. “This ensures the malicious payload is executed without any user action, embedding itself into the target environment.”
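Because install-time lifecycle scripts run with no user action, a useful routine check is to enumerate which installed packages declare one and read those scripts before they are allowed to run. The PowerShell script below is an added example, not code from the article, from Socket, or from the Rspack project: it walks a project’s node_modules tree, lists every preinstall, install, postinstall and prepare script, and flags commands containing tokens typical of download-and-execute droppers. The token list is a constructed heuristic chosen here, and the script assumes a project directory with a populated node_modules folder.

```powershell
# Added example (not from the article, Socket, or the Rspack project): list every
# installed npm package that declares an install-time lifecycle script so a
# reviewer can inspect those scripts. Assumes a project directory with a
# populated node_modules folder; the token list is a constructed heuristic,
# not a detection signature.
param(
    [string]$ProjectRoot = (Get-Location).Path
)

# npm runs these hooks automatically during "npm install".
$lifecycle = 'preinstall', 'install', 'postinstall', 'prepare'
# Tokens that commonly appear in dropper-style install scripts; tune per environment.
$tokens = 'curl', 'wget', 'base64', 'chmod', 'http://', 'https://', '/tmp/', 'eval', 'child_process'

$manifests = @(Get-ChildItem -Path (Join-Path $ProjectRoot 'node_modules') -Recurse -Filter package.json -ErrorAction SilentlyContinue)

$findings = foreach ($m in $manifests) {
    # Skip manifests that are not valid JSON rather than aborting the whole scan.
    try { $pkg = Get-Content -Raw -LiteralPath $m.FullName | ConvertFrom-Json } catch { continue }
    if (-not $pkg.scripts) { continue }
    foreach ($hook in $lifecycle) {
        $cmd = $pkg.scripts.$hook
        if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
        # A script that runs a file is only as trustworthy as that file; flag the
        # command line and let the reviewer open the referenced file as well.
        $hits = @($tokens | Where-Object { $cmd -match [regex]::Escape($_) })
        [pscustomobject]@{
            Package = "$($pkg.name)@$($pkg.version)"
            Hook    = $hook
            Command = $cmd
            Flags   = ($hits -join ',')
            Path    = $m.DirectoryName
        }
    }
}

$findings | Sort-Object { $_.Flags.Length } -Descending | Format-Table -AutoSize -Wrap
"{0} manifests scanned, {1} install-time hooks found, {2} with flagged tokens" -f `
    $manifests.Count, @($findings).Count, @($findings | Where-Object { $_.Flags }).Count
```

For CI and developer machines, pairing this review with `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) prevents lifecycle hooks from running at all until a human has looked at them, and `npm audit signatures` verifies registry signatures and provenance attestations for the installed versions, which is the attestation check the Socket analysis refers to.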


Besides publishing a new version of the two packages without the malicious code, the project maintainers said they invalidated all existing npm tokens and GitHub tokens, checked the permissions of the repository and npm packages, and audited the source code for any potential vulnerabilities. An investigation into the root cause of the token theft is underway.

“This attack highlights the need for package managers to adopt stricter safeguards to protect developers, like enforcing attestation checks, to prevent updating to unverified versions,” Socket said. “But it’s not totally bullet-proof.”

“As seen in the recent Ultralytics supply chain attack in the Python ecosystem, attackers may still be able to publish versions with attestation by compromising GitHub Actions through cache poisoning.”


Web Hacking Service ‘Araneida’ Tied to Turkish IT Firm – Krebs on Security

Cybercriminals are selling hundreds of thousands of credential sets stolen with the help of a cracked version of Acunetix, a powerful commercial web app vulnerability scanner, new research finds. The cracked software is being resold as a cloud-based attack tool by at least two different services, one of which KrebsOnSecurity traced to an information technology firm based in Turkey.

Cyber threat analysts at Silent Push said they recently received reports from a partner organization that identified an aggressive scanning effort against their website using an Internet address previously associated with a campaign by FIN7, a notorious Russia-based hacking group.

But on closer inspection they discovered the address contained an HTML title of “Araneida Customer Panel,” and found they could search on that text string to find dozens of unique addresses hosting the same service.

It soon became apparent that Araneida was being resold as a cloud-based service using a cracked version of Acunetix, allowing paying customers to conduct offensive reconnaissance on potential target websites, scrape user data, and find vulnerabilities for exploitation.

Silent Push also learned Araneida bundles its service with a robust proxy offering, so that customer scans appear to come from Internet addresses that are randomly selected from a large pool of available traffic relays.

The makers of Acunetix, Texas-based application security vendor Invicti Security, confirmed Silent Push’s findings, saying someone had figured out how to crack the free trial version of the software so that it runs without a valid license key.

“We have been playing cat and mouse for a while with these guys,” said Matt Sciberras, chief information security officer at Invicti.

Silent Push said Araneida is being advertised by an eponymous user on multiple cybercrime forums. The service’s Telegram channel boasts nearly 500 subscribers and explains how to use the tool for malicious purposes.

In a “Fun Facts” list posted to the channel in late September, Araneida said their service was used to take over more than 30,000 websites in just six months, and that one customer used it to buy a Porsche with the payment card data (“dumps”) they sold.

Araneida Scanner’s Telegram channel bragging about how customers are using the service for cybercrime.

“They are constantly bragging with their community about the crimes that are being committed, how it’s making criminals money,” said Zach Edwards, a senior threat researcher at Silent Push. “They are also selling bulk data and dumps which appear to have been acquired with this tool or due to vulnerabilities found with the tool.”

Silent Push also found a cracked version of Acunetix was powering at least 20 instances of a similar cloud-based vulnerability testing service catering to Mandarin speakers, but they were unable to find any apparently related sales threads about them on the dark web.

Rumors of a cracked version of Acunetix being used by attackers surfaced in June 2023 on Twitter/X, when researchers first posited a connection between observed scanning activity and Araneida.

According to an August 2023 report (PDF) from the U.S. Department of Health and Human Services (HHS), Acunetix (presumably a cracked version) is among several tools used by APT 41, a prolific Chinese state-sponsored hacking group.

THE TURKISH CONNECTION

Silent Push notes that the website where Araneida is being sold — araneida[.]co — first came online in February 2023. But a review of this Araneida nickname on the cybercrime forums shows they have been active in the criminal hacking scene since at least 2018.

A search in the threat intelligence platform Intel 471 shows a user by the name Araneida promoting the scanner on two cybercrime forums, Breached and Nulled, since 2022. In 2022, Araneida told fellow Breached members they could be reached on Discord at the username “Ornie#9811.”

According to Intel 471, this same Discord account was advertised in 2019 by a person on the cybercrime forum Cracked who used the monikers “ORN” and “ori0n.” The user “ori0n” mentioned in several posts that they could be reached on Telegram at the username “@sirorny.”

Orn advertising Araneida Scanner in Feb. 2023 on the forum Cracked. Image: Ke-la.com.

The Sirorny Telegram identity also was referenced as a point of contact for a current user on the cybercrime forum Nulled who is selling website development services, and who references araneida[.]co as one of their projects. That user, “Exorn,” has posts dating back to August 2018.

In early 2020, Exorn promoted a website called “orndorks[.]com,” which they described as a service for automating the scanning for web-based vulnerabilities. A passive DNS lookup on this domain at DomainTools.com shows that its email records pointed to the address ori0nbusiness@protonmail.com.

Constella Intelligence, a company that tracks information exposed in data breaches, finds this email address was used to register an account at Breachforums in July 2024 under the nickname “Ornie.” Constella also finds the same email registered at the website netguard[.]codes in 2021 using the password “ceza2003” [full disclosure: Constella is currently an advertiser on KrebsOnSecurity].

A search on the password ceza2003 in Constella finds roughly a dozen email addresses that used it in an exposed data breach, most of them featuring some variation on the name “altugsara,” including altugsara321@gmail.com. Constella further finds altugsara321@gmail.com was used to create an account at the cybercrime community RaidForums under the username “ori0n,” from an Internet address in Istanbul.

According to DomainTools, altugsara321@gmail.com was used in 2020 to register the domain name altugsara[.]com. Archive.org’s history for that domain shows that in 2021 it featured a website for a then 18-year-old Altuğ Şara from Ankara, Turkey.

Archive.org’s recollection of what altugsara dot com looked like in 2021.

LinkedIn finds this same altugsara[.]com domain listed in the “contact info” section of a profile for an Altug Sara from Ankara, who says he has worked the past two years as a senior software developer for a Turkish IT firm called Bilitro Yazilim.

Neither Altug Sara nor Bilitro Yazilim responded to requests for comment.

Invicti’s website states that it has offices in Ankara, but the company’s CEO said none of their employees recognized either name.

“We do have a small team in Ankara, but as far as I know we have no connection to the individual other than the fact that they are also in Ankara,” Invicti CEO Neil Roseman told KrebsOnSecurity.

Researchers at Silent Push say that despite Araneida's use of a seemingly endless supply of proxies to mask the true location of its users, it is a fairly “noisy” scanner: it kicks off a large volume of requests to various API endpoints and probes random URLs associated with different content management systems, regardless of which CMS, if any, the target actually runs.

What’s more, the cracked version of Acunetix being resold to cybercriminals still presents legacy Acunetix SSL certificates on its active control panels, which Silent Push says provides a solid pivot for finding some of this infrastructure, particularly the instances run by Chinese threat actors.

Further reading: Silent Push’s research on Araneida Scanner.