REvil, the Ransomware Hackers’ System Identified

Ahead of the three-day Fourth of July weekend, the REvil gang is suspected to be behind a new ransomware attack Friday that affected at least 200 companies in the U.S.

REvil, based in Russia, was likely behind the JBS Meat Packing attack in May, according to the FBI. The Flashpoint Intelligence Platform has suggested that former REvil members were involved in the recent Colonial Pipeline attack earlier this year as well, allegedly done by the DarkSide ransomware group. More here from Newsweek.

Per the FBI’s most recent statement:

Updated July 4, 2021: 

If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to shut down your VSA servers immediately, and report your compromise to the FBI at ic3.gov. Please include as much information as possible to assist the FBI and CISA in determining prioritization for victim outreach. Due to the potential scale of this incident, the FBI and CISA may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat.


Original statement:

The FBI is investigating this situation and working with Kaseya, in coordination with CISA, to conduct outreach to possibly impacted victims. We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately. As always, we stand ready to assist any impacted entities.

Additionally:

Kaseya had expected that it would be able to patch and restore its VSA software-as-a-service product by today, but technical problems its developers encountered have blocked the rollout. As of 8:00 AM EDT today, the company was still working to resolve the issues it encountered.

Reuters quotes US President Biden as offering, yesterday, a relatively upbeat preliminary assessment of the consequences of the ransomware campaign: “It appears to have caused minimal damage to U.S. businesses, but we’re still gathering information,” Mr. Biden said, adding “I feel good about our ability to be able to respond.”

That said, the US Government is continuing its investigation and is signalling an intention to do something about REvil and other gangs or privateers. Among other things, the US Administration said that it has communicated very clearly to Russian authorities that the US wants the REvil operators brought to book. CBS News reported yesterday that White House press secretary Psaki said that the US had been in touch with Russian officials about the REvil operation, and that if Russia doesn’t take action against its ransomware gangs, “we will.” TASS is, of course, authorized to disclose that Russia not only had nothing to do with the attack, and that it knew nothing about it, and that in fact Moscow had heard nothing from Washington about the matter.

But outside-government cyber experts have uncovered the following:

Hat tip source

Resecurity® HUNTER, its cyber threat intelligence and R&D unit, identified a strong connection to a cloud hosting and IoT company servicing the domain belonging to the cybercriminals.

According to recent research published by Resecurity on Twitter, starting in January 2021 REvil leveraged a new domain, ‘decoder[.]re’, in addition to a ransomware page available on the TOR network.

***

The domain was included within the ransom notes dropped by the recent version of REvil; it came in the form of a text file containing contact and payment instructions.

[Image: revil map]

Typically, the collaboration between the victim and REvil was organized via a page in TOR, but in case a victim is not able to access the Onion network, the group prepared domains available on the Clearnet (WWW) acting as a ‘mirror’.

[Image: REvil TOR host]

[Image: REvil WWW host (decoder[.]re)]

To access the page on WWW or TOR, the victim needs to provide a valid UID (e.g., “9343467A488841AC”). The researchers acquired a significant number of UIDs and private keys as a result of ransomware samples detonated and through collaboration with victims globally. The private keys determine whether the same functional process is available on both resources, confirming they’re delivering exactly the same content.

Like decryptor[.]cc and decryptor[.]top in previous REvil / Sodinokibi versions, decoder[.]re is used to grant the victims access to the threat actors’ website for further negotiations. The application hosted on it contains ‘chat’ functionality enabling interactive, close to real-time communications between the victim and REvil.

The threat actors also used a disposable temporary e-mail address created via https://guerrillamail.com to anonymously register the domain name, which was later used for name servers too; this also allowed them to park other elements of their infrastructure. Such e-mails could only be used a limited number of times; for example, all communications with them would be automatically deleted within 1 hour.

Resecurity was able to collect the available and historical DNS records, then created a visual graph representing the current network infrastructure used by REvil and shared it with the cybersecurity community. According to experts, such a step may facilitate proper legal action against ransomware, as well as outline the parties responsible for such malicious activity, as the uncovered details raise significant questions regarding the reaction from hosting providers and law enforcement.

[Image: revil map]

Based on the network and DNS intelligence collected by experts, the IPs associated with it have been rotated at least 3 times in Q1 2021 and were related to a particular cloud hosting and IoT solutions provider located in Eastern Europe, which continues to service them.
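As an added example (not Resecurity’s tooling and not code from the article), the following Python works through the analysis described above over constructed passive-DNS records: counting how many times a negotiation domain’s hosting IP rotated within a calendar quarter, and grouping the domains by the network that served them and by IPs reused between them, which is the kind of link that tied the mirrors to a single hosting provider. The domain names are those on the page; every IP, date, ASN and provider name is a constructed placeholder.

```python
"""Passive-DNS rotation analysis for ransomware negotiation mirrors.

Added example, not Resecurity's tooling and not code from the article.
Given historical A-record observations for negotiation domains it
(1) counts how often a domain's hosting IP rotated inside a quarter and
(2) groups domains by serving network (ASN) and by IPs reused across
domains, the edges one would draw in an infrastructure graph.
Every IP, date, ASN and provider name below is a constructed placeholder.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import ipaddress


@dataclass(frozen=True)
class DnsObservation:
    """One historical A record as a passive-DNS source would report it."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date
    asn: int
    asn_name: str

    def __post_init__(self):
        ipaddress.ip_address(self.ip)  # reject malformed addresses early
        if self.last_seen < self.first_seen:
            raise ValueError(f"{self.domain}: last_seen precedes first_seen")


# Constructed sample data: IPs from the RFC 5737 documentation ranges,
# ASNs from the private range, placeholder provider names.
PROVIDER = "example-cloud-iot-provider"
SAMPLE_RECORDS = [
    DnsObservation("decoder[.]re", "198.51.100.10", date(2021, 1, 4), date(2021, 1, 29), 64500, PROVIDER),
    DnsObservation("decoder[.]re", "198.51.100.27", date(2021, 1, 30), date(2021, 2, 21), 64500, PROVIDER),
    DnsObservation("decoder[.]re", "203.0.113.8", date(2021, 2, 22), date(2021, 3, 12), 64500, PROVIDER),
    DnsObservation("decoder[.]re", "198.51.100.55", date(2021, 3, 13), date(2021, 4, 20), 64500, PROVIDER),
    DnsObservation("decryptor[.]top", "198.51.100.27", date(2020, 6, 1), date(2020, 11, 30), 64500, PROVIDER),
    DnsObservation("decryptor[.]cc", "192.0.2.77", date(2019, 9, 1), date(2020, 5, 15), 64501, "unrelated-example-host"),
]


def quarter_of(d: date) -> str:
    """Calendar quarter label such as '2021Q1'."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def count_rotations(records, domain, quarter):
    """Number of times `domain` moved to a different IP during `quarter`.

    Records are ordered by first_seen; a rotation is a record whose IP
    differs from the preceding one and whose first_seen falls in the
    quarter. The domain's very first observation is never a rotation.
    """
    history = sorted((r for r in records if r.domain == domain),
                     key=lambda r: r.first_seen)
    return sum(1 for prev, cur in zip(history, history[1:])
               if cur.ip != prev.ip and quarter_of(cur.first_seen) == quarter)


def shared_infrastructure(records):
    """Return (domains per ASN, IPs that served more than one domain)."""
    by_asn = defaultdict(set)
    domains_by_ip = defaultdict(set)
    for r in records:
        by_asn[(r.asn, r.asn_name)].add(r.domain)
        domains_by_ip[r.ip].add(r.domain)
    shared_ips = {ip: sorted(ds) for ip, ds in domains_by_ip.items() if len(ds) > 1}
    return {k: sorted(v) for k, v in by_asn.items()}, shared_ips


def current_provider(records, domain, as_of):
    """Network serving `domain` on `as_of`, or None if no record covers
    that date (the domain was not resolving then)."""
    for r in records:
        if r.domain == domain and r.first_seen <= as_of <= r.last_seen:
            return r.asn_name
    return None


if __name__ == "__main__":
    print("decoder[.]re rotations in 2021Q1:",
          count_rotations(SAMPLE_RECORDS, "decoder[.]re", "2021Q1"))
    by_asn, shared = shared_infrastructure(SAMPLE_RECORDS)
    for (asn, name), domains in sorted(by_asn.items()):
        print(f"AS{asn} ({name}): {', '.join(domains)}")
    print("IPs reused across domains:", shared)
    print("serving decoder[.]re on 2021-04-01:",
          current_provider(SAMPLE_RECORDS, "decoder[.]re", date(2021, 4, 1)))
```

Run against a real passive-DNS export, the same functions show whether a mirror domain keeps landing in one provider’s network after each rotation, which is the fact the graph above was built to make visible.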

“It’s hard to believe such malicious activity has gone unnoticed by certain governments, resulting in damage to thousands of enterprises globally,” said Gene Yoo, Chief Executive Officer of Resecurity.

President Joe Biden has ordered U.S. intelligence agencies to investigate the sophisticated ransomware attack on Kaseya presumably conducted by REvil, a notorious cybercriminal syndicate believed to have ties to Russian-speaking actors that has previously gone after high-profile targets such as Apple and Acer.

The group is also believed to be behind last month’s successful attack on the world’s largest meat processing company, JBS, that extorted $11 million in ransom. REvil took official responsibility for the attack and released an announcement on their blog, which is available on the TOR network, asking for a $70 million payment from Kaseya – the biggest ransom payment demand known in the industry today.

The attack has already affected over 1,000 businesses globally disrupting their operations. One suspected victim of the breach, the Sweden-based retailer Coop, closed at least 800 stores over the weekend after its systems were taken offline.

The White House Press Secretary Jen Psaki said the US will take action against the cybercriminal groups from Russia if the Russian government refuses to do so.

The investigation is still ongoing.

About the author: Gene Yoo, Chief Executive Officer (Resecurity, Inc.)

Factoid: The Biden Admin’s NSA Unmasked Tucker Carlson

So, who exactly ordered the NSA to unmask Tucker Carlson’s emails and leak them is unclear, but there is at least one common name that did the same thing against General Flynn: Susan Rice. Ahhh, but read on. (Remember, former AG Barr called it spying.)

Axios:

Tucker Carlson was talking to U.S.-based Kremlin intermediaries about setting up an interview with Vladimir Putin shortly before the Fox News host accused the National Security Agency of spying on him, sources familiar with the conversations tell Axios.

Why it matters: Those sources said U.S. government officials learned about Carlson’s efforts to secure the Putin interview. Carlson learned that the government was aware of his outreach — and that’s the basis of his extraordinary accusation, followed by a rare public denial by the NSA that he had been targeted.

  • Axios has not confirmed whether any communications from Carlson have been intercepted, and if so, why.

The big picture: Carlson’s charges instantly became a cause célèbre on the right, which feasted on the allegation that one of America’s most prominent conservatives might have been monitored by the U.S. intelligence community.

The backstory: Carlson told his roughly 3 million viewers on June 28 that the day before, he had heard “from a whistleblower within the U.S. government who reached out to warn us that the NSA … is monitoring our electronic communications and is planning to leak them in an attempt to take this show off the air.”

  • Carlson said his source, “who is in a position to know, repeated back to us information about a story that we are working on that could have only come directly from my texts and emails.”
  • “It’s illegal for the NSA to spy on American citizens,” Carlson added. “Things like that should not happen in America. But unfortunately, they do happen. And in this case, they did happen.”
  • The NSA said in a tweet the next night, as Carlson’s show went on the air, that his “allegation is untrue.”
  • “Tucker Carlson has never been an intelligence target of the Agency and the NSA has never had any plans to try to take his program off the air,” the statement said.

A Fox News spokesperson gave this response to our reporting: “We support any of our hosts pursuing interviews and stories free of government interference.”

  • And Carlson gave this statement: “As I’ve said repeatedly, because it’s true, the NSA read my emails, and then leaked their contents. That’s an outrage, as well as illegal.”

It is unclear why Carlson, or his source, would think this outreach could be the basis for NSA surveillance or a motive to have his show canceled.

  • Journalists routinely reach out to world leaders — including the leaders of countries that are not allied with the U.S. — to request interviews. And it’s not unusual to first reach out through unofficial intermediaries rather than through the leaders’ official press offices.
  • Numerous American journalists have interviewed Putin in recent years, and none have faced professional repercussions. Quite the contrary: Chris Wallace earned Fox News its first Emmy nomination for his 2018 Putin interview.

On Wednesday, Carlson told Maria Bartiromo on Fox Business that only his executive producer knew about the communications in question and that he didn’t mention it to anybody else, including his wife.

  • But, of course, the recipients of Carlson’s texts and emails also knew about their content. And we don’t know how widely they shared this information.

Between the lines: The NSA’s public statement didn’t directly deny that any Carlson communications had been swept up by the agency.

  • Axios submitted a request for comment to the NSA on Wednesday, asking whether the agency would also be willing to categorically deny that the NSA intercepted any of Carlson’s communications in the context of monitoring somebody he was talking to in his efforts to set up an interview with Putin.
  • An NSA spokesperson declined to comment and referred Axios back to the agency’s earlier, carefully worded statement. In other words, the NSA is denying the targeting of Carlson but is not denying that his communications were incidentally collected.

What’s next: Experts say there are several plausible scenarios — including legal scenarios — that could apply.

  • The first — and least likely — scenario is that the U.S. government submitted a request to the Foreign Intelligence Surveillance Court to monitor Carlson to protect national security.
  • A more plausible scenario is that one of the people Carlson was talking to as an intermediary to help him get the Putin interview was under surveillance as a foreign agent.
  • In that scenario, Carlson’s emails or text messages could have been incidentally collected as part of monitoring this person, but Carlson’s identity would have been masked in any intelligence reports.
  • In order to know that the texts and emails were Carlson’s, a U.S. government official would likely have to request his identity be unmasked, something that’s only permitted if the unmasking is necessary to understand the intelligence.

In a third scenario, interceptions might not have involved Carlson’s communications. The U.S. government routinely monitors the communications of people in Putin’s orbit, who may have been discussing the details of Carlson’s request for an interview.

  • But under this scenario, too, Carlson’s identity would have been masked in reports as part of his protections as a U.S. citizen, and unmasking would only be permitted if a U.S. government official requested that his identity be unmasked in order to understand the intelligence. And it’s not clear why that would be necessary here.

The intrigue: Two sources familiar with Carlson’s communications said his two Kremlin intermediaries live in the United States, but the sources could not confirm whether both are American citizens or whether both were on U.S. soil at the time they communicated with Carlson.

  • This is relevant because if one of them was a foreign national and on foreign soil during the communications, the U.S. government wouldn’t necessarily have had to seek approval to monitor their communications.


Cartel Del Golfo is Operating Stash Houses in Texas

Primer (January 2020, from the Justice Department): CDG is a violent Mexican criminal organization engaged in the manufacture, distribution, and importation of ton quantities of cocaine and marijuana into the United States. In the late 1990s, the Gulf Cartel recruited an elite group of former Mexican military personnel to join their ranks as security and enforcers who became known as Los Zetas. The Gulf Cartel and Los Zetas operated under the name of “The Company.” Costilla-Sanchez became the leader of The Company for several years following the arrest of Osiel Cardenas in 2003 and before Costilla-Sanchez’s arrest in September 2012. More details here.

***

Mexican Authorities Rescue 47 Kidnap Victims from Cartel ...

So, with that already classified, and with stash houses operating inside the United States, why has it not been declared a domestic terror organization and where are the arrests by Federal agents?

Texas border stash house packed with 108 migrants in searing heat

Nearly 930,000 illegal migrant crossings were reported by CBP through the end of May

A large human smuggling stash house harboring 108 migrants in southeast Texas was uncovered by U.S. Border Patrol agents Monday afternoon.

The migrants were found crammed inside what appeared to be an old car garage, enduring extreme heat and harsh living conditions.

Border Patrol officials told Fox News that smugglers keep migrants in stash houses located near the southern border before dispersing them deeper into the U.S.

The insignia for “Cartel Del Golfo,” which means Gulf Cartel, was spray-painted on one of the interior garage walls – which law enforcement said was the cartel’s method for laying claim to the operation.


Border Patrol said the Gulf Cartel is known to be heavily involved in running human smuggling operations across Texas’ southeast border.

Law enforcement initially said 107 migrants were found at the house before upping the count by one.

Officials identified one migrant caretaker during their apprehension near Alton, Texas Monday, but did not confirm whether he was involved in the running of the smuggling operation.

Five unaccompanied children and two family units with children as young as six years old were uncovered in the stash house, U.S. Customs and Border Protection (CBP) confirmed Tuesday.

The migrants arrived from Mexico, Ecuador, El Salvador, Honduras, and Guatemala.

Stash houses like the garage discovered Monday are not rare sights for Border Patrol agents.

One hour after the stash house in Alton was discovered, CBP reported that a residence near Rio Grande City was found to have been harboring 23 adult migrants.

Fox News could not immediately reach CBP to confirm the number of stash houses found in 2021 but earlier this month local news outlet KGNS reported that over 4,000 migrants had been arrested in more than 200 dismantled stash homes.

CBP has reported nearly 930,000 illegal immigrant encounters at the southern border since January.

More than 180,000 migrants were encountered in May alone.


Biden Gives Putin a List of Entities to not Hack

Yup…16 of them. All the other parts of infrastructure are okay or not as important? Does the same list apply to hackers from China, Iran or North Korea? Do they get a copy too?

Primer:

Remember MH17? Just for context on Russian operatives: it is not just the United States.

Russian hackers compromised the computer systems of the Dutch national police while the latter were conducting a criminal probe into the downing of Malaysia Airlines Flight 17 (MH17), according to a new report. MH17 was a scheduled passenger flight from Amsterdam to Kuala Lumpur, which was shot down over eastern Ukraine on July 17, 2014. All 283 passengers and 15 crew on board, 196 of them Dutch citizens, were killed.

Dutch newspaper De Volkskrant, which revealed this new information last week, said the compromise of the Dutch national police’s computer systems was not detected by Dutch police themselves, but by the Dutch General Intelligence and Security Service (AIVD). The paper said that neither the police nor the AIVD were willing to confirm the breach, but added that it had confirmed the breach took place through multiple anonymous sources.

On July 5, 2017, the Netherlands, Ukraine, Belgium, Australia and Malaysia announced the establishment of the Joint Investigation Team (JIT) into the downing of flight MH-17. The multinational group stipulated that possible suspects of the downing of flight MH17 would be tried in the Netherlands. In September 2017, the AIVD said it possessed information about Russian targets in the Netherlands, which included an IP address of a police academy system. That system turned out to have been compromised, which allowed the attackers to access police systems. According to four anonymous sources, evidence of the attack was detected in several different places.

The police academy is part of the Dutch national police, and non-academy police personnel can access the network using their log-in credentials. Some sources suggest that the Russian Foreign Intelligence Service (SVR) carried out the attack through a Russian hacker group known as APT29, or Cozy Bear. However, a growing number of sources claim the attack was perpetrated by the Main Directorate of the Russian Armed Forces’ General Staff, known commonly as GRU, through a hacker group known as APT28, or Fancy Bear. SVR attackers are often involved in prolonged espionage operations and are careful to stay below the radar, whereas the GRU is believed to be more heavy-handed and faster. The SVR is believed to be partly responsible for the compromise of United States government agencies and companies through the supply chain attack known as the SolarWinds cyber attack, which came to light in late 2020. source

Live blog: Biden, Putin finish Geneva summit, confirms ... source

(notice Victoria Nuland at the table?)

FNC:

President Biden told reporters Wednesday he gave President Vladimir Putin a list of 16 critical infrastructure entities that are “off limits” to a Russian cyberattack.

Those entities include energy, water, health care, emergency, chemical, nuclear, communications, government, defense, food, commercial facilities, IT, transportation, dams, manufacturing and financial services.

“We’ll find out whether we have a cybersecurity arrangement that begins to bring some order,” Biden said. Putin, for his part, denied any involvement in a recent spate of cyberattacks that have hit major industries across the U.S.

“I looked at him. I said, ‘How would you feel if ransomware took on the pipelines from your oil fields?’ He said, ‘It would matter.’ This is not about just our self-interest,” the president said.

Biden refused to say if military action was on the table if Russia was found to be responsible for a ransomware attack.

“In terms of the red line you laid down is military response an option for a ransomware attack?” a reporter asked.

“Thank you very much,” Biden said as he abruptly tried to end the shorter-than-expected conference. “No, we didn’t talk about military response,” he said when pressed again.

Biden in another moment had said he didn’t make any threats but rather “simple assertions.”

Biden stressed the need for both nations “to take action against criminals that conduct ransomware activities on their territory.”

Putin, in his own press conference after the meeting, claimed that American sources say that a “majority” of the cyberattacks in the world come from within the U.S.

The number of organizations affected by ransomware has jumped 102% compared to the beginning of 2020 and “shows no sign of slowing down,” according to a research note last month from IT security firm Check Point.

Both Colonial Pipeline and JBS Holdings, a meat-processing company, have been subject to major cyberattacks, where against the guidance of the FBI they paid millions of dollars in ransom to resume operation. The Colonial Pipeline attack was linked back to a Russian hacking group.


Is the Federal Reserve About to Remake the U.S. Dollar? Going Crypto

Seems so…

Politico: The Federal Reserve is taking what may be the first significant step toward launching its own virtual currency, a move that could shake up banks, give millions of low-income Americans access to the financial system and fortify the dollar’s status as the world’s reserve currency.

The idea of creating a fully digital version of the U.S. dollar, which was unthinkable just a few years ago, has gained bipartisan interest from lawmakers as diverse as Sens. Elizabeth Warren (D-Mass.) and John Kennedy (R-La.) because of its potential benefits for consumers who don’t have bank accounts. But it’s also sparking strong pushback from those with the most to lose: banks.

“The United States should not implement a [central bank digital currency] simply because we can or because others are doing so,” the American Bankers Association said in a statement to lawmakers this week. The benefits “are theoretical, difficult to measure, and may be elusive,” while the negative consequences “could be severe,” the group wrote.

The explosive rise of private cryptocurrencies in recent years motivated the Fed to start considering a digital dollar to be used alongside the traditional paper currency. The biggest driver of concern was a Facebook-led effort, launched in 2019, to build a global payments network using crypto technology. Though that effort is now much narrower, it demonstrated how the private sector could, in theory, create a massive currency system outside government control.

Now, central banks around the world have begun exploring the idea of issuing their own digital currencies — a fiat version of a cryptocurrency that would operate more like physical cash — that would have some of the same technological benefits as other cryptocurrencies.

That could provide unwelcome competition for banks by giving depositors another safe place to put their money. A person or a business could keep their digital dollars in a virtual “wallet” and then transfer them directly to someone else without needing to use a bank account. Even if the wallet were operated by a bank, the firm wouldn’t be able to lend out the cash. But unlike other crypto assets like Bitcoin or Ether, it would be directly backed and controlled by the central bank, allowing the monetary authorities to use it, like any other form of the dollar, in its policies to guide interest rates.

The Federal Reserve Bank of Boston and the Massachusetts Institute of Technology’s Digital Currency Initiative are aiming next month to publish the first stage of their work to determine whether a Fed virtual currency would work on a practical level — an open-source license for the most basic piece of infrastructure around creating and moving digital dollars.

But it will likely be up to Congress to ultimately decide whether the central bank should formally pursue such a project, as Fed Chair Jerome Powell has acknowledged. Lawmakers on both sides of the aisle are intrigued, particularly as they eye China’s efforts to build its own central bank digital currency, as well as the global rise of cryptocurrencies, both of which could diminish the dollar’s influence.

[Image: Sen. Elizabeth Warren, D-Mass., speaks during a Senate Finance Committee hearing on the IRS budget request on Capitol Hill in Washington, Tuesday, June 8, 2021. (Evelyn Hockstein/Pool via AP)]

Democrats have especially been skeptical about crypto assets because there are fewer consumer protections and the currencies can be used for illicit activity. There are also environmental concerns posed by the sheer amount of electricity used to unlock new units of digital currencies like Bitcoin.

Warren suggested the Fed project could resolve some of those concerns.

“Legitimate digital public money could help drive out bogus digital private money, while improving financial inclusion, efficiency, and the safety of our financial system — if that digital public money is well-designed and efficiently executed,” she said at a hearing on Wednesday, which she convened as chair of the Senate Banking Committee’s economic policy subcommittee.

Other senators highlighted the potential for central bank digital wallets to be used to deliver government aid more directly to people who don’t have bank accounts. A digital dollar could also be designed to have more high-tech benefits of some cryptocurrencies, like facilitating “smart contracts” where a transaction is completed once certain conditions are met.

Neha Narula, who’s leading the effort at MIT to work with the Boston Fed on a central bank digital currency, called the project “a once-in-a-century opportunity to redesign the dollar” in a way that supports innovation much like the internet did.

Still, there are a slew of unanswered policy questions around how a digital dollar would be designed, such as how people would get access to the money, or how much information the government would be able to see about individual transactions. The decision is also tied to a far more controversial policy supported by Democrats like Warren and Senate Banking Chair Sherrod Brown to give regular Americans accounts at the Fed.

“What problem is a central bank digital currency trying to solve? In other words, do we need one? It’s not clear to me yet that we do,” Sen. Pat Toomey (R-Pa.) said. “In my view, turning the Fed into a retail bank is a terrible idea.”

And, “the fact that China is creating a digital currency does not mean it’s inevitable that the yuan would displace the U.S. dollar as the world’s reserve currency,” he said.

[Image: Federal Reserve Board Chairman Jerome Powell speaks during a news conference on May 1, 2019 in Washington, DC. Powell said the Fed will not raise interest rates this quarter and no rate hikes are likely anytime soon. (Photo by Mark Wilson/Getty Images)]

For their part, banks fear a Fed-issued digital currency could make it easier for customers to pull out large amounts of deposits and convert them to digital dollars during a crisis — the virtual equivalent of a bank run — putting financial stress on their institutions and making less money available to provide credit for people, businesses and markets.

It could also potentially deprive them of customers, something the lenders say would interfere with lawmakers’ vision of increased financial inclusion.

“While it is true that deposit accounts are often the first step towards inclusion, the benefits of a long-term banking relationship go well beyond a deposit account,” the ABA said in its statement. “The same is not true of a [central bank digital currency] account with the Federal Reserve, which would not grow into a lending or investing relationship.”

The Bank Policy Institute, which represents large banks, has also argued that many of the benefits of a digital dollar are “mutually exclusive (because they are predicated on different program designs) or effectively non-existent (because the program design that produces them comes with costs that are for other reasons unbearable).”

“The decision on whether to adopt a central bank digital currency in the United States is appropriately a long way off,” BPI President and CEO Greg Baer said. “There are also complex and serious costs that will need to be considered.”

But many lawmakers think it’s worth the effort to look into it.

“The Federal Reserve should continue to explore a digital [currency]; nearly every other country is doing that,” Sen. Bill Hagerty (R-Tenn.) said at the hearing, citing the risk for the U.S. to lose its ability to deploy economic sanctions as effectively with decreased usage of the dollar.