SolarWinds Strikes Again and Again

Posted on June 1, 2021June 1, 2021 by Denise Simon

Primer: The House Oversight and Government Reform Committee, chaired by Carolyn Maloney (D-NY) only held one meeting on SolarWinds and none related to the DarkSide both of which have caused major interruptions in the supply chain and national security. It was last February that the committee hosted a session via WebEx with a few witnesses of which nothing was determined or solved.

The cyberattackers responsible for the SolarWinds hack targeted U.S. organizations again last week, Microsoft said.

The Russian hackers that U.S. intelligence says are behind the SolarWinds breach that previously compromised government networks went last week after government agencies, think tanks, consultants, and non-governmental organizations, said Microsoft Corporate Vice President Tom Burt.

“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations,” Mr. Burt wrote on Microsoft’s blog. “While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries. At least a quarter of the targeted organizations were involved in international development, humanitarian and human rights work.” More here.

***

Solarwinds Management Tools - Full Control Networks source details

New details are emerging from a cyberattack that hit about 3,000 email accounts and 150 government agencies and think tanks spanning 24 countries, including the U.S., this week.

Microsoft on Thursday evening announced that Nobelium, a Russian group of threat actors that targetted software company SolarWinds in 2020 as part of a months-long hacking campaign, recently attacked more U.S. and foreign government agencies using an email marketing account of the U.S. Agency for International Development (USAID).

USAID is aware of the attack, and a “forensic investigation into this security incident is ongoing,” USAID acting spokesperson Pooja Jhunjhunwala said in a statement to FOX Business. “USAID has notified and is working with all appropriate Federal authorities, including the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA),” Jhunjhunwala said.

***

Source: The revelation caused a stir, highlighting as it did Russia’s ongoing and inveterate digital espionage campaigns. But it should be no shock at all that Russia, in general, and the SolarWinds hackers in particular, have continued to spy even after the US imposed retaliatory sanctions in April. And relative to SolarWinds, a phishing campaign seems downright ordinary.

“I don’t think it’s an escalation; I think it’s business as usual,” says John Hultquist, vice president of intelligence analysis at the security firm FireEye, which first discovered the SolarWinds intrusions. “I don’t think they’re deterred, and I don’t think they’re likely to be deterred.”

Russia’s latest campaign is certainly worth calling out. Nobelium compromised legitimate accounts from the bulk email service Constant Contact, including that of the United States Agency for International Development. From there the hackers, reportedly members of Russia’s SVR foreign intelligence agency, could send out specially crafted spearphishing emails that genuinely came from the email accounts of the organization they were impersonating. The emails included legitimate links that then redirected to malicious Nobelium infrastructure and installed malware to take control of target devices.

While the number of targets seems large, and USAID works with plenty of people in sensitive positions, the actual impact may not be quite as severe as it first sounds. While Microsoft acknowledges that some messages may have gotten through, the company says that automated spam systems blocked many of the phishing messages. Microsoft’s corporate vice president for customer security and trust, Tom Burt, wrote in a blog post on Thursday that the company views the activity as “sophisticated” and that Nobelium evolved and refined its strategy for the campaign for months leading up to this week’s targeting.

“It is likely that these observations represent changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents,” Burt wrote. In other words, this could be a pivot after their SolarWinds cover was blown.

But the tactics in this latest phishing campaign also reflect Nobelium’s general practice of establishing access on one system or account and then using it to gain access to others and leapfrog to numerous targets. It’s a spy agency; this is what it does as a matter of course.

“If this happened pre-SolarWinds we wouldn’t have thought anything about it. It’s only the context of SolarWinds that makes us see it differently,” says Jason Healey, a former Bush White House staffer and current cyberconflict researcher at Columbia University. “Let’s say this incident happens in 2019 or 2020, I don’t think anyone is going to blink an eye at this.”

As Microsoft points out, there’s also nothing unexpected about Russian spies, and Nobelium in particular, targeting government agencies, USAID in particular, NGOs, think tanks, research groups, or military and IT service contractors.

“NGOs and DC think tanks have been high-value soft targets for decades,” says one former Department of Homeland Security cybersecurity consultant. “And it’s an open secret in the incident response world that USAID and the State Department are a mess of unaccountable, subcontracted IT networks and infrastructure. In the past, some of those systems were compromised for years.“

Especially compared to the scope and sophistication of the SolarWinds breach, a widespread phishing campaign feels almost like a downshift. It’s also important to remember that the impacts of SolarWinds remain ongoing; even after months of publicity about the incident, it’s likely that Nobelium still haunts at least some of the systems it compromised during that effort.

“I’m sure that they’ve still got accesses in some places from the SolarWinds campaign,” FireEye’s Hultquist says. “The main thrust of the activity has been diminished, but they’re very likely lingering on in several places.”

Which is just the reality of digital espionage. It doesn’t stop and start based on public shaming. Nobelium’s activity is certainly unwelcome, but it doesn’t in itself portend some great escalation.

Biden’s Connection to no-bid Contract for Endeavor

Posted on June 1, 2021June 1, 2021 by Denise Simon

Hat tip: On January 20th, 2021, the very day President Joe Biden took the oath of office, Endeavors put out a news release announcing the hiring of Andrew Lorenzen-Strait, a former Immigrations and Customs Enforcement (ICE) official who also served as a Biden transition advisor on Homeland Security issues.

Andrew Lorenzen-Strait landed his job at Endeavors (formerly Family Endeavors) in January straight off the Biden transition team following a stint with one regional Lutheran refugee contractor, and a little over six months at LIRS, the national organization.

He had spent years in the federal government, at ICE in fact, before hitting on this likely lucrative gig.

FranchiseBlast works with nonprofit Endeavors to enhance ...

EXCLUSIVE: The Department of Homeland Security’s Inspector General’s office is evaluating a multi-million dollar contract awarded to a Texas company that employs a former Biden transition official, multiple sources with the probe confirm to Fox News.

A DHS IG official tells Fox News the contract, with the San Antonio-based nonprofit Endeavors, is the subject of an ongoing evaluation to look at how “ICE plans to house migrant families in hotels, and how ICE selected a contractor to implement these plans.” The Formal title of the probe is, “ICE’s Contract to House Migrants in Hotels.”

Tens of thousands of migrants are crossing the southern border every month, with nearly 180,000 encountered by Customs and Border Patrol along the Southwestern Border in April 2021.

Thousands of those migrants are now being housed in hotels, thanks to Endeavors. The company recently landed a couple of massive government contracts worth upwards of a half-billion dollars.

On January 20th, 2021, the very day President Joe Biden took the oath of office, Endeavors put out a news release announcing the hiring of Andrew Lorenzen-Strait, a former Immigrations and Customs Enforcement (ICE) official who also served as a Biden transition advisor on Homeland Security issues.

STEPHEN MILLER CALLS OUT BIDEN FOR $87M MIGRANT HOTEL CONTRACT: THIS ‘LOOKS CORRUPT’

Less than two months after Lorenzen-Strait’s arrival, federal records show endeavors entered into a no-bid contract with the Department of Health and Human Services for up to $579 million and another no-bid with Homeland Security for $87 million.

“This is a no-bid contract, and those should be used in only the most extraordinary circumstances,” said Tom Jones of the American Accountability Foundation, a conservative-leaning watchdog organization. “It’s typical and it’s terrible. Both sides do it. It’s why we have a massive budget deficit and a debt going through the roof…There’s scumminess and swampiness on both sides of this but we need to root that out.”

Endeavors declined to answer questions about the contracts but in a statement to Fox News called Lorenzen-Strait “a valued leader on the Endeavors team. He is a recognized expert in migrant child and family welfare who consulted with a variety of for-profit and nonprofit organizations after he left his career in federal government in May 2019”

Immigration and Customs Enforcement declined to answer our specific questions about the scope of its contract with Endeavors but wrote: “The border is not open, and individuals continue to be expelled under the Centers for Disease Control and Prevention’s (CDC) public health authority. The families that come into ICE custody will be housed in a manner consistent with legal requirements for the safety and well-being of children and their parents or guardians.”

The Republicans on the House Oversight Committee sent a letter to Health and Human Services Secretary Xavier Becerra over concerns about the no-bid nature of the contract, for Endeavors, which is sometimes referred to as Family Endeavors.

Zuckerberg Infected Voting Integrity

Posted on June 1, 2021June 1, 2021 by Denise Simon

Founderscode wrote about this December of 2020 in detail.

RCP, in part: In the months leading up to November’s election, voting officials in major cities and counties worked with a progressive group funded by Facebook founder Mark Zuckerberg and its allies to create ballots, strategically target voters and develop “cure” letters in situations where mail-in ballots were in danger of being tossed out.

The Center for Tech and Civic Life, or CTCL, provided millions of dollars in private funding for the elections that came from a $350 million donation from Zuckerberg and his wife, Priscilla Chan. The CTCL gave “COVID-19 response” grants of varying amounts to 2,500 municipalities in 49 states.

Facebook's Mark Zuckerberg pledges $300M to support 'safe ...

In exchange for the money, elections divisions agreed to conduct their elections according to conditions set out by the CTCL, which is led by former members of the New Organizing Institute, a training center for progressive groups and Democratic campaigns.

A CTCL partner, the Center for Civic Design, helped design absentee ballot forms and instructions, crafted voter registration letters for felons and tested automatic voter registration systems in several states, working alongside progressive activist groups in Michigan and directly with elections offices in Georgia and Utah.

Still other groups with a progressive leaning, including the Main Street Alliance, The Elections Group and the National Vote at Home Institute, provided support for some elections offices.

“COVID-19 response” grants of varying amounts to 2,500 municipalities in 49 states.

Center for Tech and Civic Life

Facebook, with the CTCL, was also part of the effort, providing a guide and webinar for election officials on how to engage voters. Included were directions to report “voter interference” to Facebook authorities. The company also provided designated employees in six regions of the U.S. to handle questions. Together, the groups strategically targeted voters and waged a voter assistance campaign aimed at low-income and minority residents who typically shun election participation, helping Democratic candidates win key spots all over the U.S.

The little-explored roles of CTCL and other such groups emerged in emails and other records obtained by RealClearInvestigations and public documents secured by conservative litigants and groups, including the Foundation for Government Accountability, which has filed more than 800 public records requests with elections offices accepting the grants.

Previously, the Zuckerberg-funded effort has been described in generally positive terms, notably when NPR reported in December on “How Private Money From Facebook’s CEO Saved The 2020 Election” — in the face of the coronavirus pandemic, President Trump’s doubts about the legitimacy of the process and “Congress’ neglect.”

In 2018, RCI reported that a New York University School of Law program funded by billionaire Michael Bloomberg had placed environmentally minded lawyers in the offices of Democratic state attorneys general to challenge Trump administration policies. And examples of private efforts to steer cash-strapped public education are numerous, from the Koch charities on the right to more recent race-conscious programs on the left emphasizing the legacy and centrality of white racism in society.

Zuckerberg did not respond to an emailed request from RCI for comment. In a post-election interview, he praised Facebook’s security work during the election and singled out its policing of “misinformation.” He noted working with polling officials to watch for information that might lead to “voter suppression” and said Facebook had strengthened its enforcement “against militias and conspiracy networks like Q-Anon.”

Facebook has banned Trump from its platform and has delisted individuals – many of them conservatives — for espousing views about the election that it insists are “misinformation.”

***

All of this and more is the reason Florida Governor, Ron DeSantis and other governors are reworking voter integrity law. Texas is the most recent to address the issue and may call a special legislative session to establish new voting laws.

Biden’s Covid Relief: Waste, Fraud and Abuse Globally

Posted on May 24, 2021May 24, 2021 by Denise Simon

Hair on FIRE!

FNC/Chaffetz: President Biden’s COVID relief is quickly devolving into shocking stories of waste, fraud and abuse, along with a dose of misdirection and political spin.

Biden bellowed on COVID relief, “This historic legislation is about rebuilding the backbone of this country and giving people in this nation, working people, middle-class folks, people who built the country, a fighting chance.” That was the promise, but that is not the reality.

What Biden didn’t tell Americans is their money is actually being sent overseas for projects bearing little relation to the public health crisis. Scuba gear in Uruguay, gas turbine engines in Canada, HIV research in Ukraine, and management consulting services in Fiji are all part of what Democrats consider urgent emergency relief. Even “Disinformation and fake news, TV, radio and multimedia project for PD” in South America via the Department of State.

These are just some of the grants listed at pandemicoversight.gov, where the government’s independent inspectors general have created an important resource for Americans to monitor government aid.

In just a few minutes, I was able to learn that Democrats have budgeted to build two gazebos at Guantanamo Bay, Cuba. The budget for the 20-foot by 30-foot and 16-foot by 20-foot structures, ordered from The Cedar Store, is $600,000 for two gazebos.

Roughly $5 million went to Russia for “civil society” grants. $24 million went to Syria to encourage them to wash their hands.

In Gabon, the U.S. Department of Defense received more than $180,000 for ejection seat repairs on a T-38C airplane.

The Pandemic Response Accountability Committee (PRAC), chaired by DOJ Inspector General Michael Horowitz, created the website to reveal “who received pandemic funding, how much they received, and how they’re spending the money.” The PRAC urges Americans to use the site to report fraud, waste, abuse and mismanagement of the funding going forward.

Sifting through the data, I repeatedly find expenses that should be part of our regular budget disguised as COVID relief.

There was $363 million for the planning of the building of the USS Boise (evidently they appear to have received $11 million more than the modified existing contract). Paying the full bill for an attack submarine for the Department of Defense is hardly what the Democrats promised was COVID relief.

source

Though government waste is a sad fact of life – and a reason many of us prefer to keep the role of government limited – the unprecedented volume of COVID relief aid makes it a prime target for fraud.

Already we’ve seen multiple cases of fraud prosecuted with regard to CARES Act funding. A man in Massachusetts recently pled guilty to filing four fraudulent Paycheck Protection Program (PPP) applications worth hundreds of thousands of dollars. A Florida couple has been charged in federal court in a scheme to collect $4 million from the Economic Impact Disaster Loan program. These are likely the tip of the iceberg.

In March the Department of Justice reported it had charged nearly 500 people in criminal schemes to collect pandemic aid money. And that’s the low-hanging fruit. Those are the people here in the United States who are applying for funds. What happens when that money is being scattered abroad in countries over which American law enforcement has no jurisdiction?

Fiji is seeing daily cases in the single digits, yet they’re getting $61 million in emergency relief funding. What is that really for? Particularly when you consider that India, which has seen a massive spike since April, originally got just $17 million in emergency aid.

It’s as if the pandemic is nothing more than a pretext to spend money Democrats can’t justify through the regular (such as it is) budget process. Who knows what else we’ll find relief funds buying in the coming years.

Transparency is going to be more important than ever. Horowitz and his fellow inspectors general have a huge job to do if they want to trace how budgeted money ultimately got spent. The job is made even bigger by the fact that so many media outlets, who would normally be counted on to report waste, fraud and abuse, have become cheerleaders for the party in power.

It is incumbent upon American citizens and responsible media to watch closely where these emergency dollars end up and to hold accountable those who perpetuate waste, fraud and abuse because what we are being told is not what is actually happening.

Jason Chaffetz is a Fox News contributor who was the chairman of the U.S. House Oversight Committee when he served as a Republican representative from Utah. He is the author of the upcoming book “They Never Let a Crisis Go to Waste: The Truth About Disaster Liberalism.”

Get the recap of top opinion commentary and original content throughout the week.

Arrives Daily

Subscribe

The Finer Details of the DarkSide, Hackers of the Colonial Pipeline

Posted on May 24, 2021May 24, 2021 by Denise Simon

Primer: Five months before DarkSide attacked the Colonial pipeline, two researchers discovered a way to rescue its ransomware victims. Then an antivirus company’s announcement alerted the hackers.

Colonial Pipeline hack is latest example of cybersecurity ...

Related reading

On January 11, antivirus company Bitdefender said it was “happy to announce” a startling breakthrough. It had found a flaw in the ransomware that a gang known as DarkSide was using to freeze computer networks of dozens of businesses in the US and Europe. Companies facing demands from DarkSide could download a free tool from Bitdefender and avoid paying millions of dollars in ransom to the hackers.

But Bitdefender wasn’t the first to identify this flaw. Two other researchers, Fabian Wosar and Michael Gillespie, had noticed it the month before and had begun discreetly looking for victims to help. By publicizing its tool, Bitdefender alerted DarkSide to the lapse, which involved reusing the same digital keys to lock and unlock multiple victims. The next day, DarkSide declared that it had repaired the problem, and that “new companies have nothing to hope for.”

“Special thanks to BitDefender for helping fix our issues,” DarkSide said. “This will make us even better.”

DarkSide soon proved it wasn’t bluffing, unleashing a string of attacks. This month, it paralyzed the Colonial Pipeline Co., prompting a shutdown of the 5,500-mile pipeline that carries 45% of the fuel used on the East Coast—quickly followed by a rise in gasoline prices, panic buying of gas across the Southeast, and closures of thousands of gas stations. Absent Bitdefender’s announcement, it’s possible that the crisis might have been contained, and that Colonial might have quietly restored its system with Wosar and Gillespie’s decryption tool.

Instead, Colonial paid DarkSide $4.4 million in Bitcoin for a key to unlock its files. “I will admit that I wasn’t comfortable seeing money go out the door to people like this,” CEO Joseph Blount told the Wall Street Journal.

The missed opportunity was part of a broader pattern of botched or half-hearted responses to the growing menace of ransomware, which during the pandemic has disabled businesses, schools, hospitals, and government agencies across the country. The incident also shows how antivirus companies eager to make a name for themselves sometimes violate one of the cardinal rules of the cat-and-mouse game of cyberwarfare: Don’t let your opponents know what you’ve figured out. During World War II, when the British secret service learned from decrypted communications that the Gestapo was planning to abduct and murder a valuable double agent, Johnny Jebsen, his handler wasn’t allowed to warn him for fear of cluing in the enemy that its cipher had been cracked. Today, ransomware hunters like Wosar and Gillespie try to prolong the attackers’ ignorance, even at the cost of contacting fewer victims. Sooner or later, as payments drop off, the cybercriminals realize that something has gone wrong.

Whether to tout a decryption tool is a “calculated decision,” said Rob McLeod, senior director of the threat response unit for cybersecurity firm eSentire. From the marketing perspective, “You are singing that song from the rooftops about how you have come up with a security solution that will decrypt a victim’s data. And then the security researcher angle says, ‘Don’t disclose any information here. Keep the ransomware bugs that we’ve found that allow us to decode the data secret, so as not to notify the threat actors.’”

In a post on the dark web, DarkSide thanked Bitdefender for identifying a flaw in the gang’s ransomware. (Highlight added by ProPublica.)

Wosar said that publicly releasing tools, as Bitdefender did, has become riskier as ransoms have soared and the gangs have grown wealthier and more technically adept. In the early days of ransomware, when hackers froze home computers for a few hundred dollars, they often couldn’t determine how their code was broken unless the flaw was specifically pointed out to them.

Today, the creators of ransomware “have access to reverse engineers and penetration testers who are very very capable,” he said. “That’s how they gain entrance to these oftentimes highly secured networks in the first place. They download the decryptor, they disassemble it, they reverse-engineer it, and they figure out exactly why we were able to decrypt their files. And 24 hours later, the whole thing is fixed. Bitdefender should have known better.”

It wasn’t the first time Bitdefender trumpeted a solution that Wosar or Gillespie had beaten it to. Gillespie had broken the code of a ransomware strain called GoGoogle, and was helping victims without any fanfare, when Bitdefender released a decryption tool in May 2020. Other companies have also announced breakthroughs publicly, Wosar and Gillespie said.

“People are desperate for a news mention, and big security companies don’t care about victims,” Wosar said.

Bogdan Botezatu, director of threat research at Bucharest, Romania–based Bitdefender, said the company wasn’t aware of the earlier success in unlocking files infected by DarkSide.

Regardless, he said, Bitdefender decided to publish its tool “because most victims who fall for ransomware do not have the right connection with ransomware support groups and won’t know where to ask for help unless they can learn about the existence of tools from media reports or with a simple search.”

Bitdefender has provided free technical support to more than a dozen DarkSide victims, and “we believe many others have successfully used the tool without our intervention,” Botezatu said. Over the years, Bitdefender has helped individuals and businesses avoid paying more than $100 million in ransom, he said.

Bitdefender recognized that DarkSide might correct the flaw, Botezatu said: “We are well aware that attackers are agile and adapt to our decryptors.” But DarkSide might have “spotted the issue” anyway. “We don’t believe in ransomware decryptors made silently available. Attackers will learn about their existence by impersonating home users or companies in need, while the vast majority of victims will have no idea that they can get their data back for free.”

The attack on Colonial Pipeline, and the ensuing chaos at the gas pumps throughout the Southeast, appears to have spurred the federal government to be more vigilant. President Joe Biden issued an executive order to improve cybersecurity and create a blueprint for a federal response to cyberattacks. DarkSide said it was shutting down under US pressure, although ransomware crews have often disbanded to avoid scrutiny and then re-formed under new names, or their members have launched or joined other groups.

“As sophisticated as they are, these guys will pop up again, and they’ll be that much smarter,” said Aaron Tantleff, a Chicago cybersecurity attorney who has consulted with 10 companies attacked by DarkSide. “They’ll come back with a vengeance.”

At least until now, private researchers and companies have often been more effective than the government in fighting ransomware. Last October, Microsoft disrupted the infrastructure of Trickbot, a network of more than 1 million infected computers that disseminated the notorious Ryuk strain of ransomware, by disabling its servers and communications. That month, ProtonMail, the Swiss-based email service, shut down 20,000 Ryuk-related accounts.

Wosar and Gillespie, who belong to a worldwide volunteer group called the Ransomware Hunting Team, have cracked more than 300 major ransomware strains and variants, saving an estimated 4 million victims from paying billions of dollars.

By contrast, the FBI rarely decrypts ransomware or arrests the attackers, who are typically based in countries like Russia or Iran that lack extradition agreements with the US. DarkSide, for instance, is believed to operate out of Russia. Far more victims seek help from the Hunting Team, through websites maintained by its members, than from the FBI.

The US Secret Service also investigates ransomware, which falls under its purview of combating financial crimes. But, especially in election years, it sometimes rotates agents off cyber assignments to carry out its better-known mission of protecting presidents, vice presidents, major-party candidates, and their families. European law enforcement, especially the Dutch National Police, has been more successful than the US in arresting attackers and seizing servers.

Similarly, the US government has made only modest headway in pushing private industry, including pipeline companies, to strengthen cybersecurity defenses. Cybersecurity oversight is divided among an alphabet soup of agencies, hampering coordination. The Department of Homeland Security conducts “vulnerability assessments” for critical infrastructure, which includes pipelines.

It reviewed Colonial Pipeline in around 2013 as part of a study of places where a cyberattack might cause a catastrophe. The pipeline was deemed resilient, meaning that it could recover quickly, according to a former DHS official. The department did not respond to questions about any subsequent reviews.

Five years later, DHS created a pipeline cybersecurity initiative to identify weaknesses in pipeline computer systems and recommend strategies to address them. Participation is voluntary, and a person familiar with the initiative said that it is more useful for smaller companies with limited in-house IT expertise than for big ones like Colonial. The National Risk Management Center, which oversees the initiative, also grapples with other thorny issues such as election security.

Ransomware has skyrocketed since 2012, when the advent of Bitcoin made it hard to track or block payments. The criminals’ tactics have evolved from indiscriminate “spray and pray” campaigns seeking a few hundred dollars apiece to targeting specific businesses, government agencies and nonprofit groups with multimillion-dollar demands.

Attacks on energy businesses in particular have increased during the pandemic—not just in the US but in Canada, Latin America, and Europe. As the companies allowed employees to work from home, they relaxed some security controls, McLeod said.

Continue reading here.