Looks Like Law Enforcement Actually Shutdown DarkSide

A big hat tip to the work of law enforcement but which agency remains unknown at this point.

Shutting down the servers of DarkSide is a great achievement but not before there were other victims such as Toshiba.

A Toshiba Corp (6502.T) unit said it was hacked by the DarkSide ransomware group, overshadowing an announcement of a strategic review for the Japanese conglomerate under pressure from activist shareholders to seek out suitors.

Toshiba Tec Corp (6588.T), which makes products such as bar code printers and is valued at $2.3 billion, was hacked by DarkSide – the group widely believed to be behind the recent Colonial Pipeline attack, its French subsidiary said.

From Krebs:

The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.

“Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account,” reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.

“A few hours ago, we lost access to the public part of our infrastructure,” the message continues, explaining the outage affected its victim shaming blog where stolen data is published from victims who refuse to pay a ransom.

“Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information,” the DarkSide admin says. “Also, a few hours after the withdrawal, funds from the payment server (ours and clients’) were withdrawn to an unknown address.”

DarkSide organizers also said they were releasing decryption tools for all of the companies that have been ransomed but which haven’t yet paid.

“After that, you will be free to communicate with them wherever you want in any way you want,” the instructions read.

The DarkSide message includes passages apparently penned by a leader of the REvil ransomware-as-a-service platform. This is interesting because security experts have posited that many of DarkSide’s core members are closely tied to the REvil gang.

The REvil representative said its program was introducing new restrictions on the kinds of organizations that affiliates could hold for ransom, and that henceforth it would be forbidden to attack those in the “social sector” (defined as healthcare and educational institutions) and organizations in the “gov-sector” (state) of any country. Affiliates also will be required to get approval before infecting victims.

The new restrictions came as some Russian cybercrime forums began distancing themselves from ransomware operations altogether. On Thursday, the administrator of the popular Russian forum XSS announced the community would no longer allow discussion threads about ransomware moneymaking programs.

“There’s too much publicity,” the XSS administrator explained. “Ransomware has gathered a critical mass of nonsense, bullshit, hype, and fuss around it. The word ‘ransomware’ has been put on a par with a number of unpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks. This word has become dangerous and toxic.”

In a blog post on the DarkSide closure, cyber intelligence firm Intel 471 said it believes all of these actions can be tied directly to the reaction related to the high-profile ransomware attacks covered by the media this week.

“However, a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways,” Intel 471 wrote. “A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to ‘wash’ the cryptocurrency they earn from ransoms. Intel 471 has observed that BitMix, a popular cryptocurrency mixing service used by Avaddon, DarkSide and REvil has allegedly ceased operations. Several apparent customers of the service reported they were unable to access BitMix in the last week.”

***

“The funds, which the Darkside gang was supposed to split between itself and its affiliates (the threat actors who breach networks and deploy the ransomware), were transferred to an unknown wallet, Darksupp said.” reported TheRecord.

The news was revealed by a member of REvil ransomware gang, known as ‘UNKN,’ in a forum post on the Exploit hacking forum. The post was first spotted by Recorded Future researcher Dmitry Smilyanets, it includes a message allegedly from DarkSide explaining how the gang lost access to their blog, payment servers, and DDoS servers as a result of an action conducted by law enforcement action. source

Darkside

“Since the first version, we have promised to speak honestly and openly about problems. A few hours ago, we lost access to the public part of our infrastructure, namely:

  • Blog.
  • Payment server.
  • DOS servers.”

reads the post from UNKN. “Now these servers are unavailable via SSH, the hosting panels are blocked. Hosting support, apart from information “at the request of law enfocement agencies”, does not provide any other information.”

 

More Exact Colonial Pipeline Hack Details

It is prudent to review several sources for the real evidence and details and most often non-government companies are the ‘go-to’ places for that. Government spins stuff but private cyber experts offer up great context and such is the case below.

FBI Confirms Darkside Behind Colonial Pipeline Ransomware ... source

As a primer, CISA is a government agency launched by the Trump administration for all the right reasons.

Alert (AA20-049A)

Ransomware Impacting Pipeline Operations

But read on.

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Alert that offers a set of best practices to protect against ransomware-induced business disruptions. The Alert was prompted by the attack against Colonial Pipeline, and it includes in its introductory section the preliminary conclusion that DarkSide ransomware affected Colonial’s IT systems only, and had no direct effect on the company’s OT networks. The best practices CISA advocates are familiar. The Alert closes with a statement strongly discouraging any victim from paying the ransom their attackers demand: “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”

FireEye yesterday published a report on DarkSide that emphasizes the group’s ransomware-as-a-service model. It’s a selective operation (criminal applicants for affiliate status are, for example, interviewed before being given access to DarkSide’s control panel) but it’s also not a monolithic one. FireEye’s Mandiant unit currently tracks five “clusters” of DarkSide threat activity. The affiliate model DarkSide uses shares criminal profits: “Affiliates retain a percentage of the ransom fee from each victim. Based on forum advertisements, this percentage starts at 25 percent for ransom fees less than $500,000 USD and decreases to 10 percent for ransom fees greater than $5M USD.”

Colonial Pipeline’s website came back online late yesterday, newly armored with a reCAPTCHA landing page. The company published an update in which it reported progress toward resumption of refined petroleum deliveries, with some 967,000 barrels delivered to Atlanta, Belton and Spartanburg in South Carolina, Charlotte and Greensboro in North Carolina, Baltimore, and Woodbury and Linden (close to the Port of New York and New Jersey). Some lines have been operated under manual control since Monday, at least, and have been moving existing inventory. As the company prepares to restart deliveries, they’ve taken delivery of an additional two million barrels, which they’ll ship once service is restored.

The company appears also to be addressing some concerns about its pipelines’ physical security, having “increased aerial patrols of our pipeline right of way and deployed more than 50 personnel to walk and drive ~ 5,000 miles of pipeline each day.” (hat tip to CyberWire)

Related reading:

Colonial Pipeline using vulnerable, outdated version of Microsoft Exchange: report
Pipeline operators were warned about potential attacks in 2020

“Energy Sector…developed the 2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity…sector’s vision that “by 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber-incident while sustaining critical functions…”

 

A Chinese Freeze Dried Virus Part of Warfare?

“The PLA is engaging in irregular warfare today,” the West Point paper asserts. “China is employing lawfare to achieve strategic aims. The maritime militia is enforcing China’s sovereignty claims in the East and South China Seas against US partners and allies.”

And it has already weaponised international information flows and channels of influence, along with cyber, economic – and psychological – tactics. Source

Primer: Chinese scientists have been preparing for a Third World War fought with biological and genetic weapons including coronavirus for the last six years, according to a document obtained by US investigators.

The bombshell paper, accessed by the US State Department, insists they will be ‘the core weapon for victory’ in such a conflict, even outlining the perfect conditions to release a bioweapon, and documenting the impact it would have on ‘the enemy’s medical system’.

This latest evidence that Beijing considered the military potential of SARS coronaviruses from as early as 2015 has also raised fresh fears over the cause of Covid-19, with some officials still believing the virus could have escaped from a Chinese lab.

***

Before Covid-19, did we actually know who Anthony Fauci was and what he is about? Since 1984, he has been the Director of NIAID. His portfolio says is complete with prevention, diagnosis and treatment(s) of infectious diseases. Remember the Ebola crisis? Did we hear his name back then and did the Obama administration hire Fauci for guidance on the Ebola outbreak? Nah. What about Zika? Remember that one? Still we did not hear from Dr. Fauci. According to his professional profile, Fauci advised and served seven presidents. Really? Did Dr. Fauci even advise presidents on all things pandemic, virus or risks from Wuhan? If so….where is the evidence?

According to the National Institute of Health website going back to 2018, there is a profound ‘Serological Evidence of Bat SARS-Related Coronavirus Infections in Humans, China dissertation complete with references and footnotes.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Notice this is a partial screen shot in case it gets deleted by NIH. But note the dates in the summary. Further in the summary –> We conducted a virus neutralization test for the six positive samples targeting two SARSr-CoVs, WIV1 and WIV16 (Ge et al. ; Yang et al. ). None of them were able to neutralize either virus. These sera also failed to react by Western blot with any of the recombinant RBD proteins from SARS-CoV or the three bat SARSr-CoVs Rp3, WIV1, and SHC014. We also performed viral nucleic acid detection in oral and fecal swabs and blood cells, and none of these were positive.

Further in the study is this notation:

Acknowledgements

This study was jointly funded by the National Natural Science Foundation of China Grant (81290341) to ZLS; the National Institute of Allergy and Infectious Diseases of the National Institutes of Health (Award Number R01AI110964) to PD and ZLS, United States Agency for International Development (USAID) Emerging Pandemic Threats PREDICT project Grant (Cooperative Agreement No. AID-OAA-A-14-00102) to PD; and Singapore NRF-CRP Grant (NRF2012NRF-CRP001–056) and CD-PHRG Grant (CDPHRG/0006/2014) to LFW.

We have some harder questions to ask of Dr. Fauci and a few other U.S. agencies…right? YES.

So, back to the paper originally released by the Australian and the DailyMail:

The authors of the document insist that a third world war ‘will be biological’, unlike the first two wars which were described as chemical and nuclear respectively.

Referencing research which suggested the two atomic bombs dropped on Japan forced them to surrender, and bringing about the end of WWII, they claim bioweapons will be ‘the core weapon for victory’ in a third world war.

The document also outlines the ideal conditions to release a bioweapon and cause maximum damage.

The scientists say such attacks should not be carried out in the middle of a clear day, as intense sunlight can damage the pathogens, while rain or snow can affect the aerosol particles.

Instead, it should be released at night, or at dawn, dusk, or under cloudy weather, with ‘a stable wind direction…so that the aerosol can float into the target area’.

Meanwhile, the research also notes that such an attack would result in a surge of patients requiring hospital treatment, which then ‘could cause the enemy’s medical system to collapse’.

Other concerns include China’s ‘Gain of Function’ research at the Wuhan Institute of Virology – near where the first Covid outbreak was discovered – at which virologists are creating new viruses said to be more transmissible and more lethal.

MP Tom Tugendhat, chairman of the foreign affairs committee, said: ‘This document raises major concerns about the ambitions of some of those who advise the top party leadership. Even under the tightest controls these weapons are dangerous.’

Chemical weapons expert Hamish de Bretton-Gordon said: ‘China has thwarted all attempts to regulate and police its laboratories where such experimentation may have taken place.’

The revelation from the book What Really Happened in Wuhan was reported yesterday.

The document, New Species of Man-Made Viruses as Genetic Bioweapons, says: ‘Following developments in other scientific fields, there have been major advances in the delivery of biological agents.

‘For example, the new-found ability to freeze-dry micro-organisms has made it possible to store biological agents and aerosolise them during attacks.’

It has 18 authors who were working at ‘high-risk’ labs, analysts say.

Australian Strategic Policy ­Institute executive director Peter Jennings also raised concerns over China’s biological research into coronaviruses potentially being weaponised in future.

Additionally in the article :

Only this week, Brazil President Jair Bolsonaro appeared to strongly criticise China by accusing it of creating Covid to spark a chemical ‘warfare.’

The comments were made during a press conference on Wednesday as the hardline leader sought to further distance himself from the growing attacks over his domestic handling of a pandemic that has produced the second-highest death toll in the world.

‘It’s a new virus. Nobody knows whether it was born in a laboratory or because a human ate some animal they shouldn’t have,’ Bolsonaro said.

‘But it is there. The military knows what chemical, bacteriological and radiological warfare. Are we not facing a new war? Which country has grown its GDP the most? I will not tell you.’

Since we can no longer get reliable information from our current government officials, perhaps we should ask Brazil or Australia, right?

Scientists studying bat diseases at China‘s maximum-security laboratory in Wuhan were engaged in a massive project to investigate animal viruses alongside leading military officials – despite their denials of any such links.

Documents obtained by The Mail on Sunday reveal that a nationwide scheme, directed by a leading state body, was launched nine years ago to discover new viruses and detect the ‘dark matter’ of biology involved in spreading diseases.

One leading Chinese scientist, who published the first genetic sequence of the Covid-19 virus in January last year, found 143 new diseases in the first three years of the project alone.

The fact that such a virus-detection project is led by both civilian and military scientists appears to confirm incendiary claims from the United States alleging collaboration between the Wuhan Institute of Virology (WIV) and the country’s 2.1 million-strong armed forces. Continue reading in full here.

What does Canada know?

National Microbiology Lab in Winnipeg gets $5M to expand ...

In part:

In July 2019, a rare event occurred in Canada, whereby a group of Chinese virologists were forcibly dispatched from the Canadian National Microbiology Laboratory (NML) in Winnipeg, a facility they worked in, running parts of the Special Pathogen Programme of Canada’s Public Health Agency.1 Experimental infections – including aerogenic ones – of monkeys with the most lethal viruses found on Planet Earth comprise nearly a routine therein. Four months earlier, a shipment of two exceptionally virulent viruses dealt with in the NML – Ebola and Nipah viruses – was on its way from NML, ended in China, and has thereafter been traced and regarded to be improper, specifically put as “possible policy breaches”, or rather but an “administrative issue”, ostensibly.2

Yet the scope of this incident is much wider, in actuality. The main culprit seems to be Dr. Xiangguo Qiu, an outstanding Chinese scientist, born in Tianjin. Heading until recently the Vaccine Development and Antiviral Therapies section of the Special Pathogens Programme, she primarily received her medical doctor degree from Hebei Medical University in China in 1985 and came to Canada for graduate studies in 1996.3 Later on, she was affiliated with the Institute of Cell Biology and the Department of Pediatrics and Child Health of the University of Manitoba, Winnipeg, not engaged with studying pathogens.4 But a shift took place, somehow. Since 2006,5 she has been studying powerful viruses, Ebola virus foremost, in the NML. The two viruses shipped from the NML to China – Ebola and Nipah – were studied by her in 2014, for instance (together with the viruses Machupo, Junin, Rift Valley Fever, Crimean-Congo Hemorrhagic Fever and Hendra).6 Yet utmost attention has been paid to Ebola, with the highly legitimate aim of developing effective prophylaxis and treatment for infected people. Inevitably, her works included a variety of Ebola wild strains – among them the most virulent one, with 80% lethality rate – and much relied on experimental infections of monkeys, including via the airways.7 Remarkable achievements were attained, indeed, and Dr. Qiu accepted the Governor General’s Innovation Award in 2018. More here.

Even media in India is asking for the same transparency on the Canadian component:

Source: China has been a signatory to the Biological Weapons Convention since 1984, and has repeatedly insisted it is abiding by the treaty that bans developing bio-weapons.

But suspicions have persisted, with the U.S. State Department and other agencies stating publicly as recently as 2009 that they believe China has offensive biological agents.

Though no details have appeared in the open literature, China is “commonly considered to have an active biological warfare program,” says the Federation of American Scientists. An official with the U.S. Army Medical Research Institute of Chemical Defence charged last month China is the world leader in toxin “threats.”

In a 2015 academic paper, Shoham – of Bar-Ilan’s Begin-Sadat Center for Strategic Studies – asserts that more than 40 Chinese facilities are involved in bio-weapon production.

China’s Academy of Military Medical Sciences actually developed an Ebola drug – called JK-05 — but little has been divulged about it or the defence facility’s possession of the virus, prompting speculation its Ebola cells are part of China’s bio-warfare arsenal, Shoham told the National Post.

The Harbinger of the Colonial Pipeline Ransomware

The harbinger is what protections against hacks and ransomware are underway? Stopping oil and gas flow and delivery is how to stop life and economies. Apply some critical thinking here…it goes way beyond cost as supply is crucial. If the FBI was well aware of the DarkSide in 2020….we need to rethink the Bureau completely.

PC Magazine provides this update in part:

The FBI today confirmed that the cyberattack that forced Colonial Pipeline to take its network offline over the weekend is due to ransomware known as DarkSide.

“The FBI confirms that the DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks,” the agency says. “We continue to work with the company and our government partners on the investigation.”

During a Monday White House press briefing, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, said the FBI has been investigating the DarkSide variant since October 2020, and has determined that it’s a ransomware-as-a-service attack, meaning “criminal affiliates conduct attacks and then share the proceeds with ransomware developers,” she said.

Though news reports have tied DarkSide to Russian operatives, President Biden said Monday that “so far, there’s no evidence…from our intelligence people that Russia is involved, although there is evidence that the actors [behind the ransomware are] in Russia, [so] they have some responsibility to deal with this.”

Colonial Pipeline cyberattack shuts down pipeline that ...

The Chicago Tribune along with other media sources post the notion that this should not last long:

The operator of a major U.S. pipeline hit by a cyberattack said Monday it hopes to have service mostly restored by the end of the week.

Colonial Pipeline offered the update after revealing that it had halted operations because of a ransomware attack the FBI has linked to a criminal gang.

The ransomware attack on the pipeline, which the company says delivers roughly 45% of fuel consumed on the U.S. East Coast, raised concerns that supplies of gasoline, jet fuel and diesel could be disrupted in parts of the region if the disruption continues.

At the moment, though, officials said there is no fuel shortage.

The Colonial Pipeline transports gasoline and other fuel through 10 states between Texas and New Jersey, according to the company.

Colonial is in the process of restarting portions of its network. It said Sunday that its main pipeline remained offline, but that some smaller lines were operational. The company has not said when it would completely restart the pipeline.

“The time of the outage is now approaching critical levels and if it continues to remain down we do expect an increase in East Coast gasoline and diesel prices,” said Debnil Chowdhury, IHS Markit Executive Director. The last time there was an outage of this magnitude was in 2016, he said, when gas prices rose 15 to 20 cents per gallon. But the Northeast had significantly more local refining capacity at that time, potentially intensifying any impact.

The FBI and others got the attribution right on this one and did so very quickly.

The group behind the ransomware that took down Colonial Pipeline late last week has apologized for the “social consequences,” claiming that its goal is to make money, not cause societal problems.

According to Vice, the group’s apology was posted to its dark web site. It reads:

We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives.

Our goal is to make money and not creating problems for society.

From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.

According to NYT cybersecurity reporter Nicole Perlroth, DarkSide isn’t necessarily associated with a specific nationstate, but it does tend to avoid holding victims for ransom if their systems are running in certain Russian and Eastern European languages (see embedded tweet below). Bloomberg reports that the group is known to speak Russian.

Source:

Imagine the other worldwide pipeline systems and their respective responses such as all of Europe.

Natural gas pipelines of Europe and surrounding regions ...

 

Facebook Did not Protect 533 Million Users Data

Maybe these spam calls we get on our cell phones are the consequence.

Hackers were reportedly sharing a massive amount of personal Facebook data in January, and now that data appears to have escaped into the wild. According to Business Insider, security researcher Alon Gal has discovered that a user on a hacking forum has made the entire dataset public, exposing details for about 533 million Facebook members. The data includes phone numbers, birth dates, email addresses and locations, among other revealing info.

About 32 million of the users are in the US, while 11 million are from the UK and another 6 million come from India.

 

Gal first spotted the data in January, when Telegram users could pay to search the database. The intruders reportedly took advantage of a flaw that Facebook fixed in August 2019 and reportedly includes information from before that fix. You might not be in trouble if you’re a relative newcomer or have changed key details in the time since the fix, but the breach still leaves many people vulnerable.

We’ve asked Facebook for comment.

As Gal noted, Facebook can only do so much when the data is already in circulation and the related flaw is no longer an issue. The social network could notify affected users, though, and there’s pressure on the company to alert affected users so they can watch for possible spam calls and fraud.

*** Facebook hack affected 7.3 million Australian accounts

From the Facebook News Room:

The Facts on News Reports About Facebook Data

By Mike Clark, Product Management Director

On April 3, Business Insider published a story saying that information from more than 530 million Facebook users had been made publicly available in an unsecured database. We have teams dedicated to addressing these kinds of issues and understand the impact they can have on the people who use our services. It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019.

Scraping is a common tactic that often relies on automated software to lift public information from the internet that can end up being distributed in online forums like this. The methods used to obtain this data set were previously reported in 2019. This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services. As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists. But since there’s still confusion about this data and what we’ve done, we wanted to provide more details here.

What Happened

We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019. This feature was designed to help people easily find their friends to connect with on our services using their contact lists.

When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer. In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users. Through the previous functionality, they were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles. The information did not include financial information, health information or passwords.

Keeping Your Account Safe

Scraping data using features meant to help people violates our terms. We have teams across the company working to detect and stop these behaviors.

We’re focused on protecting people’s data by working to get this data set taken down and will continue to aggressively go after malicious actors who misuse our tools wherever possible. While we can’t always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work.

While we addressed the issue identified in 2019, it’s always good for everyone to make sure that their settings align with what they want to be sharing publicly. In this case, updating the “How People Find and Contact You” control could be helpful. We also recommend people do regular privacy checkups to make sure that their settings are in the right place, including who can see certain information on their profile and enabling two-factor authentication.