Feds Seized 2 Cyber Domains of Hackers/SolarWinds

DOJ:

Domain Names Were in Part Used to Control a Cobalt Strike Software Tool that the Actors Implanted on Victim Networks

WASHINGTON – On May 28, pursuant to court orders issued in the Eastern District of Virginia, the United States seized two command-and-control (C2) and malware distribution domains used in recent spear-phishing activity that mimicked email communications from the U.S. Agency for International Development (USAID). This malicious activity was the subject of a May 27 Microsoft security alert, titled “New sophisticated email-based attack from Nobelium,” and a May 28 FBI and Cybersecurity and Infrastructure Security Agency joint cybersecurity advisory.

The Department’s seizure of the two domains was aimed at disrupting the malicious actors’ follow-on exploitation of victims, as well as identifying compromised victims. However, the actors may have deployed additional backdoor accesses between the time of the initial compromises and last week’s seizures.

“Last week’s action is a continued demonstration of the Department’s commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation,” said Assistant Attorney General John C. Demers for the Justice Department’s National Security Division. “Law enforcement remains an integral part of the U.S. government’s broader disruption efforts against malicious cyber-enabled activities, even prior to arrest, and we will continue to evaluate all possible opportunities to use our unique authorities to act against such threats.”

“Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting U.S. Attorney Raj Parekh for the Eastern District of Virginia. “As demonstrated by the court-authorized seizure of these malicious domains, we are committed to using all available tools to protect the public and our government from these worldwide hacking threats.”

“Friday’s court-authorized domain seizures reflect the FBI Washington Field Office’s continued commitment to cyber victims in our region,” said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office. “These actions demonstrate our ability to quickly respond to malicious cyber activities by leveraging our unique authorities to disrupt our cyber adversaries.”

“The FBI remains committed to disrupting this type of malicious cyber activity targeting our federal agencies and the American public,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats.”

On or about May 25, malicious actors commenced a wide-scale spear-phishing campaign leveraging a compromised USAID account at an identified mass email marketing company. Specifically, the compromised account was used to send spear-phishing emails, purporting to be from USAID email accounts and containing a “special alert,” to thousands of email accounts at over one hundred entities. More here.

More details on the backstory of SolarWinds

“This release includes bug fixes, increased stability and performance improvements.”

The routine software update may be one of the most familiar and least understood parts of our digital lives. A pop-up window announces its arrival and all that is required of us is to plug everything in before bed. The next morning, rather like the shoemaker and the elves, our software is magically transformed.

Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare — bug fixes, performance enhancements — to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers.

The routine update, it turns out, is no longer so routine.

Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.

“Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,” Sudhakar Ramakrishna, SolarWinds president and CEO, told NPR. “If you then take 18,000 and start sifting through it, the actual number of impacted customers is far less. We don’t know the exact numbers. We are still conducting the investigation.”

On Thursday, the Biden administration announced a roster of tough sanctions against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach.

NPR’s months-long examination of that landmark attack — based on interviews with dozens of players from company officials to victims to cyber forensics experts who investigated, and intelligence officials who are in the process of calibrating the Biden administration’s response — reveals a hack unlike any other, launched by a sophisticated adversary who took aim at a soft underbelly of digital life: the routine software update.

By design, the hack appeared to work only under very specific circumstances. Its victims had to download the tainted update and then actually deploy it. That was the first condition. The second was that their compromised networks needed to be connected to the Internet, so the hackers could communicate with their servers.

For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.

Beware of Russian Influence on Vaccine Disinformation

It is an additional definition of the cyber war…

Operatives at the behest of Moscow have never passed up the opportunity to exploit a crisis in the Western world. It has gone on for years, back to the days of the KGB, now known as the SVR.

Opinion | Operation Infektion: A three-part video series ... Yet, does media keep making the same mistakes?

Readers and researchers must validate the sources, all of them and check them often. Big media has fallen victim as well and some make corrections while others don’t bother.

Even CNN has admitted as much:

Washington (CNN) Online platforms directed by Russian intelligence are spreading disinformation about two of the coronavirus vaccines being used in the US, a State Department spokesperson confirmed to CNN on Sunday.

The agency’s Global Engagement Center identified three Russian outlets — News Front, New Eastern Outlook and Oriental Review — that are spreading not only misinformation about the virus, but also regarding “international organizations, military conflicts, protests; and any divisive issue that they can exploit,” according to the spokesperson.
“These sites all vary in their reach, tone, and audience — but they all are spreading Russian propaganda and disinformation. The State Department’s finding of a link between these sites and Russian Intelligence is a result of a joint interagency conclusion,” the spokesperson said.

In part:

French and German YouTubers, bloggers and influencers have been offered money by a supposedly UK-based PR agency with apparent Russian connections to falsely tell their followers the Pfizer/BioNTech vaccine is responsible for hundreds of deaths.

Fazze, an “influencer marketing platform … connecting bloggers and advertisers”, claimed to be based at 5 Percy Street in London but is not registered there. On Tuesday, it temporarily closed its website and made its Instagram account private.

The agency contacted several French health and science YouTubers last week and asked them, in poor English, to “explain … the death rate among the vaccinated with Pfizer is almost 3x higher than the vaccinated by AstraZeneca”.

The influencers were told to publish links on YouTube, Instagram or TikTok to reports in Le Monde, on Reddit and on the Ethical Hacker website about a leaked report containing data that supposedly substantiates the claim.

The article in Le Monde is about data reportedly stolen by Russian hackers from the European Medicines Agency and later published on the Dark Web. It contains no information on mortality rates. The pages on the other two sites have been deleted.

The influencers were asked to tell their subscribers that “the mainstream media ignores this theme”, and to ask: “Why some governments actively purchasing Pfizer vaccine, which is dangerous to the health of the people?”

The brief also included requests to “act like you have the passion and interest in this topic”, and to avoid using the words “advertising” or “sponsored” in posts or videos because “the material should be presented as your own independent view”.

Screen shots of the emails were posted on Twitter by Léo Grasset, a popular French science YouTuber with nearly 1.2m subscribers. Grasset said the campaign had a “colossal budget” but that the agency refused to identify its client.

The French investigative news site Numerama also published extracts from the exchanges, including Fazze’s exhortation to “encourage viewers to draw their own conclusions, take care of themselves and their loved ones”.

Mirko Drotschman, a German YouTuber and podcaster with 1.5 million subscribers, also posted a screenshot of an email asking him to take part in an “information campaign” about “a significant number of deaths” after the Pfizer shot.

“Please send us statistics on the age of your subscribers … and how much it would cost,” the mail concluded. The French investigative website Fact&Furious posted a mail describing Fazze’s budget as “considerable” and the fee as “the rate you wish”.

According to LinkedIn, Fazze’s management come from Moscow and have worked for an agency reportedly founded by a Russian entrepreneur.

French media have pointed to the similarities between Fazze’s message and the official Twitter account of Russia’s Sputnik V – a viral vector vaccine like AstraZeneca – which has repeatedly claimed “real world data” shows they are “safer and more efficient” than mRNA vaccines.

An EU study last month accused Russian and Chinese media of “state-sponsored disinformation” aimed at sowing mistrust in western vaccines by sensationalising safety concerns, making “unfounded links between shots and deaths in Europe”, and promoting Russian and Chinese vaccines as superior.

 

Anyone Notice the Battle for the Arctic?

The Pentagon has a civilian advisory committee where retired flag officers meet and discuss global and domestic conflicts, research them and then present those items to key Pentagon personnel. The question is, do any discussions include the battle for the Arctic?

When General Lloyd Austin, Secretary of Defense, says that climate change and white supremacy are the biggest existential threat to the homeland… others for sure are arguing other real threats, and that includes the Arctic.

Back in March of 2018, testimony was presented to the Senate Armed Services Committee by commanders of the U.S. Pacific Fleet, the U.S. European Command and the Coast Guard Commandant that the Russian footprint in the Arctic has robustly surpassed that of the United States.

In part:

The U.S. lacks abilities
Despite a change in rhetoric, the facts on the ground remain the same: The U.S. is falling further and further behind in the region, operating a single aging polar-class icebreaker.

“The Arctic is the only theater of operations where the U.S. Navy is outclassed by a peer competitor. Russian surface warships have demonstrated the ability to carry out complex combined operations in the High North, while the American Navy maintains a policy that only submarines operate above the Bering Strait. Are submarines enough of a deterrence? Probably. But I don’t think they provide the real presence needed to assert the U.S.’ rights to the opening Arctic,” Holland explains.

Any reaction by the U.S. to catch up in the Arctic comes about 10 years too late, says Huebert. “Yes, as the current ICEX military exercise shows, U.S. submarines have the capability of patrolling the Arctic and surfacing through the ice, but what is lacking are the constabulary capabilities in the form of surface vessels and icebreakers.”

Is the U.S. Waking up?
After more than a decade of lobbying by the U.S. Coast Guard to secure funds to construct a new icebreaker, the agency may finally make progress on this front. Congress’ upcoming appropriations bill is likely to include funding to design and construct a new icebreaker. Still, this falls way short of what would be needed, says Holland. “That is good, but it is late, and there’s no commitment to build the three to five more [icebreakers] that is estimated we’ll need. Nor is there any thought about designing the Navy’s ships of the future so they can operate in the High North.”

Holland hopes that the change in rhetoric marks a newfound seriousness by America’s military leadership about the rapidly growing challenges in the Arctic. This also includes China’s emergence as an Arctic power and its desire to utilize the NSR as its own Polar Silk Road as laid out in its newly-released Arctic strategy.

“These countries have a clear strategic vision for what they want out of the Arctic. As do European Arctic states. It’s time for the U.S. to stand up for its rights and responsibilities as an Arctic nation.” More here.

Why is this even a topic for real?

President Vladimir Putin in recent years has made Russia’s Arctic region a strategic priority and ordered investment in military infrastructure and mineral extraction.

Moscow: Russian Foreign Minister Sergei Lavrov on Monday warned Western countries against staking claims in the Arctic ahead of this week’s Arctic Council meeting in Reykjavik.

The Arctic in recent years has become the site of geopolitical competition between the countries that form the Arctic Council (Russia, the United States, Canada, Norway, Denmark, Sweden, Finland and Iceland) as global warming makes the region more accessible.

A ministerial meeting of the eight-country council will take place on Wednesday and Thursday.

“It has been absolutely clear for everyone for a long time that this is our territory, this is our land,” Lavrov said at a press conference in Moscow.

“We are responsible for ensuring our Arctic coast is safe,” he said.

“Let me emphasise once again — this is our land and our waters,” he added.

“But when NATO tries to justify its advance into the Arctic, this is probably a slightly different situation and here we have questions for our neighbours like Norway who are trying to justify the need for NATO to come into the Arctic.”

The United States in February sent strategic bombers to train in Norway as part of Western efforts to bolster its military presence in the region.

For the first time since the 1980s, the US Navy deployed an aircraft carrier in the Norwegian Sea in 2018.

As ice cover in the Arctic decreases, Russia is hoping to make use of the Northern Sea Route shipping channel to export oil and gas to overseas markets.

Lavrov will meet with his US counterpart Antony Blinken on the sidelines of the Arctic Council ministerial meeting in a test of Moscow’s strained relationship with Washington.

Despite mounting tensions, Russia and the United States during climate negotiations earlier this year noted the Arctic as an area of cooperation.

Three Russian ballistic missile submarines participated in Arctic training drills near the North Pole, and the Russian Ministry of Defense shared footage on Friday of the submarines bursting through the ice.
The drills entailed Russian submarines breaching the ice and Russian troops conducting cold-weather ground maneuvers on the open ice. A pair of MiG-31 Foxhound jet interceptors also flew over the Arctic, with support from an Il-78 aerial refueling tanker. According to Russia’s Navy, about 600 Russian military personnel and civilian personnel were present and about 200 models of Russian weapons and military equipment were involved. Source
An officer speaks on walkie-talkie as the Bastion anti-ship missile systems take positions on the Alexandra Land island near Nagurskoye, Russia, Monday, May 17, 2021. Bristling with missiles and radar, Russia’s northernmost military base projects the country’s power and influence across the Arctic from a remote, desolate island amid an intensifying international competition for the region’s vast resources. Russia’s northernmost military outpost sits on the 80th parallel North, projecting power over wide swathes of Arctic amid an intensifying international rivalry over the polar region’s vast resources. (AP Photo/Alexander Zemlianichenko)

For a scary photo essay of the Russians in the Arctic, click here.

 

So while it appears that nobody is really heeding these warnings, yet another discussion was held in 2019 at the Aspen Security Conference. Here the Pentagon released a new Arctic strategy document challenging and addressing the gains made by China and Russia in the Arctic region.

Moscow is deploying more resources northwards and investing in Arctic-capable forces, while Beijing has declared itself a “near-Arctic” power. The U.S. is moving to meet this challenge and give the region more prominence in its strategic planning.

Schultz said the U.S. “should be concerned about Russia, who is way ahead of us in this game, and the emerging aggressive China, who is pushing into the game.” He noted that while Americans may “think about the Arctic as a very faraway place,” the “Russian world view is very much based on the Arctic.”

A “polar security cutter” is currently under construction for the Coast Guard, effectively a militarized ice breaker. Its order demonstrates the U.S military pivot towards the Arctic and an effort to close the gap with its rivals, particularly Russia. More here.

In part of that released strategy document is the following:

NDS goals and priorities guide DoD’s strategic approach to the Arctic. The Joint Force must be able to deter, and if necessary, defeat great power aggression. DoD must prioritize efforts to address the central problem the NDS identifies, i.e., the Joint Force’s eroding competitive edge against China and Russia, and the NDS imperative to ensure favorable regional balances of power in the Indo-Pacific and Europe. Developing a more lethal, resilient, agile, and ready Joint Force will ensure that our military sustains its competitive advantages, not only for these key regions of strategic competition, but globally as well. Maintaining a credible deterrent for the Arctic region requires DoD to understand and shape the Arctic’s geostrategic landscape for future operations and to respond effectively to contingencies in the Arctic region, both independently and in cooperation with others. DoD’s strategic approach seeks to do so by implementing three ways in support of the desired Arctic end-state (each described in detail in this document):

Building Arctic awareness;

Enhancing Arctic operations; and

Strengthening the rules-based order in the Arctic

Read the full 19 page document here.

 

Looks Like Law Enforcement Actually Shut Down DarkSide

A big hat tip to the work of law enforcement but which agency remains unknown at this point.

Shutting down the servers of DarkSide is a great achievement but not before there were other victims such as Toshiba.

A Toshiba Corp (6502.T) unit said it was hacked by the DarkSide ransomware group, overshadowing an announcement of a strategic review for the Japanese conglomerate under pressure from activist shareholders to seek out suitors.

Toshiba Tec Corp (6588.T), which makes products such as bar code printers and is valued at $2.3 billion, was hacked by DarkSide – the group widely believed to be behind the recent Colonial Pipeline attack, its French subsidiary said.

From Krebs:

The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.

“Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account,” reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.

“A few hours ago, we lost access to the public part of our infrastructure,” the message continues, explaining the outage affected its victim shaming blog where stolen data is published from victims who refuse to pay a ransom.

“Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information,” the DarkSide admin says. “Also, a few hours after the withdrawal, funds from the payment server (ours and clients’) were withdrawn to an unknown address.”

DarkSide organizers also said they were releasing decryption tools for all of the companies that have been ransomed but which haven’t yet paid.

“After that, you will be free to communicate with them wherever you want in any way you want,” the instructions read.

The DarkSide message includes passages apparently penned by a leader of the REvil ransomware-as-a-service platform. This is interesting because security experts have posited that many of DarkSide’s core members are closely tied to the REvil gang.

The REvil representative said its program was introducing new restrictions on the kinds of organizations that affiliates could hold for ransom, and that henceforth it would be forbidden to attack those in the “social sector” (defined as healthcare and educational institutions) and organizations in the “gov-sector” (state) of any country. Affiliates also will be required to get approval before infecting victims.

The new restrictions came as some Russian cybercrime forums began distancing themselves from ransomware operations altogether. On Thursday, the administrator of the popular Russian forum XSS announced the community would no longer allow discussion threads about ransomware moneymaking programs.

“There’s too much publicity,” the XSS administrator explained. “Ransomware has gathered a critical mass of nonsense, bullshit, hype, and fuss around it. The word ‘ransomware’ has been put on a par with a number of unpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks. This word has become dangerous and toxic.”

In a blog post on the DarkSide closure, cyber intelligence firm Intel 471 said it believes all of these actions can be tied directly to the reaction related to the high-profile ransomware attacks covered by the media this week.

“However, a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways,” Intel 471 wrote. “A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to ‘wash’ the cryptocurrency they earn from ransoms. Intel 471 has observed that BitMix, a popular cryptocurrency mixing service used by Avaddon, DarkSide and REvil has allegedly ceased operations. Several apparent customers of the service reported they were unable to access BitMix in the last week.”

***

“The funds, which the Darkside gang was supposed to split between itself and its affiliates (the threat actors who breach networks and deploy the ransomware), were transferred to an unknown wallet, Darksupp said.” reported TheRecord.

The news was revealed by a member of the REvil ransomware gang, known as ‘UNKN,’ in a forum post on the Exploit hacking forum. The post was first spotted by Recorded Future researcher Dmitry Smilyanets; it includes a message allegedly from DarkSide explaining how the gang lost access to their blog, payment servers, and DDoS servers as a result of an action conducted by law enforcement.

“Since the first version, we have promised to speak honestly and openly about problems. A few hours ago, we lost access to the public part of our infrastructure, namely:

  • Blog.
  • Payment server.
  • DOS servers.”

reads the post from UNKN. “Now these servers are unavailable via SSH, the hosting panels are blocked. Hosting support, apart from information ‘at the request of law enforcement agencies’, does not provide any other information.”

 

Biden Leaving Troops in Afghanistan Past the May Deadline

For many many months, the Trump administration was negotiating a peace deal with the Taliban. Frankly, all that the Taliban has agreed to, they have violated. Trump also issued a schedule to lower troop levels in Afghanistan to only a small tight residual number in May of 2021 along with contractors. With the new possible threat(s) of the Taliban and their growing connection to al Qaeda, Biden has decided to leave troop levels in the region at the present level with an increase in Syria and possibly Iraq. All the while, Iran just hosted a Taliban leader for talks where the topic(s) are unknown. Further, Taliban officials have been meeting in Moscow with Russian officials. Those details are found here. 

President Biden also has another immediate issue before him, and that is the release of a U.S. contractor who went missing in Afghanistan about a year ago. Mark Frerichs, a Navy veteran, went missing about a year ago while he was working as a contractor on an engineering project. It is thought he is in the custody of the Haqqani network. The U.S. State Department is offering a $5 million reward for information that leads to Frerichs’ return.

So, it is rather fitting that just this week, documents from a very old FOIA request for former Defense Secretary Donald Rumsfeld’s papers have been released. Frankly, the questions, which were referred to at the Pentagon as ‘snowflakes’, reflect his frustration with the layers of bureaucracy within the Department of Defense and his anger at getting real answers and challenging the quality of intelligence reports. Sound familiar? It is clearly a problem that after 20+ years has not found a quality solution. Just read a few of his snowflakes and judge for yourself.

Thirty-five of the most notable items from the new collection are below, from the National Archives.

A follow-on DNSA publication covering the rest of Rumsfeld’s tenure as secretary will appear through ProQuest later in 2021.

One such snowflake was written on March 3, 2003. At 8:16 AM, Rumsfeld wrote to Senior Military Assistant LTG Bantz J. Craddock and Department of Defense General Counsel William Haynes with the subject “KSM”. He wanted to know, “Do we know where the information to find Khalid Sheikh Mohammed came from? Was it from GTMO detainees?” There is no response from either Craddock or Haynes in the DOD release to the Archive, though Rumsfeld’s question is likely a push back to the false claims made by CIA Director George Tenet that the Agency’s resort to torture of Abu Zubaydah led to the capture of Khalid Sheikh Mohammed.

The Senate Select Committee on Intelligence torture report would later reveal that key intelligence on KSM as the mastermind of the 9/11 attacks came from the FBI’s non-coercive, rapport-building interrogation of Abu Zubaydah.[1] This success was prior to the CIA’s contract psychologists, James Mitchell and Bruce Jessen, taking over the interrogation at the CIA “Detention Site Green” in Thailand, which was created to house Zubaydah in 2002.  Their approach to Zubaydah would include 83 water board sessions yet fail to produce any valuable intelligence.  CIA clandestine services chief Jose Rodriguez (and perhaps Gina Haspel, who would later become DCI, though CIA redactions of documents continue to obscure her role) ordered the destruction of the torture videotapes, commenting that “the heat from destoying [sic] is nothing compared to what it would be if the tapes ever got into public domain.”

Later on March 3, under the subject “Contingencies”, Rumsfeld wrote to Under Secretary of Defense for Policy Doug Feith, stating, “We need to plan what we will do if Saddam Hussein is captured. We need to plan what we will do if we catch an imposter.” There is no record of Feith’s answer in the DOD release to the Archive.

Throughout Rumsfeld’s tenure, his snowflakes circulated daily through the highest levels of the Pentagon. With scant limitations on their subject matter, the all-encompassing documents are sometimes an hourly paper trail inside the Office of the Secretary of Defense during six years of tremendous consequence for U.S. foreign policy. The declassified documents also provide an account that at times contradicts DOD public statements.  For example, The Washington Post published a selection of the memos in the six part series “The Afghanistan Papers” in September 2019 revealing that officials misled the American public about the war in Afghanistan.

The entire corpus of snowflakes also details many aspects of the day-to-day operations of the Pentagon, the modernization of the U.S. armed forces, and Rumsfeld’s personal agenda against bureaucracy. “Bureaucracy is driving people nuts,” he wrote in an April 8, 2002, memo at 7:41AM. “If we can take two or three layers out of this place, we will be a lot better off.” In a separate April 8 letter, the secretary suggested cutting all major Pentagon programs by at least 20 percent. (The DOD budget increased by 37.54 percent between FY2001 and FY2006.) On March 11, 2002, Rumsfeld wrote to colleagues, “I am getting tired of seeing the word ‘joint’ everywhere.”

Other topics in the collection include:

  • the military budgeting process and efforts to rein in defense spending;
  • military planning, procurement, and expenditures;
  • nuclear issues – weapons, proliferation, safety;
  • decision making on military wages, benefits, tours of duty, and veterans issues;
  • military intelligence;
  • Defense Department relations with the CIA and Homeland Security;
  • Rumsfeld’s relations with the State Department and National Security Council;
  • U.S. relations with NATO;
  • U.S. military relations with Russia, former Soviet republics, and other countries;
  • Rumsfeld’s interactions with the news media, Congress, and the public;
  • Guantanamo detainees, interrogation, and torture;
  • concerns about the International Criminal Court and U.S. liability for war crimes;
  • the hunt for Osama bin Laden and other terrorists;
  • the Joint Strike Fighter program; and
  • the emergency landing of a U.S. EP-3 at Hainan Island in 2001

Donald Rumsfeld’s Snowflakes, Part 1: The Pentagon and U.S. Foreign Policy, 2001-2003 will be a critical research tool for historians and will be available through many college and research libraries. Part II, which covers the last three years of Rumsfeld’s tenure as secretary of defense from 2004 to 2006, will be published in 2021. Learn more about accessing the Digital National Security Archive through your library online and how to request a free trial here.

 

March 11, 2002
April 8, 2002
September 12, 2003
October 23, 2003

A few more:

October 10, 2001
Rumsfeld requests a daily report on the location of Osama bin Laden.

November 8, 2001
Rumsfeld inquires: “Why doesn’t Pakistan sever its relationship with [sic] Taliban?”

November 29, 2001
Rumsfeld accuses career employees in the OSD of undermining his decisions and working too slowly.

January 5, 2002
Rumsfeld complains to George Tenet about the CIA.

February 15, 2002
Rumsfeld directs his staff to develop a white paper on detainees and the Geneva Conventions.

March 11, 2002
Rumsfeld suggests further classification review of the already pre-reviewed Annual Report to the President and the Congress.

March 11, 2002
Rumsfeld says the DOD annual report is not conclusive or upbeat enough.

March 12, 2002
Rumsfeld recounts his conversation with Russian MoD Sergei Ivanov at a Washington Wizards basketball game.

March 14, 2002
Rumsfeld asks how to fix the requirements process.

March 16, 2002
Rumsfeld inquires into U.S. nuclear policy.

March 26, 2002
Under the subject “Business As Usual”, Rumsfeld questions whether the Department should cut educational programs while at war.

March 28, 2002
Rumsfeld pushes to lift restrictions on contractors providing force protection.

March 28, 2002
Rumsfeld proposes a weekly meeting on Afghanistan, stating that it is “drifting”.

April 3, 2002
Rumsfeld’s thoughts on the Middle East.

April 8, 2002
Rumsfeld instructs his staff to create a list of all the major “processes” at the Pentagon and shorten them by at least 20 percent.

April 9, 2002
Rumsfeld expresses concern about a “zero defect mentality” in the promotion process.

April 12, 2002
Rumsfeld ruminates on the creation of a new Homeland Security Department.

April 15, 2002
Rumsfeld details a conversation with Henry Kissinger about the ICC.

April 15, 2002
Rumsfeld contacts Tenet about the ICC.

April 23, 2002
Rumsfeld considers possibly renegotiating a Russia-NATO arrangement.

April 23, 2002
Rumsfeld proposes using contractors to train the Afghan army.

April 23, 2002
Rumsfeld asks if a DOD chart of the PPB system is a joke, or whether it should be.

May 5, 2002
Rumsfeld tells Hank Crumpton to “speak up”.

May 22, 2002
Rumsfeld circulates a letter comparing interrogation techniques in Afghanistan to Guantanamo.

August 8, 2002
Rumsfeld questions whether it is right for pilots to use amphetamines.

August 17, 2002
Rumsfeld ruminates on the U.S. and Western Europe “stopping proliferation, reducing weapons of mass destruction and contributing to peace and stability” around the world.

August 19, 2002
Rumsfeld addresses the President, Vice President, CIA Director, and National Security Advisor on U.S. policy towards Iran and North Korea.

October 1, 2002
Rumsfeld sends handwritten notes from an interview with a detainee to Feith.

March 3, 2003
Rumsfeld requests a contingency plan for the possibility of capturing an imposter of Saddam Hussein.

March 3, 2003
Rumsfeld contacts Tenet about the intelligence that led to capturing KSM.

March 26, 2003
Rumsfeld requests material to brief the President privately on a post-Saddam Iraq.