REvil, the Ransomware Hackers' System Identified

Ahead of the three-day Fourth of July weekend, the REvil gang is suspected to be behind a new ransomware attack Friday that affected at least 200 companies in the U.S.

REvil, based in Russia, was likely behind the JBS Meat Packing attack in May, according to the FBI. The Flashpoint Intelligence Platform has suggested that former REvil members were involved in the recent Colonial Pipeline attack earlier this year as well, allegedly done by the DarkSide ransomware group. More here from Newsweek.

Per the FBI’s most recent statement:

Updated July 4, 2021: 

If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to shut down your VSA servers immediately, and report your compromise to the FBI at ic3.gov. Please include as much information as possible to assist the FBI and CISA in determining prioritization for victim outreach. Due to the potential scale of this incident, the FBI and CISA may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat.


Original statement:

The FBI is investigating this situation and working with Kaseya, in coordination with CISA, to conduct outreach to possibly impacted victims. We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately. As always, we stand ready to assist any impacted entities.

Additionally:

Kaseya had expected that it would be able to patch and restore its VSA software-as-a-service product by today, but technical problems its developers encountered have blocked the rollout. As of 8:00 AM EDT today, the company was still working to resolve the issues it encountered.

Reuters quotes US President Biden as offering, yesterday, a relatively upbeat preliminary assessment of the consequences of the ransomware campaign: “It appears to have caused minimal damage to U.S. businesses, but we’re still gathering information,” Mr. Biden said, adding “I feel good about our ability to be able to respond.”

That said, the US Government is continuing its investigation and is signalling an intention to do something about REvil and other gangs or privateers. Among other things, the US Administration said that it has communicated very clearly to Russian authorities that the US wants the REvil operators brought to book. CBS News reported yesterday that White House press secretary Psaki said that the US had been in touch with Russian officials about the REvil operation, and that if Russia doesn’t take action against its ransomware gangs, “we will.” TASS is, of course, authorized to disclose that Russia not only had nothing to do with the attack but also knew nothing about it, and that in fact Moscow had heard nothing from Washington about the matter.

But, outside government cyber experts have uncovered the following:

Hat tip: source

Resecurity® HUNTER, the company's cyber threat intelligence and R&D unit, identified a strong connection between a domain belonging to the cybercriminals and the cloud hosting and IoT company servicing it.

According to recent research published by Resecurity on Twitter, starting in January 2021 REvil leveraged a new domain, ‘decoder[.]re’, in addition to its ransomware page available on the TOR network.

***

The domain was included in the ransom notes dropped by the recent version of REvil; the note comes in the form of a text file containing contact and payment instructions.

[Image: REvil infrastructure map]

Typically, the interaction between the victim and REvil is organized via a page on TOR, but in case a victim is not able to access the Onion network, the group prepared domains on the clearnet (WWW) acting as a ‘mirror’.

[Image: REvil TOR host]

[Image: REvil WWW host (decoder[.]re)]

To access the page on WWW or TOR, the victim needs to provide a valid UID (e.g., “9343467A488841AC”). The researchers acquired a significant number of UIDs and private keys by detonating ransomware samples and through collaboration with victims globally. Using the private keys, they determined that the same functionality is available on both resources, confirming that they deliver exactly the same content.

Like decryptor[.]cc and decryptor[.]top in previous REvil / Sodinokibi versions, decoder[.]re is used to grant victims access to the threat actors' website for further negotiations. The application hosted on it contains ‘chat’ functionality enabling interactive, close-to-real-time communication between the victim and REvil.

The threat actors also used a disposable temporary e-mail address created via https://guerrillamail.com to anonymously register the domain name; the same address was later used for the name servers as well, which also allowed them to park other elements of their infrastructure. Such e-mail addresses can only be used a limited number of times; for example, all communications with them are automatically deleted within 1 hour.

Resecurity was able to collect the available current and historical DNS records, created a visual graph representing the network infrastructure currently used by REvil, and shared it with the cybersecurity community. According to experts, such a step may facilitate proper legal action against the ransomware operators and help identify the parties responsible for the malicious activity, as the uncovered details raise significant questions about the reaction of hosting providers and law enforcement.

[Image: REvil infrastructure map]

Based on the network and DNS intelligence collected by the experts, the IPs associated with the domain were rotated at least 3 times in Q1 2021 and all belonged to a particular cloud hosting and IoT solutions provider located in Eastern Europe, which continues to service them.

“It’s hard to believe such malicious activity has gone unnoticed by certain governments, resulting in damage to thousands of enterprises globally,” said Gene Yoo, Chief Executive Officer of Resecurity.

President Joe Biden has ordered U.S. intelligence agencies to investigate the sophisticated ransomware attack on Kaseya, presumably conducted by REvil, a notorious cybercriminal syndicate believed to have ties to Russian-speaking actors that has previously gone after high-profile targets such as Apple and Acer.

The group is also believed to be behind last month’s successful attack on the world’s largest meat processing company, JBS, which extorted $11 million in ransom. REvil took official responsibility for the Kaseya attack and released an announcement on its blog, available on the TOR network, demanding a $70 million payment from Kaseya, the biggest ransom demand known in the industry today.

The attack has already affected over 1,000 businesses globally disrupting their operations. One suspected victim of the breach, the Sweden-based retailer Coop, closed at least 800 stores over the weekend after its systems were taken offline.

The White House Press Secretary Jen Psaki said the US will take action against the cybercriminal groups from Russia if the Russian government refuses to do so.

The investigation is still ongoing.

About the author: Gene Yoo, Chief Executive Officer (Resecurity, Inc.)

Factoid: The Biden Admin’s NSA Unmasked Tucker Carlson

So, who exactly ordered the NSA to unmask Tucker Carlson’s emails and leak them is unclear, but there is at least one common name that did the same thing against General Flynn… Susan Rice… ahhh, but read on. (Remember, former AG Barr called it spying.)

Axios:

Tucker Carlson was talking to U.S.-based Kremlin intermediaries about setting up an interview with Vladimir Putin shortly before the Fox News host accused the National Security Agency of spying on him, sources familiar with the conversations tell Axios.

Why it matters: Those sources said U.S. government officials learned about Carlson’s efforts to secure the Putin interview. Carlson learned that the government was aware of his outreach — and that’s the basis of his extraordinary accusation, followed by a rare public denial by the NSA that he had been targeted.

  • Axios has not confirmed whether any communications from Carlson have been intercepted, and if so, why.

The big picture: Carlson’s charges instantly became a cause célèbre on the right, which feasted on the allegation that one of America’s most prominent conservatives might have been monitored by the U.S. intelligence community.

The backstory: Carlson told his roughly 3 million viewers on June 28 that the day before, he had heard “from a whistleblower within the U.S. government who reached out to warn us that the NSA … is monitoring our electronic communications and is planning to leak them in an attempt to take this show off the air.”

  • Carlson said his source, “who is in a position to know, repeated back to us information about a story that we are working on that could have only come directly from my texts and emails.”
  • “It’s illegal for the NSA to spy on American citizens,” Carlson added. “Things like that should not happen in America. But unfortunately, they do happen. And in this case, they did happen.”
  • The NSA said in a tweet the next night, as Carlson’s show went on the air, that his “allegation is untrue.”
  • “Tucker Carlson has never been an intelligence target of the Agency and the NSA has never had any plans to try to take his program off the air,” the statement said.

A Fox News spokesperson gave this response to our reporting: “We support any of our hosts pursuing interviews and stories free of government interference.”

  • And Carlson gave this statement: “As I’ve said repeatedly, because it’s true, the NSA read my emails, and then leaked their contents. That’s an outrage, as well as illegal.”

It is unclear why Carlson, or his source, would think this outreach could be the basis for NSA surveillance or a motive to have his show canceled.

  • Journalists routinely reach out to world leaders — including the leaders of countries that are not allied with the U.S. — to request interviews. And it’s not unusual to first reach out through unofficial intermediaries rather than through the leaders’ official press offices.
  • Numerous American journalists have interviewed Putin in recent years, and none have faced professional repercussions. Quite the contrary: Chris Wallace earned Fox News its first Emmy nomination for his 2018 Putin interview.

On Wednesday, Carlson told Maria Bartiromo on Fox Business that only his executive producer knew about the communications in question and that he didn’t mention it to anybody else, including his wife.

  • But, of course, the recipients of Carlson’s texts and emails also knew about their content. And we don’t know how widely they shared this information.

Between the lines: The NSA’s public statement didn’t directly deny that any Carlson communications had been swept up by the agency.

  • Axios submitted a request for comment to the NSA on Wednesday, asking whether the agency would also be willing to categorically deny that the NSA intercepted any of Carlson’s communications in the context of monitoring somebody he was talking to in his efforts to set up an interview with Putin.
  • An NSA spokesperson declined to comment and referred Axios back to the agency’s earlier, carefully worded, statement. In other words, the NSA is denying the targeting of Carlson but is not denying that his communications were incidentally collected.

What’s next: Experts say there are several plausible scenarios — including legal scenarios — that could apply.

  • The first — and least likely — scenario is that the U.S. government submitted a request to the Foreign Intelligence Surveillance Court to monitor Carlson to protect national security.
  • A more plausible scenario is that one of the people Carlson was talking to as an intermediary to help him get the Putin interview was under surveillance as a foreign agent.
  • In that scenario, Carlson’s emails or text messages could have been incidentally collected as part of monitoring this person, but Carlson’s identity would have been masked in any intelligence reports.
  • In order to know that the texts and emails were Carlson’s, a U.S. government official would likely have to request his identity be unmasked, something that’s only permitted if the unmasking is necessary to understand the intelligence.

In a third scenario, interceptions might not have involved Carlson’s communications. The U.S. government routinely monitors the communications of people in Putin’s orbit, who may have been discussing the details of Carlson’s request for an interview.

  • But under this scenario, too, Carlson’s identity would have been masked in reports as part of his protections as a U.S. citizen, and unmasking would only be permitted if a U.S. government official requested that his identity be unmasked in order to understand the intelligence. And it’s not clear why that would be necessary here.

The intrigue: Two sources familiar with Carlson’s communications said his two Kremlin intermediaries live in the United States, but the sources could not confirm whether both are American citizens or whether both were on U.S. soil at the time they communicated with Carlson.

  • This is relevant because if one of them was a foreign national and on foreign soil during the communications, the U.S. government wouldn’t necessarily have had to seek approval to monitor their communications.


Cartel Del Golfo is Operating Stash Houses in Texas

Primer (January 2020, from the Justice Department): CDG is a violent Mexican criminal organization engaged in the manufacture, distribution, and importation of ton quantities of cocaine and marijuana into the United States. In the late 1990s, the Gulf Cartel recruited an elite group of former Mexican military personnel to join their ranks as security and enforcers, who became known as Los Zetas. The Gulf Cartel and Los Zetas operated under the name “The Company.” Costilla-Sanchez became the leader of The Company for several years following the arrest of Osiel Cardenas in 2003 and before Costilla-Sanchez’s own arrest in September 2012. More details here.

***


So, with that already classified, and with stash houses operating inside the United States, why has it not been declared a domestic terror organization and where are the arrests by Federal agents?

Texas border stash house packed with 108 migrants in searing heat

Nearly 930,000 illegal migrant crossings were reported by CBP through the end of May

A large human smuggling stash house harboring 108 migrants in southeast Texas was uncovered by U.S. Border Patrol agents Monday afternoon.

The migrants were found crammed inside what appeared to be an old car garage, enduring extreme heat and harsh living conditions.

Border Patrol officials told Fox News that smugglers keep migrants in stash houses located near the southern border before dispersing them deeper into the U.S.

The insignia of “Cartel Del Golfo,” which means Gulf Cartel, was spray-painted on one of the interior garage walls, which law enforcement said was the cartel’s method of laying claim to the operation.


Border Patrol said the Gulf Cartel is known to be heavily involved in running human smuggling operations across Texas’ southeast border.

Law enforcement initially said 107 migrants were found at the house before upping the count by one.

Officials identified one migrant caretaker during the apprehensions near Alton, Texas, on Monday, but did not confirm whether he was involved in running the smuggling operation.

Five unaccompanied children and two family units with children as young as six years old were found in the stash house, U.S. Customs and Border Protection (CBP) confirmed Tuesday.

The migrants arrived from Mexico, Ecuador, El Salvador, Honduras, and Guatemala.

Stash houses like the garage discovered Monday are not rare sights for Border Patrol agents.

One hour after the stash house in Alton was discovered, CBP reported that a residence near Rio Grande City was found to have been harboring 23 adult migrants.

Fox News could not immediately reach CBP to confirm the number of stash houses found in 2021 but earlier this month local news outlet KGNS reported that over 4,000 migrants had been arrested in more than 200 dismantled stash homes.

CBP has reported nearly 930,000 illegal immigrant encounters at the southern border since January.

More than 180,000 migrants were encountered in May alone.


Biden Gives Putin a List of Entities to not Hack

Yup… 16 of them. Are all the other parts of infrastructure okay, or just not as important? Does the same list apply to hackers from China, Iran or North Korea? Do they get a copy too?

Primer:

Remember MH17? Just for some context on Russian operatives: it is not just the United States.

Russian hackers compromised the computer systems of the Dutch national police while the latter were conducting a criminal probe into the downing of Malaysia Airlines Flight 17 (MH17), according to a new report. MH17 was a scheduled passenger flight from Amsterdam to Kuala Lumpur, which was shot down over eastern Ukraine on July 17, 2014. All 283 passengers and 15 crew on board, 196 of them Dutch citizens, were killed.

Dutch newspaper De Volkskrant, which revealed this new information last week, said the compromise of the Dutch national police’s computer systems was not detected by Dutch police themselves, but by the Dutch General Intelligence and Security Service (AIVD). The paper said that neither the police nor the AIVD were willing to confirm the breach, but added that it had confirmed the breach took place through multiple anonymous sources.

On July 5, 2017, the Netherlands, Ukraine, Belgium, Australia and Malaysia announced the establishment of the Joint Investigation Team (JIT) into the downing of flight MH-17. The multinational group stipulated that possible suspects of the downing of flight MH17 would be tried in the Netherlands. In September 2017, the AIVD said it possessed information about Russian targets in the Netherlands, which included an IP address of a police academy system. That system turned out to have been compromised, which allowed the attackers to access police systems. According to four anonymous sources, evidence of the attack was detected in several different places.

The police academy is part of the Dutch national police, and non-academy police personnel can access the network using their log-in credentials. Some sources suggest that the Russian Foreign Intelligence Service (SVR) carried out the attack through a Russian hacker group known as APT29, or Cozy Bear. However, a growing number of sources claim the attack was perpetrated by the Main Directorate of the Russian Armed Forces’ General Staff, known commonly as GRU, through a hacker group known as APT28, or Fancy Bear. SVR attackers are often involved in prolonged espionage operations and are careful to stay below the radar, whereas the GRU is believed to be more heavy-handed and faster. The SVR is believed to be partly responsible for the compromise of United States government agencies and companies through the supply chain attack known as the SolarWinds cyber attack, which came to light in late 2020. source


(notice Victoria Nuland at the table?)

FNC:

President Biden told reporters Wednesday he gave President Vladimir Putin a list of 16 critical infrastructure entities that are “off limits” to a Russian cyberattack.

Those entities include energy, water, health care, emergency, chemical, nuclear, communications, government, defense, food, commercial facilities, IT, transportation, dams, manufacturing and financial services.

“We’ll find out whether we have a cybersecurity arrangement that begins to bring some order,” Biden said. Putin, for his part, denied any involvement in a recent spate of cyberattacks that have hit major industries across the U.S.

“I looked at him. I said, ‘How would you feel if ransomware took on the pipelines from your oil fields?’ He said, ‘It would matter.’ This is not about just our self-interest,” the president said.

Biden refused to say if military action was on the table if Russia was found to be responsible for a ransomware attack.

“In terms of the red line you laid down, is military response an option for a ransomware attack?” a reporter asked.

“Thank you very much,” Biden said as he abruptly tried to end the shorter-than-expected conference. “No, we didn’t talk about military response,” he said when pressed again.

Biden in another moment had said he didn’t make any threats but rather “simple assertions.”

Biden stressed the need for both nations “to take action against criminals that conduct ransomware activities on their territory.”

Putin, in his own press conference after the meeting, claimed that American sources say that a “majority” of the cyberattacks in the world come from within the U.S.

The number of organizations affected by ransomware has jumped 102% compared to the beginning of 2020 and “shows no sign of slowing down,” according to a research note last month from IT security firm Check Point.

Both Colonial Pipeline and JBS Holdings, a meat-processing company, have been subject to major cyberattacks, in which, against the guidance of the FBI, they paid millions of dollars in ransom to resume operations. The Colonial Pipeline attack was linked back to a Russian hacking group.


Hunter Gets Big Money for his Paintings Likely Due to his Shady Art Dealer

Any officials investigating for criminal activity other than the strident journalists at the New York Post? (rhetorical)

Hat tip:

As federal prosecutors continue their criminal probes into Hunter Biden’s taxes and international business dealings, the President’s son — shuttling between Washington DC and a sprawling Los Angeles home — is lying low, consulting with lawyers and focusing on his new career in art.

[Image: The Georges Berges Gallery at 462 West Broadway in Soho. Helayne Seidman]

Biden, who turns 51 next week, is prepping a solo show with Soho art dealer Georges Berges, who currently represents Sylvester Stallone. Berges was once arrested for “terrorist threats” and assault with a deadly weapon in California and has strong ties to China.

Biden, who continues to hold business interests in a billion-dollar Chinese investment firm, recently moved to a sprawling Venice Beach rental with his wife Melissa Cohen and 10-month-old son, according to the Daily Mail. He was previously living in a Hollywood Hills home where he had set up an art studio. (source)

That home is connected to Shane Khoh, a Los Angeles-based entrepreneur and real estate investor who is CEO of SXU Investment Holdings LLC, the California company that has owned the $3.8 million property since 2011, according to public records. Khoh, an American who is fluent in Chinese, sits on the board of Siong Heng Realty Pte Ltd., a Singapore-based real estate holding company, according to his LinkedIn profile. He is also listed as a “venture partner” of Diverse Communities Impact Fund, a private-equity group that features former Democratic New Mexico Gov. Bill Richardson on its board of advisors.

The house was featured in a New York Times profile of Biden as an emerging abstract painter last year. Last year Khoh told The Washington Examiner that Biden was paying $12,000 a month for the property, which features a pool house that Biden has turned into an art studio. Khoh denied any prior relationship with Biden to the newspaper.

But when The Post asked this week about his arrangements with his tenant, Khoh clammed up: “I have nothing to say about Hunter Biden. I have no comment.”

Biden and his family have since moved into a $5.4 million Venice Beach home owned by Sweetgreen co-founder and CEO Jonathan Neman, according to the Daily Mail report.

Others in Biden’s orbit were even more reticent.

Lunden Alexis Roberts, an Arkansas stripper who sued Biden for paternity and child support after the birth of their 2-year-old daughter, refused to comment on calls from The Post, as did her lawyer. It is not known how much Biden is paying in child support for “Baby Doe,” as she is referred to in court papers. The father of five had initially argued that the child was not his, and repeatedly tried to delay the case. Roberts, who met Biden at a Washington, DC, strip club where she used to work, said in a December 2019 court filing that Biden had not provided any financial support for the child.

Although Biden has divested himself of many of his old business interests, he does not seem to be hard up for cash. He has been seen driving around Los Angeles in a Porsche Panamera, which retails for more than $90,000. He retains control of a limited liability corporation that has a 10 percent stake in BHR Partners, a Chinese private-equity firm with $2 billion in assets and partly owned by the Bank of China, according to reports.

Biden’s stake in the Chinese firm is owned by Skaneateles LLC, a company named for his mother Neilia Hunter Biden’s upstate New York hometown. The company has used the Hollywood Hills home as one of its addresses. Neilia, Joe Biden’s first wife, died in a 1972 car crash in Delaware that also killed Biden’s 1-year-old sister Naomi. Hunter Biden and his older brother Beau, who were toddlers, were injured in the accident.

“It’s like a lottery ticket he has in his hand with a 10 percent stake in a company worth billions,” said a source. “Just imagine if that company is worth $2 billion, Biden takes home $200 million.”

Biden’s convoluted international business dealings became a heated political issue in the final months of the 2020 presidential campaign after The Post revealed a trove of emails from Hunter’s laptop that raised questions about then-candidate Joe Biden’s ties to his son’s foreign business ventures, including Burisma. The Ukrainian energy company reportedly paid Hunter $50,000 a month between 2014 and 2019 to sit on its board of directors. Hunter Biden is also accused of promoting the interests of CEFC China Energy Co, a Chinese conglomerate that was to pay him more than $10 million a year for introductions to officials in Washington.

Last year, a federal watchdog called on the Department of Justice to launch “a full investigation” of Hunter Biden, who they claim did not register under federal Foreign Agent Registration Act rules that govern those lobbying for a foreign entity.

“Hunter Biden’s tangled web of shell companies, LLCs, investment vehicles, and options agreements make it virtually impossible to know where he is getting income from,” said Thomas Anderson, director for the National Legal Policy Center, adding that circumventing the FARA regulations allowed Biden and his associates to operate under the radar.

Selling his abstract artwork to wealthy investors may also be a lucrative way to rake in cash, Anderson said. “We highly doubt, however, a career as an artist will do anything more than act as a vehicle to further shield where that income is coming from,” he said.

But Hunter Biden told The Times he had another reason for turning to art. Painting is “literally keeping me sane right now,” he said, adding that it helped him in his battles with addiction to drugs and alcohol.

“If I didn’t know who it was and I saw it for the first time, I would think it was pretty interesting stuff. He’s got talent,” New York art critic Anthony Haden-Guest told The Post.

The paintings feature pastel bursts of flowers and other shapes made with layers of alcohol ink that he blows with a metallic straw onto Japanese Yupo paper, a smooth synthetic material made from recycled paper.

Biden’s new dealer, who opened his Soho gallery in 2015, is tight-lipped about his galleries in New York and Berlin, which are reportedly frequented by Spike Lee, Dave Chapelle and Susan Sarandon as well as international titans of industry.

“He’s got this Woody Allen look to him … He’s crazy in a good way,” one artist who’s worked with Berges told The Post.

Berges, 44, regularly features works by Chinese artists and told a Chinese network in 2015 that he was keen to open other art galleries in Beijing and Shanghai. “The question that I always had was how China is changing the world in terms of art and culture,” Berges told the China Daily in 2014.

Berges was accused of defrauding an investor in a 2016 federal lawsuit. Ingrid Arneberg claims she invested $500,000 in Berges’ gallery for a promised expansion, but instead he used the cash to pay off old debts. Berges later countersued Arneberg, and the case was settled in 2018.

In 1998, he was charged with assault with a deadly weapon and making “terrorist threats”; the threats charge was dismissed. He pled “no contest” to the assault and received 36 months’ probation and served 90 days in jail, according to Santa Cruz Superior Court documents — the only information publicly available about the case.

Berges did not return several messages seeking comment. A worker at his gallery in Soho told The Post he didn’t know anything about Hunter Biden’s solo exhibition, which is scheduled for later this year, according to reports.

George Mesires, a lawyer for Hunter Biden, did not return The Post’s calls.