State Department Offers $10 Million Bounty for Location of DarkSide Gang Leaders

Ukraine Secret Service reveals the identities of Gamaredon members, CMMC 2.0 released, State and Defense depts can't detect Stingrays near facilities, DOJ indicts PlugWalkJoe for currency theft, more

The State Department announced a $10 million bounty for information on the location of leaders of the DarkSide ransomware gang and $5 million for information that leads to the arrest or conviction of any group affiliates. The Department is offering the reward under its Transnational Organized Crime Rewards Program (TOCRP).

The DarkSide group’s most high-profile attack was the Colonial Pipeline Company ransomware infection last May. (Tonya Riley / Cyberscoop)

Related: State Department, CNN, Bloomberg, IT News, CyberNews, Deutsche Welle, UPI.com, The Verge, NDTV Gadgets360.com, The Hacker News

The Ukrainian Security Service (SSU) revealed the real identities of five members of a group it calls Armageddon but is more widely known in cybersecurity circles as Gamaredon, linking its members to the Crimean branch of the Russian Federal Security Service (FSB).

The group operated from Sevastopol, Crimea, but acted on orders from the FSB Center for Information Security (also known as “Center 18”) in Moscow. The five members include Chernykh Mykola Serhiiovych (head of the 4th section of SCO of the FSB Sevastopol branch), Sklianko Oleksandr Mykolaiovych (deputy chief of the 4th section of SCO of the FSB Sevastopol branch), Starchenko Anton Oleksandrovych (officer of the 4th section of SCO of the FSB Sevastopol branch), Sushchenko Oleh Oleksandrovych (officer of the 4th section of SCO of the FSB Sevastopol branch) and Miroshnychenko Oleksandr Valeriiovych (officer of the 4th section of SCO of the FSB Sevastopol branch).

The SSU also published intercepted phone conversations between two Gamaredon members regarding attacks they were carrying out and complaints about their FSB salaries. (Catalin Cimpanu / The Record)

Related: Bleeping Computer, Security Service of Ukraine, Security Week, Ukrinform, VICE News, Cyberscoop, DataBreaches.net

Following a nine-month internal review and complaints from vendors over the cost and complexity of the requirements, the Department of Defense issued Cybersecurity Maturity Model Certification (CMMC) 2.0, an updated version of its cybersecurity compliance program for contractors.

Under CMMC 2.0, a third-party assessment will be focused "on companies supporting the highest priority programs," according to the DOD. A new website focused on the updated CMMC says the new version will cut red tape for small and medium-sized businesses, set priorities for protecting DoD information, and reinforce cooperation between the DoD and industry in addressing evolving cyber threats. (Adam Mazmanian / FCW)

Related: Defense.gov, InsideDefense.com, The Record by Recorded Future, Fedscoop, Washington Technology: News and Blogs, Homeland Security Today, InsideCyberSecurity.com, Business Wire Technology: Security News, Meritalk, SC Media, CMMC 2.0

Researchers at Check Point say that threat actors are using advertisements in Google Search to promote fake cryptocurrency wallets and DEX platforms to steal users’ cryptocurrency.

The ads promote sites that install fake Phantom and MetaMask wallets used for Solana and Ethereum and fake decentralized exchange (DEX) platforms, such as PancakeSwap and Uniswap. Google has taken down the ads, but new ones will undoubtedly pop up. (Bill Toulas / Bleeping Computer)

Related: NDTV Gadgets360.com, Reddit TECH NEWS, The Verge, Engadget, Check Point Research

Senator Ron Wyden (D-OR) sent a letter to the director of national intelligence, the heads of the FBI and CISA, and Jessica Rosenworcel, the presumptive next chair of the Federal Communications Commission, about the “abysmal failure” by the U.S. government to defend its employees from unauthorized cellphone surveillance.

Wyden’s complaint focused on cell-site simulators, also known as “IMSI catchers,” which are more commonly known as “stingrays.” These simulators exploit long-standing security vulnerabilities in phones by impersonating a legitimate phone company’s cell towers. Wyden says that the Departments of State and Defense have confirmed “that they lack the technical capacity to detect cell-site simulators in use near their facilities.” Aside from asking that federal workers be required to use end-to-end encryption for messages and calls, Wyden has also asked the FCC to require phone manufacturers to include an easy method whereby consumers can disable their phones’ support for 2G and 3G networks, which are vulnerable to stingray technology. (Dell Cameron / Gizmodo)

Deputy Attorney General Lisa Monaco said that “in the days and weeks to come, you’re going to see more arrests,” more seizures of ransom payments to hackers, and additional law enforcement operations.

Despite stepped-up efforts by the Biden administration to rein in cybercriminals and ransomware attackers, “We have not seen a material change in the landscape. Only time will tell as to what Russia may do on this front,” Monaco said. (Eric Tucker / Associated Press)

Related: The Hill: Cybersecurity, Reddit

France’s Computer Emergency Response Team (CERT) released details about the tools and tactics used by a ransomware affiliate group, now tracked as Lockean.

According to the CERT, the group has compromised the networks of at least eight French companies, stealing data and deploying malware from multiple ransomware-as-a-service (RaaS) operations. (Ionut Ilascu / Bleeping Computer)

Related: Security Affairs

The Justice Department indicted a suspected Twitter hacker, Joseph O’Connor, also known as ‘PlugWalkJoe,’ for stealing $784,000 worth of cryptocurrency using SIM swap attacks.

Prosecutors allege that O’Connor and co-conspirators used SIM swaps to gain access to accounts at a Manhattan-based cryptocurrency company and steal $784,000 worth of Bitcoin Cash, Litecoin, Ethereum, and Bitcoin from wallets the company managed on behalf of clients. The Justice Department previously indicted O’Connor for his alleged involvement in the massive July 2020 Twitter hack that allowed threat actors to hijack accounts, including high-profile accounts such as that of Barack Obama, and promote cryptocurrency scams that stole over $120,000 worth of Bitcoin. The U.S. is pursuing the extradition of O’Connor, who is currently in custody in Spain. (Lawrence Abrams / Bleeping Computer)

Related: ZDNet, Security Affairs, Infosecurity Magazine, Graham Cluley, Databreaches.net, Justice.gov


Researchers at SentinelLabs discovered a critical heap-overflow vulnerability in the Transparent Inter-Process Communication (TIPC) module of the Linux kernel that could allow local exploitation and remote code execution, leading to complete system compromise.

The flaw (CVE-2021-43267) resides in a message type that allows nodes to send cryptographic keys to each other. When received, the keys can be used to decrypt further communications from the sending node. Sentinel recommends that affected Linux users should apply the just-released patch. (Tara Seals / Threatpost)

Related: Security Week, The Hacker News, Security Affairs, SentinelOne

Cisco has released security updates to address critical security flaws allowing unauthenticated attackers to log in using hard-coded credentials or default SSH keys to take over unpatched devices.

CISA encourages users and administrators to review the relevant Cisco advisories and apply the necessary updates. (Sergiu Gatlan / Bleeping Computer)

Related: US-CERT Current Activity

Researchers released public exploit code and a proof of concept tool to test Bluetooth devices against System-on-a-Chip (SoC) security bugs impacting multiple vendors, including Intel, Qualcomm, Texas Instruments, and Cypress.

CISA asks vendors to patch these vulnerabilities. (Sergiu Gatlan / Bleeping Computer)

Related: US-CERT Current Activity

The security team of the npm JavaScript package manager warned users that two of its most popular packages had been hijacked by a threat actor who released new versions laced with what appeared to be password-stealing malware.

The npm security team removed all the compromised coa and rc versions to prevent developers from accidentally infecting themselves. (Catalin Cimpanu / The Record)

Related: Security Affairs, Github Advisory
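A practical follow-up for teams that consume npm packages is to check their lockfiles for the hijacked releases. The script below is an added example for this digest, not tooling from the npm security team or the GitHub advisories: it walks a `package-lock.json` (both the `packages` map used by lockfile versions 2 and 3 and the nested `dependencies` tree of version 1) and reports any pinned `coa` or `rc` release that appears on a denylist. The version strings in the denylist and in the embedded sample lockfile are placeholders, because this digest does not list the affected versions; take the real ones from the linked GitHub advisory before running it against a project.

```python
"""Audit an npm lockfile for known-compromised package versions.

Added example for this digest (not the npm security team's code).
The coa/rc versions in COMPROMISED are placeholders; fill them in
from the GitHub advisories before using this on a real repository.
"""
import json
from typing import Dict, Iterator, List, Set, Tuple

# Placeholder denylist: package name -> set of versions to flag.
COMPROMISED: Dict[str, Set[str]] = {
    "coa": {"X.Y.Z-placeholder-coa"},
    "rc": {"X.Y.Z-placeholder-rc"},
}


def iter_locked_packages(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) for every package pinned in a lockfile.

    Covers lockfileVersion 2/3 ("packages", keyed by install path) and
    lockfileVersion 1 ("dependencies", nested per dependent package).
    Version 2 lockfiles carry both maps, so callers should de-duplicate.
    """
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # root project entry, not a dependency
            continue
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = path.split("node_modules/")[-1]
        if "version" in meta:
            yield name, meta["version"]

    def walk(deps: dict) -> Iterator[Tuple[str, str]]:
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_compromised(
    lock_text: str, denylist: Dict[str, Set[str]] = COMPROMISED
) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (name, version) pairs found on the denylist."""
    lock = json.loads(lock_text)
    hits = {
        (name, version)
        for name, version in iter_locked_packages(lock)
        if version in denylist.get(name, set())
    }
    return sorted(hits)


# Constructed sample lockfile (version 2 layout) with placeholder versions.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/rc": {"version": "X.Y.Z-placeholder-rc"},
        "node_modules/coa": {"version": "X.Y.Z-placeholder-coa"},
        "node_modules/minimist": {"version": "1.2.5"},
        # A nested, clean coa: must not be flagged.
        "node_modules/some-tool/node_modules/coa": {"version": "9.9.9"},
    },
    "dependencies": {
        "rc": {"version": "X.Y.Z-placeholder-rc"},
        "coa": {"version": "X.Y.Z-placeholder-coa"},
        "some-tool": {
            "version": "1.0.0",
            "dependencies": {"coa": {"version": "9.9.9"}},
        },
    },
})


if __name__ == "__main__":
    for name, version in find_compromised(SAMPLE_LOCK):
        print(f"FLAGGED: {name}@{version}")
```

Run it as `python audit_lock.py` to exercise the embedded sample, or replace `SAMPLE_LOCK` with the contents of a real `package-lock.json`. Because the check is keyed on the exact pinned version, a project whose lockfile never resolved to a hijacked release passes cleanly even if its `package.json` range would have admitted one.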

Scottish cybersecurity startup Lupovis, which has created a dynamic deception solution that leads cyber attackers and ransomware away from high-value assets, raised around $806,000 in a seed investment round.

The funding came from a syndicate co-led by Techstart Ventures and Nauta Capital, with an investment from the University of Strathclyde. (Patricia Allen / EU-Startups)