State Department Offers $10 Million Bounty for Location of DarkSide Gang Leaders

Ukraine Secret Service reveals the identities of Gamaredon members, CMMC 2.0 released, State and Defense depts can't detect Stingrays near facilities, DOJ indicts PlugWalkJoe for currency theft, more

Nov 5

The State Department announced a $10 million bounty for information on the location of leaders of the DarkSide ransomware gang and $5 million for information that leads to the arrest or conviction of any group affiliates. The Department is offering the reward under its Transnational Organized Crime Rewards Program (TOCRP).

The DarkSide group’s most high-profile attack was the Colonial Pipeline Company ransomware infection last May. (Tonya Riley / Cyberscoop)

@mikko @mikko

This is the same reward the U.S. State Department is offering for information on several al-Qaida and ISIS leaders. This is how seriously the U.S. authorities are now taking the ransomware threat. https://t.co/YUPSQBJRgc

FBI @FBI

#Breaking: The @StateDept is offering rewards of up to $10 million for information that leads to the identification, arrest, or conviction of leaders of (or participants in) the DarkSide ransomware transnational organized crime group. https://t.co/6WrtKHb8vS https://t.co/jr6qIeDLL7

The Ukrainian Security Service (SSU) revealed the real identities of five members of a group it calls Armageddon but is more widely known in cybersecurity circles as Gamaredon, linking its members to the Crimean branch of the Russian Federal Security Service (FSB).

The group operated from Sevastopol, Crimea, but acted on orders from the FSB Center for Information Security (also known as “Center 18”) in Moscow. The five members include Chernykh Mykola Serhiiovych (head of the 4th section of SCO of the FSB Sevastopol branch), Sklianko Oleksandr Mykolaiovych (deputy chief of the 4th section of SCO of the FSB Sevastopol branch), Starchenko Anton Oleksandrovych (officer of the 4th section of SCO of the FSB Sevastopol branch), Sushchenko Oleh Oleksandrovych (officer of the 4th section of SCO of the FSB Sevastopol branch) and Miroshnychenko Oleksandr Valeriiovych (officer of the 4th section of SCO of the FSB Sevastopol branch).

The SSU also published intercepted phone conversations between two Gamaredon members regarding attacks they were carrying out and complaints about their FSB salaries. (Catalin Cimpanu / The Record)

Kevin Collier @kevincollier

This is wild. Ukraine just doxed not just FSB officers, but actual phone conversations they had about spying on Ukrainian officials. A step further than when the US DOJ doxes intelligence officials by indicting them; this is a whole punchy video.

SSU intercepted conversations of FSB hackers who carried out over 5 000 cyberattacks on State bodiesyoutube.com

Dmitri Alperovitch @DAlperovitch

The published intercepted conversations of FSB cyber operatives in Crimea are amazing. Real-time reports of operational successes intermixed with complaints about frequent COVID-19 testing at work and getting screwed on bonus pay and awards by FSB. Hackers are bureaucrats too… https://t.co/0VGtmHhb5M

John Hultquist @JohnHultquist

Great work by Ukraine's SBU attributing the activity of the group best known as Armagedon/Gamaredon, an FSB-tied operation out of occupied Ukraine. We've this crew for a long time, but the FSB rarely gets as much attention as other Russian services. 1/x https://t.co/BRcXpnojPH

Following a nine-month internal review and complaints from vendors over the cost and complexity of the requirements, the Department of Defense issued Cybersecurity Maturity Model Certification (CMMC) 2.0, an updated version of its cybersecurity compliance program for contractors.

Under CMMC 2.0, a third-party assessment will be focused "on companies supporting the highest priority programs," according to the DOD. A new website focused on the updated CMMC says the new version will cut red tape for small and medium-sized businesses, set priorities for protecting DoD information, and reinforce cooperation between the DoD and industry in addressing evolving cyber threats. (Adam Mazmanian / FCW)

Researchers at Check Point say that threat actors are using advertisements in Google Search to promote fake cryptocurrency wallets and DEX platforms to steal user'’ cryptocurrency.

The ads promote sites that install fake Phantom and MetaMask wallets used for Solana and Ethereum and fake decentralized exchange (DEX) platforms, such as PancakeSwap and Uniswap. Google has taken down the ads, but new ones will undoubtedly pop up. (Bill Toulas / Bleeping Computer)

Senator Ron Wyden (D-OR) sent a letter to the director of national intelligence, the heads of the FBI and CISA, and Jessica Rosenworcel, the presumptive next chair of the Federal Communications Commission, about the “abysmal failure” by the U.S. government to defend its employees from unauthorized cellphone surveillance.

Wyden’s complaint focused on cell-site simulators, also known as “IMSI catchers,” which are more commonly known as “stingrays.” These simulators exploit long-standing security vulnerabilities in phones by impersonating a legitimate phone company’s cell towers. Wyden says that the Departments of State and Defense have confirmed “that they lack the technical capacity to detect cell-site simulators in use near their facilities.” Aside from asking that federal workers be required to use end-to-end encryption for messages and calls, Wyden has also asked the FCC to require phone manufacturers to include an easy method whereby consumers can disable their phones’ support for 2G and 3G networks, which are vulnerable to stingray technology. (Dell Cameron / Gizmodo)

Media Alliance @twrling

When your own #spyware bites you in the .... " The Departments of State and Defense have confirmed to Wyden’s office, he said, “that they lack the technical capacity to detect #cellsitesimulators in use near their facilities.”

DoD and State Lack ‘Technical Capacity’ to Detect Stingray Phone Surveillance, Senator SaysSen. Ron Wyden calls for countermeasures against spying by cell-site simulators at embassies and military bases.gizmodo.com

Deputy Attorney General Lisa Monaco said that “in the days and weeks to come, you’re going to see more arrests,” more seizures of ransom payments to hackers, and additional law enforcement operations.

Despite stepped-up efforts by the Biden administration to rein in cybercriminals and ransomware attackers, “We have not seen a material change in the landscape. Only time will tell as to what Russia may do on this front,” Monaco said. (Eric Tucker / Associated Press)

Related: The Hill: Cybersecurity, Reddit

Zev Shalev @ZevShalev

Dep AG Lisa Monaco warns Russia and other cyber threat actors to expect arrests and criminal charges related to ransomware threats in coming weeks - no matter from where in the world they originate. "If you come for us, we're. going to come for you". @AP

The AP Interview: DOJ conducting cyber crackdownDeputy Attorney General Lisa Monaco is expecting arrests and criminal charges related to ransomware threats in the coming weeks and spoke to The Associated P...youtu.be

France’s Computer Emergency Response Team (CERT) released details about the tools and tactics used by a ransomware affiliate group, now tracked as Lockean.

According to the CERT, the group has compromised the networks of at least eight French companies, stealing data and deploying malware from multiple ransomware-as-a-service (RaaS) operations. (Ionut Ilascu / Bleeping Computer)

Related: Security Affairs

The Justice Department indicted a suspected Twitter hacker, Joseph O'Connor, also known as 'PlugWalkJoe' for stealing $784,000 worth of cryptocurrency using SIM swap attacks.

Prosecutors allege that O’Connor and co-conspirators used SIM swaps to gain access to accounts for a Manhattan-based cryptocurrency company to steal $784,000 Bitcoin Cash, Litecoin, Ethereum, and Bitcoin from wallets managed by the company on behalf of clients. The Justice Department previously indicted O’Connor for his alleged involvement in the massive July 2020 Twitter hack that allowed threat actors to hijack accounts, including high-profile accounts such as those of Barack Obama, and promote cryptocurrency scams that stole over $120,000 worth of Bitcoin. The U.S. is pursuing the extradition of O'Connor, who is currently in custody in Spain. (Lawrence Abrams / Bleeping Computer)

Give a gift subscription

Researchers at SentinelLabs discovered a critical heap-overflow security vulnerability in the Transparent Inter Process Communication (TIPC) module of the Linux kernel that could allow local exploitation and remote code execution, leading to complete system compromise.

The flaw (CVE-2021-43267) resides in a message type that allows nodes to send cryptographic keys to each other. When received, the keys can be used to decrypt further communications from the sending node. Sentinel recommends that affected Linux users should apply the just-released patch. (Tara Seals / Threatpost)

Cisco has released security updates to address critical security flaws allowing unauthenticated attackers to log in using hard-coded credentials or default SSH keys to take over unpatched devices.

CISA encourages users and administrators to review the relevant Cisco advisories and apply the necessary updates. (Sergiu Gatlan / Bleeping Computer)

Related: US-CERT Current Activity

Researchers released public exploit code and a proof of concept tool to test Bluetooth devices against System-on-a-Chip (SoC) security bugs impacting multiple vendors, including Intel, Qualcomm, Texas Instruments, and Cypress.

CISA asks vendors to patch these vulnerabilities. (Sergiu Gatlan / Bleeping Computer)