Category: Cyber-Crimes

CISA AND MS-ISAC RELEASE JOINT RANSOMWARE GUIDE


The Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing a joint Ransomware Guide meant to be a one-stop resource for stakeholders on how to be proactive and prevent these attacks from happening and also a detailed approach on how to respond to an attack and best resolve the cyber incident.

CISA and MS-ISAC observed that many products and resources are available, but very few bring them all together in one place.

This one-stop guide is divided into two parts:

First, the guide focuses on best practices for ransomware prevention, detailing practices that organizations should continuously follow to help manage the risk posed by ransomware and other cyber threats. It is intended to enable forward-leaning actions to successfully thwart and confront malicious cyber activity associated with ransomware. Among the CISA and MS-ISAC preventive services listed are Malicious Domain Blocking and Reporting, regional CISA Cybersecurity Advisors, Phishing Campaign Assessment, and MS-ISAC Security Primers on ransomware variants such as Ryuk.

The second part of this guide, response best practices and services, is divided into three sections: (1) Detection and Analysis, (2) Containment and Eradication, and (3) Recovery and Post-Incident Activity. One of the unique aspects that will significantly help an organization’s leadership as well as its IT professionals with response is a comprehensive, step-by-step checklist.

With many technical details on response actions and lists of CISA and MS-ISAC services available to the incident response team, this part of the guide can enable a methodical, measured and properly managed approach.  

“It is a CISA priority to help our partners defend against ransomware, advise them on appropriate risk-management actions and provide best practices for a resilient, responsible incident response plan in the event of a cyberattack,” said Bryan Ware, Assistant Director for Cybersecurity, CISA. “The collaborative and consistent engagement with our industry and government partners supports our concerted efforts to offer trusted, proactive and timely resources and services. This guide is based on operational insight from CISA and MS-ISAC and our engagements with varied sector partners.”

Recent events are an important reminder that ransomware can happen at any time to any organization, so we encourage all organizations with sensitive or important data stored on their network to take steps now to protect it, including backing up data, training employees, and patching systems to blunt the potential impact of ransomware.

Malicious actors have adjusted their ransomware tactics over time to include pressuring victims for payment by threatening to release stolen data if they refuse to pay and publicly naming and shaming victims as secondary forms of extortion.

One of the ways this guide can help is with identifying critical data. It is hard for an organization to determine after the fact what critical data was affected by a ransomware incident if it did not already understand what critical data it held ahead of time.

Likewise, it is hard to restore from backups if an organization does not have them or has not properly maintained and tested them.

This joint ransomware guide is written primarily for the IT professional, but every level of an organization can benefit from reviewing it. CISA and MS-ISAC are proud to provide this guide that can help them plan for a ransomware incident and understand the risk management, analytical, and response services available to them.

Blogs to Follow:

Justice.gov (September 2020)  CISA AND MS-ISAC RELEASE JOINT RANSOMWARE GUIDE

International law enforcement operation targeting opioid traffickers on the Darknet results in over 170 arrests worldwide and the seizure of weapons, drugs and over $6.5 million


Darknet narcotics vendors selling to tens of thousands of U.S. residents charged

On September 22, 2020, the Department of Justice, through the Joint Criminal Opioid and Darknet Enforcement team, joined Europol to announce the results of Operation DisrupTor, a coordinated international effort to disrupt opioid trafficking on the Darknet.

The operation, which was conducted across the United States and Europe, demonstrates the continued partnership between JCODE and Europol against the illegal sale of drugs and other illicit goods and services. Operation DisrupTor builds on the success of last year’s coordinated law enforcement takedown of the Wall Street Market, one of the largest illegal online markets on the dark web.

Following the Wall Street Market takedown in May 2019, U.S. and international law enforcement agencies obtained intelligence to identify Darknet drug traffickers, resulting in a series of complementary, but separate, law enforcement investigations. Operation DisrupTor actions have resulted in the arrest of 179 Darknet drug traffickers and fraudulent criminals who engaged in tens of thousands of sales of illicit goods and services across the United States and Europe.

This operation resulted in the seizure of over $6.5 million in both cash and virtual currencies; approximately 500 kilograms of drugs worldwide; 274 kilograms of drugs, including fentanyl, oxycodone, hydrocodone, methamphetamine, heroin, cocaine, ecstasy, MDMA, and medicine containing addictive substances in the United States; and 63 firearms. 

Darknet vendor accounts were identified and attributed to real individuals selling illicit goods on Darknet market sites such as AlphaBay, Dream, WallStreet, Nightmare, Empire, White House, DeepSea, Dark Market and others. By leveraging complementary partnerships and surging resources across the U.S. government and Europol, Operation DisrupTor was used to significantly disrupt the online opioid trade and send a strong message that criminals operating on the Darknet are not beyond the reach of law enforcement. 

Operation DisrupTor led to 121 arrests in the United States including two in Canada at the request of the United States, 42 in Germany, eight in the Netherlands, four in the United Kingdom, three in Austria, and one in Sweden. A number of investigations are still ongoing to identify the individuals behind dark web accounts.

“Criminals selling fentanyl on the Darknet should pay attention to Operation DisrupTor,” said Deputy Attorney General Jeffrey Rosen. “The arrest of 179 of them in seven countries—with the seizure of their drug supplies and their money as well—shows that there will be no safe haven for drug dealing in cyberspace.”

“The 21st century has ushered in a tidal wave of technological advances that have changed the way we live,” said DEA Acting Administrator Timothy J. Shea. “But as technology has evolved, so too have the tactics of drug traffickers. Riding the wave of technological advances, criminals attempt to further hide their activities within the dark web through virtual private networks and Tails, presenting new challenges to law enforcement in the enduring battle against illegal drugs. Operation DisrupTor demonstrates the ability of DEA and our partners to outpace these digital criminals in this ever-changing domain, by implementing innovative ways to identify traffickers attempting to operate anonymously and disrupt these criminal enterprises.”

“With the spike in opioid-related overdose deaths during the COVID-19 pandemic, we recognize that today’s announcement is important and timely,” said FBI Director Christopher Wray. “The FBI wants to assure the American public, and the world, that we are committed to identifying Darknet drug dealers and bringing them to justice. But our work does not end with today’s announcement. The FBI, through JCODE and our partnership with Europol, continues to be actively engaged in a combined effort to disrupt the borderless, worldwide trade of illicit drugs. The FBI will continue to use all investigative techniques and tools to identify and prosecute Darknet opioid dealers, wherever they may be located.”

“U.S. Immigration and Customs Enforcement’s Homeland Security Investigations has played an integral role in Operation DisrupTor which has effectively removed opioids from our communities,” said ICE Acting Deputy Director Derek Benner. “It has been an honor to work alongside our domestic and international law enforcement partners and pursue bad actors hiding on the Darknet. Our trained cyber analysts and investigators have conducted undercover efforts that target dark website operators, vendors and prolific buyers of these dangerous drugs. HSI special agents employ unique investigative capabilities to trace and identify the proceeds stemming from the distribution and online sales of fentanyl and other illicit opioids. These efforts will continue to thwart a significant amount of criminal drug sale activity and deter criminals believing they can operate with anonymity on the Darknet.”

“The U.S. Postal Inspection Service has worked diligently for years to rid the mail of illicit drug trafficking and preserve the integrity of the mail,” said Chief Postal Inspector Gary Barksdale. “Most importantly, these efforts provide a safe environment for postal employees and the American public. Today’s announcement serves as an outstanding example of the worldwide impact Postal Inspectors can make through our ever-growing partnerships with federal and international law enforcement agencies. On behalf of the U.S. Postal Service, we offer our sincere appreciation to all of our partners in this operation who helped protect the nation’s mail, and we pledge to never relent in our pursuit of criminals seeking to exploit the U.S. mail.”

“Law enforcement is most effective when working together, and today’s announcement sends a strong message to criminals selling or buying illicit goods on the dark web: the hidden internet is no longer hidden, and your anonymous activity is not anonymous,” said Edvardas Šileris, the Head of Europol’s European Cybercrime Centre. “Law enforcement is committed to tracking down criminals, no matter where they operate – be it on the streets or behind a computer screen.”

The extensive operation, which lasted nine months, resulted in dozens of federal prosecutions, including:

  • The Los Angeles JCODE Task Force, in conjunction with the U.S. Attorney’s Office for the Central District of California, successfully dismantled a drug trafficking organization that used online monikers such as “Stealthgod” to sell methamphetamine and MDMA on multiple Darknet marketplaces. Investigators have linked the crew to more than 18,000 illicit drug sales to customers in at least 35 states and numerous countries around the world. During law enforcement actions in Southern California earlier this year, members of JCODE arrested five defendants and seized approximately 120 pounds of methamphetamine, seven kilograms of MDMA and five firearms. Two of the five – Teresa McGrath, 34, of Sunland-Tujunga, and Mark Chavez, 41, of downtown Los Angeles – have since pleaded guilty to narcotics-trafficking and other offenses, and each faces a 15-year mandatory minimum sentence. As the investigation continued, the Los Angeles JCODE Task Force made additional seizures, including $1.6 million in cryptocurrency, 11 pounds of methamphetamine and 14 pounds of pills pressed with methamphetamine. Andres Bermudez, 37, of Palmdale, California, who allegedly was a main supplier of methamphetamine to the “Stealthgod” crew, was charged last week with a narcotics-trafficking offense that carries a 10-year mandatory minimum sentence. He is considered a fugitive.
  • Arden McCann, 32, of Quebec, Canada, was charged with conspiring to import drugs into the United States and money laundering conspiracy, in a four-count indictment returned by a grand jury in Atlanta. According to court documents, the defendant is alleged to have imported alprazolam, fentanyl, U-47700, and fentanyl analogues such as carfentanil, furanyl fentanyl, 4-fluoroisobutyryl fentanyl, acryl fentanyl, and methoxyacetyl fentanyl into the United States from Canada and China. The superseding indictment alleges that fentanyl analogues the defendant imported into the United States resulted in a non-fatal overdose in April 2016, and fentanyl the defendant imported into the United States resulted in an overdose death in December 2016.
  • Khlari Sirotkin, 36, of Colorado; Kelly Stephens, 32, of Colorado; Sean Deaver, 36, of Nevada; Abby Jones, 37, of Nevada; and Sasha Sirotkin, 32, of California, were charged with drug trafficking and money laundering conspiracy, in a 21-count indictment returned by a grand jury in Cincinnati, Ohio. According to court documents, the defendants are alleged to be members of one of the most prolific online drug trafficking organizations in the United States and allegedly specialized in the manufacturing and distribution of more than one million fentanyl-laced counterfeit pills and laundered approximately $2.8 million over the course of the conspiracy. The pressed fentanyl pills, along with heroin, methamphetamine and cocaine, were shipped to the Southern District of Ohio and throughout the country. DEA, FBI, FDA, HSI and USPIS agents seized 2.5 kilograms of fentanyl; 5,095 pressed Xanax; 50 Suboxone; 16.5 grams of cocaine; 37 grams of crystal meth; 12 grams of black tar heroin; an industrial pill press; 5,908 pounds of dried marijuana with an estimated street value of $9 million; $80,191 in cash; 10 firearms; and one pound of fentanyl.
  • The FBI Washington Field Office’s Hi-Tech Opioid Task Force, in conjunction with the U.S. Attorney’s Office for the Eastern District of Virginia, successfully thwarted a firebomb attack plot involving explosives, firearms, the Darknet, prescription opioid trafficking, cryptocurrency, and sophisticated money laundering. William Anderson Burgamy, 33, of Hanover, Maryland, and Hyrum T. Wilson, 41, of Auburn, Nebraska, pleaded guilty in the Eastern District of Virginia to charges related to a conspiracy to use explosives to firebomb and destroy a competitor pharmacy in Nebraska. Burgamy, who is not a pharmacist, operated as the Darknet vendor NeverPressedRX since at least August 2019. Wilson, who was a licensed pharmacist, illegally mailed to Burgamy over 19,000 dosage units of prescription medications, including opioids, from his pharmacy in Nebraska. Burgamy illegally sold prescription drugs through his Darknet vendor account to customers nationwide, and claimed at one point that he made nearly $1 million total. Burgamy and Wilson agreed that Burgamy and another individual would carry multiple firearms during the attack operation and use explosives, specifically Molotov cocktails enhanced with Styrofoam as a thickening agent, to burn the victim pharmacy down in furtherance of their drug trafficking scheme. Law enforcement agents seized thousands of opioid pills, eight unsecured firearms, including two loaded AR-15 assault rifles with high capacity magazines, and over $19,000 cash. Prior to Burgamy’s arrest in April 2020, which uncovered and thwarted the firebombing plot, Burgamy and Wilson fully intended for the attack to take place after COVID-19 restrictions were lifted.
  • Aaron Brewer, 39, of Corsicana, Texas, was charged with conspiracy to possess with intent to distribute a controlled substance and distribution of a controlled substance in a two-count indictment returned by a grand jury in the Northern District of Texas. According to court documents, the defendant allegedly sold cocaine, heroin, and other drugs via the dark web. He allegedly accepted payment in cryptocurrency, primarily bitcoin, and then shipped the drugs to customers’ addresses through the U.S. mail and other shipping services. Following Brewer’s arrest on July 2, agents with the U.S. Postal Inspection Service and FBI Dallas Field Office seized roughly 650 grams of black tar heroin, cocaine, and OxyContin, two computers, and more than $870 in postage stamps, as well as a ledger outlining 757 drug shipments sent to 609 unique addresses between December 2019 and March 2020.

An indictment or criminal complaint merely alleges that crimes have been committed. The defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Operation DisrupTor was a collaborative initiative across JCODE members, including the Department of Justice; Federal Bureau of Investigation; U.S. Drug Enforcement Administration; U.S. Postal Inspection Service; U.S. Immigration and Customs Enforcement’s Homeland Security Investigations; U.S. Customs and Border Protection; Financial Crimes Enforcement Network; Bureau of Alcohol, Tobacco, and Firearms; Naval Criminal Investigative Service, and Department of Defense. Local, state and other federal agencies also contributed to Operation DisrupTor investigations. 

The investigations leading to Operation DisrupTor were significantly aided by essential support and coordination by the Department of Justice’s multi-agency Special Operations Division, the Criminal Division’s Computer Crime and Intellectual Property Section, Narcotic and Dangerous Drug Section, and Organized Crime and Gang Section, the Justice Department’s Office of International Affairs, the National Cyber Joint Investigative Task Force, Europol and its Dark Web team and international partners Eurojust, Austrian Federal Investigation Bureau, Cyprus Police, German Federal Criminal Police Office, Canada’s Royal Canadian Mounted Police, Portuguese Judicial Police, Dutch Police, Swedish Police, the British National Crime Agency, Australia’s Western Australia Police Force, and Australian Criminal Intelligence Commission.

Federal prosecutions are being conducted in more than 20 Federal districts, including: the Central District of California, the Eastern District of California, the Northern District of California, the Southern District of California, the District of Colorado, the District of Columbia, the District of Connecticut, the Middle District of Florida, the Southern District of Florida, the Northern District of Georgia, the District of Hawaii, the Western District of Missouri, the District of New Jersey, the Western District of North Carolina, the Northern District of Ohio, the Southern District of Ohio, District of Oregon, the Western District of Pennsylvania, the Northern District of Texas, the Eastern District of Virginia, the District of the Virgin Islands and the Western District of Washington.

JCODE is an FBI-led Department of Justice initiative, which works closely with the DEA-led, multi-agency Special Operations Division to support, coordinate and de-conflict investigations aimed at disrupting and dismantling the online sale of illegal drugs, especially fentanyl and other opioids. Additionally, JCODE targets the trafficking of weapons and other illicit goods and services on the internet. Operation DisrupTor illustrates the investigative power of federal and international partnerships to combat the borderless nature of online criminal activity.

Blogs to Follow:

DEA.gov (September 2020)  International law enforcement operation targeting opioid traffickers on the Darknet results in over 170 arrests worldwide and the seizure of weapons, drugs and over $6.5 million

Technology Proliferation, Influence Ops May Be as Disruptive as COVID-19


The COVID-19 pandemic has been globally disruptive in nearly every facet of life. But other things may prove as disruptive in the future, said leaders of the military intelligence community.

One advancement that may possibly be as disruptive as COVID-19 is the revolution in information technology that’s available to everybody — not just the U.S. and its allies, Navy Vice Adm. Robert Sharp, director of the National Geospatial-Intelligence Agency, said during an online forum today with the Armed Forces Communications and Electronics Association and the Intelligence and National Security Alliance.

“It’s this revolution in remotely-sensed and geo-located data, which is available to everyone,” he said. “It’s available to us, but it’s also available to our competitors. [Also] the revolution in smart machines and artificial intelligence — once again, [it’s a] great opportunity for us, but it’s not only our opportunity. That’s the competition space.”

Another area of concern is something Sharp called “GEOINT assurance.” With the growth of open-source geospatial intelligence coming from multiple sources, it becomes less certain that the information can be trusted, he said.

“How do you have confidence in the ones and zeros that you’re using for making decisions based off of,” he asked.

Army Gen. Paul Nakasone, director of the National Security Agency and commander of U.S. Cyber Command, cited influence operations as the next possible great disruptor. Influence operations, he said, have a very low barrier to entry, enabling just about anybody to engage in them.

“We’ve seen it now in our democratic processes,” Nakasone said. “I think we’re going to see it in our diplomatic processes, we’re going to see it in warfare, and we’re going to see it in sowing civil distrust in different countries.”

Influence operations, he said, are all enabled by the proliferation of inexpensive technology that allows anybody with an agenda to get online.

“The great technology that’s enabling so much of what we’re doing is also that dual-edged sword that malicious cyber actors and others are being able to use to create doubt, or to be able to question authority, or to be able to … to spread messages that are far from true,” he said. “I think influence operations, just in general, will be for us one of the things that we’ll be dealing with not just every two or four years, but this is the competitive space that we’re going to be in as intelligence agencies and as our nation.”

Blogs to Follow:

Defense.gov (September 2020)  Technology Proliferation, Influence Ops May Be as Disruptive as COVID-19

VA Notifies Veterans of Compromised Personal Information


Hackers attempted to reroute medical payments from the VA, exposing information of 46,000 Veterans

The U.S. Department of Veterans Affairs (VA) Office of Management today announced a data breach involving the personal information of approximately 46,000 Veterans and actions taken by the department to prevent and mitigate any potential harm to those individuals. 

The Financial Services Center (FSC) determined one of its online applications was accessed by unauthorized users to divert payments to community health care providers for the medical treatment of Veterans.

The FSC took the application offline and reported the breach to VA’s Privacy Office.

A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols.

To prevent any future improper access to and modification of information, system access will not be reenabled until a comprehensive security review is completed by the VA Office of Information Technology. 

To protect these Veterans, the FSC is alerting the affected individuals, including the next-of-kin of those who are deceased, of the potential risk to their personal information.

The department is also offering access to credit monitoring services, at no cost, to those whose social security numbers may have been compromised. 

Veterans whose information was involved are advised to follow the instructions in the letter to protect their data.

There is no action needed from Veterans if they did not receive an alert by mail, as their personal information was not involved in the incident. 

Veterans or Veteran next-of-kin who receive notification that their information is potentially at risk from this incident can direct specific questions to the FSC Customer Help Desk by emailing VAFSCVeteransSupport@va.gov or by writing to VA FSC Help Desk, Attn: Customer Engagement Center, P.O. Box 149971, Austin, TX 78714-9971.

Blogs to Follow:

VA.gov (September 2020)  VA notifies Veterans of compromised personal information

Trump Administration Launches First Cybersecurity Principles for Space Technologies


The Trump Administration announced the first comprehensive cybersecurity policy for systems used in outer space and near space on Friday.

Space Policy Directive-5 (SPD-5) makes clear the lead role the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have in enhancing the nation’s cyber defenses in space, notably on key systems used for global communications, navigation, weather monitoring, and other critical services.

“From establishing CISA in 2018 to today’s directive to protect American interests on the final frontier, President Trump is empowering the Department of Homeland Security to defend the nation against ever-evolving cyber threats,” said Acting Homeland Security Secretary Chad F. Wolf. “The security of the homeland depends upon the security of our space systems, interests, and freedom of action in space. The policy unveiled today is a critical step in establishing a baseline standard for cybersecurity as America leads in space and cyberspace alike.” 

Legacy space systems, networks, and channels may be vulnerable to malicious cyber activities that can deny, degrade, or disrupt space-systems operations or even destroy a satellite with potential cascading effects into critical infrastructure sectors. 

Building security and resilience into space systems is essential to maximizing their potential and supporting the American people, economy, and homeland security enterprise.

SPD-5 establishes the following key cybersecurity principles for space systems:

  • Space systems and their supporting infrastructure, including software, should be developed and operated using risk-based, cybersecurity-informed engineering;

  • Space system operators should develop or integrate cybersecurity plans for space systems that include capabilities to ensure operators or automated control center systems can retain or recover positive control of space vehicles, and verify the integrity, confidentiality, and availability of critical functions and the missions, services, and data they provide;

  • Space system cybersecurity requirements and regulations should leverage widely adopted best practices and norms of behavior;

  • Space system owners and operators should collaborate to promote the development of best practices and mitigations to the extent permitted by law and regulation; and

  • Space system security requirements should be designed to be effective while allowing space operators to manage appropriate risk tolerances and minimize undue burden to civil, commercial, and other non-government space system operators.

“The Department of Homeland Security looks forward to continuing to work with its partner agencies to implement these principles to help protect the American people,” Acting Secretary Wolf concluded.

For more information regarding the provisions, please visit: https://www.whitehouse.gov/wp-content/uploads/2020/09/2020SPD5.mem_.pdf

Blogs to Follow:

DHS.gov (September 2020)  Trump Administration Launches First Cybersecurity Principles for Space Technologies