PLUS: China’s Great Firewall springs a leak; FBI issues rare ‘Flash Alert’ of Salesforce attacks; $10m bounty for alleged Russian hacker; and more

Infosec In Brief 15 ransomware gangs, including Scattered Spider and Lapsus$, have announced that they are going dark, and say no more attacks will be carried out in their name.

In a post on Breachforums, the ransomware-slingers say they have met their objectives – exposing insecure systems, not extortion – and “silence will now be our strength.”

“If you worry about us, don’t … [we] will enjoy our golden parachutes with the millions the group accumulated. Others will keep on studying and improving systems you use in your daily lives. In silence.”

The groups carried out the recent attacks against Jaguar and Marks & Spencer amongst many others.

Several members of the hacking crew have already been arrested and the group said it will try to free them with “the use of our skills to humiliate those who have humiliated, predate those who have predated.”

The group says there may be further attacks attributed to them, but these were carried out before the retirement announcement.

Cybercrime gangs often try to evade law enforcement by abandoning their handles, then changing tactics and operating under new names. The Register suspects whoever runs these gangs will resume attacks soon.

Someone has leaked an enormous trove of firewall logs, source code, and internal messages from entities thought to be technology providers for China’s Great Firewall.

The 600GB trove appears to come from the servers of Geedge Networks and the Massive and Effective Stream Analysis team at China’s Academy of Science, organizations that critics accuse of providing similar technology to lock down Myanmar’s internet access.

Threat analyst group InterSecLab has gone through [PDF] over 100,000 of the leaked documents and found they detail efforts to conduct deep packet inspection, real-time mobile internet monitoring, instructions on how to carry out granular control over data traffic, and censorship rules tailored to different regions. InterSecLab also feels the data indicates Chinese authorities can locate netizens.

The outfit’s researchers also assert that Geedge’s contributions to the Great Firewall may be copies of security appliances made by vendors Greynoise and Fortinet.

“They also incorporate open-source code in ways that may violate licensing terms,” the report states, before suggesting “Geedge seems to be using these tactics for competitive advantage — to more rapidly offer a set of products that match the capabilities of leading competitors while also building resilience to sanctions.”

US authorities have posted a $10 million bounty for Volodymyr Tymoshchuk, the accused admin of the infamous LockerGoga, MegaCortex, and Nefilim ransomware attacks that operated between December 2018 and October 2021. The US Attorney’s Office had already indicted Tymoshchuk.

“Volodymyr Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world,” stated the Department of Justice’s acting assistant Attorney General Matthew Galeotti.

“In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored. This prosecution and today’s rewards announcement reflects our determination to protect businesses from digital sabotage and extortion and to relentlessly pursue the criminals responsible, no matter where they are located.”

The announcement follows a similar $10 million bounty for the arrest of three men accused of hacking US critical infrastructure systems and described as members of Russian intelligence services.

Bounties of this sort are almost always PR exercises, as the accused are based in Russia and arresting them is therefore impossible unless they do something very stupid like entering a country that has an extradition treaty with the USA.

Some people do get caught, however. Liridon Masurica, 33, a Kosovan national, has pleaded guilty to being the lead administrator of BlackDB.cc forum, that bought and sold online credentials and financial information. He was arrested in the Balkans and handed over to US prosecutors.

Aleksanteri Kivimäki is out of prison and plans to appeal his conviction for hacking a psychotherapy clinic in 2018 and sending extortion demands to over 20,000 patients, threatening to reveal their medical records unless they paid up.

Finland’s courts last year convicted Kivimäki of breaking into systems at the Psychotherapy Center Vastaamo Oy medical center and demanding patients pay him €200 ($235) apiece or he would reveal their most intimate records.

After his conviction Kivimäki announced he would fight the charges as, while he did evade taxes on earnings, that cash came from cryptocurrency transactions, not extortion.

If the appeal fails, Kivimäki faces six years and three months in prison. The hack caused a massive spike in crime reports in the normally law-abiding Finnish state and led to the CEO of Vastaamo getting a three-month suspended sentence for failing to protect clients’ data.

Kivimäki began his criminal career very young – he was just 15 when he was convicted of hacking 50,000 servers, carried out swatting attacks (where police are called to attend a fictional violent crime) against targets in the US, and claims to have been a key player in the Lizard Squad hacking team.

To round off the week on Friday the FBI issued [PDF] one of its Flash alerts [PDF] to deliver the bad news that two hacking groups are going after Salesforce customers using several different attack techniques.

The Feds identified the two groups as UNC6040 and UNC6395. The former is associated with the ShinyHunters criminal gang and the latter is claimed to be behind the Salesloft Drift intrusion that has hit “hundreds” of Google, Palo Alto Networks, and Cloudflare customers.

“Both groups have recently been observed targeting organizations’ Salesforce platforms via different initial access mechanisms,” the agency said. “The FBI is releasing this information to maximize awareness and provide IOCs that may be used by recipients for research and network defense.”

UNC6040 has conducted phishing attacks against Salesforce customers since October 2024, the FBI said, by targeting call centers to get access credentials by social engineering. After creating trial accounts on the CRM platform they would call support to get new credentials and multi-factor authentication access codes.

UNC6395, on the other hand, used purloined OAuth tokens to get access to the Salesloft Drift app, an AI bot from Salesforce, which locked down access to the bot on August 20 to stymie further attacks.

Flash warnings from the FBI are relatively uncommon, so you will do well to take this seriously. ®