More stories

  • Microsoft acquires cybersecurity company RiskIQ

    Cloud security company RiskIQ has been bought by Microsoft for $500 million, according to Bloomberg. RiskIQ said last year that its cybersecurity programs are used by 30% of the Fortune 500 and more than 6,000 organizations in total across the world, including the US Postal Service, BMW, Facebook and American Express.

    In a blog post, Microsoft cloud security vice president Eric Doerr said they were acquiring the company to help customers “build a more comprehensive view of the global threats to their businesses, better understand vulnerable internet-facing assets, and build world-class threat intelligence.”

    In the last year, Microsoft has purchased IoT security firms CyberX and ReFirm Labs to boost its cybersecurity offerings. Microsoft paid the $500 million in cash, Bloomberg reported. The tech giant has brought in more than $10 billion in revenue from security products over the last year.

    “As organizations pursue this digital transformation and embrace the concept of Zero Trust, their applications, infrastructure, and even IoT applications are increasingly running across multiple clouds and hybrid cloud environments,” Doerr said. “Effectively the internet is becoming their new network, and it’s increasingly critical to understand the full scope of their assets to reduce their attack surface. RiskIQ helps customers discover and assess the security of their entire enterprise attack surface—in the Microsoft cloud, AWS, other clouds, on-premises, and from their supply chain.”

    Doerr touted RiskIQ’s PassiveTotal community, which crowd-sources threat intelligence from around the globe.

    He said organizations can use RiskIQ threat intelligence “to gain context into the source of attacks, tools and systems, and indicators of compromise to detect and neutralize attacks quickly.”

    “The combination of RiskIQ’s attack surface management and threat intelligence empowers security teams to assemble, graph, and identify connections between their digital attack surface and attacker infrastructure and activities to help provide increased protection and faster response,” Doerr explained.

    RiskIQ co-founder and CEO Elias Manousos said RiskIQ’s Attack Surface and Threat Intelligence solutions will be added to the Microsoft Security portfolio, which includes Microsoft 365 Defender, Microsoft Azure Defender, and Microsoft Azure Sentinel.

    In his own blog post, Manousos said that the company works with “hundreds of the Global 2,000” and that their “community has grown to more than 100,000 security professionals.”

    “We’ll continue to support, nurture, and grow this community with Microsoft. We’ll also continue to grow and work with the valued members of our Interlock Partner Program. We’re joining Microsoft to extend and accelerate our reach and impact and are more committed than ever to executing our mission,” Manousos said. “We’ll work closely with our customers as we integrate RiskIQ’s complementary data and solutions with Microsoft’s Security portfolio to enable best-in-class solution attack surface visibility, threat detection, and response.”

    RiskIQ raised $83 million from Battery Ventures, Georgian, Summit Partners, MassMutual Ventures, National Grid Partners and Akkadian Ventures in capital funding before the Microsoft acquisition, according to Crunchbase.

  • Gmail announces support for email logo authentication effort

    You may now see brand logos in your Gmail inbox thanks to a new agreement between Google and the AuthIndicators Working Group, which created Brand Indicators for Message Identification (BIMI).

    The developers of BIMI describe it as an “email specification that enables the use of brand-controlled logos within supporting email clients.” BIMI is meant to leverage the work an organization puts into deploying DMARC protection by bringing brand logos to a customer’s inbox, according to the developers behind the project. The group is made up of a committee of companies working to add more authentication to inboxes as a way to offer more security to users. Google, Mailchimp, Fastmail, Proofpoint, Twilio SendGrid, Validity, Valimail, and Verizon Media are some of the companies working on developing BIMI.

    Valimail chief product officer Seth Blank, chair of the AuthIndicators Working Group, said Valimail employees are responsible for founding, naming and resourcing the BIMI standard. “We’ve been an avid supporter of BIMI since Valimail’s founding in 2015. With a goal to improve the ecosystem for everyone, BIMI enables brands to deliver their logos alongside email messages to billions of inboxes worldwide, increasing customer engagement with those messages and boosting brand trust,” Blank said. He went on to explain that in addition to the security benefits, BIMI allows companies and brands to customize their logos on email, newsletters, receipts and offers.

    BIMI was already available to Yahoo users and is now available to Gmail users, representing a massive expansion for the effort. BIMI will now be available to more than 2 billion inboxes through Gmail, AOL, Yahoo Mail and Fastmail. On top of offering companies a “secure, global framework in which inboxes display sender-designated logos for authenticated messages,” the effort is also meant to stop people from “spoofing” the logos of different enterprises. BIMI’s developers claim companies that use their system have seen a 10% average increase in engagement.

    Blank said many brands are now targeted by cybercriminals for spoofing and phishing, adding that BIMI was an “industry-wide effort to advance email authentication and help all brands protect themselves.” “It provides protection for users at scale and makes the email ecosystem better and safer for everyone,” Blank explained, adding that DMARC was an “essential safeguard” against most phishing attacks.

    “For the brand’s logo to be displayed, the email must pass DMARC authentication checks, ensuring that the organization’s domain has not been impersonated,” the tool’s creators explained. “By displaying the sending company’s logo next to an email, BIMI provides a visual cue to the recipient that the email has been authenticated and the sender is not spoofed.”

    The AuthIndicators Working Group said that for an enterprise’s logo to be eligible to be displayed in Gmail messages, companies need to get a BIMI certificate — which they called a Verified Mark Certificate (VMC) — that confirms their right to use the image. “While VMCs are currently tied to registered trademarks from select jurisdictions, future plans seek to expand access to include both additional jurisdictions and options for unregistered trademark logos,” the group said.

    Valimail also said it was partnering with certificate providers Entrust and DigiCert to create a “streamlined process for companies to enforce DMARC and earn a VMC, both essential steps for BIMI compliance.”

    “DigiCert’s partnership with Valimail simplifies BIMI compliance with VMCs and DMARC enforcement — a strategy designed to deliver more consistent, secure email for businesses and consumers,” said Dean Coclin, DigiCert’s senior director of business development. “We anticipate growing demand for digital certificates displaying verified logos in email and are developing scalable solutions to help companies be ready on day one.”
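The gating logic described above (logo shown only for a message that passes DMARC, from a domain at DMARC enforcement, with a VMC), as an added illustration that is not Google's, Valimail's or the working group's code. It assumes the public tag=value syntax of DMARC and BIMI assertion records; the domain, records and message verdicts are constructed.

```python
"""Illustrative BIMI logo-eligibility check (constructed example, not a vendor's code)."""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k2=v2' DNS TXT record into a dict keyed by lowercase tag name."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:  # skip empty fragments such as a trailing ';'
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_is_enforcing(dmarc_record: str) -> bool:
    """True when the DMARC policy is strong enough for BIMI.

    BIMI requires p=quarantine or p=reject, pct=100 (the default when the tag
    is absent) and a subdomain policy (sp) that is not 'none'.
    """
    tags = parse_tags(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        return False
    if tags.get("pct", "100") != "100":
        return False
    if tags.get("sp", "").lower() == "none":
        return False
    return True


@dataclass
class LogoDecision:
    show_logo: bool
    reason: str
    logo_url: Optional[str] = None
    evidence_url: Optional[str] = None


def bimi_logo_decision(dmarc_result: str, dmarc_record: str,
                       bimi_record: Optional[str],
                       require_vmc: bool = True) -> LogoDecision:
    """Apply the checks a receiving client performs before rendering a logo.

    dmarc_result: the DMARC verdict for this message ("pass" / "fail").
    dmarc_record: the sender domain's _dmarc TXT record.
    bimi_record:  the default._bimi TXT record, or None if none is published.
    require_vmc:  whether a Verified Mark Certificate location ('a=' tag) is
                  required in addition to the logo URL ('l=' tag), as Gmail does.
    """
    if dmarc_result.lower() != "pass":
        return LogoDecision(False, "message did not pass DMARC")
    if not dmarc_is_enforcing(dmarc_record):
        return LogoDecision(False, "DMARC policy is not at enforcement")
    if bimi_record is None:
        return LogoDecision(False, "no BIMI record published")

    tags = parse_tags(bimi_record)
    if tags.get("v", "").upper() != "BIMI1":
        return LogoDecision(False, "BIMI record has unexpected version tag")
    logo = tags.get("l", "")
    evidence = tags.get("a", "")
    if not logo:
        # An empty 'l=' tag is how a domain explicitly declines to publish a logo.
        return LogoDecision(False, "domain declined to publish a logo")
    if not logo.startswith("https://"):
        return LogoDecision(False, "logo URL must be served over HTTPS")
    if require_vmc and not evidence:
        return LogoDecision(False, "no Verified Mark Certificate location given")
    return LogoDecision(True, "eligible", logo, evidence or None)


# Constructed sample records for a fictitious domain (not real DNS data).
ENFORCING_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"
MONITOR_ONLY_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
BIMI_WITH_VMC = ("v=BIMI1; l=https://example.test/brand.svg; "
                 "a=https://example.test/brand-vmc.pem")
BIMI_NO_VMC = "v=BIMI1; l=https://example.test/brand.svg;"
BIMI_DECLINED = "v=BIMI1; l=; a=;"

if __name__ == "__main__":
    cases = {
        "authenticated, enforced, VMC": ("pass", ENFORCING_DMARC, BIMI_WITH_VMC),
        "DMARC failed": ("fail", ENFORCING_DMARC, BIMI_WITH_VMC),
        "DMARC p=none": ("pass", MONITOR_ONLY_DMARC, BIMI_WITH_VMC),
        "logo but no VMC": ("pass", ENFORCING_DMARC, BIMI_NO_VMC),
        "declined": ("pass", ENFORCING_DMARC, BIMI_DECLINED),
    }
    for label, args in cases.items():
        print(f"{label:30} -> {bimi_logo_decision(*args)}")
```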

  • Sertac Karaman named director of the Laboratory for Information and Decision Systems

    Sertac Karaman has been named director of the Laboratory for Information and Decision Systems (LIDS), MIT’s longest continuously running lab. Karaman, an associate professor in the Department of Aeronautics and Astronautics, began his appointment on July 1.

    “This is an extremely exciting time for LIDS, with the tremendous advances in automated decision-making systems and their deployment,” says Daniel Huttenlocher, dean of the MIT Schwarzman College of Computing and the Henry Ellis Warren Professor of Electrical Engineering and Computer Science. “I am delighted to have Sertac in this leadership role with the college, as he looks to build on the storied 80-year history of LIDS and in leading the lab to exciting new breakthroughs.”

    Karaman succeeds John Tsitsiklis, the Clarence J. LeBel Professor of Electrical Engineering. Tsitsiklis, who began his tenure as LIDS director in 2017, stepped down in December 2020 to take a sabbatical. Eytan Modiano, professor of aeronautics and astronautics and associate director of LIDS for the past several years, has been filling in as interim director.

    Karaman’s research interests lie in the broad area of embedded systems and mobile robotics. His recent research has focused on developing planning and control algorithms for autonomous vehicles and autonomy-enabled transportation systems. He has worked on driverless cars, unpiloted aerial vehicles, distributed aerial surveillance systems, air traffic control algorithms, certification and verification of control systems software, and many other research areas.

    In 2007, he was on MIT’s team that built a self-driving car and competed in the DARPA Urban Challenge. His experience with robotic platforms also includes developing an autonomous forklift and fully autonomous agile drones, and working with Willow Garage’s personal robot, PR2. In 2015, he co-founded Optimus Ride, an MIT spinoff company based in Boston that develops self-driving vehicle technologies to enable efficient, sustainable, and equitable mobility.

    Karaman studied mechanical engineering and computer engineering as an undergraduate. He earned his master’s in mechanical engineering and his PhD in electrical engineering and computer science from MIT in 2009 and 2012, respectively.

    LIDS was founded in 1940 under the name Servomechanism Lab. Today, LIDS is an interdepartmental research center committed to advancing research and education in the analytical information and decision sciences, specifically systems and control; communications and networks; and inference and statistical data processing. Members of the LIDS community share a common approach to solving problems and recognize the fundamental role that mathematics, physics, and computation play in their research.

  • Ransomware: How banks and credit unions can secure their data from attacks

    As ransomware attacks surge across various industries, how should banks and credit unions protect their data, their customers’ data, and their reputation? ZDNet caught up with Steve Bomberger, head of SEI IT Services, to learn more about how banks and credit unions can avoid ransomware attacks and why they should pay close attention to what’s going on in the ransomware world right now. Watch my conversation with Bomberger above, or read a few of the highlights below.

    Beth Mauder: Steve, what are some best practices to prevent falling victim to a ransomware attack?

    Steve Bomberger: I think it’s pretty obvious these days that we’re all living in a digital and connected world. So to your point, businesses of all shapes and sizes, all industries are being affected by ransomware and other malware attacks. If we think about cybersecurity, we’d like to think about it as not just a technology planning solution, but also how it should be in the context of your business operations and your business planning. So a lot of times we have a common question that’s brought to light, and it’s: is ransomware a technology-related issue? Is it a policy issue? Is it a process issue? Really, to us, we think about it as all of the above.

    Some of those best practices that you would put within those categorizations, to kind of go down a quick laundry list for you, Beth, are simple things like maintaining and exercising a simple cybersecurity incident response plan. I think we’re all very, very aware now of what’s going on in the industry, so it’s time for us to be prepared collectively, both in the public sector and the private sector. So maintaining a response plan is a critical start to that.

    Also, from a preparation perspective, kind of keeping backups of data offline and regularly testing those backup procedures as an organization is pretty critical to being able to rally after an event if it were to occur. Simple things like separating your network systems. So keeping your corporate environment separate from your operations or your production environment is a good way to isolate different segments within your business. Practicing good standards for remote desktop. So we’ve all experienced this remote environment and working from home, and that’s increased the surface area that we’re all dealing with from a cybersecurity perspective. So making sure that we are active with securing those connectivities to the best degree we can, using multi-factor authentication, are certainly critical elements as well.

    The other thing is vulnerability scanning. We’ve seen that through a recent event in the press. Doing regular scanning of your vulnerabilities and then timely patching of those vulnerabilities and making sure people and organizations are updating their software. Those are all things that are also critical. We know an attack vector is email phishing for ransomware. That’s the number one attack vector right now. So user education, good training can go a long way in combating this. Also, conducting regular exercises as an organization. So test the awareness of your users. Do third-party and regular phishing tests on your employees to see how they react and what their level of awareness is.

    A couple of other things are keeping a good asset inventory. So understanding not just what hardware you have, but also what software you have, and keeping a tidy record of that is going to allow you a better and more swift reaction too if there was an incident. Really, from a technology perspective, we talk a lot about being comprehensive in your approach to cybersecurity. So the concept of defense in depth, which we know is an industry term that’s been out there for a while, the concept of having a layered approach to cybersecurity is something that’s also very, very important. So this is a little bit of a defense that moves beyond just policy and procedure. So how do you position yourselves to be able to combat this as best as possible?

    Beth Mauder: Regulations are starting to increase surrounding ransomware. What type of pressure is that adding to an already very pressured field?

    Steve Bomberger: Yeah. Obviously, regulatory pressure can play a huge part in how we move forward with all this. Ransomware is not old, as we all know. It’s been around for 30 years, probably, but it’s really been monetized and kind of in our face in the last decade. More recently, we’ve seen, to your point, about the Colonial Pipeline. We’ve seen a lot of big press on this. So ransomware is not going away. I think in general, if we look at regulatory pressure, it may help reduce the volume and potential severity of attacks. But again, by no means is it going away.

    If we think about a couple of ways to look at it, if regulation or increased pressure allows organizations to follow standards or to feel more apt to follow standards and strengthen their security posture, that’s going to make it harder for malicious actors, obviously, to get the payoff that they’re looking for. On the other side, if malicious actors are held more accountable or if there’s a mechanism to hold them more accountable for their actions, that would clearly deter them to some degree. From a payment perspective, you look at kind of that hockey stick evolution of ransomware, and it really ramped up when digital payments became simpler. So being anonymous with how you receive your payments certainly has eased the benefit for malicious actors. So if you can take all of those things and kind of put the pressure on certain elements of those, maybe you can help reduce that volume of it.

    I don’t want to minimize the severity and the importance of this topic, but I sort of think about it from a simple analogy. If you can walk into a convenience store and steal a candy bar easily and walk out of the store and not have any repercussions, you’re most likely or probable to steal that candy bar again. However, if you add in a defense system, if you add in a security camera, if you put the candy bar sitting right in front of where the clerk is, that’s going to deter you to some degree. So collectively, we talk internally here about a rising tide, the old quote, a rising tide lifts all boats. If we can collectively make it harder for these malicious actors, whether it’s through regulation or through better standards ourselves, if we can make it harder, then make the payout more difficult, we’re all collectively going to make it a better spot for us.

    Beth Mauder: What happens if banks specifically fall victim to ransomware?

    Steve Bomberger: Yeah. Obviously, banks and credit unions and any other organization that has confidential, very proprietary information on clients and deals with financial transactions are going to be a heavily targeted group. I think you see that in a lot of statistics and data that are out there today. Specifically to banks, they’re going to have to deal with it like most other organizations are going to. Obviously with the added pressure of regulation and communicating through those regulations effectively what has transpired and what’s at a loss from a client perspective or a business perspective. I mean, I think if we talk about best practices and we talk about financial institutions, whether they’re banks or credit unions, being prepared for this, you kind of go back to that incident response plan. Having that plan in place is critical.

    If you walk through the steps of what that looks like, it’s going to vary from organization to organization. But the process that an organization goes through is you’ve got to identify what was impacted by the attack and try to isolate that environment as fast as you can. Time to do that obviously is critical in how effectively that potential virus or malware can spread laterally through the organization. So identifying that early, as soon as possible, is critical. Then you have to triage. You have to look at what’s been affected, what systems are affected, and then you have to prioritize that restoration and the recovery of that. Next, you analyze as an organization. Certainly, thankfully, banks are regulated and typically have teams, processes, and people around this, and they are able to analyze, work to understand kind of where this came from and what occurred.

    Once that’s going on, you then, this is a big part of what we see today, you have to communicate that. Depending on the appropriateness of what transpired in the communication, you have to work with internal and external stakeholders to get the word out as to what occurred. Moving from there, you start to think about getting up and running or dealing with getting back to business operations as they are. So recovering and assessing. How do you keep this from happening again? How do you share intelligence? Go back to the quote I had earlier: if we can all share intelligence and become smarter with what’s attacking us on a regular basis, especially not just within the private sector, but with the public sector, if we can collectively share information as a whole, financial institutions may get smarter because they have more data, more intelligence that can help prevent an attack in the future.

    I think the last thing that we shouldn’t be scared to talk about too is there’s a lot of resources out there now. I mean, this is a big topic with a lot of energy behind it, both in the public and private sector. So if an organization needs assistance, they shouldn’t be afraid to go ask for that. There are some free resources out there and there are also some very good private sector resources that can help an organization through something like that.

    Beth Mauder: Steve, any final thoughts, anything that you’d like to cover?

    Steve Bomberger: Yeah. I guess I would just say this is a topic that we’re all heavily invested in across all of the world and within many organizations and sectors. I think the concept of looking at this collaboratively, we know that the malicious actors are collaborating and sharing tactics. So to the degree that we can share tactics and all get a little bit more intelligent with how we’re approaching this topic in combating ransomware and other cybersecurity attacks, we’ll be better for it. We need to think about processes internally for organizations. We need to think about people and teams, and we need to think about the technology that we use and how those all work together outside of just the policy to make sure we’re doing everything we can to make it hard on these malicious actors.

  • Crypto Dictionary, book review: A useful A-Z of cryptography definitions

    Crypto Dictionary: 500 Tasty Tidbits for the Curious Cryptographer • by Jean-Philippe Aumasson • No Starch/Penguin Random House • 160 pages • ISBN: 9781718501409 • £20.99 / $24.99

    Cryptography might be the most important thing that you use every day — from e-commerce to messaging apps to retrieving your email to getting money out of an ATM to satellite TV — without knowing. It’s a complex and important field that isn’t usually amusing or accessible.

    Jean-Philippe Aumasson’s Serious Cryptography is a classic (and serious) introduction to the field. Arranged as alphabetical dictionary definitions with occasional supplementary details, his Crypto Dictionary: 500 Tasty Tidbits for the Curious Cryptographer is a rather less serious, but surprisingly comprehensive, collection of nuggets of information about cryptography that will make you smile, and occasionally scratch your head.

    Sometimes the writing is pithy: Base64 is simply labelled “not encryption”, while the fundamental cryptocurrency concept Proof of work is (accurately) defined as “cryptography’s contribution to environmental problems”. Sometimes it’s both pithy and helpful: as well as calling blockchain “both a blessing and a curse”, the book offers an even-handed discussion of the drawbacks and benefits of so much interest in the technology.

    Not all of the jokes are funny (or appropriate), with some being so cryptic that they will escape anyone who isn’t an expert (although it’s well worth researching why the author refers to Time AI as “the Fyre Festival of cryptography”). The author can’t resist the odd hobbyhorse that doesn’t contribute much, and you’ll need some mathematical knowledge and a passing acquaintance with cryptography basics to get the most out of the more technical definitions.

    But there are also plenty of genuinely useful entries with helpful explanations, from the basics of Diffie-Hellman encryption to Bruce Schneier’s famous warning signs for spotting cryptography systems that are more marketing hype than actual security. Crypto Dictionary covers standards, conferences, key websites, historical references and anecdotes — like the infamous banking representative asking for the fundamental principles of TLS 1.3 to be changed when the standard was all but decided — making it as much of a compendium as a dictionary.

    Crypto Dictionary won’t teach you how to do cryptography or how to judge if something is cryptographically sound. But if you want to look up a specific cryptography cipher, technique or protocol, know what rainbow tables are and how they help crack passwords, or read about the difference between quantum and post-quantum cryptography (the former being both post-quantum but also not part of the latter), then this book is an ideal starting point. It will also probably pique your interest in some other concept as you turn to the relevant page.


  • Here's how to opt out of Google Chrome's Privacy Sandbox (FLoC) trials

    Google may have delayed rolling out the Federated Learning of Cohorts (FLoC), the company’s alternative to the third-party cookie, but some Google Chrome users are finding themselves part of a trial for FLoC under the name Privacy Sandbox. According to some (such as the EFF, for example), this new feature raises new privacy risks. Want to opt out of the trial? Here’s how.

    First, check whether you are running Chrome on Windows/Mac/Linux or on Android:

    On Windows/Mac/Linux, type chrome://settings/privacySandbox into the address bar and hit Enter.

    On Android, open the Google Chrome menu, then tap Settings > Privacy and security > Privacy Sandbox.

    There you’ll see a page about the Privacy Sandbox, along with a toggle (you might need to scroll down a bit). If you don’t see this setting, you’re not part of the trial.

    Flip the toggle to off, and you’re out of the trial.

    Note: This feature does not yet seem to be present in Google Chrome on iOS.

    Turning this feature off in one browser should disable it on all devices logged into the same Google Account.

    Google has more information about the Privacy Sandbox here.

  • Kaseya ransomware attack: What we know now

    Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack on July 2, over the American Independence Day weekend. 

    It appears that attackers have carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya’s VSA software against multiple managed service providers (MSPs) — and their customers.

    According to Kaseya CEO Fred Voccola, less than 0.1% of the company’s customers were embroiled in the breach — but as their clientele includes MSPs, this means that smaller businesses have also been caught up in the incident. Present estimates suggest that 800 to 1,500 small to medium-sized companies may have experienced a ransomware compromise through their MSP.

    The attack is reminiscent of the SolarWinds security fiasco, in which attackers managed to compromise the vendor’s software to push a malicious update to thousands of customers. However, we are yet to find out just how widespread Kaseya’s ransomware incident will prove to be.

    Here is everything we know so far. ZDNet will update this primer as we learn more.

    What is Kaseya?

    Kaseya’s international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries. Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform. The firm’s software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain. 

    What happened?

    On July 2 at 2:00 PM EDT, as previously reported by ZDNet, Kaseya CEO Fred Voccola announced “a potential attack against the VSA that has been limited to a small number of on-premise customers.”

    At the same time, out of an abundance of caution, Voccola urged clients to immediately shut down their VSA servers. “It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA,” the executive said.

    Customers were notified of the breach via email, phone, and online notices. As Kaseya’s Incident Response team investigated, the vendor also decided to proactively shut down its SaaS servers and pull its data centers offline.

    By July 4, the company had revised its assessment of the severity of the incident, calling itself the “victim of a sophisticated cyberattack.” Cyber forensics experts from FireEye’s Mandiant team, alongside other security companies, have been pulled in to assist.

    “Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service,” Kaseya said, adding that more time is needed before its data centers are brought back online. Once the SaaS servers are operational, Kaseya will publish a schedule for distributing a security patch to on-prem clients.

    In a July 5 update, Kaseya said that a fix had been developed and would first be deployed to SaaS environments once testing and validation checks were complete. “We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration,” the company said. “We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers.”

    The ransomware attack, explained

    The FBI described the incident succinctly: a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.”

    Huntress has tracked 30 MSPs involved in the breach and believes with “high confidence” that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface. According to the cybersecurity firm, this allowed the attackers to circumvent authentication controls, gain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process.

    Kyle Hanslovan, CEO and co-founder of Huntress, told attendees of a July 6 webinar discussing the technical aspects of the attack that the threat actors responsible were “crazy efficient.”

    “There is no proof that the threat actors had any idea of how many businesses they targeted through VSA,” Hanslovan commented, adding that the incident seemed to be shaped more by a “race against time.”

    “Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks,” Sophos noted. “As such, it has a high level of trust on customer devices. By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted.” Sophos has also provided an in-depth technical analysis of the attack.

    Security expert Kevin Beaumont said that ransomware was pushed via an automated, fake, and malicious software update using Kaseya VSA dubbed “Kaseya VSA Agent Hot-fix”. “This fake update is then deployed across the estate — including on MSP client customers’ systems — as it [is] a fake management agent update,” Beaumont commented. “This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya’s customers were still encrypted.”

    With a tip from RiskIQ, Huntress is also investigating an AWS IP address that may have been used as a launch point for the attack.

    On July 5, Kaseya released an overview of the attack, which began on July 2 with reports of ransomware deployment on endpoints. “In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure,” the company says.

    According to the firm, zero-day vulnerabilities were exploited by the attackers to bypass authentication and achieve code execution, allowing them to infect endpoints with ransomware. However, Kaseya emphasizes that there is no evidence of the VSA codebase being “maliciously modified”.

    Wietse Boonstra, a Dutch Institute for Vulnerability Disclosure (DIVD) researcher, had previously identified a number of vulnerabilities, tracked as CVE-2021-30116, which were used in the ransomware attacks. They were reported under a Coordinated Vulnerability Disclosure pact.

    “Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” DIVD says. “Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched.”

    Who has been impacted?

    Over the weekend, Kaseya said that SaaS customers were “never at risk” and current estimates suggest that fewer than 40 on-prem clients worldwide have been affected. However, it should be noted that while a small number of Kaseya clients may have been directly infected, those clients are MSPs, so the SMB customers further down the chain that rely on their services could be impacted in turn. According to reports, 800 Coop supermarket chain stores in Sweden had to temporarily close as they were unable to open their cash registers.

    Huntress said in a Reddit explainer that an estimated 1,000 companies have had servers and workstations encrypted. The vendor added that it is reasonable to suggest “thousands of small businesses” may have been impacted.

    “This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen,” commented Ross McKerchar, Sophos VP. “At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”

    On July 5, Kaseya revised previous estimates to “fewer than 60” customers, adding that “we understand the total impact thus far has been to fewer than 1,500 downstream businesses.”

    Now, on July 6, the estimate is approximately 50 direct customers, and between 800 and 1,500 businesses down the chain. When it comes to SaaS environments, Kaseya says, “We have not found evidence that any of our SaaS customers were compromised.”

    In a press release dated July 6, Kaseya insisted that “while impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure.”

    The number of vulnerable Kaseya servers online, visible, and open to attackers dropped by 96% from roughly 1,500 on July 2 to 60 on July 8, according to Palo Alto Networks.

    Kaseya CEO Fred Voccola said that the attack, “for the very small number of people who have been breached, it totally sucks.” “We are two days after this event,” Voccola commented. “We have about 150 people that have probably slept a grand total of four hours in the last two days, literally, and that’ll continue until everything is as perfect as can be.” Less than 0.1% of the company’s customers experienced a breach. “Unfortunately, this happened, and it happens,” the executive added. “Doesn’t make it okay. It just means it’s the way the world we live in is today.”

    What is ransomware?

    Ransomware is a type of malware that specializes in the encryption of files and drives. In what has become one of the most severe and serious security problems modern businesses now face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations. Once a victim’s system or network has been encrypted, cyber criminals will place a ransom note on the system, demanding payment in return for a decryption key (which may, or may not, work).

    Today’s ransomware operators may work under a Ransomware-as-a-Service (RaaS) model, in which they ‘subscribe’ to access and use a particular type of ransomware. Another emerging trend is double extortion, in which a victim will have their information stolen during a ransomware raid. If they refuse to pay up, they may then face the prospect of their data being sold or published online.

    Common and well-known ransomware families include REvil, Locky, WannaCry, Gandcrab, Cerber, NotPetya, Maze, and Darkside.

    Read on: What is ransomware? Everything you need to know about one of the biggest menaces on the web

    Who is responsible?

    Charlie Osborne | ZDNet

    The cyberattack has been attributed to the REvil/Sodinokibi ransomware group, which has claimed responsibility on its Dark Web leak site, “Happy Blog.”

    In an update over the weekend, the operators, believed to have ties to Russia, claimed that more than “a million” systems have been infected. REvil has offered a decryption key, allegedly universal and, therefore, able to unlock all encrypted systems, for the ‘bargain’ price of $70 million in the bitcoin (BTC) cryptocurrency.

    REvil has previously been linked to ransomware attacks against companies including JBS, Travelex, and Acer.

    What are the ransomware payment terms?

    The ransomware note claims that files are “encrypted, and currently unavailable.” A file extension .csruj has reportedly been used. Operators are demanding payment in return for a decryption key and one ‘freebie’ file decryption is also on the table to prove the decryption key works.

    The operators add (spelling unchanged):

    “Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests. If you will not cooperate with our service –for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice – time is much more valuable than money.”

    Sophos malware analyst Mark Loman shared a screenshot on Twitter of a ransomware note planted on an infected endpoint demanding $44,999. John Hammond, senior security researcher at Huntress, told ZDNet that the company has already seen ransom demands of up to $5 million.

    Kevin Beaumont says that, unfortunately, he has observed victims “sadly negotiating” with the ransomware’s operators.

    Fabian Wosar, CTO of Emsisoft, has also explained in a Twitter thread why using a key obtained by a single organization paying up is unlikely to be a viable path for unlocking all victims. “REvil absolutely has the capability of decrypting only a single victim without these purchased decryption tools being applicable for other victims hit by the same campaign public key,” the security expert noted.

    CNBC reports that the universal ransom demand has been reduced to $50 million in private conversations. However, as of July 7, the public demand for $70 million on the threat group’s leak site remains unchanged.

    What are the reactions so far?

    At the time of the breach, Kaseya notified law enforcement and cybersecurity agencies, including the Federal Bureau of Investigation (FBI) and US Cybersecurity and Infrastructure Security Agency (CISA).

    The FBI and CISA have released a joint statement on the security incident and are urging customers to run a tool provided by Kaseya to determine the risk of exploit, and to both enable and enforce multi-factor authentication (MFA) on enterprise accounts, wherever possible.

    Kaseya has been holding meetings with the FBI and CISA “to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers.”

    The White House is asking organizations to inform the Internet Crime Complaint Center (IC3) if they suspect they have been compromised. On Saturday, US President Biden said he has directed federal intelligence agencies to investigate.

    “Targeting [an] MSP platform (that is managing many customers at once) was very well thought and planned,” Amit Bareket, CEO of Perimeter 81, told ZDNet. “What’s unique is that hackers are becoming more strategic and targeting platforms that will filtrate down to many companies with one shot. RMMs [remote monitoring and management] are basically keys to many many companies, which amount to the kingdom for bad actors.”

    The White House has attempted to strengthen its stance on cybercrime in light of this attack, warning Russian President Vladimir Putin that unless he deals with the problem in his own backyard, “we will take action or reserve the right to take action on our own.”

    Are there any recovery plans?

    As of July 4, Kaseya says the company has now moved on from a root cause analysis of the attack to recovery and patch plans, consisting of:

    • Communication of our phased recovery plan with SaaS first followed by on-premises customers.
    • Kaseya will be publishing a summary of the attack and what we have done to mitigate it.
    • Some lightly-used legacy VSA functionality will be removed as part of this release out of an abundance of caution. A specific list of the functionality and its impact on VSA capabilities will be outlined in the release notes.
    • There will be new security measures implemented including enhanced security monitoring of our SaaS servers by FireEye and enablement of enhanced WAF capabilities.
    • We have successfully completed an external Vulnerability Scan, checked our SaaS Databases for Indicators of Compromise, and have had external security experts review our code to ensure a successful service restart.
    • Data centers starting with the EU will be restored, followed by the UK, APAC, and then North American systems.

    By late evening on July 5, Kaseya said a patch had been developed and that it is the firm’s intention to bring back VSA with “staged functionality” to hasten the process. The company explained that the first release will prevent access to functionality used by a very small fraction of its user base, including:

    • Classic Ticketing
    • Classic Remote Control (not LiveConnect)
    • User Portal

    Kaseya has now published an updated timeline for its restoration efforts, starting with the relaunch of SaaS servers, now set for July 6, between 4:00 PM EDT and 7:00 PM EDT. Configuration changes to improve security will follow, including an on-premises patch, expected to land in 24 hours, or less, from the time SaaS servers come back online. “We are focused on shrinking this time frame to the minimal possible — but if there are any issues found during the spin-up of SaaS, we want to fix them before bringing our on-premises customers up,” the firm says.

    Additional security improvements include the creation of 24/7 SOCs for VSA, as well as a complimentary CDN with a web application firewall (WAF) for every VSA.

    Update July 7: The timeline has not been met. Kaseya said that “an issue was discovered that has blocked the release” of the VSA SaaS rollout. “We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service,” Kaseya commented.

    In a service update, the vendor said it has been unable to resolve the problem. “The R&D and operations teams worked through the night and will continue to work until we have unblocked the release,” Kaseya added.

    July 7, 12 pm EDT: Kaseya hopes to resolve the SaaS systems rollout no later than the evening of Thursday, July 8. A playbook is currently being written up, due to be published today, which will provide guidelines for impacted businesses to deploy the upcoming on-prem VSA patch.

    Current recovery status

    As of July 8, Kaseya has published two run books, “VSA SaaS Startup Guide” and “On Premises VSA Startup Readiness Guide,” to assist clients in preparing for a return to service and patch deployment.

    Recovery, however, is taking longer than initially expected. “We are in the process of resetting the timelines for VSA SaaS and VSA On-Premises deployment,” the company says. “We apologize for the delay and changes to the plans as we work through this fluid situation.”

    In a second video message recorded by the firm’s CEO, Voccola said: “The fact we had to take down VSA is very disappointing to me, it’s very disappointing to me personally. I feel like I’ve let this community down. I let my company down, our company let you down. [..] This is not BS, this is the reality.”

    The new release time for VSA is Sunday, in the afternoon, Eastern Time, in order to also harden the software and bolster its security ahead of deployment.

    July 12: Kaseya has now released a patch and is working with on-prem customers to deploy the security fix. Now, 100% of all SaaS customers are live, according to the company. “Our support teams continue to work with VSA on-premises customers who have requested assistance with the patch,” Kaseya added.

    What can customers do?

    Kaseya has released a tool, including Indicators of Compromise (IoC), which can be downloaded via Box. There are two PowerShell scripts for use: one on a VSA server, and the other has been designed for endpoint scanning. The self-assessment scripts should be used in offline mode. They were updated on July 5 to also scan for data encryption and REvil’s ransom note.

    However, the scripts are only for potential exploit risk detection and are not security fixes. Kaseya will release patches as quickly as it can, but in the meantime, customers simply have to wait until Sunday. Kaseya intends to bring customers back online on July 11, at 4 PM EDT.

    “All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,” the firm said. “A patch will be required to be installed prior to restarting the VSA.”

    Cado Security has provided a GitHub repository for responders, including malware samples, IoCs, and YARA rules. Truesec CSIRT has also released a script on GitHub to identify and mitigate damage on infected systems.

    Kaseya has also warned that scammers are trying to take advantage of the situation. “Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments. Do not click on any links or download any attachments claiming to be a Kaseya advisory.”
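    As an added illustration of the kind of offline indicator sweep the self-assessment scripts perform, the Python below walks a directory tree for the .csruj extension and for the phrase quoted from the ransom note earlier in this article. It is constructed example code, not Kaseya's, Huntress's or Cado's tooling; the sample tree it builds and the note filename are made up for the demonstration.

```python
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field

# Indicators from the article: the extension appended to encrypted files and a
# phrase quoted from the ransom note. The rest is constructed illustration code.
ENCRYPTED_EXT = ".csruj"
NOTE_MARKER = b"encrypted, and currently unavailable"


@dataclass
class ScanResult:
    encrypted_by_dir: Counter = field(default_factory=Counter)  # dir -> count
    ransom_notes: list = field(default_factory=list)            # note paths
    @property
    def encrypted_total(self) -> int:
        return sum(self.encrypted_by_dir.values())

    def is_hit(self) -> bool:
        return self.encrypted_total > 0 or bool(self.ransom_notes)


def _looks_like_note(path: str, max_bytes: int = 64 * 1024) -> bool:
    """Read only small files: the note is a few KB of text, encrypted files are not."""
    try:
        if os.path.getsize(path) > max_bytes:
            return False
        with open(path, "rb") as fh:
            return NOTE_MARKER in fh.read().lower()
    except OSError:  # unreadable file: skip it rather than abort the scan
        return False


def scan_tree(root: str) -> ScanResult:
    """Walk root offline, tallying encrypted files per directory and any ransom notes."""
    result = ScanResult()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                result.encrypted_by_dir[dirpath] += 1
            elif _looks_like_note(path):
                result.ransom_notes.append(path)
    return result


def build_sample_tree() -> str:
    """Constructed sample: one clean directory, one with two encrypted files and a note."""
    root = tempfile.mkdtemp(prefix="csruj_triage_")
    clean, hit = os.path.join(root, "clean"), os.path.join(root, "hit")
    os.makedirs(clean)
    os.makedirs(hit)
    with open(os.path.join(clean, "report.docx"), "wb") as fh:
        fh.write(b"ordinary document content")
    for name in ("budget.xlsx.csruj", "plan.pdf.csruj"):
        with open(os.path.join(hit, name), "wb") as fh:
            fh.write(os.urandom(64))  # stands in for ciphertext
    # The note filename is a placeholder; only the quoted phrase comes from the article.
    with open(os.path.join(hit, "NOTE-PLACEHOLDER.txt"), "w") as fh:
        fh.write("Your files are encrypted, and currently unavailable.\n")
    return root
```

    A per-directory count rather than a flat file list is what a responder wants first: it shows which shares or endpoints were reached before the ransom note is even opened.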


    Has your iPhone been hacked? This app will let you know (and tell you what to do)

    The amount of data that we carry on our smartphones is incredible — everything from personal photos to health data to financial information to confidential business information. Using a compromised smartphone means that all that data, and more, is up for grabs. While the chances of an iPhone being hacked are low, they are not zero, and the more important data you have on it, the greater the chances are that someone will want it. Well, if you’re concerned, there’s an app for that. It’s called iVerify, and it’s available for both individuals and organizations. Must read: These three simple tips will keep your iPhone safe from hackers

    While I’m a huge fan of the in-depth protection guides contained in iVerify — these alone are worth the $2.99 price of the app — where this app really shines is in its ability to carry out device scans and not only spot signs of compromise, but also offer solid, step-by-step advice on what to do and how to remove the threat. Coming back to those protection guides: they are a mine of quality, regularly updated information on how to do all sorts of things, from securing your social media accounts to protecting your wireless data and protecting your iPhone from theft.

    The version that’s aimed at organizations allows for centralized admin controls that allow the easy onboarding of new devices, real-time security telemetry, as well as seeing who has — and hasn’t — been through the security guides! Enterprise protection starts at $3/user/month. I’m usually wary of “security” apps as most are little more than snake oil, but iVerify is one that offers real protection whether you’re a concerned individual or a company that wants peace of mind. I’ve been using this app for some time now, and I highly recommend it. The tutorials and guides alone are well worth the money and regularly updated, and the threat scanner is a nice extra. Worried that your Android device might be compromised? iVerify has a version for that platform that’s coming soon.