Information Technology

Analysts with cybersecurity company Intezer have found that cybercriminals are now going after a new attack vector against Kubernetes clusters via misconfigured Argo Workflows instances.Intezer security researchers Ryan Robinson and Nicole Fishbein wrote a report detailing the attack, noting that they have already found infected nodes. The two said the attacks were concerning because there are hundreds of misconfigured deployments, and attackers have been detected dropping crypto-miners like the Kannix/ Monero-miner through this attack vector.”We have detected exposed instances of Argo Workflows that belong to companies from different sectors including technology, finance and logistics. Argo Workflows is an open-source, container-native workflow engine designed to run on K8s clusters. Argo Workflows instances with misconfigured permissions allow threat actors to run unauthorized code on the victim’s environment,” Robinson and Fishbein said. “Exposed instances can contain sensitive information such as code, credentials and private container image names. We also discovered that in many instances, permissions are configured, which allow any visiting user to deploy workflows. We also detected that threat actors are targeting some misconfigured nodes.”Some cyber-attackers have been able to take advantage of misconfigured permissions that give them access to an open Argo dashboard where they can submit their own workflow.The “Kannix/ Monero-miner,” according to the researchers, requires little skill to use, and the report notes that other security teams have discovered large-scale cryptocurrency mining attacks against Kubernetes clusters.”In Docker Hub, there are still a number of options for Monero mining that attackers can use. A simple search shows that there are at least 45 other containers with millions of downloads,” the study said. 

Fishbein and Robinson urge users to access the Argo Workflows dashboard from an unauthenticated incognito browser outside of corporate environments as a way to check if instances are misconfigured. Administrators can also query the API of an instance and check the status code. 

Yaniv Bar-Dayan, CEO of Vulcan Cyber, explained that the complexity and scale inherent to enterprise cloud deployments means that there will be breaches due to human error. “Misconfiguration is just one type of risk-inducing vulnerability, and cloud is just one attack vector that needs to be tracked and mitigated. If security teams can understand and prioritize risk created by cloud misconfigurations alongside IT infrastructure and application vulnerabilities, they have a shot at reducing risk and improving the security posture of business,” Bar-Dayan added. “Cloud security can no longer be someone else’s problem, and it is not enough to ask if cloud infrastructure by itself is secure. We must ask the same about our applications, traditional infrastructure and networks.”Coalfire managing principal Andrew Barratt noted that orchestration platforms are an interesting attack surface due to their ability to perform. Barratt said they could allow an adversary to perform very sophisticated lateral attacks entirely leveraging the scale of native cloud services. While he is not against using them, he said it is now important for them to be seen as a sophisticated attack platform with many capabilities and typically elevated privileges and the ability to build and deploy resources with an immediate cost associated. “These vulnerabilities have been around for a long time, and security teams are already aware of them to some degree, regardless of platform — be it virtualization, physical data centers or the public cloud and the many different service offerings,” said Michael Cade, a senior global technologist with Kasten.”This is not going to be the only vulnerability that is found within Kubernetes environments or wider operating systems.” More

Microsoft is warning customers about the LemonDuck crypto mining malware which is targeting both Windows and Linux systems and is spreading via phishing emails, exploits, USB devices, and brute force attacks, as well as attacks targeting critical on-premise Exchange Server vulnerabilities uncovered in March. 

ZDNet Recommends

Also: The 25 most dangerous software vulnerabilities to watch out forThe group was discovered to be using Exchange bugs to mine for cryptocurrency in May, two years after it first emerged.         Notably, the group behind LemonDuck is taking advantage of high-profile security bugs by exploiting older vulnerabilities during periods where security teams are focussed on patching critical flaws, and even removing rival malware.  “[LemonDuck] continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise,” the Microsoft 365 Defender Threat Intelligence Team note.  “Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.” Cisco’s Talos malware researchers have been scoping out the group’s Exchange activities too. It found LemonDuck was using automated tools to scan, detect, and exploit servers before loading payloads such as the Cobalt Strike pen-testing kit — a favored tool for lateraled movement — and web shells, allowing malware to install additional modules. 

According to Microsoft, LemonDuck initially hit China heavily, but it has now expanded to the US, Russia, Germany, the UK, India, Korea, Canada, France, and Vietnam. It focuses on the manufacturing and IoT sectors. This year, the group ramped up hands-on-keyboard or manual hacking after an initial breach. The group is selective with its targets.  It also crafted automated tasks to exploit the Eternal Blue SMB exploit from the NSA that was leaked by Kremlin-backed hackers and used in the 2017 WannCry ransomware attack. “The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemondDuck campaigns today,” Microsoft’s security team notes.  LemonDuck got its name from the variable “Lemon_Duck” in a PowerShell script that’s acts as the user agent to track infected devices.  The vulnerabilities it targets for initial compromise include CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon). “Once inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts,” Microsoft notes.  More

GitHub has announced a slew of supply chain security upgrades for modules based on the Go programming language. 

On July 22, GitHub staff product manager William Bartholomew said in a blog post that Go — also known as Golang — is now firmly entrenched in the top 15 programming languages on the platform, and as the most popular host for Go modules, GitHub wants to help the community “discover, report, and prevent security vulnerabilities.” Introduced in 2019, Go modules were designed to improve dependency management. According to the Go Developer Survey 2020, 76% of respondents said that Go is now used in some form in the enterprise.  In addition, Go modules adoption is increasing, with 96% of those surveyed saying that these modules are used for package management — an increase of 7% from 2019 — and 87% of respondents reported that only Go modules are used for this purpose.  An overall trend in the survey appears to suggest the use of other package management tools is decreasing.  According to GitHub, there are four main areas of improvement for supply chain security now available for Go modules. The first is GitHub’s Advisory Database, an open source repository of vulnerability information which, at the time of writing, now contains over 150 Go advisories.  The database also allows developers to request CVE IDs for newly-discovered security issues. 

“This number is growing every day as we curate existing vulnerabilities and triage newly discovered ones,” Bartholomew commented.  In addition, GitHub has now provided its dependency graph, which can be used to monitor and analyze project dependencies via go.mod — as well as to alert users when vulnerable dependencies are detected.  GitHub has also included Dependabot in this update, which will send developers a notification when new vulnerabilities are discovered in Go modules. Automatic pull requests can be enabled to patch vulnerable Go modules and notification settings have been upgraded for fine-tuning.  Bartholomew says that when repositories are set to automatically generate pull requests for security updates, dependencies tend to patch up to 40% faster than those which do not.  Developers can check GitHub’s documentation for repository security here.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack on July 2, over the American Independence Day weekend. 

It appears that attackers have carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya’s VSA software against multiple managed service providers (MSP) — and their customers. Also: Kaseya issues patch for on-premise customers, SaaS rollout underwayAccording to Kaseya CEO Fred Voccola, less than 0.1% of the company’s customers were embroiled in the breach — but as their clientele includes MSPs, this means that smaller businesses have also been caught up in the incident.  Present estimates suggest that 800 to 1500 small to medium-sized companies may have experienced a ransomware compromise through their MSP.  The attack is reminiscent of the SolarWinds security fiasco, in which attackers managed to compromise the vendor’s software to push a malicious update to thousands of customers. However, we are yet to find out just how widespread Kaseya’s ransomware incident will prove to be.  Here is everything we know so far. ZDNet will update this primer as we learn more. 

What is Kaseya?

Kaseya’s international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries. Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform. The firm’s software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain. 

What happened?

On July 2 at 2:00 PM EDT, as previously reported by ZDNet, Kaseya CEO Fred Voccola announced “a potential attack against the VSA that has been limited to a small number of on-premise customers.”At the same time, out of an abundance of caution, Voccola urged clients to immediately shut down their VSA servers. “It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA,” the executive said. Customers were notified of the breach via email, phone, and online notices. As Kaseya’s Incident Response team investigated, the vendor also decided to proactively shut down its SaaS servers and pull its data centers offline. By July 4, the company had revised its thoughts on the severity of the incident, calling itself the “victim of a sophisticated cyberattack.” Cyber forensics experts from FireEye’s Mandiant team, alongside other security companies, have been pulled in to assist. “Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service,” Kaseya said, adding that more time is needed before its data centers are brought back online. Once the SaaS servers are operational, Kaseya will publish a schedule for distributing a security patch to on-prem clients. In a July 5 update, Kaseya said that a fix has been developed and would first be deployed to SaaS environments, once testing and validation checks are complete. “We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration,” the company said. “We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers.”

The ransomware attack, explained

The FBI described the incident succinctly: a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.”Huntress (1,2) has tracked 30 MSPs involved in the breach and believes with “high confidence” that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface. According to the cybersecurity firm, this allowed the attackers to circumvent authentication controls, gain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process. Kyle Hanslovan, CEO and co-founder of Huntress, told attendees of a webinar discussing the technical aspects of the attack on July 6 that the threat actors responsible were “crazy efficient.””There is no proof that the threat actors had any idea of how many businesses they targeted through VSA,” Hanslovan commented, adding that the incident seemed to be shaped more due to a “race against time.” “Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks,” Sophos noted. “As such, it has a high level of trust on customer devices. By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted.”The vendor has also provided an in-depth technical analysis of the attack. Security expert Kevin Beaumont said that ransomware was pushed via an automated, fake, and malicious software update using Kaseya VSA dubbed “Kaseya VSA Agent Hot-fix”.”This fake update is then deployed across the estate — including on MSP client customers’ systems — as it [is] a fake management agent update,” Beaumont commented. “This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya’s customers were still encrypted.”With a tip from RiskIQ, Huntress is also investigating an AWS IP address that may have been used as a launch point for the attack. On July 5, Kaseya released an overview of the attack, which began on July 2 with reports of ransomware deployment on endpoints. “In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure,” the company says.According to the firm, zero-day vulnerabilities were exploited by the attackers to trigger a bypass authentication and for code execution, allowing them to infect endpoints with ransomware. However, Kaseya emphasizes that there is no evidence of the VSA codebase being “maliciously modified”. Wietse Boonstra, a Dutch Institute for Vulnerability Disclosure (DIVD) researcher, previously identified a number of vulnerabilities, tracked as CVE-2021-30116, which were used in the ransomware attacks. They were reported under a Coordinated Vulnerability Disclosure pact.”Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” DIVD says. “Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. ” 

[embedded content]

Who has been impacted?

Over the weekend, Kaseya said that SaaS customers were “never at risk” and current estimates suggest that fewer than 40 on-prem clients worldwide have been affected. However, it should be noted that while a small number of Kaseya clients may have been directly infected, as MSPs, SMB customers further down the chain relying on these services could be impacted in their turn. According to reports, 800 Coop supermarket chain stores in Sweden had to temporarily close as they were unable to open their cash registers.Huntress said in a Reddit explainer that an estimated 1,000 companies have had servers and workstations encrypted. The vendor added that it is reasonable to suggest “thousands of small businesses” may have been impacted.”This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen,” commented Ross McKerchar, Sophos VP. “At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”On July 5, Kaseya revised previous estimates to “fewer than 60” customers, adding that “we understand the total impact thus far has been to fewer than 1,500 downstream businesses.”Now, on July 6, the estimate is between 50 direct customers, and between 800 and 1,500 businesses down the chain. When it comes to SaaS environments, Kaseya says, “We have not found evidence that any of our SaaS customers were compromised.”In a press release dated July 6, Kaseya has insisted that “while impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure.” The number of vulnerable Kaseya servers online, visible, and open to attackers dropped by 96% from roughly 1,500 on July 2 to 60 on July 8, according to Palo Alto Networks.

[embedded content]

Kaseya CEO Fred Voccola said that the attack, “for the very small number of people who have been breached, it totally sucks.” “We are two days after this event,” Voccola commented. “We have about 150 people that have probably slept a grand total of four hours in the last two days, literally, and that’ll continue until everything is as perfect as can be.” Less than 0.1% of the company’s customers experienced a breach. “Unfortunately, this happened, and it happens,” the executive added. “Doesn’t make it okay. It just means it’s the way the world we live in is today.”

What is ransomware?

Ransomware is a type of malware that specializes in the encryption of files and drives. In what has become one of the most severe and serious security problems modern businesses now face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations. Once a victim’s system or network has been encrypted, cyber criminals will place a ransom note on the system, demanding payment in return for a decryption key (which may, or may not, work). Today’s ransomware operators may be part of Ransomware-as-a-Service (RaaS), when they ‘subscribe’ to access and use a particular type of ransomware. Another emerging trend is double extortion, in which a victim will have their information stolen during a ransomware raid. If they refuse to pay up, they may then face the prospect of their data being sold or published online. Common and well-known ransomware families include REvil, Locky, WannaCry, Gandcrab, Cerber, NotPetya, Maze, and Darkside. Read on: What is ransomware? Everything you need to know about one of the biggest menaces on the webSee also:

Who is responsible?

Charlie Osborne | ZDNet

The cyberattack has been attributed to the REvil/Sodinikibi ransomware group, which has claimed responsibility on its Dark Web leak site, “Happy Blog.”In an update over the weekend, the operators, believed to have ties to Russia, claimed that more than “a million” systems have been infected. REvil has offered a decryption key, allegedly universal and, therefore, able to unlock all encrypted systems, for the ‘bargain’ price of $70 million in the bitcoin (BTC) cryptocurrency.REvil has been previously linked to ransomware attacks against companies, including JBS, Travelex, and Acer. 

What are the ransomware payment terms?

The ransomware note claims that files are “encrypted, and currently unavailable.” A file extension .csruj has reportedly been used. Operators are demanding payment in return for a decryption key and one ‘freebie’ file decryption is also on the table to prove the decryption key works. The operators add (spelling unchanged):”Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests. If you will not cooperate with our service –for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice – time is much more valuable than money.”Sophos malware analyst Mark Loman shared a screenshot on Twitter of a ransomware note planted on an infected endpoint demanding $44,999. John Hammond, senior security researcher at Huntress, told ZDNet that the company has already seen ransom demands of up to $5 million. Kevin Beaumont says that, unfortunately, he has observed victims “sadly negotiating” with the ransomware’s operators. Fabian Wosar, CTO of Emsisoft, has also explained in a Twitter thread why using a key obtained by a single organization paying up is unlikely to be a viable path for unlocking all victims. “REvil absolutely has the capability of decrypting only a single victim without these purchased decryption tools being applicable for other victims hit by the same campaign public key,” the security expert noted.CNBC reports that the universal ransom demand has been reduced to $50 million in private conversations. However, as of July 7, the public demand for $70 million on the threat group’s leak site remains unchanged.

What are the reactions so far?

At the time of the breach, Kaseya notified law enforcement and cybersecurity agencies, including the Federal Bureau of Investigation (FBI) and US Cybersecurity and Infrastructure Security Agency (CISA).The FBI and CISA have released a joint statement on the security incident and are urging customers to run a tool provided by Kaseya to determine the risk of exploit, and to both enable and enforce multi-factor authentication (MFA) on enterprise accounts, wherever possible.Kaseya has been holding meetings with the FBI and CISA “to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers.”The White House is asking organizations to inform the Internet Crime Complaint Center (IC3) if they suspect they have been compromised.On Saturday, US President Biden said he has directed federal intelligence agencies to investigate. “Targeting [an] MSP platform (that is managing many customers at once) was very well thought and planned,” Amit Bareket, CEO of Perimeter 81, told ZDNet. “What’s unique is that hackers are becoming more strategic and targeting platforms that will filtrate down to many companies with one shot. RMMs [remote monitoring and management] are basically keys to many many companies, which amount to the kingdom for bad actors.”The White House has attempted to strengthen its stance on cybercrime in light of this attack, warning Russian President Vladimir Putin that unless he deals with the problem in his own backyard, “we will take action or reserve the right to take action on our own.” 

Are there any recovery plans?

As of July 4, Kaseya says the company has now moved on from a root cause analysis of the attack to recovery and patch plans, consisting of:Communication of our phased recovery plan with SaaS first followed by on-premises customers.  Kaseya will be publishing a summary of the attack and what we have done to mitigate it.   Some lightly-used legacy VSA functionality will be removed as part of this release out of an abundance of caution. A specific list of the functionality and its impact on VSA capabilities will be outlined in the release notes.  There will be new security measures implemented including enhanced security monitoring of our SaaS servers by FireEye and enablement of enhanced WAF capabilities. We have successfully completed an external Vulnerability Scan, checked our SaaS Databases for Indicators of Compromise, and have had external security experts review our code to ensure a successful service restart.Data centers starting with the EU will be restored, followed by the UK, APAC, and then North American systems.  By late evening on July 5, Kaseya said a patch has been developed and it is the firm’s intention to bring back VSA with “staged functionality” to hasten the process. The company explained: The first release will prevent access to functionality used by a very small fraction of our user base, including: Classic Ticketing Classic Remote Control (not LiveConnect). User Portal Kaseya has now published an updated timeline for its restoration efforts, starting with the relaunch of SaaS servers, now set for July 6, 4:00 PM EDT and 7:00 PM EDT. Configuration changes to improve security will follow, including an on-premise patch, expected to land in 24 hours, or less, from the time SaaS servers come back online. “We are focused on shrinking this time frame to the minimal possible — but if there are any issues found during the spin-up of SaaS, we want to fix them before bringing our on-premises customers up,” the firm says. Additional security improvements include the creation of 24/7 SOCs for VSA, as well as a complimentary CDN with a web application firewall (WAF) for every VSA. Update July 7: The timeline has not been met. Kaseya said that “an issue was discovered that has blocked the release” of the VSA SaaS rollout. “We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service,” Kaseya commented.In a service update, the vendor said it has been unable to resolve the problem.”The R&D and operations teams worked through the night and will continue to work until we have unblocked the release,” Kaseya added.July 7, 12 pm EDT: Kaseya hopes to resolve the SaaS systems rollout no later than the evening of Thursday, July 8. A playbook is currently being written up, due to be published today, which will provide guidelines for impacted businesses to deploy the upcoming on-prem VSA patch.

Current recovery status

As of July 8, Kaseya has published two run books, “VSA SaaS Startup Guide,” and “On Premises VSA Startup Readiness Guide,” to assist clients in preparing for a return to service and patch deployment. Recovery, however, is taking longer than initially expected. “We are in the process of resetting the timelines for VSA SaaS and VSA On-Premises deployment,” the company says. “We apologize for the delay and changes to the plans as we work through this fluid situation.”In a second video message recorded by the firm’s CEO, Voccola said:”The fact we had to take down VSA is very disappointing to me, it’s very disappointing to me personally. I feel like I’ve let this community down. I let my company down, our company let you down. [..] This is not BS, this is the reality.”The new release time for VSA is Sunday, in the afternoon, Eastern Time, in order to also harden the software and bolster its security ahead of deployment. July 12: Kaseya has now released a patch and is working with on-prem customers to deploy the security fix. Now, 100% of all SaaS customers are live, according to the company.”Our support teams continue to work with VSA on-premises customers who have requested assistance with the patch,” Kaseya added.

What can customers do?

Kaseya has released a tool, including Indicators of Compromise (IoC), which can be downloaded via Box. There are two PowerShell scripts for use: one on a VSA server, and the other has been designed for endpoint scanning. The self-assessment scripts should be used in offline mode. They were updated on July 5 to also scan for data encryption and REvil’s ransom note.However, the scripts are only for potential exploit risk detection and are not security fixes. Kaseya will release patches as quickly as it can, but in the meantime, customers simply have to wait until Sunday. Kaseya intends to bring customers back online on July 11, at 4 PM EDT. “All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,” the firm said. “A patch will be required to be installed prior to restarting the VSA.”Cado Security has provided a GitHub repository for responders, including malware samples, IoCs, and Yara Rules. Truesec CSIRT has also released a script on GitHub to identify and mitigate damage on infected systems. Kaseya has also warned that scammers are trying to take advantage of the situation. “Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments.Do not click on any links or download any attachments claiming to be a Kaseya advisory.”

Are REvil still active?

After Biden made his stance clear to Putin on ransomware gangs, the REvil ransomware group’s leak site was seized and taken down by law enforcement. The takedown included REvil’s payment site, public domain, helpdesk chat platform, and the negotiation portal. While the intention was to secure some form of control over the group, it should be noted that ransomware operators often close down sites, rebrand, and regroup. A side effect of the takedown is that the removal of negotiation and the possibility of purchasing a decryption key have left victims with unrecoverable systems. One victim who paid up for a decryption key — which ended up not working — is now out of pocket and unable to secure assistance from the cybercriminals. 

A decryption key?

On July 22, Kaseya said that the company has managed to secure a decryption key. Obtained by a “third-party,” the decryption key has been tested successfully in victim environments — and the suggestion is that the decryption key may be universal. The company is working with Emsisoft to reach customers still suffering due to locked systems and in need of a decryption key. “We remain committed to ensuring the highest levels of safety for our customers and will continue to update here as more details become available,” Kaseya said. “Customers who have been impacted by the ransomware will be contacted by Kaseya representatives.”

Kaseya attack More

American software firm Kaseya has access to the universal decryption key for the REvil ransomware that targeted its managed service provider customers.   The company announced its access to the decryption tool on Thursday, some 20 days after the ransomware attack took place on July 2 

ZDNet Recommends

The best cyber insurance

The cyber insurance industry is likely to go mainstream and is a simple cost of doing business. Here are a few options to consider.

Read More

The attack affected 60 of its customers directly and as many as 1500 of its customers downstream. Swedish supermarket chain Coop’s cash registers were down for almost a week due to the attack. The company’s cash registers nationwide were infected via a tainted software update of Kaseya’s product, VSA, which distributes software and security updates to endpoints. Schools in New Zealand using Kaseya software were also affected. SEE: Network security policy (TechRepublic Premium)According to Kaseya, New Zealand-based security firm Emsisoft has confirmed the decryption tool does unlock files encrypted with REvil. “We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” Kaseya said in a statement. “Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.” 

Last week, an unnamed customer claimed to have paid a ransom to the REvil gang but was unable to decrypt encrypted files with the decryption key provided. REvil sold its ransomware as a service to third-party criminal gangs.     The REvil gang’s websites went dark last week after US President Joe Biden pressed Russian President Vladimir Putin to clamp down on cybercriminals based in Russia that were targeting US firms.  Biden reportedly told Putin that critical infrastructure should be off-limits after a separate ransomware attack from the group DarkSide knocked US east coast fuel distributor Colonial Pipeline offline. 

ZDNet Recommends

The best cyber insurance

The cyber insurance industry is likely to go mainstream and is a simple cost of doing business. Here are a few options to consider.

Read More

Some security experts believe the attack on Colonial elevated Russian-based ransomware to diplomatic discussions and prompted REvil to suspend its operations. See: Ransomware: Now gangs are using virtual machines to disguise their attacksCoop rolled out a mobile payment system to allow customers to pay for goods while replacing encrypted cash registers on July 8. The mobile payment system was rolled out to 300 stores across Sweden, allowing it to continue in-store trade. It also worked with charities to distribute perishable items while its cash registers were down to minimize waste. It’s not clear whether Kaseya paid the ransom demand of $70 million. A Kaseya spokesperson told The Guardian that it acquired the decryption key from a “trusted third party”. While some of Kaseya’s downstream customers have remediated affected systems, some customers’ endpoints have remained offline and could restore systems with the decryption key.  More

Health Minister Greg Hunt launching the COVIDSafe app on 26 April 2020.
Image: Getty Images
The Digital Transformation Agency (DTA) has changed the way feedback is provided for the country’s COVIDSafe app, as the issue-plagued app moves to “business as usual” mode.As highlighted by software developer Geoffrey Huntley on Twitter, the DTA has disabled the ability to collaborate on GitHub. “This removes a huge wealth of information, history and discussion around decisions made, bugs that were fixed etc. @DTA surely this is a mistake?”But according to the DTA, it was not a mistake. “As part of the COVIDSafe app’s transition to ‘business as usual mode’, we have streamlined the channels for support and engagement with the community,” a spokesperson told ZDNet.”Feedback and support channels for the COVIDSafe app remain open via support@covidsafe.gov.au, we welcome input from the tech community. “The process for reporting security concerns remains unchanged and is published on GitHub.”

The reason for posting on GitHub was previously touted by the agency as enabling the tech community an opportunity to provide feedback.See also: A Bluetooth revamp touted to fix Australia’s COVIDSafe app connectivity flawsAfter pinning the cost of keeping the COVIDSafe app running at AU$100,000 a month in March, former DTA CEO Randall Brugeaud in May almost halved the previous estimate.”I estimated AU$100,000 per month to host COVIDSafe at the last hearing, that has ended up at AU$75,094.98 per month. And we’ve made a number of performance improvements to the app over the last couple of months, which should see that sitting at about AU$60,000 per month from the first of July,” he said at the time.The total cost to build and operate the app as of May was AU$7,753,863.38, including GST. To the end of January, that figure was AU$6,745,322.31, which Brugeaud said comprised around AU$5,844,182.51 for the app’s development and AU$901,139.80 for hosting.Earlier this week, the Department of Health released freedom of information documents requested by the Canberra Times pertaining to the evaluation of the operation and effectiveness of COVIDSafe and the National COVIDSafe Datastore. The final report is meant to provide information on the app’s appropriateness, implementation, and efficiency.In May, the DTA said the app had picked up 567 close contacts not found through my manual contact tracing, a large increase on the previous number of 17 contacts, and that there had been 779 uploads to the National Data Store since inception last year.Whole paragraphs that discuss the effectiveness of the app in New South Wales, Queensland, and Victoria are missing from the report, however.The heavily redacted document does however provide the finding that the app touted by Prime Minister Scott Morrison as digital sunscreen was the “correct tool” to implement.”As our technology review indicates, based on the parameters of knowledge and capabilities at the time of app launch, it is believed that the COVIDSafe app was the correct tool to employ,” the report says. “Many of the international contact tracing apps, such as Singapore’s TraceTogether, utilised BLE to capture digital ‘handshakes’ between mobile devices.”As of 9pm AEST 22 July 2021, there were around 1,700 active cases of COVID-19 in Australia, with most of the country remaining under strict lockdown orders.MORE DIGITAL SUNSCREEN14 COVIDSafe enquiries to OAIC, but still no complaints or breachesThe agency’s second six-month report shows there have been no reports of breaches, no complaints made, and no investigations underway regarding the COVIDSafe app that Labor has referred to as a ‘turkey’.Australian Committee calls for independent review of COVIDSafe appIt said the AU$5.24 million app has significantly under-delivered on the Prime Minister’s promise that the app would enable an opening up of the economy in a COVID safe manner.Attorney-General urged to produce facts on US law enforcement access to COVIDSafeIn its second interim report, Australia’s COVID-19 committee argues misuse of public interest immunity claims from agencies, including by the Attorney-General’s Department which it has accused of failing to confirm whether a US law enforcement agency was barred from accessing data collected by COVIDSafe. More

Within the Asia Pacific, Australians are second most likely to fall victim to a tech support cyber scam, according to new findings from Microsoft. Leading the way is India which recorded 69% of people encountered a tech support scam.The 2021 Global Tech Scam Research report [PDF] showed that in the past 12 months, 68% of Australians encountered some form of tech support scam. While it was a two-point decrease from 2018, it was still higher than the global average which came in at 59%, five points lower than in 2018.Of those Australians who encountered a scam in 2021, 9% lost money as a result, a three percentage point increase on 2018, and slightly higher than the global average of 7%. The amount lost by those who continued interacting with such scammers was about AU$126 on average. According to the research, the slight drop in scam encounters in Australia between 2018 and 2021 was largely driven by a decrease in pop-up ads and website redirect scams that accounted for 39% and 34% of scam interactions in 2021 respectively. On the flipside, unsolicited calls and unsolicited emails received by Australian customers increased to 46% and 41% respectively in 2021. When breaking down the type of scams and interaction by generation, Australian boomers, those who are aged 54-plus, were the most susceptible to unsolicited calls at 55%. Meanwhile, for millennials, aged 24-37, just under half fell for an unsolicited email.  Australian consumers continued to be distrustful of unsolicited contact, the survey indicated, noting of those surveyed in 2021, 88% thought that it was very or somewhat unlikely a company would contact them via an unsolicited call, pop-up, text message, ad, or email.

“Tech support scams are perpetrated globally and target people of all ages. The survey findings reveal that Australians are experiencing higher-than-average tech support scam encounters when compared globally, showing that consumers need to understand how these scammers work to better enable them to protect themselves from scams,” Microsoft Asia digital crimes unit regional lead assistant general counsel Mary Jo Schrade said. “Tactics used by fraudsters to victimise users online have evolved over time, from pure cold calling to more sophisticated ploys, such as fake ‘pop-ups’ displayed on people’s computers.”The report also showed that between 2018 and 2021, India recorded the biggest jump globally when it came to the number of people who lost money consistently. In 2018, it was 14% and this skyrocketed to 31% in 2021.This correlated closely with India, alongside Singapore, experiencing the largest jump in phone scams globally between the three-year period. India saw it increase by eight percentage points to 31%, while Singapore more than doubled to 34%. Despite these increases, Australia still experienced the most unsolicited calls globally in 2021 at 46%. Within the Asia Pacific, tech support scams that targeted Japan remained low at 29%, a decrease from the 36% in 2018. Of those scams that did occur, 24% were ignored. But where there was interaction, Gen Z, aged 18-23, was the generation that was most likely to engage with a scam that came from a pop-up ad or window. “Tech support scams will remain an industry-wide challenge until sufficient people are educated about these scams and can avoid them,” Schrade said. “The best way consumers in Australia and Asia Pacific can protect themselves is to learn about how these scammers are targeting people, be suspicious of any unsolicited contact from purported tech company employees and avoid letting people they do not know remotely access their computers.”Other findings from the report included those who lost money to scams engaged more in risky activities, such as using torrent sites, downloading music and videos, and sharing email addresses in exchange for content. These same people also displayed overconfidence in their computer literacy. At the same time, consumer protection agencies and government regulators are seen to have the biggest responsibility to protect consumers against scams. Related Coverage More

Image: Getty Images
The Office of the Australian Information Commissioner (OAIC) has handed down its determination that Uber interfered with the privacy of over 1 million Australians in 2016.Australia’s Information Commissioner and Privacy Commissioner Angelene Falk on Friday said US-based Uber Technologies Inc and Dutch-based Uber B.V. failed to appropriately protect the personal data of an estimated 1.2 million Australian customers and drivers, when it was accessed from a breach in October and November 2016.It came to light in late 2017 that hackers had stolen data pertaining to 57 million Uber riders worldwide, as well data on more than 600,000 drivers. Instead of notifying those impacted, Uber concealed the breach for more than a year and paid a hacker to keep it under wraps.While Uber required the attackers to destroy the data and there was no evidence of further misuse, OAIC said its investigation focused on whether Uber had preventative measures in place to protect Australians’ data.Reach the full story here: Former Uber CSO charged for 2016 hack cover-upFalk found the Uber companies breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorised access and to destroy or de-identify the data as required. The tech giant also failed to take reasonable steps to implement practices, procedures, and systems to ensure compliance with the Australian Privacy Principles (APP), she said.

“Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability,” the determination says. “Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017.”APP 11.1 requires companies to take reasonable steps to protect personal information against unauthorised access, while APP 11.2 requires reasonable steps to be taken to delete or de-identify personal information that is no longer needed for a permitted purpose. Also breached, the OAIC found, was APP 1.2, which requires companies to take reasonable steps to implement practices, procedures, and systems relating to the entity’s functions or activities, to ensure compliance with the APPs.In her determination, Falk said the Uber companies must not repeat those acts and practices.She has also requested that Uber prepare, within three months, a data retention and destruction policy that will, when implemented, enable and ensure compliance by the Uber companies with APP 11.2.Falk has also asked Uber to establish an information security program and appoint an individual to run its helm. The program must identify risks related to the security or integrity of personal information of Australian users collected and/or held by the Uber companies that could result in misuse, interference, or loss, or unauthorised access, modification, or disclosure of this information. It must also include refresher training for staff and boast rigid safeguards.The privacy commissioner also wants an incident response plan implemented by the company, which includes a clear explanation of what constitutes a data breach.Falk said the matter raised complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group.In this case, Australians’ personal information had been directly transferred to servers in the United States under an outsourcing arrangement, and the US-based company argued it was not subject to the Privacy Act.”Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group,” she added.To that end, her determination also included a request for an independent assessment of Uber’s adherence to the Australian Privacy Act.The commissioner has also ordered the Uber companies to appoint an independent expert to review and report on these policies and programs and their implementation, submit the reports to the OAIC, and make any necessary changes recommended in the reports.Uber in September 2018 agreed to pay $148 million in a US settlement over the incident, and a few months later was fined over £900,000 by UK and Dutch watchdogs in relation to the 2016 data breach.Two men pleaded guilty in October 2019 to the hack and Uber’s former chief security officer was charged in August 2020 by US authorities over the cover-up.In response to the OAIC’s determination, an Uber spokesperson told ZDNet it welcomed the resolution to the incident.”We learn from our mistakes and reiterate our commitment to continue to earn the trust of users,” they said. “We have made a number of technical improvements to the security of our systems, including obtaining ISO 27001 certification of our core rides business information systems and updating internal security policies, as well as making significant changes in leadership, since this incident in 2016. “We are confident that these changes in security and governance will address the determination made by the OAIC, and will work with a third-party assessor to implement any further changes required.”Updated 4:10pm AEST Friday 23 July 2021: Added statement from Uber spokesperson.MORE FROM UBER More