More stories

  • Crypto Dictionary, book review: A useful A-Z of cryptography definitions

    Crypto Dictionary: 500 Tasty Tidbits for the Curious Cryptographer • by Jean-Philippe Aumasson • No Starch / Penguin Random House • 160 pages • ISBN: 9781718501409 • £20.99 / $24.99

    Cryptography might be the most important thing that you use every day — from e-commerce to messaging apps to retrieving your email to getting money out of an ATM to satellite TV — without knowing. It’s a complex and important field that isn’t usually amusing or accessible.

    Jean-Philippe Aumasson’s Serious Cryptography is a classic (and serious) introduction to the field. Arranged as alphabetical dictionary definitions with occasional supplementary details, his Crypto Dictionary: 500 Tasty Tidbits for the Curious Cryptographer is a rather less serious, but surprisingly comprehensive, collection of nuggets of information about cryptography that will make you smile, and occasionally scratch your head.

    Sometimes the writing is pithy: Base64 is simply labelled “not encryption”, while the fundamental cryptocurrency concept Proof of work is (accurately) defined as “cryptography’s contribution to environmental problems”. Sometimes it’s both pithy and helpful: as well as calling blockchain “both a blessing and a curse”, the book offers an even-handed discussion of the drawbacks and benefits of so much interest in the technology.

    Not all of the jokes are funny (or appropriate), with some being so cryptic that they will escape anyone who isn’t an expert (although it’s well worth researching why the author refers to Time AI as “the Fyre Festival of cryptography”). The author can’t resist the odd hobbyhorse that doesn’t contribute much, and you’ll need some mathematical knowledge and a passing acquaintance with cryptography basics to get the most out of the more technical definitions.

    But there are also plenty of genuinely useful entries with helpful explanations, from the basics of Diffie-Hellman encryption to Bruce Schneier’s famous warning signs for spotting cryptography systems that are more marketing hype than actual security. Crypto Dictionary covers standards, conferences, key websites, historical references and anecdotes — like the infamous banking representative asking for the fundamental principles of TLS 1.3 to be changed when the standard was all but decided — making it as much of a compendium as a dictionary.

    Crypto Dictionary won’t teach you how to do cryptography or how to judge if something is cryptographically sound. But if you want to look up a specific cryptography cipher, technique or protocol, know what rainbow tables are and how they help crack passwords, or read about the difference between quantum and post-quantum cryptography (the former being both post-quantum but also not part of the latter), then this book is an ideal starting point. It will also probably pique your interest in some other concept as you turn to the relevant page.


  • Here's how to opt-out of Google Chrome's Privacy Sandbox (FLoC) trials

    Google may have delayed rolling out the Federated Learning of Cohorts (FLoC), which is the company’s alternative to the third-party cookie, but some Google Chrome users are finding themselves part of a trial for FLoC coming under the name Privacy Sandbox. According to some (such as the EFF, for example), this new feature raises new privacy risks. Want to opt out of the trial? Here’s how.

    First off, are you running Chrome on Windows/Mac/Linux, or on Android?

    On Windows/Mac/Linux, type chrome://settings/privacySandbox into the address bar and hit Enter. On Android, open the Google Chrome menu, then tap on Settings > Privacy and security > Privacy Sandbox.

    There you’ll see a page about the Privacy Sandbox, and there you’ll also find a toggle (you might need to scroll down a bit). If you don’t see this setting, then you’re not part of the trial.

    Flip the toggle to off, and you’re out of the trial.

    Note: This feature does not yet seem to be present in Google Chrome on iOS.

    Turning this feature off in one browser should disable it on all devices logged into the same Google Account. Google has more information about the Privacy Sandbox here.

  • Kaseya ransomware attack: What we know now

    Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack on July 2, over the American Independence Day weekend. 

    It appears that attackers have carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya’s VSA software against multiple managed service providers (MSPs) — and their customers.

    According to Kaseya CEO Fred Voccola, less than 0.1% of the company’s customers were embroiled in the breach — but as their clientele includes MSPs, this means that smaller businesses have also been caught up in the incident. Present estimates suggest that 800 to 1,500 small to medium-sized companies may have experienced a ransomware compromise through their MSP.

    The attack is reminiscent of the SolarWinds security fiasco, in which attackers managed to compromise the vendor’s software to push a malicious update to thousands of customers. However, we are yet to find out just how widespread Kaseya’s ransomware incident will prove to be.

    Here is everything we know so far. ZDNet will update this primer as we learn more.

    What is Kaseya?

    Kaseya’s international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries. Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform. The firm’s software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain. 

    What happened?

    On July 2 at 2:00 PM EDT, as previously reported by ZDNet, Kaseya CEO Fred Voccola announced “a potential attack against the VSA that has been limited to a small number of on-premise customers.” At the same time, out of an abundance of caution, Voccola urged clients to immediately shut down their VSA servers. “It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA,” the executive said. Customers were notified of the breach via email, phone, and online notices.

    As Kaseya’s Incident Response team investigated, the vendor also decided to proactively shut down its SaaS servers and pull its data centers offline. By July 4, the company had revised its thoughts on the severity of the incident, calling itself the “victim of a sophisticated cyberattack.” Cyber forensics experts from FireEye’s Mandiant team, alongside other security companies, have been pulled in to assist.

    “Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service,” Kaseya said, adding that more time is needed before its data centers are brought back online. Once the SaaS servers are operational, Kaseya will publish a schedule for distributing a security patch to on-prem clients.

    In a July 5 update, Kaseya said that a fix has been developed and would first be deployed to SaaS environments, once testing and validation checks are complete. “We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration,” the company said. “We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers.”

    The ransomware attack, explained

    The FBI described the incident succinctly: a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.”

    Huntress has tracked 30 MSPs involved in the breach and believes with “high confidence” that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface. According to the cybersecurity firm, this allowed the attackers to circumvent authentication controls, gain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process.

    Kyle Hanslovan, CEO and co-founder of Huntress, told attendees of a webinar discussing the technical aspects of the attack on July 6 that the threat actors responsible were “crazy efficient.” “There is no proof that the threat actors had any idea of how many businesses they targeted through VSA,” Hanslovan commented, adding that the incident seemed to be shaped more by a “race against time.”

    “Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks,” Sophos noted. “As such, it has a high level of trust on customer devices. By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted.” The vendor has also provided an in-depth technical analysis of the attack.

    Security expert Kevin Beaumont said that ransomware was pushed via an automated, fake, and malicious software update using Kaseya VSA dubbed “Kaseya VSA Agent Hot-fix”. “This fake update is then deployed across the estate — including on MSP client customers’ systems — as it [is] a fake management agent update,” Beaumont commented. “This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya’s customers were still encrypted.”

    With a tip from RiskIQ, Huntress is also investigating an AWS IP address that may have been used as a launch point for the attack.

    On July 5, Kaseya released an overview of the attack, which began on July 2 with reports of ransomware deployment on endpoints. “In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure,” the company says. According to the firm, zero-day vulnerabilities were exploited by the attackers to achieve an authentication bypass and code execution, allowing them to infect endpoints with ransomware. However, Kaseya emphasizes that there is no evidence of the VSA codebase being “maliciously modified”.

    Wietse Boonstra, a Dutch Institute for Vulnerability Disclosure (DIVD) researcher, previously identified a number of vulnerabilities, tracked as CVE-2021-30116, which were used in the ransomware attacks. They were reported under a Coordinated Vulnerability Disclosure pact. “Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” DIVD says. “Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched.”


    Who has been impacted?

    Over the weekend, Kaseya said that SaaS customers were “never at risk” and current estimates suggest that fewer than 40 on-prem clients worldwide have been affected. However, it should be noted that while a small number of Kaseya clients may have been directly infected, as MSPs, SMB customers further down the chain relying on these services could be impacted in their turn. According to reports, 800 Coop supermarket chain stores in Sweden had to temporarily close as they were unable to open their cash registers.

    Huntress said in a Reddit explainer that an estimated 1,000 companies have had servers and workstations encrypted. The vendor added that it is reasonable to suggest “thousands of small businesses” may have been impacted.

    “This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen,” commented Ross McKerchar, Sophos VP. “At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”

    On July 5, Kaseya revised previous estimates to “fewer than 60” customers, adding that “we understand the total impact thus far has been to fewer than 1,500 downstream businesses.” Now, on July 6, the estimate is 50 direct customers, and between 800 and 1,500 businesses down the chain. When it comes to SaaS environments, Kaseya says, “We have not found evidence that any of our SaaS customers were compromised.”

    In a press release dated July 6, Kaseya has insisted that “while impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure.” The number of vulnerable Kaseya servers online, visible, and open to attackers dropped by 96% from roughly 1,500 on July 2 to 60 on July 8, according to Palo Alto Networks.


    Kaseya CEO Fred Voccola said that the attack, “for the very small number of people who have been breached, it totally sucks.” “We are two days after this event,” Voccola commented. “We have about 150 people that have probably slept a grand total of four hours in the last two days, literally, and that’ll continue until everything is as perfect as can be.” Less than 0.1% of the company’s customers experienced a breach. “Unfortunately, this happened, and it happens,” the executive added. “Doesn’t make it okay. It just means it’s the way the world we live in is today.”

    What is ransomware?

    Ransomware is a type of malware that specializes in the encryption of files and drives. In what has become one of the most severe and serious security problems modern businesses now face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations. Once a victim’s system or network has been encrypted, cyber criminals will place a ransom note on the system, demanding payment in return for a decryption key (which may, or may not, work).

    Today’s ransomware operators may be part of a Ransomware-as-a-Service (RaaS) scheme, in which they ‘subscribe’ to access and use a particular type of ransomware. Another emerging trend is double extortion, in which a victim will have their information stolen during a ransomware raid. If they refuse to pay up, they may then face the prospect of their data being sold or published online. Common and well-known ransomware families include REvil, Locky, WannaCry, Gandcrab, Cerber, NotPetya, Maze, and Darkside.

    Who is responsible?

    Charlie Osborne | ZDNet

    The cyberattack has been attributed to the REvil/Sodinokibi ransomware group, which has claimed responsibility on its Dark Web leak site, “Happy Blog.” In an update over the weekend, the operators, believed to have ties to Russia, claimed that more than “a million” systems have been infected. REvil has offered a decryption key, allegedly universal and, therefore, able to unlock all encrypted systems, for the ‘bargain’ price of $70 million in the bitcoin (BTC) cryptocurrency.

    REvil has been previously linked to ransomware attacks against companies, including JBS, Travelex, and Acer.

    What are the ransomware payment terms?

    The ransomware note claims that files are “encrypted, and currently unavailable.” A file extension .csruj has reportedly been used. Operators are demanding payment in return for a decryption key and one ‘freebie’ file decryption is also on the table to prove the decryption key works. The operators add (spelling unchanged): “Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests. If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice – time is much more valuable than money.”

    Sophos malware analyst Mark Loman shared a screenshot on Twitter of a ransomware note planted on an infected endpoint demanding $44,999. John Hammond, senior security researcher at Huntress, told ZDNet that the company has already seen ransom demands of up to $5 million. Kevin Beaumont says that, unfortunately, he has observed victims “sadly negotiating” with the ransomware’s operators.

    Fabian Wosar, CTO of Emsisoft, has also explained in a Twitter thread why using a key obtained by a single organization paying up is unlikely to be a viable path for unlocking all victims. “REvil absolutely has the capability of decrypting only a single victim without these purchased decryption tools being applicable for other victims hit by the same campaign public key,” the security expert noted.

    CNBC reports that the universal ransom demand has been reduced to $50 million in private conversations. However, as of July 7, the public demand for $70 million on the threat group’s leak site remains unchanged.

    What are the reactions so far?

    At the time of the breach, Kaseya notified law enforcement and cybersecurity agencies, including the Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA). The FBI and CISA have released a joint statement on the security incident and are urging customers to run a tool provided by Kaseya to determine the risk of exploit, and to both enable and enforce multi-factor authentication (MFA) on enterprise accounts, wherever possible. Kaseya has been holding meetings with the FBI and CISA “to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers.”

    The White House is asking organizations to inform the Internet Crime Complaint Center (IC3) if they suspect they have been compromised. On Saturday, US President Biden said he has directed federal intelligence agencies to investigate.

    “Targeting [an] MSP platform (that is managing many customers at once) was very well thought and planned,” Amit Bareket, CEO of Perimeter 81, told ZDNet. “What’s unique is that hackers are becoming more strategic and targeting platforms that will filtrate down to many companies with one shot. RMMs [remote monitoring and management] are basically keys to many many companies, which amount to the kingdom for bad actors.”

    The White House has attempted to strengthen its stance on cybercrime in light of this attack, warning Russian President Vladimir Putin that unless he deals with the problem in his own backyard, “we will take action or reserve the right to take action on our own.”

    Are there any recovery plans?

    As of July 4, Kaseya says the company has now moved on from a root cause analysis of the attack to recovery and patch plans, consisting of:

    • Communication of our phased recovery plan with SaaS first followed by on-premises customers.
    • Kaseya will be publishing a summary of the attack and what we have done to mitigate it.
    • Some lightly-used legacy VSA functionality will be removed as part of this release out of an abundance of caution. A specific list of the functionality and its impact on VSA capabilities will be outlined in the release notes.
    • There will be new security measures implemented including enhanced security monitoring of our SaaS servers by FireEye and enablement of enhanced WAF capabilities.
    • We have successfully completed an external Vulnerability Scan, checked our SaaS Databases for Indicators of Compromise, and have had external security experts review our code to ensure a successful service restart.
    • Data centers starting with the EU will be restored, followed by the UK, APAC, and then North American systems.

    By late evening on July 5, Kaseya said a patch has been developed and it is the firm’s intention to bring back VSA with “staged functionality” to hasten the process. The company explained that the first release will prevent access to functionality used by a very small fraction of its user base, including:

    • Classic Ticketing
    • Classic Remote Control (not LiveConnect)
    • User Portal

    Kaseya has now published an updated timeline for its restoration efforts, starting with the relaunch of SaaS servers, now set for July 6, 4:00 PM EDT and 7:00 PM EDT. Configuration changes to improve security will follow, including an on-premise patch, expected to land in 24 hours, or less, from the time SaaS servers come back online. “We are focused on shrinking this time frame to the minimal possible — but if there are any issues found during the spin-up of SaaS, we want to fix them before bringing our on-premises customers up,” the firm says.

    Additional security improvements include the creation of 24/7 SOCs for VSA, as well as a complimentary CDN with a web application firewall (WAF) for every VSA.

    Update July 7: The timeline has not been met. Kaseya said that “an issue was discovered that has blocked the release” of the VSA SaaS rollout. “We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service,” Kaseya commented. In a service update, the vendor said it has been unable to resolve the problem. “The R&D and operations teams worked through the night and will continue to work until we have unblocked the release,” Kaseya added.

    July 7, 12 pm EDT: Kaseya hopes to resolve the SaaS systems rollout no later than the evening of Thursday, July 8. A playbook is currently being written up, due to be published today, which will provide guidelines for impacted businesses to deploy the upcoming on-prem VSA patch.

    Current recovery status

    As of July 8, Kaseya has published two run books, “VSA SaaS Startup Guide” and “On Premises VSA Startup Readiness Guide,” to assist clients in preparing for a return to service and patch deployment. Recovery, however, is taking longer than initially expected. “We are in the process of resetting the timelines for VSA SaaS and VSA On-Premises deployment,” the company says. “We apologize for the delay and changes to the plans as we work through this fluid situation.”

    In a second video message recorded by the firm’s CEO, Voccola said: “The fact we had to take down VSA is very disappointing to me, it’s very disappointing to me personally. I feel like I’ve let this community down. I let my company down, our company let you down. [..] This is not BS, this is the reality.”

    The new release time for VSA is Sunday, in the afternoon, Eastern Time, in order to also harden the software and bolster its security ahead of deployment.

    July 12: Kaseya has now released a patch and is working with on-prem customers to deploy the security fix. Now, 100% of all SaaS customers are live, according to the company. “Our support teams continue to work with VSA on-premises customers who have requested assistance with the patch,” Kaseya added.

    What can customers do?

    Kaseya has released a tool, including Indicators of Compromise (IoC), which can be downloaded via Box. There are two PowerShell scripts for use: one on a VSA server, and the other has been designed for endpoint scanning. The self-assessment scripts should be used in offline mode. They were updated on July 5 to also scan for data encryption and REvil’s ransom note. However, the scripts are only for potential exploit risk detection and are not security fixes.

    Kaseya will release patches as quickly as it can, but in the meantime, customers simply have to wait until Sunday. Kaseya intends to bring customers back online on July 11, at 4 PM EDT. “All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,” the firm said. “A patch will be required to be installed prior to restarting the VSA.”

    Cado Security has provided a GitHub repository for responders, including malware samples, IoCs, and YARA rules. Truesec CSIRT has also released a script on GitHub to identify and mitigate damage on infected systems.

    Kaseya has also warned that scammers are trying to take advantage of the situation. “Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments. Do not click on any links or download any attachments claiming to be a Kaseya advisory.”


  • Has your iPhone been hacked? This app will let you know (and tell you what to do)

    The amount of data that we carry on our smartphones is incredible — everything from personal photos to health data to financial information to confidential business information. Using a compromised smartphone means that all that data, and more, is up for grabs. While the chances of an iPhone being hacked are low, they’re not zero, and the more important data you have on it, the greater the chances are that someone will want it. Well, if you’re concerned, there’s an app for that. It’s called iVerify, and it’s available for both individuals and organizations.

    While I’m a huge fan of the in-depth protection guides contained in iVerify — these alone are worth the $2.99 price of the app — where this app really shines is in its ability to carry out device scans and not only spot signs of compromise, but also offer solid, step-by-step advice on what to do and how to remove the threat.

    Coming back to those protection guides: these are a mine of quality, regularly updated information on how to do all sorts of things, from securing your social media accounts to protecting your wireless data and protecting your iPhone from theft.

    The version that’s aimed at organizations allows for centralized admin controls that allow the easy on-boarding of new devices, real-time security telemetry, as well as seeing who has — and hasn’t — been through the security guides! Enterprise protection starts at $3/user/month.

    I’m usually wary of “security” apps as most are little more than snake oil, but iVerify is one that offers real protection whether you’re a concerned individual or a company that wants peace of mind. I’ve been using this app for some time now, and I highly recommend it. The tutorials and guides alone are well worth the money and regularly updated, and the threat scanner is a nice extra. Worried that your Android device might be compromised? iVerify has a version for that platform that’s coming soon.

  • Cybercriminals troll Iran's leader, cause railway network 'chaos'

    Iran’s railway service and network dissolved into what state media called “unprecedented chaos” due to an alleged cyberattack. 

    As reported by Reuters, on Friday, the country’s train services experienced delays and cancellations as ticket offices struggled to cope with the attack. However, not only did the miscreants cause severe operational issues, but those behind the situation also trolled Iranian Supreme Leader Ayatollah Ali Khamenei, who has been in office since 1989.  IRIB reported that electronic boards used to display arrival and departure information to passengers at train stations were compromised. The boards asked travelers to call a number to reach a help desk for further information. However, the number actually belonged to the leader’s office. Iranian officials from the Ministry of Road and Urban Development confirmed the attack on Saturday.  “Following a disruption in the staff computer systems in the headquarters of the Ministry of Road and Urban Development, the issue is under investigation by technical experts of the ministry,” the organization said. The rail service’s website now appears to be fully operational. 

    In April, the UK’s Merseyrail network was subject to a cyberattack conducted by the Lockbit ransomware group. It appears that an Office 365 email account used by the company was compromised — and was also used to inform employees and journalists of the attack. The UK Information Commissioner’s Office (ICO) was informed of the incident.

    Back in 2018, Rail Europe experienced a three-month-long cyberattack leading to the theft of customer payment card data and personal information. Threat actors were able to install credit card-skimming malware on the network’s website.

  • Ransomware: This new ransom tracker reveals how much bitcoin gangs have been paid

    A security expert has launched a site to keep a publicly trackable record of bitcoin payments to key ransomware gangs, such as REvil.  The ransomwhe.re site has been created by Jack Cable, a security researcher who works with the Krebs Stamos Group cyber consultancy and the US Defense Digital Service. 


    The Ransomwhere site is an open, crowdsourced ransomware payment tracker, offering a breakdown of victim payments in bitcoin to wallets linked to a dozen major ransomware variants. The payment figures can be broken down by ‘all time’, this year, this month, and this week.

    Ransomware attacks are on the rise and now the subject of debate between world leaders after attacks on Colonial Pipeline, meat processor JBS, and last week’s attack against enterprise software management firm Kaseya, which saw REvil ransomware spread to dozens of managed service providers and over 1,000 of their customers.

    Across all time, the Mailto/Netwalker ransomware leads the ransomware pack, but – isolating payments to this year – REvil/Sodinokibi – which was behind the JBS and Kaseya attacks – is the leader with $11.3 million in payments received. REvil’s total for 2021 could rise significantly if it receives the $70 million it demanded last week in the Kaseya attack.

    Cable joined the US Cybersecurity and Infrastructure Security Agency under then CISA director Chris Krebs to help secure election systems ahead of the US 2020 presidential elections. Cable explained his motives for building the site in a thread on Twitter, noting that data about victim payments can change the response to ransomware.

    “Today, there’s no comprehensive public data on the total number of ransomware payments. Without such data, we can’t know the full impact of ransomware, and whether taking certain actions changes the picture,” he wrote. “Ransomwhere aims to fill that gap by tracking bitcoin transactions associated with ransomware groups. It’s public, so anyone can view and download the data. And it’s crowdsourced, so anyone can submit reports of ransomware they’ve been infected with or otherwise observed.”

    According to an FAQ on Ransomwhe.re, Bitcoin’s transparency in payments makes it easy to track payments and receipt addresses. The site calculates the US dollar value of bitcoin payments based on the exchange rate of the day a payment was made, so it’s an estimate of how much victims paid, but not how much ransomware gangs sold it for.
    Kaseya issues patch for on-premise customers, SaaS rollout underway

    Kaseya has released its promised patch to resolve security flaws responsible for a ransomware attack. 
    The software solutions provider, which counts managed service providers (MSPs) among its client base, was the subject of a ransomware outbreak on July 2. Kaseya said the threat group responsible, REvil, exploited unpatched vulnerabilities in the firm’s VSA remote monitoring software to bypass authentication and achieve code execution, allowing them to deploy ransomware on customer endpoints. It is estimated that between 800 and 1,500 businesses have been impacted. REvil has demanded $70 million for a universal decryption key. Kaseya pulled its SaaS systems offline and urged customers to shut down their VSA servers when the first reports of cyberattacks came in. An initial relaunch of the SaaS servers was scheduled for July 6; however, technical problems prompted a further delay. According to Kaseya, the decision was made by CEO Fred Voccola to give the company time to bolster existing security mechanisms. On Sunday, the company said that the rollout is underway and going “according to plan.”

    In total, 95% of the company’s SaaS customers are now live, with servers “coming online for the rest of our customers in the coming hours.” On-premise clients now have access to the VSA patch, too, and support teams are working with organizations that need assistance in applying the security update. The release notes for both VSA on-prem and SaaS deployments include fixes for three vulnerabilities with assigned CVEs: a credentials leak and business logic flaw (CVE-2021-30116), a cross-site scripting (XSS) bug (CVE-2021-30119), and a two-factor authentication bypass (CVE-2021-30120). In addition, Kaseya has resolved a missing secure flag on User Portal session cookies, an API response process that could expose weak credentials to brute-force attacks, and an unauthorized file upload vulnerability impacting VSA servers. Due to the speed necessary in deploying the patch, some VSA functionality has been disabled temporarily, including some API endpoints. “Out of an abundance of caution, these API calls are being redesigned for the highest level of security,” Kaseya says. “Individual functions will be restored in later releases this year.” Kaseya has also temporarily removed the ability to download agent installer packages from VSA and the User Portal page without authentication. A number of legacy functions have been permanently removed. Clients will need to change their password once they have installed and logged in to the latest build. Kaseya has also provided VSA SaaS and on-premise hardening and best practice guides. Bloomberg reports that, in the past, former employees sounded the alarm on cybersecurity worries including outdated code, weak encryption, and a lack of robust patching processes. However, the ex-staff members claimed their concerns were not fully addressed.
    Aussies have lost over AU$7 million to remote access scams already this year

    In the first six months of 2021, Australians lost over AU$7 million by letting scammers access their home computers, up 184% compared to last year. The latest data from the ACCC’s Scamwatch reveals that so far this year almost 6,500 Australians have reported phone calls from scammers trying to convince them to download software that gives access to their home computers and bank accounts. “Remote access scams are one of the largest growing scam types in Australia. Scammers take advantage of the digital world and the fear of fraud and cybercrime to access people’s devices and steal their money,” ACCC deputy chair Delia Rickard said. “These types of scams target and impact all people and can be convincing.” People aged 55 and over lost over AU$4.4 million, accounting for almost half of total losses. Young people reported losing on average AU$20,000, and eight Indigenous Australians, some in remote communities, lost a total of AU$38,000 across 84 reports. The ACCC said the scammers pretend to be from organisations such as Telstra, eBay, NBN Co, Amazon, banks, government organisations, police, and computer and IT support organisations. Telstra was impersonated 1,730 times, with reported losses of AU$1.95 million, followed by NBN Co with 1,023 reports and reported losses of AU$477,980.

    The scammer’s modus operandi is to create a sense of urgency so that victims grant access to their computers via remote access software. A common tactic is to tell the victim they have been billed for a purchase they didn’t make, then convince them that their device has been compromised, or their account “hacked”, as a result. “The scammer will pretend to assist you or ask you to assist them to catch the scammer,” the ACCC cautioned. “They will tell you to download remote control software such as AnyDesk or TeamViewer.” Once the scammer has control of the device, they will ask the individual to log into applications such as email, internet banking, or PayPal accounts, which is how they obtain the log-in credentials. “It is really important not to let anyone who contacts you out of the blue access your devices, as once you give them access, you have no way of knowing what the person will do to your computer or what programs they may install,” Rickard added. “If you receive contact from someone claiming to be from a telecommunications company, a technical support service provider or online marketplace, hang up. If you think the communication may have been legitimate, independently source the contact details for the organisation to contact them. Don’t use the contact details in the communication.” “Also, don’t click on any of the links.” Australians in 2020 lost a total of AU$8.4 million to remote access scams.