More stories

  • These phishing emails want to deliver password-stealing malware to energy companies and their suppliers

    Cyber criminals are targeting energy, oil and gas and other companies around the world with a phishing campaign designed to deliver malware capable of stealing usernames, passwords and other sensitive information, in what’s believed to be the first stage of a wider campaign. Detailed by cybersecurity company Intezer, the phishing campaign has been active for at least a year, and those behind it appear to have put a lot of effort into making the phishing emails look as legitimate as possible.

    The phishing emails include references to executives, office addresses and official logos, carry requests for quotations and contracts, and refer to real projects in order to look authentic. Cyber criminals have sent the emails to international companies in oil and gas, energy, manufacturing and technology around the world, with targets including companies in the United States, United Arab Emirates, Germany and South Korea. In one case detailed by researchers, the phishing email referred to a specific power plant project as a lure.

    This phishing email and others invite the victim to click on an attachment designed to look like a PDF but which is actually an IMG, ISO or CAB file; that file leads the user to an executable, and if this is run it will install malware on the PC.

    Several different forms of Remote Access Tools (RATs) and information-stealing malware are being deployed in these attacks, including Formbook, Agent Tesla and Loki. Many of these are malware-as-a-service operations, meaning that those behind the phishing attacks are leasing malware rather than developing it themselves.

    “It appears that the use of malware-as-a-service threats helps blend in with the noise of other malicious activity. It appears that they are casting a wide net with these types of threats and also targeting a lot of small-medium sized suppliers. Both might also indicate that this is the first stage in what may be wider activity,” Ryan Robinson, a security researcher at Intezer, told ZDNet.

    It’s currently unknown who exactly is behind the phishing attacks, but Robinson says their methods “show a decent level of sophistication.” While some of the infrastructure around the attacks has been removed, it’s likely that the phishing campaign remains active.

    “Treat emails with awareness and caution, especially emails that are received from outside your company’s domain. Most importantly, don’t open suspicious files or links,” warns the research paper.
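    A mail-gateway triage check for the attachment trick described in this story (a file named as a PDF whose bytes are really an ISO, IMG or CAB container), written as an added example for this page and not taken from Intezer or the article. The signatures come from the public file formats; the sample bytes, the lure-style filenames and the block/review/allow verdict tiers are constructed assumptions of the example.

```python
"""Attachment triage: does the filename's claimed type match the bytes?

Added example for this story.  The magic values are those of the public
file formats; the sample bytes and filenames below are constructed, and the
verdict tiers are this example's own assumption.
"""
import os

PDF_MAGIC = b"%PDF-"                  # PDF header at offset 0
CAB_MAGIC = b"MSCF"                   # Microsoft Cabinet header at offset 0
ISO_MAGIC = b"CD001"                  # ISO 9660 standard identifier
ISO_MAGIC_OFFSET = 0x8001             # 32 KiB system area + 1 descriptor-type byte
BOOT_SIG = b"\x55\xaa"                # boot-sector signature of a raw disk image
BOOT_SIG_OFFSET = 510

DOCUMENT_EXTENSIONS = {".pdf"}        # what the lure claims to be
CONTAINER_TYPES = {"iso", "img", "cab"}   # what Windows mounts/extracts on a click


def sniff_type(data: bytes) -> str:
    """Coarse content type from the bytes alone: pdf, cab, iso, img or unknown."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(CAB_MAGIC):
        return "cab"
    if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        return "iso"
    # A raw floppy/disk image has no fixed magic; a bootable one ends its
    # first sector with 0x55AA, which is the cheapest usable signal for "img".
    if len(data) >= 512 and data[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == BOOT_SIG:
        return "img"
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes are.

    verdict: "block"  name/content mismatch in the lure's pattern
             "review" honest disk image or archive (no mismatch, still risky)
             "allow"  nothing suspicious found
    """
    root, outer_ext = os.path.splitext(filename.lower())
    _, inner_ext = os.path.splitext(root)          # catches "quote.pdf.iso"
    actual = sniff_type(data)
    reasons = []
    if outer_ext in DOCUMENT_EXTENSIONS and actual != "pdf":
        reasons.append(f"name claims {outer_ext} but content is {actual}")
    if actual in CONTAINER_TYPES and inner_ext in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension {inner_ext}{outer_ext} wraps a {actual} container")
    if reasons:
        verdict = "block"
    elif actual in CONTAINER_TYPES:
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "claimed": outer_ext, "actual": actual,
            "verdict": verdict, "reasons": reasons}


# Constructed sample bytes: minimal headers only, not real lures or malware.
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample\n"
SAMPLE_CAB = CAB_MAGIC + bytes(60)
SAMPLE_ISO = bytes(0x8000) + b"\x01" + ISO_MAGIC + bytes(64)
SAMPLE_IMG = bytes(510) + BOOT_SIG

# Constructed attachment names in the style of the campaign's quotation lures.
SAMPLES = [
    ("Request_for_Quotation.pdf", SAMPLE_ISO),   # ISO masquerading as a PDF
    ("Contract_Draft.pdf.cab", SAMPLE_CAB),      # double extension over a CAB
    ("Project_Overview.pdf", SAMPLE_PDF),        # genuine PDF
    ("disk_backup.img", SAMPLE_IMG),             # honest image, still worth review
]


def triage(samples=SAMPLES) -> list:
    """Run classification over (filename, bytes) pairs and return the results."""
    return [classify_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for result in triage():
        print(f"{result['verdict']:6} {result['filename']:28} "
              f"claimed={result['claimed'] or '-'} actual={result['actual']} "
              f"{'; '.join(result['reasons'])}")
```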

  • Microsoft's PrintNightmare update is causing problems for some printers

    Microsoft’s emergency update which included a fix for the so-called PrintNightmare print spooler problem has the unexpected side-effect of causing a problem with some printers.

    The PrintNightmare flaw is a major security risk for enterprises, where print spoolers are used on Windows machines. Microsoft considered it serious enough to rush out a patch last week, before its usual Patch Tuesday update.

    The PrintNightmare bug is being tracked as CVE-2021-1675 and CVE-2021-34527. One of them is a remote code execution flaw and the other is a local privilege escalation flaw. An additional concern was that exploit code was in the public domain before Microsoft released a patch for it.

    Microsoft notes that an attacker can use the bug to run whatever code they want with system privileges. From there, they could install programs; view, change, or delete data; or create new accounts with full user rights. But now that patches are being installed, some customers are reporting an impact on some printers, and Microsoft itself has warned of the issue.

    “After installing this update, you might have issues printing to certain printers. Most affected printers are receipt or label printers that connect via USB. Note: This issue is not related to CVE-2021-34527 or CVE-2021-1675,” it said. “This issue is resolved using Known Issue Rollback (KIR). Please note that it might take up to 24 hours for the resolution to propagate automatically to consumer devices and non-managed business devices. Restarting your Windows device might help the resolution apply to your device faster. For enterprise-managed devices that have installed an affected update and encountered this issue, it can be resolved by installing and configuring a special Group Policy,” it said.

    Printer maker Zebra confirmed that some of its devices were being affected. “We are aware of issues affecting multiple brands of printers when printing from PCs that have been recently updated via the Windows Update Service (KB5004945, KB5004760, or KB5003690). The most common symptom is print jobs being sent, but not actually printing,” it said. “This issue is observed after users install the Windows 10 out-of-band security update KB5004945 (or previous updates, KB5004760 and KB5003690). The KB5004945 security update addresses a remote code execution exploit in the Windows Print Spooler service, known as ‘PrintNightmare,’” it added.

    Microsoft rounded out its patches for Windows 10 systems this week, delivering patches for Windows 10 version 1607, Windows Server 2016, and Windows Server 2012. It was serious enough for Microsoft to release patches for Windows 7, which reached mainstream end of support in January 2020; Microsoft still provides security updates to organizations paying for extended support on Windows 7.

    Microsoft has advised customers to disable the print spooler service until patches are applied. The patch introduces some changes to how organizations handle the installation of drivers on Windows machines: it prevents general users from installing printer driver software updates. Some security researchers have found there are ways to bypass Microsoft’s patch.

  • Kaseya ransomware attack updates: Your questions answered

    Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack on July 2, over the American Independence Day weekend. 

    It appears that attackers have carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya’s VSA software against multiple managed service providers (MSPs) and their customers.

    According to Kaseya CEO Fred Voccola, less than 0.1% of the company’s customers were embroiled in the breach, but as their clientele includes MSPs, this means that smaller businesses have also been caught up in the incident. Present estimates suggest that 800 to 1,500 small to medium-sized companies may have experienced a ransomware compromise through their MSP.

    The attack is reminiscent of the SolarWinds security fiasco, in which attackers managed to compromise the vendor’s software to push a malicious update to thousands of customers. However, we are yet to find out just how widespread Kaseya’s ransomware incident will prove to be. Here is everything we know so far. ZDNet will update this primer as we learn more.

    What is Kaseya?

    Kaseya’s international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries. Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform. The firm’s software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain. 

    What happened?

    On July 2 at 2:00 PM EDT, as previously reported by ZDNet, Kaseya CEO Fred Voccola announced “a potential attack against the VSA that has been limited to a small number of on-premise customers.” At the same time, out of an abundance of caution, Voccola urged clients to immediately shut down their VSA servers. “It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA,” the executive said. Customers were notified of the breach via email, phone, and online notices.

    As Kaseya’s Incident Response team investigated, the vendor also decided to proactively shut down its SaaS servers and pull its data centers offline. By July 4, the company had revised its thoughts on the severity of the incident, calling itself the “victim of a sophisticated cyberattack.” Cyber forensics experts from FireEye’s Mandiant team, alongside other security companies, have been pulled in to assist. “Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service,” Kaseya said, adding that more time is needed before its data centers are brought back online. Once the SaaS servers are operational, Kaseya will publish a schedule for distributing a security patch to on-prem clients.

    In a July 5 update, Kaseya said that a fix had been developed and would first be deployed to SaaS environments once testing and validation checks are complete. “We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration,” the company said. “We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers.”

    The ransomware attack, explained

    The FBI described the incident succinctly: a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.”

    Huntress has tracked 30 MSPs involved in the breach and believes with “high confidence” that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface. According to the cybersecurity firm, this allowed the attackers to circumvent authentication controls, gain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process.

    Kyle Hanslovan, CEO and co-founder of Huntress, told attendees of a webinar discussing the technical aspects of the attack on July 6 that the threat actors responsible were “crazy efficient.” “There is no proof that the threat actors had any idea of how many businesses they targeted through VSA,” Hanslovan commented, adding that the incident seemed to be shaped more by a “race against time.”

    “Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks,” Sophos noted. “As such, it has a high level of trust on customer devices. By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted.” The vendor has also provided an in-depth technical analysis of the attack.

    Security expert Kevin Beaumont said that ransomware was pushed via an automated, fake, and malicious software update using Kaseya VSA dubbed “Kaseya VSA Agent Hot-fix”. “This fake update is then deployed across the estate — including on MSP client customers’ systems — as it [is] a fake management agent update,” Beaumont commented. “This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya’s customers were still encrypted.”

    With a tip from RiskIQ, Huntress is also investigating an AWS IP address that may have been used as a launch point for the attack.

    On July 5, Kaseya released an overview of the attack, which began on July 2 with reports of ransomware deployment on endpoints. “In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure,” the company says. According to the firm, zero-day vulnerabilities were exploited by the attackers to bypass authentication and achieve code execution, allowing them to infect endpoints with ransomware. However, Kaseya emphasizes that there is no evidence of the VSA codebase being “maliciously modified”.

    Wietse Boonstra, a Dutch Institute for Vulnerability Disclosure (DIVD) researcher, previously identified a number of vulnerabilities, tracked as CVE-2021-30116, which were used in the ransomware attacks. They were reported under a Coordinated Vulnerability Disclosure pact. “Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” DIVD says. “Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched.”


    Who has been impacted?

    Over the weekend, Kaseya said that SaaS customers were “never at risk” and current estimates suggest that fewer than 40 on-prem clients worldwide have been affected. However, it should be noted that while a small number of Kaseya clients may have been directly infected, because those clients are MSPs, SMB customers further down the chain relying on their services could be impacted in their turn. According to reports, 800 Coop supermarket chain stores in Sweden had to temporarily close as they were unable to open their cash registers.

    Huntress said in a Reddit explainer that an estimated 1,000 companies have had servers and workstations encrypted. The vendor added that it is reasonable to suggest “thousands of small businesses” may have been impacted.

    “This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen,” commented Ross McKerchar, Sophos VP. “At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”

    On July 5, Kaseya revised previous estimates to “fewer than 60” customers, adding that “we understand the total impact thus far has been to fewer than 1,500 downstream businesses.” Now, on July 6, the estimate is around 50 direct customers, and between 800 and 1,500 businesses down the chain. When it comes to SaaS environments, Kaseya says, “We have not found evidence that any of our SaaS customers were compromised.”

    In a press release dated July 6, Kaseya has insisted that “while impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure.” The number of vulnerable Kaseya servers online, visible, and open to attackers dropped by 96% from roughly 1,500 on July 2 to 60 on July 8, according to Palo Alto Networks.


    Kaseya CEO Fred Voccola said that the attack, “for the very small number of people who have been breached, it totally sucks.” “We are two days after this event,” Voccola commented. “We have about 150 people that have probably slept a grand total of four hours in the last two days, literally, and that’ll continue until everything is as perfect as can be.” Less than 0.1% of the company’s customers experienced a breach. “Unfortunately, this happened, and it happens,” the executive added. “Doesn’t make it okay. It just means it’s the way the world we live in is today.”

    What is ransomware?

    Ransomware is a type of malware that specializes in the encryption of files and drives. In what has become one of the most severe and serious security problems modern businesses now face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations. Once a victim’s system or network has been encrypted, cyber criminals will place a ransom note on the system, demanding payment in return for a decryption key (which may, or may not, work).

    Today’s ransomware operators may be part of a Ransomware-as-a-Service (RaaS) scheme, in which they ‘subscribe’ to access and use a particular type of ransomware. Another emerging trend is double extortion, in which a victim will have their information stolen during a ransomware raid. If they refuse to pay up, they may then face the prospect of their data being sold or published online. Common and well-known ransomware families include REvil, Locky, WannaCry, Gandcrab, Cerber, NotPetya, Maze, and Darkside.

    Who is responsible?

    Charlie Osborne | ZDNet

    The cyberattack has been attributed to the REvil/Sodinokibi ransomware group, which has claimed responsibility on its Dark Web leak site, “Happy Blog.” In an update over the weekend, the operators, believed to have ties to Russia, claimed that more than “a million” systems have been infected. REvil has offered a decryption key, allegedly universal and, therefore, able to unlock all encrypted systems, for the ‘bargain’ price of $70 million in the bitcoin (BTC) cryptocurrency. REvil has previously been linked to ransomware attacks against companies including JBS, Travelex, and Acer.

    What are the ransomware payment terms?

    The ransomware note claims that files are “encrypted, and currently unavailable.” A file extension .csruj has reportedly been used. Operators are demanding payment in return for a decryption key, and one ‘freebie’ file decryption is also on the table to prove the decryption key works. The operators add (spelling unchanged): “Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests. If you will not cooperate with our service –for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice – time is much more valuable than money.”

    Sophos malware analyst Mark Loman shared a screenshot on Twitter of a ransomware note planted on an infected endpoint demanding $44,999. John Hammond, senior security researcher at Huntress, told ZDNet that the company has already seen ransom demands of up to $5 million. Kevin Beaumont says that, unfortunately, he has observed victims “sadly negotiating” with the ransomware’s operators.

    Fabian Wosar, CTO of Emsisoft, has also explained in a Twitter thread why using a key obtained by a single organization paying up is unlikely to be a viable path for unlocking all victims. “REvil absolutely has the capability of decrypting only a single victim without these purchased decryption tools being applicable for other victims hit by the same campaign public key,” the security expert noted.

    CNBC reports that the universal ransom demand has been reduced to $50 million in private conversations. However, as of July 7, the public demand for $70 million on the threat group’s leak site remains unchanged.

    What are the reactions so far?

    At the time of the breach, Kaseya notified law enforcement and cybersecurity agencies, including the Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA). The FBI and CISA have released a joint statement on the security incident and are urging customers to run a tool provided by Kaseya to determine the risk of exploit, and to both enable and enforce multi-factor authentication (MFA) on enterprise accounts wherever possible. Kaseya has been holding meetings with the FBI and CISA “to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers.”

    The White House is asking organizations to inform the Internet Crime Complaint Center (IC3) if they suspect they have been compromised. On Saturday, US President Biden said he has directed federal intelligence agencies to investigate.

    “Targeting [an] MSP platform (that is managing many customers at once) was very well thought and planned,” Amit Bareket, CEO of Perimeter 81, told ZDNet. “What’s unique is that hackers are becoming more strategic and targeting platforms that will filtrate down to many companies with one shot. RMMs [remote monitoring and management] are basically keys to many many companies, which amount to the kingdom for bad actors.”

    The White House has attempted to strengthen its stance on cybercrime in light of this attack, warning Russian President Vladimir Putin that unless he deals with the problem in his own backyard, “we will take action or reserve the right to take action on our own.”

    Are there any recovery plans?

    As of July 4, Kaseya says the company has now moved on from a root cause analysis of the attack to recovery and patch plans, consisting of:

    • Communication of our phased recovery plan with SaaS first followed by on-premises customers.
    • Kaseya will be publishing a summary of the attack and what we have done to mitigate it.
    • Some lightly-used legacy VSA functionality will be removed as part of this release out of an abundance of caution. A specific list of the functionality and its impact on VSA capabilities will be outlined in the release notes.
    • There will be new security measures implemented including enhanced security monitoring of our SaaS servers by FireEye and enablement of enhanced WAF capabilities.
    • We have successfully completed an external Vulnerability Scan, checked our SaaS Databases for Indicators of Compromise, and have had external security experts review our code to ensure a successful service restart.
    • Data centers starting with the EU will be restored, followed by the UK, APAC, and then North American systems.

    By late evening on July 5, Kaseya said a patch had been developed and that it is the firm’s intention to bring back VSA with “staged functionality” to hasten the process. The company explained: “The first release will prevent access to functionality used by a very small fraction of our user base, including:”

    • Classic Ticketing
    • Classic Remote Control (not LiveConnect)
    • User Portal

    Kaseya has now published an updated timeline for its restoration efforts, starting with the relaunch of SaaS servers, now set for July 6, between 4:00 PM EDT and 7:00 PM EDT. Configuration changes to improve security will follow, including an on-premise patch, expected to land in 24 hours or less from the time SaaS servers come back online. “We are focused on shrinking this time frame to the minimal possible — but if there are any issues found during the spin-up of SaaS, we want to fix them before bringing our on-premises customers up,” the firm says. Additional security improvements include the creation of 24/7 SOCs for VSA, as well as a complimentary CDN with a web application firewall (WAF) for every VSA.

    Update July 7: The timeline has not been met. Kaseya said that “an issue was discovered that has blocked the release” of the VSA SaaS rollout. “We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service,” Kaseya commented. In a service update, the vendor said it has been unable to resolve the problem. “The R&D and operations teams worked through the night and will continue to work until we have unblocked the release,” Kaseya added.

    July 7, 12 pm EDT: Kaseya hopes to resolve the SaaS systems rollout no later than the evening of Thursday, July 8. A playbook is currently being written up, due to be published today, which will provide guidelines for impacted businesses to deploy the upcoming on-prem VSA patch.

    Current recovery status

    As of July 8, Kaseya has published two run books, “VSA SaaS Startup Guide” and “On Premises VSA Startup Readiness Guide,” to assist clients in preparing for a return to service and patch deployment. Recovery, however, is taking longer than initially expected. “We are in the process of resetting the timelines for VSA SaaS and VSA On-Premises deployment,” the company says. “We apologize for the delay and changes to the plans as we work through this fluid situation.”

    In a second video message recorded by the firm’s CEO, Voccola said: “The fact we had to take down VSA is very disappointing to me, it’s very disappointing to me personally. I feel like I’ve let this community down. I let my company down, our company let you down. [..] This is not BS, this is the reality.”

    The new release time for VSA is Sunday, in the afternoon, Eastern Time, in order to also harden the software and bolster its security ahead of deployment.

    What can customers do?

    Kaseya has released a tool, including Indicators of Compromise (IoC), which can be downloaded via Box. There are two PowerShell scripts for use: one on a VSA server, and the other designed for endpoint scanning. The self-assessment scripts should be used in offline mode. They were updated on July 5 to also scan for data encryption and REvil’s ransom note. However, the scripts are only for potential exploit risk detection and are not security fixes.

    Kaseya will release patches as quickly as it can, but in the meantime, customers simply have to wait until Sunday. Kaseya intends to bring customers back online on July 11, at 4 PM EDT. “All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,” the firm said. “A patch will be required to be installed prior to restarting the VSA.”

    Cado Security has provided a GitHub repository for responders, including malware samples, IoCs, and Yara rules. Truesec CSIRT has also released a script on GitHub to identify and mitigate damage on infected systems.

    Kaseya has also warned that scammers are trying to take advantage of the situation. “Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments. Do not click on any links or download any attachments claiming to be a Kaseya advisory.”


  • Bug bounties: Here's how much Microsoft paid out to security researchers last year

    Microsoft has revealed it awarded 341 researchers a total of $13.6 million during the past year for reporting security vulnerabilities in its bug bounty programs. The awards were issued between July 1, 2020 and June 30, 2021, which is slightly less than what it paid out in 2019. That year, Microsoft tripled the awards from the previous year.

    The largest award was $200,000 under the Hyper-V Bounty Program, Microsoft’s program for its virtualization layer on Windows 10, Windows Server 2016, and containers for running Windows and Linux applications in the cloud.

    “With an average of more than $10,000 USD per award across all programs, each of the over 1,200 eligible reports reflect the talent and creativity of the global security research community and their invaluable partnership in addressing the challenges of a constantly changing security environment,” the Microsoft Security Response Center (MSRC) said in a blog post.

    Microsoft has launched some new bug bounties this year, including one for Microsoft Teams with awards of up to $30,000 for critical bug reports. The other bounty is aimed at a potential future post-quantum cryptography standard called Supersingular Isogeny Key Encapsulation (SIKE). Microsoft currently has 17 bug bounty programs available for researchers to earn rewards. The Hyper-V program offers the largest possible award of up to $250,000.

    The Microsoft Identity bounty is also important, covering Microsoft Account, Azure Active Directory, or select OpenID standards. The top payout is $100,000. Some individual security researchers can earn significant sums, even millions, from bug bounty programs.

  • Ransomware: Banning victims from paying ransoms might reduce attacks, but it won't stop them

    Ransomware is very profitable. The reason why cyber criminals continue to hack into corporate networks, encrypting files and servers, is that enough victims will pay the ransom – usually in Bitcoin or another cryptocurrency – to make it worth their while. Some of those ransoms can be enormous; recent weeks have seen one company pay $5 million to restore its network after falling victim to Darkside ransomware, while another hit by a REvil ransomware attack paid $11 million for the decryption key.

    Kaseya attack

    REvil ransomware was also used in a massive ransomware attack which saw management software company Kaseya hacked, affecting 1,500 companies around the world. The attackers demanded a ransom payment of $70 million in exchange for a universal decryption tool to supposedly resolve a problem affecting customers around the world, including a chain of supermarkets in Sweden that temporarily closed due to the cyberattack.

    These are just a handful of examples, but cyber criminals are regularly demanding millions of dollars from victims, and in many cases victims are paying up because they don’t feel as if they have any other option when it comes to restoring their network. However, there are concerns that this creates a self-perpetuating cycle.

    While governments discourage organisations from paying ransoms to cyber criminals, the practice isn’t illegal, but there have been calls for legislation to be drawn up to ban paying ransoms. The potential positive and negative consequences of banning ransom payments were recently discussed by a group of experts during a panel on disrupting the ransomware ecosystem, hosted by the Royal United Services Institute for Defence and Security Studies (RUSI), a defence and security think tank.

    “From an ideological point of view, most people agree that you want to ban ransom payments. Fundamentally, we are funding crime and that’s a bad thing,” says Jen Ellis, vice president of community and public affairs at Rapid7 and a co-chair of the Institute for Security and Technology’s (IST) Ransomware Task Force (RTF). Not only does paying ransoms show criminals that ransomware works, encouraging further attacks, but the nature of the criminal ecosystem also means that payments are used to fund other crimes.

    Of course, when the network is down and they can’t operate, or if ransomware has compromised industrial control systems and manufacturing is impossible, businesses aren’t thinking about the long-term consequences of paying the ransom; they just want the issue resolved as quickly as possible. In some cases, businesses can claim back this cost from cyber-insurance policies. This is something a RUSI paper has argued could be enabling ransomware, but according to one insurer, paying ransoms is not something they want to do.

    “Believe me, insurers do not want to pay ransoms. It’s our client’s ultimate decision to take and I’m afraid to say there are times when there really is no other alternative,” says Graeme Newman, international cyber underwriter at CFC Underwriting, an insurance provider.

    Cyber-insurance policy holders who pay the ransom need to do it from their own budgets, and it is possible to recover that cost if certain conditions are met, but insurers aren’t just automatically handing over a large sum of money in the aftermath of a ransomware attack. Newman argues that the reason businesses are paying ransoms, and then claiming the payments back on cyber-insurance policies, is that they’re in a desperate position, one which for many small and medium-sized businesses would mean they go out of business if they don’t pay.


“If we banned payments, there would be a significant disadvantage to all the businesses which have been attacked,” he says. “What you need is a structured system of a small number of heavily supervised, heavily regulated bodies that can determine when it’s okay to make a payment.”

Currently, there isn’t any guidance on the situations in which it would be deemed acceptable to pay a ransom, or on what action should be taken against ransomware victims who choose to pay a ransom in the event of a ban – but there’s an argument that in the event of a ban, it isn’t insurers who should be penalised.

“You ban payments, not the people who may or may not facilitate payments. Banning insurers from covering payments, but not banning payments, doesn’t make any sense – you either ban payments or you don’t. It’s not for insurers to make public policy, it’s for governments to do it,” says Ciaran Martin, professor of practice at the University of Oxford’s Blavatnik School of Government and former director of the National Cyber Security Centre (NCSC), who says he’s “in favour of a ban in principle”.

Currently, the decision on making a ransom payment is entirely in the hands of private enterprises, and they’re ultimately going to decide what’s best for them – and if that means paying a ransom, then they’ll pay the ransom.

However, while the idea of banning ransoms might sound appealing, it wouldn’t be a silver bullet against ransomware attacks. It’s likely that cyber criminals will continue to conduct their campaigns, but in the knowledge that they can still go after the soft targets that don’t have a choice when it comes to paying a ransom – whether it is illegal to or not.

“They’ll still target organisations that are least able to resist paying – critical infrastructure that cannot face the burden of disruption, or small- to medium-sized businesses that don’t have the ability to have resilience. So, the likelihood is if we ban payments, attackers will focus on these groups,” says Ellis.

“Banning payments seems like a good thing to do in the long term, it seems like a desirable outcome – we don’t know how to do that pragmatically speaking to make it work in a way that isn’t going to cause a lot of unintended harm in the short term. That’s the dilemma,” she adds.

What is clear is that ransomware is going to remain a major cybersecurity problem for some time yet – but organisations can attempt to avoid becoming the next major victim by following the appropriate steps to protect their network from attacks.


    Scam artists exploit Kaseya security woes to deploy malware

    Kaseya has urged customers to be wary of a wave of phishing emails taking advantage of the disruption caused by a recent ransomware attack. 


Last Friday, Kaseya — which serves managed service providers (MSPs) among its client base — was hit by REvil, a ransomware group that managed to exploit vulnerabilities in the firm’s VSA software. As a precaution, the company pulled both VSA and SaaS servers offline. However, roughly 50 direct clients and up to 1,500 businesses further down the chain have been impacted.

On July 8, the software solutions provider said that scam artists are leveraging the security incident to “send out fake email notifications that appear to be Kaseya updates.” “These are phishing emails that may contain malicious links and/or attachments,” the company added.

Samples of fake, emailed Kaseya advisories, as noted by Malwarebytes, urge recipients to download and execute an attachment called “SecurityUpdates.exe” to resolve a vulnerability in Kaseya and to protect themselves against ransomware.

However, the attachment, a Windows executable, is actually a Cobalt Strike package. The legitimate threat emulation tool is used by penetration testers, but unfortunately is also widely abused by threat actors.

Cobalt Strike may be used to set up a connection with a command-and-control (C2) server. Together with Metasploit, an open source penetration testing toolkit, these tools were used to host over a quarter of all malware-linked C2s in 2020.

The email sample also contained a direct link to a malicious executable.

Previously, some legitimate emails sent to customers appear to have included links to the Kaseya helpdesk; if customers are used to this sort of format, they may be more susceptible to clicking on malicious links sent via email by threat actors.

In light of this potential security risk adding to the existing burden of restoration efforts, the company says it will no longer send email updates containing any links or attachments.

Kaseya has encountered some issues during recovery attempts. In a July 8 update, Kaseya CTO Dan Timpson said the vulnerabilities have been fixed and additional security measures “are being created prior to deployment to improve the overall security posture of our products.” At present, the company hopes to bring customers back online this Sunday at 4 PM EDT.


    Texas resident jailed for role in $2.2 million romance, business email scams

    A resident of Houston, Texas, has been sentenced to over seven years in jail for his role in romance and business scams that netted over $2.2 million in illicit proceeds. 

Akhabue Ehis Onoimoimilin, otherwise known as David Harrison, stood before US District Judge Robert Pitman this week and was sentenced to 87 months in prison and ordered to pay back just over $865,000 in restitution. According to the US Department of Justice (DoJ), the 29-year-old has been embroiled in romance and Business Email Compromise (BEC) scams since approximately 2015.

Romance scams will often begin with the creation of fake profiles on social media and dating apps. Predators will target individuals and will try to establish trust with their victim, who believes they are a potential romantic partner.

Requests for money soon follow for fake reasons: a need for credit, a medical emergency, or in recent years, in order to join a time-sensitive and lucrative financial opportunity. However, once a vulnerable person has no money left to give, the scam artist vanishes.

UK police, too, have warned of another form of romance scam that has become more prevalent due to stay-at-home orders: requests for explicit photos, videos, or live camera sessions are made, and then victims are threatened with this content being leaked to family members or employers unless they pay the scammer.

BEC schemes take a different road. Organizations, large and small, are phished and employees — such as those in accounts or HR — are duped into believing they are being emailed by other staff, including executives and business leaders. Spoof emails request wire transfers and invoice payments, but the bank details included ensure that payment is sent to attacker-controlled accounts.

In both romance and BEC scams, a way to launder cash may be needed — and Onoimoimilin has pleaded guilty to this role. While working with co-conspirators, he used a fake passport to open bank accounts under the name of David Harrison in both Austin and Houston, Texas. These accounts were used to launder funds, and for his efforts, Onoimoimilin took a cut of between 10% and 15% of over $420,000 banked.

Following his prison term, Onoimoimilin will also have to submit to two years of supervised release. A money judgement in the amount of $50,605 against the Nigerian national was also recognized.

“These morally reprehensible schemes deprive people of their hard-earned money and even their entire life savings and retirement funds, leaving humiliation and financial ruin behind,” commented US Attorney Ashley Hoff. “Our office will continue to vigorously prosecute those who conspire to prey on vulnerable victims in this manner.”


    Critical infrastructure Bill has a government 'step in' powers labelling problem

The CEO of Australia’s Cyber Security CRC Rachael Falk has offered clarity on the contentious government “step in” powers that are set to be legislated under the Security Legislation Amendment (Critical Infrastructure) Bill 2020.

She told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) that there has been a “bit of a labelling problem” in the Bill when it is called “step in” powers or powers to intervene.

“I don’t think what is intended, if I may say so, is not what we call in traditional corporations law step in rights, which is traditionally associated with companies in liquidation where you have liquidators come in and step into the shoes of the companies and literally operate the company as if it were their own,” she said. “So I think this power has kind of been misunderstood and mislabelled.”

Falk said, instead, it should be explained as a way for the Australian Signals Directorate (ASD) or its Australian Cyber Security Centre (ACSC) to lend their expertise.

“It could be by way of a compulsory notice served in an organisation when it is clearly struggling to gain control of quite a serious cyber attack, that they then are able to be served with a compulsory notice, and then they have to engage and discuss with ASD,” she said. “I think what’s lost here a little bit in the debate is the Australian Signals Directorate are the experts here in terms of poacher and gamekeeper, they do this for a living every day. So a compulsory notice to be served, not step in rights, I think that label should be removed.”

During its hearing on Thursday, the PJCIS heard from four large technology firms that declared they did not need assistance from the Australian government and that the installation of software would do more harm than good. But later that day it was a different story, with representatives from the nation’s water, electricity, and logistics sectors accepting government assistance if it was within reason.

As part of his testimony, Water Services Association of Australia’s director of business excellence Greg Ryan discussed the potential for an indemnity or insurance that provides security to the organisation ahead of ASD/ACSC engagement.

Falk believes rebranding it as “compulsory engagement” rather than a step in power would remove the need for indemnity.

“I think there’s a bit of a vision that Homer Simpson comes in and presses all sorts of red buttons, which in that case you might want the indemnity scenario. I think if there were more of a compulsory notice to engage, then they would be working with the impacted organisation, not working as the impacted organisation,” she said.

“So it might mean there is no need for an indemnity because they are saying you need to engage and we advise you to take this advice.

“I can see the advantages of an indemnity but if they were simply the subject of a compulsory notice to engage, they could disregard ASD advice and therefore wouldn’t need the indemnity.”

She also touched on the requirement to notify the government of an incident within 12 hours. While Falk accepted it may not be known within 12 hours that an incident has occurred, she suggested a “staged approach” to notification.

“Immediate notification isn’t too onerous. Once you realise you’re in the middle of an incident, and details can also follow in a reasonable period of time … I think a staged process where there’s immediate notification, we have an incident running, we’re unsure of what it is, we will come back once we have clarity within up to a timescale of 21 days,” she pondered.

A case for ransomware payment notification

The federal opposition last month introduced a Bill to Parliament that, if passed, would require organisations to inform the ACSC before a payment is made to a criminal organisation in response to a ransomware attack. The Ransomware Payments Bill 2021 was introduced in the House of Representatives by Shadow Assistant Minister for Cyber Security Tim Watts, who at the time took the opportunity to say the government’s current position of telling businesses to defend themselves by “locking their doors to cyber-criminal gangs” was “not good enough”.

Cybersecurity expert and former United States CISA chief Chris Krebs agreed with Watts. He told the PJCIS it would be useful to compel critical infrastructure providers to disclose cybersecurity incidents, including ransomware.

“Mandatory reporting for any ransomware victim before they make a payment,” he told the committee. “For ransomware, in particular, we do not know how big this problem is, in fact, probably the only people that know how big it is, are the criminals themselves. And they’re not apparently sharing that with us.

“We have to get to the denominator of ransomware attacks and the easiest way to do that is require ransomware victims to make a notification to the government. This is not yet in determination on whether paying ransom itself is illegal, I think that’s a separate conversation, but just at a minimum, if you’re going to be engaging with the transaction, with the ransomware group, that that needs to be notified.”

Krebs said this was so authorities could understand the scope of the problem and also collect the data on the payment.

“We also want to make sure that the information, specifically the wallet to which the ransomware payment is going, to be tracked by law enforcement intelligence officials to light up the economy,” he explained.

Last month, the US Department of Justice (DoJ) revealed it managed to recover some of the ransom paid by Colonial Pipeline to the cybercriminals behind the DarkSide ransomware in May. The DoJ and the FBI seized 63.7 bitcoins — valued at $2.3 million at the time — of the 75 bitcoins that the Colonial Pipeline CEO admitted to paying. Despite paying the ransom, the encryption tools handed over did not work nor help the company’s efforts to restore its systems.

Apprentice sparkies to be treated like an ASIO employee

Acting national secretary of the Electrical Trades Union of Australia Michael Wright told the committee during his testimony that the Bill, as currently drafted, would see apprentice electricians held to the same security standards that ASIO officers are.

“We’ve been engaging with the Department of Home Affairs around the rules that have been drafted … the department isn’t familiar with our industry, nor would you reasonably expect it to be. The issue we have is that they’re requiring the draft rules that they’ve designed have said that everyone who accesses, provides access to assets, would therefore need to go through the Auscheck process,” Wright said.

“That may or may not make sense in other industries, but in an industry where asset means power pole and you do need an access permit to work on that, that means that the entire workforce … or workers in that industry would wind up being required to go through that Auscheck, that ASIO backgrounding … it really starts to pry into their personal lives.”

Senator James Paterson said he considered it to be an unintended consequence for an apprentice electrician to be subject to the federal government’s ASIO vetting process, calling the idea “absurd”.

“That’s a process that can take anywhere between six months and a year and researches all of the family and personal connections that a person might have, their international travel, their prior employment — are you suggesting seriously that apprentice electricians will have to get PV [positive vetting] security clearance to work?” Paterson questioned.

“We raised these concerns and we get nothing back,” Wright said in response.

MORE FROM THE INQUIRY

The Chris Krebs case for including election systems as critical infrastructure: The cybersecurity expert has told an Australian Parliamentary committee there are elements of the election administration function that should ‘absolutely’ be considered critical infrastructure.

Logistics and utilities providers agree to help from ASD in the event of a cyber incident: After being hit twice by ransomware last year, Toll has said it welcomes the installation of software from the Australian government to help with thwarting cyber criminals, admitting it already let the ASD into its systems. Qantas, AGL, and Water Services Association of Australia are all happy with the looming mandate, too, providing it is done proportionately.

Tech giants say government cyber assistance would simply cause more problems: Google, Microsoft, AWS, and Atlassian all believe they are best placed to respond to cyber incidents and that installing software from the Australian government would only increase the risk in their respective platforms and systems.