More stories

    The Chris Krebs case for including election systems as critical infrastructure

    Cybersecurity expert and former United States CISA chief Chris Krebs has testified before an Australian security and intelligence committee, providing a case as to why policymakers should consider adding elements of the country’s election system to the list of what constitutes critical infrastructure.

    “I think there are elements of the election administration function that should absolutely be considered critical infrastructure, and that is the administration element,” he said. “That’s the systems, the machines, the counting process, the protocols around it — I think it’s, at least in the US, a step too far to call the political parties themselves as part of the infrastructure, but they do have certainly a contribution and a piece involvement.”

    The Parliamentary Joint Committee on Intelligence and Security (PJCIS) is currently looking into Australia’s Security Legislation Amendment (Critical Infrastructure) Bill 2020, which, among other things, looks to bring more sectors into the definition of “critical infrastructure”. These are communications, financial services and markets, data storage and processing — including cloud providers — defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage.

    Krebs said Russian interference in the 2016 US election meant the focus for the 2020 election was on thwarting technical attacks and disruptions of election systems: ransomware attacks against voter registration databases, and hacks of media outlets, both websites and television, such as changing the results on the live tally.

    “But as we got closer to the election, what we actually realised were the most likely were perception hacks, or disinformation campaigns, claiming to have been able to access the system, claiming to have been able to change an outcome, or that somebody else was doing it,” Krebs explained. “And ultimately, that’s what we saw with some of the claims of Hugo Chávez from the grave hacking into the vote counting systems, and those persist to this very day, with the so-called audit in Arizona, and elsewhere.

    “Those are the more pervasive, much harder to debunk, because there’s an asymmetry of the adversary. Even if it’s domestic, it’s still an adversary, in this case, [a] domestic actor that is trying to undermine confidence in the process for their own outcomes.”

    He said what is at stake is defending democracy.

    Adding to Krebs’ remarks was the director of the Australian Strategic Policy Institute’s international cyber policy centre, Fergus Hanson, who considers political parties themselves a key vulnerability, given the scale to which their operations need to grow come election time.

    “Trying to provide a solid cybersecurity basis for that is very difficult for a very small organisation that’s undergoing massive and rapid scaling. I think providing government support for all political parties to be more resilient to interference, I think, would be really important,” he told the PJCIS. “And we’ve seen in lots of countries where political parties have been breached [or] there’s been hacks or leaks — operations that have potentially swayed people’s views on parties during the heat of a campaign.”

    Further on misinformation and disinformation, Krebs said there is an understanding that cybersecurity and the critical infrastructure community are underinvested in, but there has been “virtually no investment on countering disinformation, nowhere”.

    “More important is that right now than in the deployment of COVID-19 vaccinations, we are seeing an active threat environment from Russia and China for vaccine diplomacy and we’re also seeing it from conspiracy theorists and just anti-vaxxers in general — there’s a much longer tail on the disinformation,” he said. “But I will say that I’ve been impressed with the Australian government’s efforts over the last several years to take disinformation and threats to democracy in particular, very, very seriously. In fact, they’re well ahead of where I would say the United States is.”

    CSO Group to help NSW Department of Communities and Justice in AU$7m cyber deal

    CSO Group has signed a four-year cybersecurity deal with the New South Wales (NSW) Department of Communities and Justice (DCJ) to provide real-time visibility, intelligence, and remediation. Worth AU$7 million, the deal will see CSO Group deliver a fully managed security monitoring service, a security operations centre (SOC), and managed security information and event management, delivered through a sovereign architecture via Macquarie Government’s protected cloud and government-certified environment.

    “Working with enterprise-grade Australian cybersecurity companies that house the data in a protected Australian data centre is a highly valuable requirement,” NSW DCJ CISO Matthew Fedele-Sirotich said. “Furthermore, the services offered enable our internal teams to conduct the in-depth threat hunts to continuously validate the secure nature of our environment, all the while knowing our service partner is acting as our overwatch, ensuring we identify and respond to malicious behaviours and events.”

    The contract is part of the NSW DCJ’s cyber refresh program and is in addition to a four-year AU$16 million deal recently awarded to CSO Group to deliver new cybersecurity solutions for cloud, endpoint, and email.

    At the end of last year, the NSW government set up the Information and Privacy Advisory Committee to provide it with information, advice, assistance, and training on how best to deliver information and privacy management practices in government. The committee was also tasked with facilitating collaboration between government, industry, and academia. The state government also established a dedicated cyber and privacy resilience group as part of its vow to keep customer data safe.

    This followed the state government’s announcement of a AU$240 million commitment to improve NSW’s cybersecurity capabilities, including investments in protecting existing systems, deploying new technologies, and growing the cyber workforce. With that funding, it announced plans to create an “army” of cyber experts.

    Brazilians fear for the security of their data

    Brazilians are concerned about the security of their data despite knowing that companies they interact with keep some type of information about their consumption and leisure habits, according to a new survey. According to the research, carried out by the Datafolha Institute on behalf of Mastercard with 1517 users of digital services in January 2021, 92% of respondents said they are aware companies retain their information to some degree. However, on a scale of 1 to 10 where 10 is “very secure”, 5.1 is the average score given to how secure respondents feel their information is in digital environments.

    The survey, carried out with the goal of measuring the level of concern regarding the security of consumers within data and information exchange environments, found that only 13% consider their data to be very secure, while 21% consider their data to be insecure.

    The fear of cyber attacks is high among Brazilian users, according to the survey, which suggests that 73% of respondents reported having suffered some kind of digital threat, such as receiving fake messages from companies or having passwords stolen. As a result of these incidents, many of those polled have taken additional security measures, the study noted. More than 80% of the survey respondents said they avoid clicking suspicious links, while 75% avoid using public Wi-Fi networks and 64% use a different password for each of the accounts they have on digital platforms or apps. Social networks were considered by respondents to be the least trustworthy environments, while hospitals, medical examination clinics, schools and colleges are the institutions in which respondents have the greatest level of confidence.

    Moreover, nearly 70% of respondents stated they know that when they access a social network, shop over the internet or make financial transactions online, the data is stored by the companies they are transacting with, and that the data can be used to better target offers and benefits and to monitor consumption habits.

    Brazilians are willing to allow the collection of their personal data, as long as they get something in return, according to a separate study published by cybersecurity firm Kaspersky in June 2020. Some 43% of respondents said they would share sensitive private data to ensure a better ranking in social rating systems, discounts, or to receive customized services. Brazilian consumers are also more willing to share their social media profiles in exchange for other benefits, the Kaspersky study noted, such as protecting their job, finding a better place to live, a place at a good school for their children or getting a visa.

    Morgan Stanley announces breach of customer SSNs through Accellion FTA vulnerability

    Morgan Stanley has notified New Hampshire Attorney General John Formella that one of its vendors was attacked through the Accellion FTA vulnerability and that some customer information — including Social Security numbers — was accessed. In a letter dated July 2, Morgan Stanley said that Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, informed it on May 20 that it had been hacked. The information of some StockPlan Connect participants, including those in New Hampshire, was “obtained by an unauthorized individual.” Morgan Stanley said it “regularly” sends a secure file to Guidehouse of existing StockPlan long shareholders scheduled for escheatment and “engages Guidehouse to obtain current contact information for these StockPlan participants prior to the escheatment process commencing.”

    “Although the files in Guidehouse’s possession were encrypted, we have been told by Guidehouse that the unauthorized individual was able to obtain the decryption key during the security incident, due to the Accellion FTA vulnerability,” the company said, adding that passwords for financial accounts were not accessed during the breach. “The files obtained from the vendor included the following participant information: name; address (last known address); date of birth; Social Security number (if the participant had one); and corporate company name.”

    Guidehouse told Morgan Stanley that the attacker gained access to the information in January but that it did not discover the attack until March, then waited another two months to tell Morgan Stanley. Guidehouse defended its actions to Morgan Stanley, claiming the Accellion FTA vulnerability was patched “within 5 days of the patch becoming available” and that it waited until May to notify Morgan Stanley because of the “difficulty in retroactively determining which files were stored in the Accellion FTA appliance when the appliance was vulnerable.”

    In a statement to ZDNet, a Morgan Stanley spokesperson said the “protection of client data is of the utmost importance and is something we take very seriously.” “We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients,” the spokesperson said. Breach notification letters have already been sent out to those affected by the incident. The company said it is providing any victims in New Hampshire with 24 months of free credit monitoring services from Experian and will “arrange to provide codes to our corporate clients or directly to New Hampshire residents as applicable.” It did not say whether people in other states were affected.

    The Accellion FTA vulnerability has been used widely by cybercriminals to launch an array of attacks against some of the biggest companies in the world. The Clop ransomware group became well-known for attacking companies using old versions of the Accellion FTA file-sharing server, such as Stanford Medicine and Bombardier. The Reserve Bank of New Zealand, the University of Maryland Baltimore, the Washington State Auditor, the University of California, and cybersecurity firm Qualys are just a few of the victims attacked by Clop members through the Accellion vulnerability. Kroger and Shell have also faced attacks through the Accellion FTA vulnerability. Accellion announced the end-of-life of the FTA product in February due to the spate of attacks.

    Ransomware as a service: Negotiators are now in high demand

    The Ransomware-as-a-Service (RaaS) ecosystem is evolving into something akin to a corporate structure, researchers say, with new openings available for “negotiators” — a role focused on extorting victims to pay a ransom. 

    On Thursday, KELA threat intelligence analyst Victoria Kivilevich published the results of a study of RaaS trends, saying that one-man-band operations have almost “completely dissolved” due to the lucrative nature of the criminal ransomware business. The potential financial gains squeezed from companies desperate to unlock their systems have given rise to specialists in cybercrime and extortion and have also led to high demand for individuals to take over the negotiation part of an attack chain.

    Ransomware can be devastating not only to a business’s operations but to its reputation and its balance sheet. If attackers manage to strike a core service provider used by other businesses, they may also be able to expand their attack surface to other entities quickly. In a recent case, zero-day vulnerabilities in VSA software provided by Kaseya were used, over the US holiday weekend, to compromise endpoints and put organizations at risk of ransomware infection. At present, it is estimated that up to 1,500 businesses have been affected, if only because they had to shut down VSA deployments until a patch is ready.

    According to KELA, a typical ransomware attack comprises four stages: malware/code acquisition, spread and the infection of targets, the extraction of data and/or maintaining persistence on impacted systems, and monetization. There are actors in each ‘area,’ and recently, demand has increased for extraction and monetization specialists in the ransomware supply chain.

    The emergence of so-called negotiators in the monetization arena, in particular, is now a trend in the RaaS space. KELA researchers say that, specifically, more threat actors are appearing that manage the negotiation aspect, as well as piling on the pressure — such as through calls, distributed denial-of-service (DDoS) attacks, and making threats including the leak of information stolen during a ransomware attack unless a victim pays up. KELA suggests that this role has emerged due to two potential factors: the need for ransomware operators to walk away with a decent profit margin and a need for individuals able to manage conversational English to hold negotiations effectively.

    “This part of the attack also seems to be an outsourced activity — at least for some affiliates and/or developers,” Kivilevich says. “The ransomware ecosystem, therefore, more and more resembles a corporation with diversified roles inside the company and multiple outsourcing activities.”

    Initial access brokers, too, are in demand. After observing dark web and forum activity for over a year, the researchers say that privileged access to compromised networks has surged in price. Some listings are now 25% to 115% more than previously recorded, especially when domain admin-level access has been achieved. These intrusion specialists may be paid between 10% and 30% of a ransom payment. However, it should also be noted that some of these brokers will not work with ransomware deployments at all and will only ‘sign up’ to an attack leveraged against other targets, such as those that will lead to credit card records being obtained.

    “During recent years, ransomware gangs grew into cybercrime corporations with members or “employees” specializing in different parts of ransomware attacks and various accompanying services,” KELA commented. “The recent ban of ransomware on two major Russian-speaking forums does not seem to affect this ecosystem because only the advertisement of affiliate programs was banned on the forums.”


    Coursera API vulnerabilities disclosed by researchers

    Researchers have disclosed a set of API vulnerabilities in the Coursera platform. 

    On Thursday, Checkmarx security researcher Paulo Silva revealed the discovery of multiple security failings in the Coursera online learning platform, which caters to millions of learners, both at home and in the enterprise. The company collaborates with over 200 universities and companies, including Stanford University, Duke University, AWS, Google, Cisco, and IBM. Courses on offer range from degrees in the STEM field to shorter classes in health, the humanities, and languages.

    Silva says that Checkmarx decided to investigate Coursera’s security posture due to the increased popularity of remote and on-demand learning prompted by the COVID-19 pandemic, in line with the organization’s Vulnerability Disclosure Program, launched in 2015. The researchers focused on access control, a security point mentioned in the program as an in-scope issue: accessing data you are not authorized to, that of other learners, or being able to tap into internal, backend administrative systems.

    Checkmarx found multiple API problems, including user enumeration via an error in the password reset function, resource limitation issues affecting both a GraphQL and a REST API, and a GraphQL misconfiguration. However, the main issue of note was a Broken Object Level Authorization (BOLA) flaw, considered by OWASP to be a major threat due to its ease of exploitation.

    BOLA flaws in APIs may expose endpoints that handle object identifiers, potentially opening the door to wider attacks. The BOLA vulnerability found related to preferences stored in learner accounts: anonymous users could retrieve this information and change it, and in addition some user metadata was also leaked.

    “Authorization issues are, unfortunately, quite common with APIs,” the researchers say. “It is very important to centralize access control validations in a single, well and continuously tested and actively maintained component. New API endpoints, or changes to the existing ones, should be carefully reviewed regarding their security requirements.”

    Checkmarx reported its findings to Coursera on October 5, 2020, and the e-learning provider began to triage the report on October 26. By December 18, a partial patch was issued, but an additional “issue” required re-tests, delaying the confirmation of fixes until May 24. Despite delays in fully resolving the vulnerabilities, the researchers say that Coursera took “prompt ownership” of the API bugs once reported.

    “The privacy and security of learners on Coursera is a top priority,” Coursera told ZDNet. “We’re grateful to Checkmarx for bringing the low-risk API-related issues to the attention of our security team last year, who were able to address and resolve the issues promptly.”
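The centralized access-control advice above, as an added example that is not Coursera’s or Checkmarx’s code: a hypothetical learner-preferences endpoint with the object-level authorization check missing (the BOLA shape described in the article), beside a hardened version in which every request passes through one `authorize` function and only allow-listed fields are readable or writable. The store, learner ids and field names are constructed for illustration.

```python
# Added example (not Coursera's or Checkmarx's code). Learner ids, field
# names and the in-memory store are constructed for illustration.
from copy import deepcopy
from typing import Optional

# Constructed sample data: each learner's preferences plus internal metadata
# that should never be returned to, or writable by, an API client.
_SAMPLE_STORE = {
    "learner-1": {"email_digest": True, "language": "en",
                  "_meta": {"signup_ip": "203.0.113.7"}},
    "learner-2": {"email_digest": False, "language": "pt",
                  "_meta": {"signup_ip": "198.51.100.9"}},
}
WRITABLE_FIELDS = ("email_digest", "language")  # allow-list of client-settable fields


def make_store():
    """Return a fresh copy of the sample store so each scenario starts clean."""
    return deepcopy(_SAMPLE_STORE)


def vulnerable_preferences(store, user_id: Optional[str], method: str,
                           object_id: str, body=None):
    """BOLA defect: the object is fetched by the client-supplied id alone.
    Nothing checks that the caller owns it, an anonymous caller (user_id None)
    is served like anyone else, and the whole record, metadata included,
    is returned and even writable."""
    if object_id not in store:
        return 404, None
    prefs = store[object_id]
    if method == "PATCH":
        prefs.update(body or {})
    return 200, prefs


def authorize(user_id: Optional[str], object_id: str) -> bool:
    """Single access-control chokepoint: only the authenticated owner of a
    preferences object may read or change it. Every handler must call this,
    so a new or changed endpoint cannot silently skip the check."""
    return user_id is not None and user_id == object_id


def hardened_preferences(store, user_id: Optional[str], method: str,
                         object_id: str, body=None):
    """Same endpoint with the object-level check enforced before any lookup,
    a write allow-list, and a response projection that drops metadata."""
    if not authorize(user_id, object_id):
        return 403, None
    if object_id not in store:
        return 404, None
    prefs = store[object_id]
    if method == "PATCH":
        for key, value in (body or {}).items():
            if key in WRITABLE_FIELDS:
                prefs[key] = value
    return 200, {k: prefs[k] for k in WRITABLE_FIELDS}


if __name__ == "__main__":
    s = make_store()
    # Anonymous read of another learner's record: served by the weak handler,
    # refused by the hardened one.
    print(vulnerable_preferences(s, None, "GET", "learner-2"))
    print(hardened_preferences(s, None, "GET", "learner-2"))
```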

    Kaseya ransomware attack: Your questions answered

    Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack on July 2, over the American Independence Day weekend. 

    It appears that attackers have carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya’s VSA software against multiple managed service providers (MSPs) — and their customers. According to Kaseya CEO Fred Voccola, less than 0.1% of the company’s customers were embroiled in the breach — but as their clientele includes MSPs, this means that smaller businesses have also been caught up in the incident. Present estimates suggest that 800 to 1500 small to medium-sized companies may have experienced a ransomware compromise through their MSP.

    The attack is reminiscent of the SolarWinds security fiasco, in which attackers managed to compromise the vendor’s software to push a malicious update to thousands of customers. However, we are yet to find out just how widespread Kaseya’s ransomware incident will prove to be. Here is everything we know so far. ZDNet will update this primer as we learn more.

    What is Kaseya?

    Kaseya’s international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries. Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform. The firm’s software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain. 

    What happened?

    On July 2 at 2:00 PM EDT, as previously reported by ZDNet, Kaseya CEO Fred Voccola announced “a potential attack against the VSA that has been limited to a small number of on-premise customers.” At the same time, out of an abundance of caution, Voccola urged clients to immediately shut down their VSA servers. “It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA,” the executive said. Customers were notified of the breach via email, phone, and online notices.

    As Kaseya’s Incident Response team investigated, the vendor also decided to proactively shut down its SaaS servers and pull its data centers offline. By July 4, the company had revised its view of the severity of the incident, calling itself the “victim of a sophisticated cyberattack.” Cyber forensics experts from FireEye’s Mandiant team, alongside other security companies, have been pulled in to assist.

    “Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service,” Kaseya said, adding that more time is needed before its data centers are brought back online. Once the SaaS servers are operational, Kaseya will publish a schedule for distributing a security patch to on-prem clients.

    In a July 5 update, Kaseya said that a fix has been developed and would first be deployed to SaaS environments once testing and validation checks are complete. “We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration,” the company said. “We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers.”

    The ransomware attack, explained

    The FBI described the incident succinctly: a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.”

    Huntress has tracked 30 MSPs involved in the breach and believes with “high confidence” that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface. According to the cybersecurity firm, this allowed the attackers to circumvent authentication controls, gain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process.

    Kyle Hanslovan, CEO and co-founder of Huntress, told attendees of a webinar discussing the technical aspects of the attack on July 6 that the threat actors responsible were “crazy efficient.” “There is no proof that the threat actors had any idea of how many businesses they targeted through VSA,” Hanslovan commented, adding that the incident seemed to be shaped more by a “race against time.”

    “Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks,” Sophos noted. “As such, it has a high level of trust on customer devices. By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted.” The vendor has also provided an in-depth technical analysis of the attack.

    Security expert Kevin Beaumont said that ransomware was pushed via an automated, fake, and malicious software update using Kaseya VSA dubbed “Kaseya VSA Agent Hot-fix”. “This fake update is then deployed across the estate — including on MSP client customers’ systems — as it [is] a fake management agent update,” Beaumont commented. “This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya’s customers were still encrypted.”

    With a tip from RiskIQ, Huntress is also investigating an AWS IP address that may have been used as a launch point for the attack.

    On July 5, Kaseya released an overview of the attack, which began on July 2 with reports of ransomware deployment on endpoints. “In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure,” the company says. According to the firm, zero-day vulnerabilities were exploited by the attackers to bypass authentication and achieve code execution, allowing them to infect endpoints with ransomware. However, Kaseya emphasizes that there is no evidence of the VSA codebase being “maliciously modified”.

    Wietse Boonstra, a Dutch Institute for Vulnerability Disclosure (DIVD) researcher, had previously identified a number of vulnerabilities, tracked as CVE-2021-30116, which were used in the ransomware attacks. They were reported under a Coordinated Vulnerability Disclosure pact. “Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” DIVD says. “Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched.”

    Who has been impacted?

    Over the weekend, Kaseya said that SaaS customers were “never at risk” and current estimates suggest that fewer than 40 on-prem clients worldwide have been affected. However, it should be noted that while only a small number of Kaseya clients may have been directly infected, as MSPs, the SMB customers further down the chain relying on their services could be impacted in turn. According to reports, 800 Coop supermarket chain stores in Sweden had to temporarily close as they were unable to open their cash registers.

    Huntress said in a Reddit explainer that an estimated 1,000 companies have had servers and workstations encrypted. The vendor added that it is reasonable to suggest “thousands of small businesses” may have been impacted.

    “This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen,” commented Ross McKerchar, Sophos VP. “At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”

    On July 5, Kaseya revised previous estimates to “fewer than 60” customers, adding that “we understand the total impact thus far has been to fewer than 1,500 downstream businesses.” As of July 6, the estimate stands at around 50 direct customers and between 800 and 1,500 businesses down the chain. When it comes to SaaS environments, Kaseya says, “We have not found evidence that any of our SaaS customers were compromised.” In a press release dated July 6, Kaseya insisted that “while impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure.”

    The number of vulnerable Kaseya servers online, visible, and open to attackers dropped by 96% from roughly 1,500 on July 2 to 60 on July 8, according to Palo Alto Networks.

    Kaseya CEO Fred Voccola said that the attack, “for the very small number of people who have been breached, it totally sucks.” “We are two days after this event,” Voccola commented. “We have about 150 people that have probably slept a grand total of four hours in the last two days, literally, and that’ll continue until everything is as perfect as can be.” Less than 0.1% of the company’s customers experienced a breach. “Unfortunately, this happened, and it happens,” the executive added. “Doesn’t make it okay. It just means it’s the way the world we live in is today.”

    What is ransomware?

    Ransomware is a type of malware that specializes in the encryption of files and drives. In what has become one of the most severe and serious security problems modern businesses now face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations. Once a victim’s system or network has been encrypted, cyber criminals will place a ransom note on the system, demanding payment in return for a decryption key (which may, or may not, work). Today’s ransomware operators may be part of a Ransomware-as-a-Service (RaaS) arrangement, in which they ‘subscribe’ to access and use a particular type of ransomware. Another emerging trend is double extortion, in which a victim has their information stolen during a ransomware raid; if they refuse to pay up, they may then face the prospect of their data being sold or published online. Common and well-known ransomware families include REvil, Locky, WannaCry, Gandcrab, Cerber, NotPetya, Maze, and Darkside.

    Who is responsible?

    The cyberattack has been attributed to the REvil/Sodinokibi ransomware group, which has claimed responsibility on its Dark Web leak site, “Happy Blog.” In an update over the weekend, the operators, believed to have ties to Russia, claimed that more than “a million” systems have been infected. REvil has offered a decryption key, allegedly universal and, therefore, able to unlock all encrypted systems, for the ‘bargain’ price of $70 million in the bitcoin (BTC) cryptocurrency. REvil has been previously linked to ransomware attacks against companies including JBS, Travelex, and Acer.

    What are the ransomware payment terms?

The ransomware note claims that files are “encrypted, and currently unavailable.” A file extension .csruj has reportedly been used. Operators are demanding payment in return for a decryption key, and one ‘freebie’ file decryption is also on the table to prove the decryption key works. The operators add (spelling unchanged):

“Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests. If you will not cooperate with our service –for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice – time is much more valuable than money.”

Sophos malware analyst Mark Loman shared a screenshot on Twitter of a ransomware note planted on an infected endpoint demanding $44,999. John Hammond, senior security researcher at Huntress, told ZDNet that the company has already seen ransom demands of up to $5 million. Kevin Beaumont says that, unfortunately, he has observed victims “sadly negotiating” with the ransomware’s operators.

Fabian Wosar, CTO of Emsisoft, has also explained in a Twitter thread why a key obtained by a single organization paying up is unlikely to be a viable path for unlocking all victims. “REvil absolutely has the capability of decrypting only a single victim without these purchased decryption tools being applicable for other victims hit by the same campaign public key,” the security expert noted. In other words, each victim’s files are keyed separately underneath the shared campaign key, so a decryptor sold to one victim covers that victim alone.

CNBC reports that the universal ransom demand has been reduced to $50 million in private conversations. However, as of July 7, the public demand for $70 million on the threat group’s leak site remains unchanged.
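To make Wosar’s point concrete, here is an added, simplified model of the key hierarchy this class of ransomware uses. It is example code written for this page, not REvil’s code or anything from Kaseya or Emsisoft, and it is deliberately general rather than a reconstruction of one family: a campaign keypair held by the operators, a fresh keypair per victim, and a random key per file, with each level sealed to the public key of the level above. The toy Diffie-Hellman group (2^127 - 1, generator 3) and the HMAC-based stream cipher are stand-ins chosen so the script runs with the Python standard library only; the .csruj extension is the one reported in the article. Everything else (function names, sample file contents) is an assumption for the demo.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: Mersenne prime 2^127 - 1, generator 3.
# ASSUMPTION for illustration only; a real scheme uses Curve25519 or a 2048-bit+ group.
P = (1 << 127) - 1
G = 3
KEY_BYTES = 16             # group elements and private keys fit in 16 bytes
TAG_BYTES = 32             # HMAC-SHA256 tag
FILE_KEY_BYTES = 32
WRAP_LEN = KEY_BYTES + TAG_BYTES + FILE_KEY_BYTES   # size of one sealed file key
EXT = ".csruj"             # extension reported in the article


def keygen():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (stand-in for Salsa20/AES-CTR)."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(recipient_pub: int, plaintext: bytes) -> bytes:
    """ECIES-style wrap: ephemeral DH -> KDF -> encrypt-then-MAC. Needs only a public key,
    which is why the malware can run without carrying any secret of its own."""
    eph_priv, eph_pub = keygen()
    shared = pow(recipient_pub, eph_priv, P).to_bytes(KEY_BYTES, "big")
    k = hashlib.sha256(b"wrap" + shared).digest()
    ct = _xor_stream(k, plaintext)
    tag = hmac.new(k, ct, hashlib.sha256).digest()
    return eph_pub.to_bytes(KEY_BYTES, "big") + tag + ct


def unseal(recipient_priv: int, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError when the private key does not match."""
    eph_pub = int.from_bytes(blob[:KEY_BYTES], "big")
    tag, ct = blob[KEY_BYTES:KEY_BYTES + TAG_BYTES], blob[KEY_BYTES + TAG_BYTES:]
    shared = pow(eph_pub, recipient_priv, P).to_bytes(KEY_BYTES, "big")
    k = hashlib.sha256(b"wrap" + shared).digest()
    if not hmac.compare_digest(tag, hmac.new(k, ct, hashlib.sha256).digest()):
        raise ValueError("wrong private key: MAC check failed")
    return _xor_stream(k, ct)


def infect(campaign_pub: int, files: dict) -> dict:
    """One victim: fresh victim keypair, a random key per file sealed to the victim public
    key, and the victim private key sealed to the campaign public key. The plaintext
    victim private key is not kept, so only the campaign private key can recover it."""
    v_priv, v_pub = keygen()
    encrypted = {}
    for name, data in files.items():
        file_key = secrets.token_bytes(FILE_KEY_BYTES)
        encrypted[name + EXT] = seal(v_pub, file_key) + _xor_stream(file_key, data)
    sealed_v_priv = seal(campaign_pub, v_priv.to_bytes(KEY_BYTES, "big"))
    return {"files": encrypted, "victim_priv_sealed": sealed_v_priv}


def build_decryptor(campaign_priv: int, victim_priv_sealed: bytes) -> int:
    """What a paying victim receives: their own private key, recovered by the operators
    with the campaign private key. It says nothing about any other victim's key."""
    return int.from_bytes(unseal(campaign_priv, victim_priv_sealed), "big")


def decrypt_files(victim_priv: int, encrypted: dict) -> dict:
    """Run a per-victim decryptor; raises ValueError on files from a different victim."""
    out = {}
    for name, blob in encrypted.items():
        file_key = unseal(victim_priv, blob[:WRAP_LEN])
        out[name[:-len(EXT)]] = _xor_stream(file_key, blob[WRAP_LEN:])
    return out


def demo() -> dict:
    """Two victims hit by the same campaign public key; only victim A pays."""
    campaign_priv, campaign_pub = keygen()
    docs_a = {"payroll.xlsx": b"victim A payroll data"}   # constructed sample data
    docs_b = {"ledger.docx": b"victim B ledger data"}
    a, b = infect(campaign_pub, docs_a), infect(campaign_pub, docs_b)

    key_a = build_decryptor(campaign_priv, a["victim_priv_sealed"])
    result = {"a_recovers_own": decrypt_files(key_a, a["files"]) == docs_a}
    try:
        decrypt_files(key_a, b["files"])
        result["a_key_opens_b"] = True
    except ValueError:
        result["a_key_opens_b"] = False
    # A genuinely universal decryptor is the campaign private key: it rebuilds every victim key.
    key_b = build_decryptor(campaign_priv, b["victim_priv_sealed"])
    result["campaign_key_recovers_b"] = decrypt_files(key_b, b["files"]) == docs_b
    return result


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that the malware only ever handles public keys: the per-victim private key is sealed to the campaign public key at infection time and then dropped, so nothing recoverable from an infected host, or from another victim’s purchased decryptor, unlocks a second victim. A “universal” decryptor in this model is the campaign private key itself, which is exactly what the $70 million demand is pricing.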

    What are the reactions so far?

At the time of the breach, Kaseya notified law enforcement and cybersecurity agencies, including the Federal Bureau of Investigation (FBI) and US Cybersecurity and Infrastructure Security Agency (CISA).

The FBI and CISA have released a joint statement on the security incident and are urging customers to run a tool provided by Kaseya to determine the risk of exploit, and to both enable and enforce multi-factor authentication (MFA) on enterprise accounts, wherever possible.

Kaseya has been holding meetings with the FBI and CISA “to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers.”

The White House is asking organizations to inform the Internet Crime Complaint Center (IC3) if they suspect they have been compromised. On Saturday, US President Biden said he has directed federal intelligence agencies to investigate.

“Targeting [an] MSP platform (that is managing many customers at once) was very well thought and planned,” Amit Bareket, CEO of Perimeter 81, told ZDNet. “What’s unique is that hackers are becoming more strategic and targeting platforms that will filtrate down to many companies with one shot. RMMs [remote monitoring and management] are basically keys to many many companies, which amount to the kingdom for bad actors.”

The White House has attempted to strengthen its stance on cybercrime in light of this attack, warning Russian President Vladimir Putin that unless he deals with the problem in his own backyard, “we will take action or reserve the right to take action on our own.”

    Are there any recovery plans?

As of July 4, Kaseya says the company has now moved on from a root cause analysis of the attack to recovery and patch plans, consisting of:

• Communication of our phased recovery plan with SaaS first followed by on-premises customers.
• Kaseya will be publishing a summary of the attack and what we have done to mitigate it.
• Some lightly-used legacy VSA functionality will be removed as part of this release out of an abundance of caution. A specific list of the functionality and its impact on VSA capabilities will be outlined in the release notes.
• There will be new security measures implemented including enhanced security monitoring of our SaaS servers by FireEye and enablement of enhanced WAF capabilities.
• We have successfully completed an external Vulnerability Scan, checked our SaaS Databases for Indicators of Compromise, and have had external security experts review our code to ensure a successful service restart.
• Data centers starting with the EU will be restored, followed by the UK, APAC, and then North American systems.

By late evening on July 5, Kaseya said a patch has been developed and it is the firm’s intention to bring back VSA with “staged functionality” to hasten the process. The company explained that the first release will prevent access to functionality used by a very small fraction of its user base, including:

• Classic Ticketing
• Classic Remote Control (not LiveConnect)
• User Portal

Kaseya has now published an updated timeline for its restoration efforts, starting with the relaunch of SaaS servers, now set for July 6, between 4:00 PM EDT and 7:00 PM EDT. Configuration changes to improve security will follow, including an on-premises patch expected to land in 24 hours, or less, from the time SaaS servers come back online. “We are focused on shrinking this time frame to the minimal possible — but if there are any issues found during the spin-up of SaaS, we want to fix them before bringing our on-premises customers up,” the firm says.
Additional security improvements include the creation of 24/7 SOCs for VSA, as well as a complimentary CDN with a web application firewall (WAF) for every VSA.

Update July 7: The timeline has not been met. Kaseya said that “an issue was discovered that has blocked the release” of the VSA SaaS rollout. “We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service,” Kaseya commented.

In a service update, the vendor said it has been unable to resolve the problem. “The R&D and operations teams worked through the night and will continue to work until we have unblocked the release,” Kaseya added.

July 7, 12 pm EDT: Kaseya hopes to resolve the SaaS systems rollout no later than the evening of Thursday, July 8. A playbook is currently being written up, due to be published today, which will provide guidelines for impacted businesses to deploy the upcoming on-premises VSA patch.

    Current recovery status

As of July 8, Kaseya has published two run books, “VSA SaaS Startup Guide” and “On Premises VSA Startup Readiness Guide,” to assist clients in preparing for a return to service and patch deployment. Recovery, however, is taking longer than initially expected. “We are in the process of resetting the timelines for VSA SaaS and VSA On-Premises deployment,” the company says. “We apologize for the delay and changes to the plans as we work through this fluid situation.”

In a second video message recorded by the firm’s CEO, Voccola said: “The fact we had to take down VSA is very disappointing to me, it’s very disappointing to me personally. I feel like I’ve let this community down. I let my company down, our company let you down. [..] This is not BS, this is the reality.”

The new release time for VSA is Sunday, in the early afternoon, Eastern Time, in order to also harden the software and bolster its security ahead of deployment.

    What can customers do?

Kaseya has released a tool, including Indicators of Compromise (IoCs), which can be downloaded via Box. There are two PowerShell scripts: one for use on a VSA server, and one designed for endpoint scanning. The self-assessment scripts should be used in offline mode. They were updated on July 5 to also scan for data encryption and REvil’s ransom note.

However, the scripts only detect potential exploit risk; they are not security fixes. Kaseya will release patches as quickly as it can, but in the meantime customers simply have to wait. “All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,” the firm said. “A patch will be required to be installed prior to restarting the VSA.”

Cado Security has provided a GitHub repository for responders, including malware samples, IoCs, and YARA rules. Truesec CSIRT has also released a script on GitHub to identify and mitigate damage on infected systems.

Kaseya has also warned that “customers who experienced ransomware and receive a communication from the attackers should not click on any links  —  they may be weaponized.”
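Kaseya’s own scripts are PowerShell and are not reproduced here. As an added example of the kind of offline endpoint triage those scripts perform, the following Python script (written for this page, not Kaseya’s, Cado’s or Truesec’s code) walks a directory tree and reports three indicator classes: files carrying the .csruj extension reported above, files containing the ransom-note phrase quoted above (“encrypted, and currently unavailable”), and, as a weaker heuristic, files whose byte entropy looks like ciphertext. The entropy threshold, the minimum file size and the sample directory it builds are assumptions for the demo; the benign random-byte “photo.jpg” is included to show that the entropy check alone flags compressed or already-encrypted data too and is not proof of ransomware.

```python
import json
import math
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".csruj"                                  # extension reported for this campaign
NOTE_PHRASE = b"encrypted, and currently unavailable"     # wording from the quoted ransom note
ENTROPY_THRESHOLD = 7.2   # ASSUMPTION: bits per byte; ciphertext and compressed data sit near 8.0
MIN_SIZE = 256            # ASSUMPTION: skip tiny files, whose entropy estimate is too noisy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str) -> dict:
    """Walk root and collect paths per indicator class. Unreadable (e.g. locked) files are
    skipped rather than aborting the scan, since a triage run must finish on a live host."""
    report = {"encrypted_ext": [], "ransom_notes": [], "high_entropy": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(1 << 20)          # first MiB is enough for all three checks
            except OSError:
                continue
            renamed = fname.endswith(ENCRYPTED_EXT)
            if renamed:
                report["encrypted_ext"].append(path)
            if NOTE_PHRASE in head:
                report["ransom_notes"].append(path)
            if (not renamed and len(head) >= MIN_SIZE
                    and shannon_entropy(head) >= ENTROPY_THRESHOLD):
                report["high_entropy"].append(path)
    return report


def verdict(report: dict) -> str:
    """Collapse a report into a triage verdict. Only the hard indicators (note text or the
    campaign extension) justify ENCRYPTED; entropy on its own is merely SUSPICIOUS."""
    if report["ransom_notes"] or report["encrypted_ext"]:
        return "ENCRYPTED"
    if report["high_entropy"]:
        return "SUSPICIOUS"
    return "CLEAN"


def build_sample_tree() -> str:
    """Constructed sample data: one renamed file with random bytes standing in for
    ciphertext, one ransom note, one plain text file, and one benign high-entropy file.
    Returns the temporary directory path."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "budget.xlsx" + ENCRYPTED_EXT), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(docs, "readme.txt"), "wb") as fh:
        fh.write(b"All of your files are " + NOTE_PHRASE + b".\n")
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly planning notes\n" * 100)
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(os.urandom(4096))                   # benign, but indistinguishable by entropy
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(json.dumps({"verdict": verdict(report), **report}, indent=2))
```

Run it against a real mount point by passing the path to scan_tree() instead of the constructed tree; as with Kaseya’s scripts, the output is evidence for an incident ticket, not a fix, and the host should stay isolated regardless of the verdict until the vendor patch is applied.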



    Brave browser: The bad and the ugly

Nobody and nothing is perfect. Get that into your head early on in life, and you’ll be a million times happier. But that doesn’t mean we shouldn’t want things to be better.


I like the Brave browser. A lot. But when I first started using it, I had concerns about a few things. A few things that felt a bit odd to me. But I put them aside, and they were soon forgotten.

However, the other day I wrote about Brave, and how I think it is the perfect alternative to Google Chrome for those who want a powerful privacy-focused browser. Then a few comments came in, reminding me of the things that I initially didn’t like about Brave.

The first comment relates to the dashboard page and how this page feels cluttered and, because it occasionally displays ads, spammy. “Spammy” was a word that was used a few times.

And it’s true that it does display ads, and there are links to several cryptocurrency services. They’re “safe” ads, and you can turn them off, but it wasn’t what some people expected to see in a browser that had been billed as putting privacy at its core. The feedback I received makes it clear that some were not expecting to see huge trading ads, and what seem like deep links to crypto services.

I understand the problem here. On the one hand, Brave needs to pay the bills, but on the other, first impressions matter. I’m not sure if there’s a solution to this. Maybe give users a choice (although you and I both know what most will say). Maybe it doesn’t matter. Either way, it is all a bit jarring, especially for people not into crypto. And it doesn’t help that when people do a search, a few controversies float to the surface.

The other thing that I got a fair amount of feedback on was the settings. Brave has a lot of settings. A lot more than the likes of Google Chrome, and while hardened browser stalwarts won’t have a problem, or will be able to drive to the nearest search engine for clarification, Brave can feel unfriendly and overwhelming to those who don’t live and breathe tech. All the settings and buttons related to the cryptocurrency features go some way to bloating the user interface.

I don’t see either of these as showstoppers, but they are barriers and obstacles that some stumble on.

I’m curious to know your thoughts on this. Do you think that Brave needs to address these issues, or is Brave a browser for a specific audience?