More stories

  • Singapore goes online in hunt for intelligence officers

    Singapore has turned to the world wide web in its hunt for intelligence officers from “diverse backgrounds”. The Security and Intelligence Division (SID) unveiled its official website today, 55 years after it was established in 1966. Parked under the Ministry of Defence (Mindef), SID is the country’s external intelligence agency, responsible for safeguarding the nation against external threats. It provides intelligence and assessments to local government agencies and analyses global developments that may affect Singapore’s security and national interests. These include transnational threats such as cyber attacks and terrorism, geopolitics, and foreign relations, according to a statement released Monday by Mindef. SID also liaises with foreign intelligence and security agencies, sharing information and insights on countering transnational threats.

    With the launch of its website, the agency said it hoped to give some idea of its operations, even though much of its work remains classified for national security reasons. In doing so, it aims to attract a wider spectrum of recruits to the agency. An SID spokesperson said: “Singapore is facing challenging security issues in an increasingly complex and volatile world. The information we collect and analyse to detect and counter threats comes from wide and varied sources. The technologies to make sense of such information are evolving rapidly. By increasing SID’s visibility, the website will help us to recruit Singaporeans from diverse backgrounds with the right values and expertise who can contribute towards our mission. It will also help us to strengthen existing linkages and forge new partnerships.”

    According to the website, the agency offers roles across five key areas, including technology, operations, and research. Specialised skills it seeks in technology include cybersecurity, data science and engineering, and software engineering, while roles in operations require specialised skills in cybersecurity and in threat analysis and investigation.

    SID’s past counter-terrorism work led to the arrests of Jemaah Islamiyah terrorists who fled Singapore in the early 2000s, and foiled a terror group’s plot to attack the Marina Bay Sands integrated resort in 2016, Mindef said. The Singapore Armed Forces (SAF) restructured in March 2020 to boost its capabilities against emerging threats in the cyber, counter-terrorism, and maritime domains. In cyber defence specifically, Mindef and the SAF said they would build up capabilities to guard against foreign actors posing cyber threats to Singapore’s national security.

  • Law firm for Ford, Boeing, Exxon, Marriott, Walgreens and more hacked in ransomware attack

    Campbell Conroy & O’Neil, P.C., a law firm handling hundreds of cases for the world’s leading companies, has announced a large data breach that resulted from a ransomware attack in February. In a statement released on Friday, the law firm said it noticed unusual activity on its network on February 27. The firm later realized it was being hit with a ransomware attack and contacted the FBI as well as cybersecurity companies for help. The investigation revealed that the hackers behind the attack gained access to a database holding names, dates of birth, driver’s license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials. The law firm is offering those affected 24 months of free credit monitoring, fraud consultation, and identity theft restoration services.

    Campbell Conroy & O’Neil represents many of the world’s biggest companies, with a client list that includes Exxon, Ford, Toyota, British Airways, Boeing, Monsanto, Johnson & Johnson, Pfizer, Dow, Fisher-Price, Home Depot, Office Max, Walgreens, Toshiba and more. Last year, cybercriminals behind the REvil ransomware attacked Grubman Shire Meiselas & Sacks, a high-profile New York law firm with clients ranging from Lady Gaga, Madonna, Mariah Carey and Nicki Minaj to Bruce Springsteen, Bette Midler, U2, Outkast, Jessica Simpson, Cam Newton, Facebook and many more.

    Trevor Morgan, product manager at data security specialist comforte AG, said ransomware groups have long attacked law firms because of the amount of sensitive data they handle on a daily basis, adding that the attack against Campbell Conroy & O’Neil, P.C. was “discomfiting.”

    “Law firms house massive amounts of information about clients and legal cases—much of that privileged information—and most of that information is highly sensitive and can be used as leverage against the firms themselves (in ransomware attacks) and also to target other victims in a domino effect,” Morgan explained. “Law firms and legal service providers (such as processors of legal discovery data) should be paying attention to this breach and immediately assessing their defensive posture. If you’re one of these organizations, you should be asking whether your sensitive data resides in a vulnerable clear state behind what you believe is a well-protected perimeter, or whether you apply some form of data-centric security to it.”

  • MITRE announces first evaluations of cybersecurity tools for industrial control systems

    MITRE Engenuity announced on Monday the results of its first-ever ATT&CK Evaluations for Industrial Control Systems (ICS). 


    Researchers with MITRE used the Triton malware to test the detection ability of five cybersecurity products from ICS security vendors; the results have been published by MITRE Engenuity. Industrial control systems run many of the world’s most critical infrastructures, including energy transmission and distribution plants, oil refineries, wastewater treatment facilities and more.

    MITRE Engenuity created a “curated knowledge base of adversary tactics, techniques and procedures based on known threats to industrial control systems” and used it to test products from Armis, Claroty, Microsoft, Dragos and the Institute for Information Industry.

    MITRE said in a statement that Triton was created by Russia’s Central Scientific Research Institute of Chemistry and Mechanics and has been used to attack industrial control systems across North America, Europe and the Middle East. By specifically targeting safety systems, the malware removes the controls that stop a plant from reaching a hazardous state. The US Treasury Department imposed sanctions on the Russian institute after Triton was used to shut down a Saudi refinery. Otis Alexander, leader of the ATT&CK Evaluations for ICS, said they chose to emulate Triton because it targets safety systems, which “prevent some of the worst consequences from happening when something goes wrong in an industrial control setting.”

    “The amount of publicly reported data from the attacks and the devastating impact of the malware help ensure this is a robust emulation. We hope the evaluations can help organizations find security tools that are best suited to their individual needs,” Alexander said. “Our evaluations are intended to take the guesswork out of the process while providing realistic expectations about what security products can provide.”

    According to MITRE, there are multiple ways ICS attacks can be detected and a number of different products that can handle the task. The study was part of a larger effort to help cybersecurity teams understand their tools and improve their work. The tests can help organizations understand which cybersecurity products are best at handling “volume of detections, the stage of attack when the detections occur, the types of data sources offered and how information may be presented.”

    Yuval Eldar, general manager for IoT/OT security at Microsoft, said that with recent attacks targeting core business operations, community collaboration will help improve security products. He thanked MITRE Engenuity for the chance to test Microsoft’s agentless Azure Defender for IoT solution and Azure Sentinel SIEM/SOAR solution. “We look forward to our continued partnership and building upon what we learned about the need for a holistic SIEM/XDR view across networks, endpoints, identity, and other domains in our clients’ IT/OT infrastructures,” Eldar said.

    The ICS evaluations are intended to help organizations decide between cybersecurity products. MITRE Engenuity also runs similar evaluations for enterprise security products; it recently used attacks from the cybercrime groups FIN7 and Carbanak to test 29 different products.

    Frank Duff, general manager of the ATT&CK Evaluations program, said vendors trust the organization “to improve their offerings, and the community trusts that we’ll provide transparency into the technology that is necessary to make the best decisions for their unique environment.” “Unlike closed door assessments, we use a purple teaming approach with the vendor to optimize the evaluation process,” Duff explained. “MITRE experts provide the red team while the vendor provides the blue team to ensure complete visibility, while allowing the vendor to learn directly from ATT&CK experts.”

  • DOJ charges four members of Chinese government hacking group

    The Justice Department announced charges against four Chinese nationals on Monday, accusing the men of being part of a hacking group that attacked “companies, universities, and government entities in the United States and abroad between 2011 and 2018.”

    According to a release from the DOJ, a San Diego federal grand jury returned the indictment of all four in May and it was unsealed on Friday.

    The indictment says Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin were members of the Hainan State Security Department working covertly within a front company called Hainan Xiandun Technology Development Co., Ltd. The goal of the operation, according to the Justice Department, was to steal information that would benefit enterprises in China. The DOJ said the hackers were specifically looking for “information that would allow the circumvention of lengthy and resource-intensive research and development processes.”

    Operating out of Haikou, Hainan Province, the three are accused of “coordinating, facilitating, and managing computer hackers and linguists at Hainan Xiandun and other MSS front companies.” Wu Shurong was also indicted for his role as a hacker who created malware, assisted the other three in breaking into computer systems, and allegedly supervised other Hainan Xiandun hackers.

    The DOJ noted that the group attacked companies across the US, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, UK, Austria, Cambodia, Canada, and Germany. Most of the attacks targeted companies working in the defense, education, healthcare, biopharmaceutical, and aviation sectors.

    “Stolen trade secrets and confidential business information included, among other things, sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country (e.g., large-scale high-speed railway development projects),” the Justice Department statement said. “At research institutes and universities, the conspiracy targeted infectious-disease research related to Ebola, MERS, HIV/AIDS, Marburg, and tularemia.”

    The indictment also accuses educators at universities in Hainan and across China of working with the country’s Ministry of State Security to help with the attacks. Deputy Attorney General Lisa Monaco said the charges highlight that China continues to use cyber-enabled attacks to steal what other countries make, calling the government’s actions representative of a “flagrant disregard of its bilateral and multilateral commitments.”

    “The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe,” Monaco said.

    The DOJ noted that multiple cybersecurity firms have chronicled the group’s activities, giving it a variety of names over the years, including Advanced Persistent Threat (APT) 40, BRONZE MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, Mudcarp, Periscope, Temp.Periscope, and Temp.Jumper. The indictment lists the variety of hacking methods used to break into companies’ systems, detailing how the group used spearphishing emails, hijacked credentials, and more.

    “The conspiracy also used multiple and evolving sets of sophisticated malware, including both publicly available and customized malware, to obtain, expand, and maintain unauthorized access to victim computers and networks,” the indictment said. “The conspiracy’s malware included those identified by security researchers as BADFLICK, aka GreenCrash; PHOTO, aka Derusbi; MURKYTOP, aka mt.exe; and HOMEFRY, aka dp.dll. Such malware allowed for initial and continued intrusions into victim systems, lateral movement within a system, and theft of credentials, including administrator passwords.”

    The indictment notes that the hackers used anonymizer services, Dropbox Application Programming Interface (API) keys, and even GitHub during their attacks. All four defendants have been charged with one count of conspiracy to commit computer fraud and one count of conspiracy to commit economic espionage. Combined, the two charges carry a maximum sentence of 20 years in prison.

    Acting US Attorney Randy Grossman tied the indictment to the larger announcements that came out on Monday, in which dozens of countries accused China of a widespread hacking campaign. Grossman said the indictment “demonstrates how China’s government made a deliberate choice to cheat and steal instead of innovate,” while also claiming the actions threaten the US economy and national security.

    The FBI and CISA released an advisory designed to help organizations defend against some of the tactics deployed by the four hackers indicted. The Joint Cybersecurity Advisory has “technical details, indicators of compromise, and mitigation measures.”

    “The charges outlined today demonstrate China’s continued, persistent computer intrusion efforts, which will not be tolerated here or abroad,” said Special Agent in Charge Suzanne Turner of the FBI’s San Diego Field Office. “We stand steadfast with our law enforcement partners in the United States and around the world and will continue to hold accountable those who commit economic espionage and theft of intellectual property.”

  • UK and White House blame China for Microsoft Exchange Server hack

    The UK government has formally laid the blame for the Microsoft Exchange Server cyberattack at the feet of China. 

    On Monday, the government joined others, including the victim company itself, Microsoft, in attributing the cyberattack to Chinese state-sponsored hackers, namely Hafnium, an advanced persistent threat (APT) group. The United States, NATO, and the EU have joined the UK in condemning the attack.

    Foreign Secretary Dominic Raab deemed the attack “by Chinese state-backed groups” a “reckless but familiar pattern of behavior.” “The Chinese Government must end this systematic cyber sabotage and can expect to be held [to] account if it does not,” Raab added.

    Earlier this year, suspicious activity was detected and linked to four zero-day vulnerabilities in on-prem Microsoft Exchange Servers. In March, the Redmond giant issued emergency patches to mitigate the threat to its customers; however, the vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — had already been exploited, compromising an estimated 30,000 organizations in the US alone.

    The European Banking Authority was one of the most high-profile victims of the attack. Following the incident, malware was discovered on over 2,000 machines belonging to businesses in the United Kingdom.

    The UK government believes the attack was likely conducted for “large-scale espionage”, including the theft of information and intellectual property, by hackers sponsored by the People’s Republic of China (PRC). Furthermore, UK officials say that the Chinese Ministry of State Security is backing two other groups, known as APT40 (TEMP.Periscope/TEMP.Jumper/Leviathan) and APT31 (Judgement Panda/Zirconium/Red Keres).

    According to the National Cyber Security Centre (NCSC), APT40 is responsible for targeting the maritime industry and naval contractors in the United States and Europe, and the agency assesses with high confidence that the Chinese Ministry of State Security is backing the group, which “operates to key Chinese State Intelligence requirements.” In addition, the NCSC says that APT31 is responsible for targeting government and political figures, including the Finnish Parliament, in 2020. “[The] NCSC is almost certain that APT31 is affiliated to the Chinese State and likely that APT31 is a group of contractors working directly for the Chinese Ministry of State Security,” the agency added.

    “The Chinese government has ignored repeated calls to end its reckless campaign, instead [of] allowing its state-backed actors to increase the scale of their attacks and act recklessly when caught,” UK officials commented. “This coordinated action today sees the international community once again urge the Chinese government to take responsibility for its actions and respect the democratic institutions, personal data, and commercial interests of those with whom it seeks to partner.”

    The government has also called on China to desist in its alleged attempts to conduct or support IP and trade secrets theft through cyberattacks.

    Update 15.33 BST: The UK, NATO, US, and EU have allied in their stance against alleged Chinese cyberattacks. Together with the UK, the White House has issued a joint statement criticizing China’s alleged behavior. “In some cases, we are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars,” the US government claims. “The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts.”

    The US Department of Justice (DoJ) has also indicted four Chinese nationals suspected of being members of China’s Ministry of State Security (MSS), as well as APT40. They are accused of “hacking into the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018.” The DoJ alleges that the MSS has been involved in cyberattacks against victims in the US, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, and the United Kingdom.

  • Kaseya ransomware attack FAQ: What we know now

    Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack on July 2, over the American Independence Day weekend. 

    It appears that attackers carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya’s VSA software against multiple managed service providers (MSPs) and their customers. According to Kaseya CEO Fred Voccola, less than 0.1% of the company’s customers were embroiled in the breach; but as its clientele includes MSPs, smaller businesses have also been caught up in the incident. Present estimates suggest that 800 to 1,500 small to medium-sized companies may have experienced a ransomware compromise through their MSP.

    The attack is reminiscent of the SolarWinds security fiasco, in which attackers managed to compromise the vendor’s software to push a malicious update to thousands of customers. However, we are yet to find out just how widespread Kaseya’s ransomware incident will prove to be. Here is everything we know so far. ZDNet will update this primer as we learn more.

    What is Kaseya?

    Kaseya’s international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries. Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform. The firm’s software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain. 

    What happened?

    On July 2 at 2:00 PM EDT, as previously reported by ZDNet, Kaseya CEO Fred Voccola announced “a potential attack against the VSA that has been limited to a small number of on-premise customers.”

    At the same time, out of an abundance of caution, Voccola urged clients to immediately shut down their VSA servers. “It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA,” the executive said. Customers were notified of the breach via email, phone, and online notices.

    As Kaseya’s Incident Response team investigated, the vendor also decided to proactively shut down its SaaS servers and pull its data centers offline. By July 4, the company had revised its assessment of the severity of the incident, calling itself the “victim of a sophisticated cyberattack.” Cyber forensics experts from FireEye’s Mandiant team, alongside other security companies, have been pulled in to assist.

    “Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service,” Kaseya said, adding that more time is needed before its data centers are brought back online. Once the SaaS servers are operational, Kaseya will publish a schedule for distributing a security patch to on-prem clients.

    In a July 5 update, Kaseya said that a fix has been developed and would first be deployed to SaaS environments once testing and validation checks are complete. “We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration,” the company said. “We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers.”

    The ransomware attack, explained

    The FBI described the incident succinctly: a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.”

    Huntress has tracked 30 MSPs involved in the breach and believes with “high confidence” that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface. According to the cybersecurity firm, this allowed the attackers to circumvent authentication controls, obtain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process.

    Kyle Hanslovan, CEO and co-founder of Huntress, told attendees of a July 6 webinar on the technical aspects of the attack that the threat actors responsible were “crazy efficient.”

    “There is no proof that the threat actors had any idea of how many businesses they targeted through VSA,” Hanslovan commented, adding that the incident seemed to be shaped more by a “race against time.”

    “Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks,” Sophos noted. “As such, it has a high level of trust on customer devices. By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted.” Sophos has also published an in-depth technical analysis of the attack.

    Security expert Kevin Beaumont said that the ransomware was pushed as an automated, fake, malicious software update through Kaseya VSA, dubbed “Kaseya VSA Agent Hot-fix”.

    “This fake update is then deployed across the estate — including on MSP client customers’ systems — as it [is] a fake management agent update,” Beaumont commented. “This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya’s customers were still encrypted.”

    With a tip from RiskIQ, Huntress is also investigating an AWS IP address that may have been used as a launch point for the attack.

    On July 5, Kaseya released an overview of the attack, which began on July 2 with reports of ransomware deployment on endpoints. “In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure,” the company says.

    According to the firm, zero-day vulnerabilities were exploited by the attackers to bypass authentication and achieve code execution, allowing them to infect endpoints with ransomware. However, Kaseya emphasizes that there is no evidence of the VSA codebase having been “maliciously modified”.

    Wietse Boonstra, a researcher with the Dutch Institute for Vulnerability Disclosure (DIVD), had previously identified a number of vulnerabilities in VSA, tracked as CVE-2021-30116, which were used in the ransomware attacks. They were reported under a Coordinated Vulnerability Disclosure process.

    “Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” DIVD says. “Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched.”
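    The RMM trust problem Sophos describes above has a detection angle the primer does not spell out: a legitimate administrative tool pushing one procedure to an entire estate within seconds looks the same whether it is a real hot-fix or REvil. The Python below is an added example written for this primer, not Kaseya’s, Huntress’s or Sophos’s code. It parses a constructed procedure-execution log (the line format, the sample lines, the five-agent threshold and the five-minute window are all assumptions made here, not VSA’s real log layout) and raises two kinds of alert: a match on the reported procedure name “Kaseya VSA Agent Hot-fix”, and a name-independent mass-deployment rule that fires when any procedure reaches enough distinct agents inside the window.

```python
"""Spot an RMM "agent update" being pushed to an estate en masse.

Added example for this primer; not Kaseya's, Huntress's or Sophos's code.
The log format and sample lines are constructed for illustration, and the
threshold and window are assumed tuning values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Procedure name reported for the fake update that carried REvil.
KNOWN_BAD_PROCEDURES = {"Kaseya VSA Agent Hot-fix"}
MASS_DEPLOY_THRESHOLD = 5                  # distinct agents (assumed)
MASS_DEPLOY_WINDOW = timedelta(minutes=5)  # assumed

# Constructed layout: "<ISO-8601 UTC> <procedure name> | <agent id> | <account>"
LINE_RE = re.compile(r"^(\S+) (.+?) \| (\S+) \| (\S+)$")

SAMPLE_LOG = """\
2021-07-02T14:01:03Z Daily Disk Cleanup | agent-0001 | svc-scheduler
2021-07-02T14:01:10Z Daily Disk Cleanup | agent-0002 | svc-scheduler
2021-07-02T16:30:00Z Kaseya VSA Agent Hot-fix | agent-0001 | system
2021-07-02T16:30:01Z Kaseya VSA Agent Hot-fix | agent-0002 | system
2021-07-02T16:30:01Z Kaseya VSA Agent Hot-fix | agent-0003 | system
2021-07-02T16:30:02Z Kaseya VSA Agent Hot-fix | agent-0004 | system
2021-07-02T16:30:02Z Kaseya VSA Agent Hot-fix | agent-0005 | system
2021-07-02T16:30:03Z Kaseya VSA Agent Hot-fix | agent-0006 | system
2021-07-02T17:15:44Z Patch Scan | agent-0003 | jdoe
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, procedure, agent, account = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "procedure": procedure,
            "agent": agent,
            "account": account,
        })
    return events


def detect(events, threshold=MASS_DEPLOY_THRESHOLD, window=MASS_DEPLOY_WINDOW):
    """Return alerts from two rules.

    known_bad_procedure: the procedure name matches a reported malicious update.
    mass_deployment: one procedure reaches `threshold` distinct agents inside
    `window`, whatever it is called; this catches the trusted-push pattern even
    if the attacker renames the procedure.
    """
    alerts = []
    by_procedure = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["procedure"] in KNOWN_BAD_PROCEDURES:
            alerts.append({"rule": "known_bad_procedure", "procedure": ev["procedure"],
                           "agent": ev["agent"], "ts": ev["ts"]})
        by_procedure[ev["procedure"]].append(ev)

    for procedure, evs in by_procedure.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            agents = {e["agent"] for e in evs[start:end + 1]}
            if len(agents) >= threshold:
                alerts.append({"rule": "mass_deployment", "procedure": procedure,
                               "agents": len(agents), "first_seen": evs[start]["ts"],
                               "last_seen": evs[end]["ts"]})
                break  # one alert per procedure is enough for triage
    return alerts


def run(log_text=SAMPLE_LOG):
    return detect(parse_log(log_text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

    The second rule is the one worth keeping: renaming the procedure defeats the name match but not the mass-deployment check, and in a real deployment the threshold should be baselined against the organisation’s own scheduled-task volume so that routine patch cycles do not page anyone.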


    Who has been impacted?

    Over the weekend, Kaseya said that SaaS customers were “never at risk” and current estimates suggest that fewer than 40 on-prem clients worldwide have been affected. However, while only a small number of Kaseya clients may have been directly infected, those clients are MSPs, so the SMB customers further down the chain that rely on their services could be impacted in turn. According to reports, 800 Coop supermarket stores in Sweden had to close temporarily because their cash registers would not open.

    Huntress said in a Reddit explainer that an estimated 1,000 companies have had servers and workstations encrypted. The vendor added that it is reasonable to suggest “thousands of small businesses” may have been impacted.

    “This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen,” commented Ross McKerchar, Sophos VP. “At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”

    On July 5, Kaseya revised previous estimates to “fewer than 60” customers, adding that “we understand the total impact thus far has been to fewer than 1,500 downstream businesses.” Now, on July 6, the estimate is around 50 direct customers and between 800 and 1,500 businesses down the chain. When it comes to SaaS environments, Kaseya says, “We have not found evidence that any of our SaaS customers were compromised.”

    In a press release dated July 6, Kaseya insisted that “while impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure.”

    The number of vulnerable Kaseya servers online, visible, and open to attackers dropped by 96% from roughly 1,500 on July 2 to 60 on July 8, according to Palo Alto Networks.


    Kaseya CEO Fred Voccola said that the attack, “for the very small number of people who have been breached, it totally sucks.” “We are two days after this event,” Voccola commented. “We have about 150 people that have probably slept a grand total of four hours in the last two days, literally, and that’ll continue until everything is as perfect as can be.” Less than 0.1% of the company’s customers experienced a breach. “Unfortunately, this happened, and it happens,” the executive added. “Doesn’t make it okay. It just means it’s the way the world we live in is today.”

    What is ransomware?

    Ransomware is a type of malware that specializes in encrypting files and drives. In what has become one of the most severe security problems modern businesses face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations. Once a victim’s system or network has been encrypted, cyber criminals place a ransom note on the system, demanding payment in return for a decryption key (which may, or may not, work).

    Today’s ransomware operators may be part of a Ransomware-as-a-Service (RaaS) arrangement, in which affiliates ‘subscribe’ to access and use a particular ransomware family. Another emerging trend is double extortion, in which a victim also has data stolen during the ransomware raid; if they refuse to pay up, they then face the prospect of that data being sold or published online.

    Common and well-known ransomware families include REvil, Locky, WannaCry, Gandcrab, Cerber, NotPetya, Maze, and Darkside.

    Who is responsible?


    The cyberattack has been attributed to the REvil/Sodinokibi ransomware group, which has claimed responsibility on its dark web leak site, “Happy Blog.”

    In an update over the weekend, the operators, believed to have ties to Russia, claimed that more than “a million” systems had been infected. REvil has offered a decryption key, allegedly universal and therefore able to unlock all encrypted systems, for the ‘bargain’ price of $70 million in bitcoin (BTC).

    REvil has previously been linked to ransomware attacks against companies including JBS, Travelex, and Acer.

    What are the ransomware payment terms?

    The ransom note claims that files are “encrypted, and currently unavailable.” A file extension .csruj has reportedly been used. Operators are demanding payment in return for a decryption key, and one ‘freebie’ file decryption is also on the table to prove the decryption key works. The operators add (spelling unchanged):

    “Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests. If you will not cooperate with our service –for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice – time is much more valuable than money.”

    Sophos malware analyst Mark Loman shared a screenshot on Twitter of a ransom note planted on an infected endpoint demanding $44,999. John Hammond, senior security researcher at Huntress, told ZDNet that the company has already seen ransom demands of up to $5 million. Kevin Beaumont says that, unfortunately, he has observed victims “sadly negotiating” with the ransomware’s operators.

    Fabian Wosar, CTO of Emsisoft, has also explained in a Twitter thread why a key obtained by a single organization paying up is unlikely to be a viable path to unlocking all victims. “REvil absolutely has the capability of decrypting only a single victim without these purchased decryption tools being applicable for other victims hit by the same campaign public key,” the security expert noted.

    CNBC reports that the universal ransom demand has been reduced to $50 million in private conversations. However, as of July 7, the public demand for $70 million on the threat group’s leak site remains unchanged.
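    Wosar’s point above, and the $70 million “universal” key offered on the leak site, both follow from how per-victim keys are normally wrapped under a single campaign public key. The Python below is an added example written for this primer, not REvil’s code (the real malware’s primitives differ): it models a campaign RSA key pair held by the operator, a fresh random file key per victim used with a toy SHA-256 keystream cipher, and that file key wrapped to the campaign public key and left on the host. The fixed primes, the toy cipher and the sample files are all constructed for illustration, and textbook RSA without padding is used only so the key hierarchy stays visible.

```python
"""Why one victim's paid-for decryptor does not unlock the whole campaign.

Added example for this primer, not REvil's code; the real malware's
primitives differ. The operator holds one campaign RSA key pair. Each
victim gets a fresh random file key; files are encrypted under it with a
toy SHA-256 keystream, and the file key is wrapped with the campaign public
key and left on the host. Unwrapping one victim's key gives a per-victim
decryptor; releasing the campaign private key is the "universal" decryptor.
Textbook, unpadded RSA on fixed Mersenne primes, for illustration only.
"""
import hashlib
import secrets

P = 2**89 - 1                      # fixed primes: deterministic demo, never for real use
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # campaign private exponent, operator-only


def wrap_key(file_key):
    """Victim side: encrypt the per-victim file key to the campaign public key."""
    if not 0 < file_key < N:
        raise ValueError("file key out of range")
    return pow(file_key, E, N)


def unwrap_key(wrapped):
    """Operator side: recover a file key; needs D, which only the operator has."""
    return pow(wrapped, D, N)


def keystream_xor(key, data):
    """Toy stream cipher: XOR data with SHA-256(key || block counter) blocks."""
    key_bytes = key.to_bytes(32, "big")
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key_bytes + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def infect(files):
    """Encrypt one victim's files under a fresh key; return ciphertexts + wrapped key."""
    file_key = secrets.randbits(128) | 1          # fresh per victim, never reused
    encrypted = {name: keystream_xor(file_key, data) for name, data in files.items()}
    return encrypted, wrap_key(file_key)


def decrypt_with_key(encrypted, file_key):
    return {name: keystream_xor(file_key, data) for name, data in encrypted.items()}


def demo():
    victim_a = {"a.docx": b"quarterly numbers for victim A"}   # constructed sample files
    victim_b = {"b.xlsx": b"payroll for victim B"}
    enc_a, wrapped_a = infect(victim_a)
    enc_b, wrapped_b = infect(victim_b)

    # Victim A pays: the operator unwraps A's key and hands back a decryptor for A only.
    key_a = unwrap_key(wrapped_a)
    a_recovered = decrypt_with_key(enc_a, key_a)

    # Sharing A's decryptor with B does nothing: B's files used a different key.
    b_with_a_key = decrypt_with_key(enc_b, key_a)

    # Only the campaign private key (what a "universal decryptor" amounts to)
    # unwraps B's key as well.
    b_recovered = decrypt_with_key(enc_b, unwrap_key(wrapped_b))

    return {
        "a_ok": a_recovered == victim_a,
        "b_with_a_key_ok": b_with_a_key == victim_b,
        "b_universal_ok": b_recovered == victim_b,
    }


if __name__ == "__main__":
    print(demo())   # {'a_ok': True, 'b_with_a_key_ok': False, 'b_universal_ok': True}
```

    The three results from demo() make the argument: victim A’s unwrapped key recovers A’s files, does nothing for B, and only the campaign private key unwraps B’s key too. That private key is what a universal decryptor amounts to, which is why the whole-campaign price is negotiated separately from any per-victim ransom.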

    What are the reactions so far?

    At the time of the breach, Kaseya notified law enforcement and cybersecurity agencies, including the Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA).

    The FBI and CISA have released a joint statement on the incident, urging customers to run the detection tool provided by Kaseya to determine whether their systems show signs of exploitation, and to enable and enforce multi-factor authentication (MFA) on enterprise accounts wherever possible.

    Kaseya has been holding meetings with the FBI and CISA “to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers.”

    The White House is asking organizations that suspect they have been compromised to report to the Internet Crime Complaint Center (IC3). On Saturday, US President Biden said he had directed federal intelligence agencies to investigate.

    “Targeting [an] MSP platform (that is managing many customers at once) was very well thought and planned,” Amit Bareket, CEO of Perimeter 81, told ZDNet. “What’s unique is that hackers are becoming more strategic and targeting platforms that will filtrate down to many companies with one shot. RMMs [remote monitoring and management] are basically keys to many many companies, which amount to the kingdom for bad actors.”

    The White House has attempted to strengthen its stance on cybercrime in light of this attack, warning Russian President Vladimir Putin that unless he deals with the problem in his own backyard, “we will take action or reserve the right to take action on our own.”

    Are there any recovery plans?

    As of July 4, Kaseya says it has moved on from root cause analysis of the attack to recovery and patch planning. The company’s plan, in its own words:

    • Communication of our phased recovery plan with SaaS first followed by on-premises customers.
    • Kaseya will be publishing a summary of the attack and what we have done to mitigate it.
    • Some lightly-used legacy VSA functionality will be removed as part of this release out of an abundance of caution. A specific list of the functionality and its impact on VSA capabilities will be outlined in the release notes.
    • There will be new security measures implemented including enhanced security monitoring of our SaaS servers by FireEye and enablement of enhanced WAF capabilities.
    • We have successfully completed an external Vulnerability Scan, checked our SaaS Databases for Indicators of Compromise, and have had external security experts review our code to ensure a successful service restart.
    • Data centers starting with the EU will be restored, followed by the UK, APAC, and then North American systems.

    By late evening on July 5, Kaseya said a patch had been developed and that it intended to bring back VSA with “staged functionality” to hasten the process. The company explained that the first release will prevent access to functionality used by a very small fraction of its user base, including:

    • Classic Ticketing
    • Classic Remote Control (not LiveConnect)
    • User Portal

    Kaseya has now published an updated timeline for its restoration efforts, starting with the relaunch of SaaS servers, set for July 6 between 4:00 PM EDT and 7:00 PM EDT. Configuration changes to improve security will follow, including an on-premises patch expected within 24 hours of the SaaS servers coming back online.

    “We are focused on shrinking this time frame to the minimal possible — but if there are any issues found during the spin-up of SaaS, we want to fix them before bringing our on-premises customers up,” the firm says.
    Additional security improvements include the creation of 24/7 SOCs for VSA, as well as a complimentary CDN with a web application firewall (WAF) for every VSA instance.

    Update, July 7: The timeline has not been met. Kaseya said that “an issue was discovered that has blocked the release” of the VSA SaaS rollout. “We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service,” Kaseya commented. In a service update, the vendor said it had not yet been able to resolve the problem. “The R&D and operations teams worked through the night and will continue to work until we have unblocked the release,” Kaseya added.

    Update, July 7, 12 pm EDT: Kaseya now hopes to complete the SaaS rollout no later than the evening of Thursday, July 8. A playbook, due to be published today, will provide guidelines for impacted businesses deploying the upcoming on-premises VSA patch.

    Current recovery status

    As of July 8, Kaseya has published two runbooks, “VSA SaaS Startup Guide” and “On Premises VSA Startup Readiness Guide,” to help clients prepare for the return to service and patch deployment. Recovery, however, is taking longer than initially expected. “We are in the process of resetting the timelines for VSA SaaS and VSA On-Premises deployment,” the company says. “We apologize for the delay and changes to the plans as we work through this fluid situation.”

    In a second video message recorded by the firm’s CEO, Voccola said: “The fact we had to take down VSA is very disappointing to me, it’s very disappointing to me personally. I feel like I’ve let this community down. I let my company down, our company let you down. [..] This is not BS, this is the reality.”

    The new release time for VSA is Sunday afternoon, Eastern Time, to allow additional hardening of the software ahead of deployment.

    Update, July 12: Kaseya has released a patch and is working with on-premises customers to deploy the fix. According to the company, 100% of SaaS customers are now live. “Our support teams continue to work with VSA on-premises customers who have requested assistance with the patch,” Kaseya added.

    What can customers do?

    Kaseya has released a detection tool, including Indicators of Compromise (IoCs), which can be downloaded via Box. It consists of two PowerShell scripts: one to run on a VSA server, the other for scanning endpoints. The self-assessment scripts should be run in offline mode; they were updated on July 5 to also look for encrypted data and REvil’s ransom note.

    The scripts only detect signs of exploitation; they are not security fixes. Kaseya will release patches as quickly as it can, but in the meantime customers have to wait: Kaseya intends to bring customers back online on Sunday, July 11, at 4 PM EDT. “All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,” the firm said. “A patch will be required to be installed prior to restarting the VSA.”

    Cado Security has provided a GitHub repository for responders, including malware samples, IoCs, and YARA rules. Truesec CSIRT has also released a script on GitHub to identify and mitigate damage on infected systems.

    Kaseya has also warned that scammers are trying to take advantage of the situation: “Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments. Do not click on any links or download any attachments claiming to be a Kaseya advisory.”
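    What an offline endpoint sweep of this kind looks like in practice, as an added example written for this article (it is not Kaseya’s PowerShell tool and does not reproduce its checks): the script walks a directory tree without touching the network and flags files carrying the .csruj extension the article reports, plus small text files containing the phrase the article quotes from the ransom note. The sample directory it builds is constructed test data; in a real triage the two markers would be replaced by the IoC list from the vendor’s advisory.

```python
"""Offline endpoint triage sweep for a ransomware incident (added example).

Walks a directory tree and flags two kinds of IoC: files carrying a suspect
appended extension (the article reports '.csruj') and ransom notes found by
matching a short text marker. It is not Kaseya's detection script and does
not reproduce its checks; it makes no network calls.
"""
import os
import tempfile
from dataclasses import dataclass, field

# '.csruj' is the extension reported in the article. The note marker is the
# wording the article quotes from the ransom note; treat both as a starting
# point and replace them with the vendor's published IoC list.
SUSPECT_EXTENSIONS = frozenset({".csruj"})
NOTE_MARKERS = (b"encrypted, and currently unavailable",)
MAX_NOTE_BYTES = 64 * 1024  # ransom notes are small; skip reading large binaries


@dataclass
class SweepResult:
    scanned: int = 0
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)

    @property
    def compromised(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes)


def looks_like_ransom_note(path, markers=NOTE_MARKERS):
    """True if a small, readable file contains any of the marker strings."""
    try:
        if os.path.getsize(path) > MAX_NOTE_BYTES:
            return False
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:  # unreadable or vanished mid-scan: not evidence either way
        return False
    return any(marker in data for marker in markers)


def sweep(root, extensions=SUSPECT_EXTENSIONS, markers=NOTE_MARKERS):
    """Walk `root` without following symlinks and collect IoC hits."""
    result = SweepResult()
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not chase links out of the tree being triaged
            result.scanned += 1
            if os.path.splitext(name)[1].lower() in extensions:
                result.encrypted_files.append(path)
            elif looks_like_ransom_note(path, markers):
                result.ransom_notes.append(path)
    return result


def build_sample_tree():
    """Constructed sample data (not from any real incident) for a dry run."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        "docs/report.docx.csruj": b"\x93\x1f\x00\x7aunreadable ciphertext",
        "docs/readme.txt": b"Your files are encrypted, and currently unavailable.\n",
        "docs/agenda.txt": b"Q3 planning meeting notes\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    res = sweep(build_sample_tree())
    print(f"scanned={res.scanned} encrypted={len(res.encrypted_files)} "
          f"notes={len(res.ransom_notes)} compromised={res.compromised}")
```

    The extension check runs first because it is cheap and does not open the file; the note check reads only small files, which keeps the sweep safe to run against a large data volume on an already-degraded host. A hit from either check is evidence that the machine was touched by the campaign, not proof that the VSA agent was the entry point, so the result should feed an incident timeline rather than stand alone.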

    Is REvil still active?

    After Biden made his stance on ransomware gangs clear to Putin, the REvil group’s leak site went offline, reportedly seized and taken down by law enforcement. The outage also took down REvil’s payment site, public domain, helpdesk chat platform, and negotiation portal. Taking a group’s infrastructure away does not necessarily end it: ransomware operators often close down sites, rebrand, and regroup.

    A side effect of the takedown is that, with no negotiation channel and no way to purchase a decryption key, some victims have been left with unrecoverable systems. One victim who paid for a decryption key that ended up not working is now out of pocket and unable to obtain assistance from the cybercriminals.



    NSO Group's Pegasus spyware used against journalists, political activists worldwide

    An investigation into leaked data allegedly connected to NSO Group has resulted in claims that its software is being used to target journalists, activists, and government figures. 

    As reported by The Guardian, an investigation into a data leak apparently connected to the Israeli spyware vendor suggests that “authoritarian” governments are using NSO Group’s Pegasus software to compromise mobile devices belonging to human rights activists, political dissidents, lawyers, journalists, and politicians.

    Pegasus is a spyware tool with remote access capabilities. It can extract handset information, harvest conversations taking place over apps including WhatsApp and Facebook, monitor email clients and browser activity, record calls, and spy on victims through the device’s microphone and camera.

    Based in Israel, NSO Group markets its products as intended for governments to detect and “prevent a wide range of local and global threats,” and as a way to tackle criminal and terrorist activity. However, a probe launched by the non-profit Forbidden Stories, Amnesty International, and a number of media outlets alleges that the software is being abused to monitor innocent people.

    According to the publication, a leaked list of phone numbers accessed by Forbidden Stories and Amnesty International contained over 50,000 numbers believed to have been “of interest” to NSO Group clients and “selected for targeting” since 2016. The presence of a phone number on the list does not by itself mean that a handset was compromised; the consortium’s investigation, dubbed the Pegasus project, says that infection was confirmed “in dozens of cases.”

    The project says:

    “NSO Group contends that its Pegasus software is meant only to help legitimate law enforcement bodies go after criminals and terrorists, and that any other use would violate its policies and user agreements. The Pegasus Project did find numbers belonging to suspected criminal figures on the leaked list. However, of over 1,000 numbers whose owners were identified, at least 188 were journalists. Many others were human rights activists, diplomats, politicians, and government officials. At least 10 heads of state were on the list.”

    In response, the Israeli firm slammed the project’s claims as full of “wrong assumptions and uncorroborated theories” and has denied any wrongdoing. “Their sources have supplied them with information which has no factual basis, as evident by the lack of supporting documentation for many of their claims,” the NSO Group says. “In fact, these allegations are so outrageous and far from reality that NSO is considering a defamation lawsuit.”

    According to the company, the data used to back up the Pegasus project’s claims is likely based on “accessible and overt basic information” gleaned from services such as HLR Lookups and is not related to “the customers’ targets of Pegasus or any other NSO products.” “Such services are openly available to anyone, anywhere, and anytime, and are commonly used by governmental agencies for numerous purposes, as well as by private companies worldwide,” NSO Group says. “The claims that the data was leaked from our servers is a complete lie and ridiculous since such data never existed on any of our servers.” The company repeated that its technologies are only sold to vetted governments, law enforcement, and intelligence agencies.
    In 2019, Facebook filed a lawsuit against the software vendor, alleging that it exploited a zero-day vulnerability in WhatsApp to deploy its spyware on over 1,400 devices owned by government employees, political dissidents, journalists, activists, and others. Tech giants including Microsoft, Google, and Cisco later filed an amicus brief in support of the case. Last year, the US Federal Bureau of Investigation (FBI) launched an investigation into the NSO Group amid suspicions that US citizens and organizations may have been targeted for cyberespionage.


    Windows 10 security: Here's how researchers managed to fool Windows Hello

    Security researchers have shown how they were able to bypass Windows 10’s Windows Hello biometric authentication with a single infrared frame of the target’s face. Researchers at security firm CyberArk have detailed the Windows Hello authentication bypass and how an attacker could exploit it.

    The attack is elaborate and requires planning: the attacker needs to acquire an infrared (IR) image of the target’s face and build a custom USB device, such as a USB web camera, that Windows Hello will accept. The attack exploits how Windows 10 treats such USB devices and requires the attacker to have physical access to the target PC.

    With those pieces in place, an attacker could gain access to sensitive information on the target’s Windows 10 PC, and potentially to information stored in Microsoft 365 cloud services. “With only one valid IR frame of the target, the adversary can bypass the facial recognition mechanism of Windows Hello, resulting in a complete authentication bypass and potential access to all the victim’s sensitive assets,” CyberArk researcher Omer Tsarfati explained in a blog post. The attacker could capture an IR frame of the target directly or convert a regular RGB frame into an IR frame.

    The weakness lies in how Windows Hello handles “public” data such as the image of a person’s face: it trusts frames arriving from any USB device that meets the Windows Hello requirement of a camera with both IR and RGB sensors, without verifying where those frames came from. The researchers found that only the IR frames are processed during authentication, so an attacker needs just one valid IR frame of the target to pass; the RGB frames can contain anything. During tests, Tsarfati used an RGB frame of SpongeBob and the bypass still worked.

    Tsarfati argued that obtaining an IR frame of the target would be fairly simple: walking past the person with an IR camera, or placing one somewhere the target is likely to pass, such as an elevator. With higher-end infrared sensors the image could even be captured at a distance.

    Tsarfati noted that Microsoft addressed the vulnerability last week and has tagged it as CVE-2021-34466. Microsoft said that the attacker would need physical access and that the attack is complex to pull off. Microsoft noted it is an important patch to apply, but its description suggests it is not something an admin should lose sleep over. “A successful attack depends on conditions beyond the attacker’s control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected,” Microsoft noted. “For example, a successful attack may require an attacker to: gather knowledge about the environment in which the vulnerable target/component exists; prepare the target environment to improve exploit reliability; or inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g., a man in the middle attack).”