More stories

    Tech giants say government cyber assistance would simply cause more problems

    An Australian intelligence and security committee has been told by four technology giants that they foresee no scenario where the installation of government software would be of benefit, and that they do not require assistance from the government in responding to cyber incidents.

    “I cannot think of a situation where installing ASD software on our networks would be of assistance,” director of Google’s threat analysis group Shane Huntley said. “We have a good working relationship with the ACSC and there has been productive threat sharing, and we believe that there is a productive means to collaborate as collaborators, not as coercion or them stepping in to operate our systems and to install stuff on our systems.

    “That is where we draw the strong line.”

    Among other things, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 would allow government to provide “assistance” to entities in response to significant cyber attacks on Australian systems. This includes the proposal for software to be installed that is touted as aiding providers in dealing with threats.

    Huntley on Thursday told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) — which is looking into the Bill — that if there was an incident, Google would absolutely work with the Australian Signals Directorate (ASD) to help respond if required; however, that is where it would end.

    “I do not believe that there is a situation where installing ASD software on our networks or our systems, especially in the heat of an incident, is actually going to cause anything except more problems, and it’s not going to help the solution and it’s not going to help the problem at hand,” he continued.

    Appearing alongside Huntley was Atlassian director of global public policy David Masters, who echoed much the same: it’s not that his company wouldn’t want to work with the Australian Cyber Security Centre (ACSC), but allowing officials into his company’s networks to install software and somewhat pick up the running of services and processes is not a scenario he could see Atlassian wanting or even requiring.

    The tech sector has raised concerns with government step-in powers from day one. Amazon Web Services (AWS) previously said government “assistance” or “intervention” powers could give it overly broad powers to issue directions or act autonomously, and Microsoft previously told the PJCIS it would prefer the government stay out of its incident response. AWS and Microsoft also provided testimony to the PJCIS on Thursday morning, as did Australian cloud services provider AUCloud. With the exception of AUCloud, which said “never say never”, the other two tech giants agreed with the characterisation put forward by Google and Atlassian.

    “Installation of any type of software, particularly in a complex and interconnected network, will have severe adverse consequences,” Hasan Ali, assistant general counsel in Microsoft’s office of critical infrastructure, said. “Doing so in the data storage or processing sector with hyperscale cloud providers, these are interdependent systems, they will introduce vulnerabilities, and we think it’s going to be potentially a source of substantial third-party risk that we may have to mitigate for, from the government, if there is uncertainty with how these powers may be used.”

    While Huntley accepted that installing software to allow for monitoring and detection of threats and for data collection would be beneficial for those without a sophisticated IT environment and a lack of internal capability, that isn’t the case with the likes of Google.

    “We have thousands of security engineers, we have our own systems for monitoring, threat analysis, detection, and the best way — and really, the only feasible way to do this sort of monitoring — would be with our own systems and our own tools,” he said. “I really can’t imagine the situation where there is some software from ACSC or ASD which installing on our systems wouldn’t even work, let alone be safe.”

    Instead, he would prefer the government provide threat information.

    “If ASD wants to say, ‘Here’s what to look for on your systems, here is the IP addresses, here’s the signatures of the malware, here is data to help in this instance’, we always want to see that information,” he said. “What we need is information and collaboration, because the only real software that’s safe to operate in a sort of Google or hyperscale cloud environment is our software and our systems that have been tested and vetted.

    “I don’t think there was a gap that can be filled by the government here.”

    Speaking following the tech giants, auDA CEO Rosemary Sinclair said the Department of Home Affairs had taken on its recommendation for the domain name system to be treated as a subsector, rather than being “caught up” in the broader communications sector.

    Sinclair added the domain administrator was already adhering to cybersecurity standards such as the Essential Eight and ISO27001, using DNSSEC, and working with parts of its supply chain and registry operators on cyber assessments and red team exercises. She said auDA will be auditing them every 12 months, with the potential penalty for failure to comply being the loss of accreditation.

    “If needed we have our own disaster recovery arrangements and could step in should a register or the registry fail. All that is already in place and is quite extensive in its operation and effective,” Sinclair said.

    “All those relationships and processes are in place, and one of the things that strikes us about the legislation is that it’s focusing on a problem of the unwilling and trying to address that. Whereas I suspect that … the vast majority of people who have been engaging in this process are in fact, the willing.”

    In response, Senator James Paterson pointed back to a large company that refused assistance from ASD.

    “Unfortunately, we do have to legislate … for those worst case scenarios, and we are already aware of, at least, one instance, of the significant entity failing to cooperate when they should have in a serious cybersecurity incident,” he said. “And so, unfortunately, the Parliament can’t ignore that — we have to balance the impact that it has on those of you who do have better practice.”

    Sinclair said that the government should be careful about creating a solution to the wrong problem, but that she appreciated the problem of “somebody reaching for the lawyers, rather than actually reaching for the cybersecurity experts”.

    “Nonetheless, the powers that are being proposed are very significant and require proportionate use and scrutiny.”

    Not like TV: Unisys on convincing the masses biometrics isn't about surveillance

    When he was an undercover specialist surveillance photographer with the South Australia Police Force in the 1990s, David Chadwick was responsible for taking photos of suspected criminals and their associates from the backseat of a car, “just like you see in the movies”, he said.

    He would return to the station, print his shots, then make multiple copies of the best quality image, which would be distributed to police officers among dozens of other shots, in the hope of finding out the identity of the individual talking to a known criminal.

    “I would zoom in, crop, print off 50 copies of that, and I would stick those in the internal dispatch system and I would send them out to every detective agency in the state and say, ‘Right, we need to know who this is’,” Chadwick told ZDNet. “We had collections of criminal records photos, but they were under ‘name’, and we have no idea who this is.

    “Then hopefully, at some stage in the next two, three, four, five days we get a response back saying, ‘Hey that looks like John Smith’.”

    John Smith could be an old school teacher, a neighbour, or a drug dealer, but once his name was known, Chadwick said, that would become a lead and then police work would come into it.

    Now the director of identity and biometrics for Unisys Asia Pacific, Chadwick would argue the use of biometrics in 2021 is just a faster, and safer, way of performing this task.

    “What police are doing with facial recognition is exactly what they did without facial recognition,” he said.

    “Most of the time, you don’t know if this person has done anything wrong — if they’re coming out of a bank holding a sawed-off shotty and a bag of money, pretty good odds it’s a bad guy, but realistically, it returns essentially ‘I think that’s John Smith’, then police would do police work.”

    BIOMETRICS AND BIAS

    The Australian Human Rights Commission in May asked for a moratorium on the use of biometrics, including facial recognition, in “high-risk” areas, such as policing and law enforcement, until legislation is in place that guarantees the protection of, among other things, human rights.

    Chadwick would argue there needs to be education, not a moratorium. He said real-life use of biometrics is not at all like what you see on CSI or NCIS.

    “I’ll hack into the DMV to find a match — A. you’ve committed a criminal offence and B. you can’t,” he said. “It will then flash lots of images on a screen and produce one with flashing text saying ‘match’ underneath. Well, no, that’s not how facial recognition works.

    “Facial recognition is incredibly good, but it’s only ever a probability of a match.

    “Biometrics is a useful little tool in the identity management lifecycle and nothing else. It is all about identity; biometrics is just the sexy stuff.”

    Biometrics only anchors the identity, he said: it never returns a result saying that, with 100% accuracy, the person you are looking for is this one. Rather, it pulls a number of images, usually the top 20 matches, in a random order.

    “Unless you pass in a passport quality photo taken by a surveillance operative — I had a joke that if I ever take a perfect quality facial image, I’m burnt, I’ve been seen, because that means they’re looking right at me — this will be off-axis, might be a bit blurry, might be a bit grainy,” he said.

    “You’ll get a stream of 20 images and most systems will not show you the best match because if you see one image that’s 99%, that’s likely to bias you.

    “You might have two or three possible matches, but the emphasis is on possible. It’s a lead generation device.”

    Also raised by the Human Rights Commission, and many others, is the possibility of bias in the use of biometrics. According to Chadwick, that isn’t as prominent in Australia.

    “Because they use machine learning, it depends on the dataset that you train them on,” Chadwick said. “The Australian passport dataset is wonderfully diverse … most of the training databases in America are filled with correctional datasets, which are overrepresented by people of colour.”

    A MATTER OF TRUST

    Making the distinction between facial recognition and mass surveillance, Chadwick said, is important.

    “Everybody’s confused,” he said. “You read about how terrible facial recognition is, about how people want it banned, and then they look at their phone and it unlocks and think this is wonderful, then you cross the border and you go, ‘this is fantastic’, without actually understanding this is also biometrics.”

    He was pointing to the Australian government’s digital identity play. The Digital Transformation Agency (DTA) has been working on Australia’s digital identity system for a number of years, going live with myGovID — developed by the Australian Taxation Office — which is essentially a form of proof allowing the user to access certain online services, such as the government’s online portal myGov.

    Chadwick would appreciate the DTA referring to this as a digital credential as the first step in correcting any confusion.

    “There’s one thing government does really, really badly and that’s sell itself,” he said, noting there needs to be clear, simple communication from government about what it’s actually doing in the space.

    “Even the very fact the DTA still calls it a digital identity, the first thing that goes through the average person’s mind is ‘oh you’re creating an identity database’ … It’s not an identity, it’s a credential.”

    Chadwick said government needs to lift its game: communicate better and actually gain the trust of people. Industry carries some of the responsibility, too.

    “Industry needs to stop selling bullshit, otherwise we end up like China, where everyone thinks China has the most unbelievably good facial surveillance system in the world that could pick you out of a crowd and deduct 10 social points because you spat on the ground … it’s utter rubbish,” he said.

    He said it is impossible to do accurate, many-to-many facial recognition matches in real time.

    “Imagine you’ve got 10 million people in the city, you’ve got to have a database of 10 million people and you’ve got to be scanning this low resolution camera for a thousand faces, so you’re doing a thousand faces to 10 million records, constantly. Sorry, it’s rubbish.

    “We need to start telling an accurate and honest story … and understand some people will never believe you, the tinfoil hat wearers will never believe you.”

    He also said there needs to be an understanding that the government is not tracking you.

    “Police or intelligence agencies tracking — they may well be, but if they are, then you’ve got more problems because they think you’re up to no good,” he said.

    “Biometrics isn’t the bad guy; biometrics is in fact a really important way to protect your identity. All this rubbish about identity, hackers getting in and changing your biometrics, oh my god, the Australian passport office has been doing this for 15 years, they’ve kind of got that bit figured out.

    “It’s about trust, it’s about trusting the capability, but it’s also about the government being able to trust you are who you say you are, so they can deliver higher value services to you.”

    White House urges mayors to meet with state cybersecurity officials on ransomware

    The White House is urging mayors across the US to be more proactive about cybersecurity measures and to meet with state-level officials to test their cybersecurity posture, as attacks continue to plague both small towns and major metropolitan areas.

    Anne Neuberger, the deputy National Security Advisor for Cyber and Emerging Technology, spoke to a bipartisan group of mayors virtually during a US Conference of Mayors event this week, addressing the spate of ransomware attacks on dozens of cities over the last two years. Neuberger “urged mayors to immediately convene heads of state agencies to review their cybersecurity posture and continuity plans,” according to a White House readout of the meeting.

    Multiple cities, including Tulsa, Atlanta, New Orleans, Baltimore and others, have dealt with ransomware attacks and other breaches by criminal groups in recent months. Two weeks ago, Tulsa was forced to notify city residents that some of their personal information may be on the dark web thanks to a ransomware attack in May by the prolific cybercriminal group Conti.

    Many cities and towns do not make ransom payments public, as noted in a recent report from eSentire that found ransomware gangs like Ryuk launched attacks on “Jackson County, Georgia, which paid a $400,000 ransom; Riviera Beach, Florida, which paid $594,000; and LaPorte County, Indiana, which paid $130,000.”

    In addition to attacks on government infrastructure, ransomware groups made hundreds of millions of dollars throughout 2019 and 2020 by attacking hospitals across the country.

    Neuberger said the White House is working to “disrupt ransomware infrastructure” through coordination with private cybersecurity firms and partnering with other countries to “hold countries who harbor ransom actors accountable.”

    She did not go into detail about what specific actions are being taken against ransomware groups, but said the White House is continuing to use cryptocurrency exchanges as a way to track down threat actors. The administration is also in the process of creating a “cohesive and consistent approach” to whether local communities should go through with ransom payments, which dozens of towns and cities have already paid.

    Neuberger also touted the administration’s “Improving the Nation’s Cybersecurity” Executive Order and said the FBI as well as CISA are ready to help cities facing ransomware attacks. She outlined efforts the federal government is making to secure critical industries like the electric sector, pipelines, water treatment plants and chemical plants. The federal government is working on a pilot program called the Cybersecurity Industrial Control Systems Initiative, which Neuberger said will “strengthen cyber resilience in the electric sector.”

    Cybersecurity expert Chloé Messdaghi told ZDNet that legacy equipment, inadequate or even undesignated cybersecurity budgets, and challenges finding and up-skilling talent are all substantial problems across the public sector prompting the increase in ransomware attacks.

    “Whether public or private sector, the thing to remember is that everyone is a target. Outdated equipment, missed patches, inadequate staffing and tight budgets are a huge problem across the public sector,” Messdaghi said. “Getting employees to update their systems in time is such a challenge, and the slower that cities and towns are to patch and update their systems, the more at risk they put the public they serve.”

    Should Kaseya pay REvil ransom? Experts are torn

    About 1,500 small to medium-sized companies and 50 MSPs are still struggling to deal with the fallout from the massive ransomware attack launched by REvil last week. Dozens of small law offices and dental clinics are dealing with ransomware infections, while 800 Coop supermarket chain stores in Sweden had to temporarily close after they were unable to open their cash registers.


    Kaseya has not said if it is considering paying the ransom, but ZDNet reported that the company missed a July 6 deadline it had set for relaunching its SaaS servers. It planned subsequent configuration changes to improve security, including an on-premise patch.

    According to a statement from Kaseya, “an issue was discovered that has blocked the release” of the VSA SaaS rollout. “The R&D and operations teams worked through the night and will continue to work until we have unblocked the release,” Kaseya said in a statement, adding that it is working “around the clock to resolve this issue and restore service.”

    Operators with REvil initially demanded $70 million for decryption keys, but CNBC reported that private negotiators are saying the group is willing to lower its demand to $50 million, despite no change to the figure on the leak site.

    “It’s just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities — nobody will not cooperate with us,” the ransomware group said in a message on its site.

    “It’s not in our interests. If you will not cooperate with our service — for us, it does not matter. But you will lose your time and data, cause just we have the private key. In practice — time is much more valuable than money.”

    In two of the most recent high-profile ransomware attacks, on Colonial Pipeline and meat processor JBS, both companies paid millions in ransoms to get their data and systems back online, with varying success. Colonial Pipeline paid almost $5 million to DarkSide operators, while JBS paid $11 million in Bitcoin to REvil, the same group behind the Kaseya attack.

    While the official government answer is for companies to never pay ransoms, Rep. Eric Swalwell told ZDNet that situations like this are why he believes “Congress, in partnership with the White House and law enforcement, needs to take a coordinated approach to consider questions like this.”

    “We can’t wait any longer. Every light on the dashboard is flashing. Ransomware attacks are increasing in frequency and threatening to shut down entire sectors of the US economy,” Swalwell said. “These attacks threaten both the economy and national security. Businesses are outmatched, and criminal organizations are holding them hostage. Ransomware is a threat to any person, business or organization that relies on computers.”

    Many cybersecurity experts urged Kaseya not to pay the ransom, for a variety of reasons. Some said there was no evidence the decryption keys would work, while others said payment would only validate the gang’s decision to launch such a widespread attack.

    Mat Gangwer, vice president of Sophos Managed Threat Response, explained that he was not aware of any examples of REvil’s decryptor not working and said there was no incentive for the group to provide one that was unusable. “REvil has been quite proud of what they put together and wouldn’t want to jeopardize that here,” he said.

    Bryson Bort, CEO of SCYTHE, said the kind of ransom REvil was demanding was unprecedented. Bort said he thought it was “not on Kaseya to pay the $70 million” and that they would need to “collect money from affected parties for a combined payment.”

    “This has never been done before that I’m aware of. No one knows what that process would even look like — they individually contribute to the same wallet and just trust?” Bort asked.

    Ross McKerchar, Sophos vice president and CISO, said that regardless of whether the decryption keys are provided, the recovery effort will still be significant.

    “Impacted organizations use MSPs, to begin with, because they have limited IT resourcing, and these MSPs will be inundated with requests for assistance, restoring backups, and more, and the very tool MSPs use to access customer environments to remediate issues in this particular situation is offline,” McKerchar explained.

    John McClurg, CISO of BlackBerry, told ZDNet there is no golden rule when it comes to dealing with ransomware attacks. While paying ransoms is publicly discouraged, there are many instances where there may be no other way to recover. The financial impact of downed systems, reputational damage and the potential for permanent data loss can be catastrophic for many companies, McClurg said.

    David White, president of Axio, said Kaseya should instead reimburse individual companies for all the associated impacts connected to the attack, including any ransom payments individual companies may make. He argued that this would benefit the people who were hurt rather than the people behind the attack. According to White, it may also cost far less than the $70 million or $50 million ransom, considering some companies may recover on their own.

    White added that in the recent case of JBS, the decryption keys worked after it paid a ransom, but he cited analysis from Coveware showing that REvil sometimes demands a second payment and sometimes releases data that it promised to destroy.

    CYE CEO Reuven Aronashvili also noted that by paying ransoms, companies get put onto “blacklists” by ransomware gangs that know which companies will be willing to pay up in the event of an attack. Aronashvili also disputed White’s assessment of the cost of recovering, explaining that $70 million is “definitely lower than the accumulated costs of the different organizations.” But even with that, he suggested Kaseya not pay the ransom.

    Allan Liska, a ransomware expert and member of the computer security incident response team at Recorded Future, explained that any ransom paid to REvil will probably be used to buy another exploit for a zero day. But he said that while Kaseya is feeling the heat for this fiasco, more pressure may be on REvil members, as evidenced by their willingness to drop their ransom demand from $70 million to $50 million.

    “This is a big mess for them that they don’t want. They still have a limited staff and we already know that REvil is behind on processing negotiations and publishing to their extortion sites. They’re just publishing data to their extortion sites from attacks that happened in the beginning of June,” Liska said. “They’re already overwhelmed with the number of attacks they have. Imagine having 1,500 victims going to your chat services trying to figure out what the ransom is and all this other stuff. It’s a mess for them. And you’ve now got the attention of all these different world governments.”

    The brazenness of the attack has not gone unnoticed by world leaders, who will now devote significant resources to bringing the group down, Liska said, adding that due to hubris, the people behind REvil will want this to go away as quickly as possible but can’t simply hand out decryption keys. REvil operators also have to contend with the fact that some MSPs may begin to help clients recover, damaging the group’s ability to profit from the attack.

    “So they’re going to get horribly bad press and they’re going to make very little money. This started off as a very sophisticated operation. You have a zero day vulnerability with a zero day exploit being pushed through MSPs to push down. And then after that, it all looks like a cracker jack operation,” Liska said. “It all looks like it’s amateur hour, so they may need to do something else to save a little bit of face because while the front part of it looks very effective, the aftermath looks like a complete disaster for them.”

    For Kaseya, Liska said paying the ransom would only compound the problems it faces. In his experience, the decryptor given out to REvil victims has been lackluster and difficult to use.

    “So on top of whatever the ransom cost is, they’d have to pay Mandiant to write a real decryptor that they could distribute to the MSPs who could then distribute it to their clients. A lot of the clients that are hit hardest by this are lawyer shops that maybe have a staff of 10 or 15. They don’t have the infrastructure to be able to recover from something like this so they’re counting on their MSP to do it,” he said.


    “But at the same time, you’d be giving a lot of money to a bad actor who has shown that they will use that money to do even worse things.”

    None of the MSPs have paid any ransoms, but Liska said he has heard reports from other researchers who said some of the end victims have paid. Overall, Liska told ZDNet he believes most people would understand if Kaseya decided against paying the ransom, even if it would help a lot of people. Unlike other attacks, victims may be down for about a week or more, Liska added.

    “A lot of it is going to depend on how much access the MSPs have to backups and other things that can help with the restore,” Liska said. “It does look like Kaseya is ready to push out the patch in the next couple of days and if that happens then, all of the MSPs are going to be able to bring their VSA back online and really start assessing what the damage is.”

    This serious Wi-Fi bug can break your iPhone, but here's how to protect yourself

    A specially crafted hotspot can cause big problems for your iPhone or iPad. Software engineer Carl Schou discovered that a specific network name — %secretclub%power — can completely disable your iPhone’s ability to connect to Wi-Fi. And beware, because things cannot be restored to normal by rebooting the device or resetting the iPhone’s network settings.

    “You can permanently disable any iOS device’s WiFi by hosting a public WiFi named %secretclub%power. Resetting network settings is not guaranteed to restore functionality. #infosec #0day” — Carl Schou (@vm_call), July 4, 2021

    Does all of this sound vaguely familiar? That’s because only last month, Schou discovered something similar, but not as nasty or tricky to fix.

    Unlike the previous bug that Schou discovered, recovery from this one isn’t easy. You can’t reset the network settings, and recovery from a backup doesn’t work. Schou got his Wi-Fi working again by going back to a backup and manually editing the file to remove the malicious network name. That is not something your average user is going to be able to do.

    This is an incredibly serious bug because it’s so easy to implement and start causing mayhem. So, how can you prevent this from happening to you? After all, little stops pranksters — or possibly a hacker using this as a vulnerability to do something more malicious — from setting up Wi-Fi hotspots with this name and no password.

    Go to Settings > Wi-Fi and make sure that Auto-Join Hotspots is set to Ask to Join or Never on your iPhone (and iPad). Do this. Do this now.

    The Kaseya ransomware attack: Everything we know so far

    Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack on July 2, over the American Independence Day weekend. 

    It appears that attackers have carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya’s VSA software against multiple managed service providers (MSPs) – and their customers. According to Kaseya CEO Fred Voccola, less than 0.1% of the company’s customers were embroiled in the breach, but as its clientele includes MSPs, this means that smaller businesses have also been caught up in the incident.

    Present estimates suggest that 800 to 1,500 small to medium-sized companies may have experienced a ransomware compromise through their MSP.

    The attack is reminiscent of the SolarWinds security fiasco, in which attackers managed to compromise the vendor’s software to push a malicious update to thousands of customers. However, we are yet to find out just how widespread Kaseya’s ransomware incident will prove to be.

    Here is everything we know so far. ZDNet will update this primer as we learn more.

    What is Kaseya?

    Kaseya’s international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries. Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform. The firm’s software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain. 

    What happened?

    On July 2 at 2:00 PM EDT, as previously reported by ZDNet, Kaseya CEO Fred Voccola announced “a potential attack against the VSA that has been limited to a small number of on-premise customers.”

    At the same time, out of an abundance of caution, Voccola urged clients to immediately shut down their VSA servers. “It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA,” the executive said. Customers were notified of the breach via email, phone, and online notices.

    As Kaseya’s Incident Response team investigated, the vendor also decided to proactively shut down its SaaS servers and pull its data centers offline.

    By July 4, the company had revised its thoughts on the severity of the incident, calling itself the “victim of a sophisticated cyberattack.” Cyber forensics experts from FireEye’s Mandiant team, alongside other security companies, have been pulled in to assist.

    “Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service,” Kaseya said, adding that more time is needed before its data centers are brought back online. Once the SaaS servers are operational, Kaseya will publish a schedule for distributing a security patch to on-prem clients.

    In a July 5 update, Kaseya said that a fix had been developed and would first be deployed to SaaS environments once testing and validation checks are complete.

    “We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration,” the company said. “We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers.”

    The ransomware attack, explained

    The FBI described the incident succinctly: a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.” Huntress has tracked 30 MSPs involved in the breach and believes with “high confidence” that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface. According to the cybersecurity firm, this allowed the attackers to circumvent authentication controls, gain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process.

    Kyle Hanslovan, CEO and co-founder of Huntress, told attendees of a webinar discussing the technical aspects of the attack on July 6 that the threat actors responsible were “crazy efficient.” “There is no proof that the threat actors had any idea of how many businesses they targeted through VSA,” Hanslovan commented, adding that the incident seemed to be shaped more by a “race against time.”

    “Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks,” Sophos noted. “As such, it has a high level of trust on customer devices. By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted.” The vendor has also provided an in-depth technical analysis of the attack.

    Security expert Kevin Beaumont said that ransomware was pushed via an automated, fake, and malicious software update using Kaseya VSA dubbed “Kaseya VSA Agent Hot-fix”. “This fake update is then deployed across the estate — including on MSP client customers’ systems — as it [is] a fake management agent update,” Beaumont commented. “This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya’s customers were still encrypted.” With a tip from RiskIQ, Huntress is also investigating an AWS IP address that may have been used as a launch point for the attack.

    On July 5, Kaseya released an overview of the attack, which began on July 2 with reports of ransomware deployment on endpoints. “In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure,” the company says. According to the firm, zero-day vulnerabilities were exploited by the attackers to bypass authentication and achieve code execution, allowing them to infect endpoints with ransomware. However, Kaseya emphasizes that there is no evidence of the VSA codebase being “maliciously modified”.

    Wietse Boonstra, a Dutch Institute for Vulnerability Disclosure (DIVD) researcher, previously identified a number of vulnerabilities, tracked as CVE-2021-30116, which were used in the ransomware attacks. They were reported under a Coordinated Vulnerability Disclosure pact. “Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” DIVD says. “Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched.”
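    The Sophos and Beaumont observations above come down to one design weakness: the agent executes whatever the management server sends, so a compromised server can push a fake “hot-fix” that is really ransomware. The following is an added example, not Kaseya’s code and not a description of how VSA actually validates updates. It shows one control that breaks that trust chain: the agent accepts only updates whose SHA-256 digest appears on a release allowlist anchored outside the management server (fetched over a separate authenticated channel or baked in at build time). The release names, payload bytes and manifests are constructed for the example.

```python
"""Pin management-agent updates to a release allowlist published out of band.

Added example (not Kaseya's or any vendor's code). The agent only executes an
update whose SHA-256 digest appears on an allowlist that the vendor publishes
outside the management server, so a server that has been taken over cannot
push arbitrary payloads. Names, payload bytes and digests are constructed.
"""
import hashlib
import json


def release_allowlist() -> dict:
    """Constructed: digests of the releases the vendor actually shipped.
    In a real deployment this list comes from a separate, authenticated
    channel (or is embedded in the agent at build time), never from the
    management server that is being asked to trust it."""
    genuine = {
        "agent-9.5.7": b"GENUINE AGENT BUILD 9.5.7 (constructed bytes)",
        "agent-9.5.8": b"GENUINE AGENT BUILD 9.5.8 (constructed bytes)",
    }
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in genuine.items()}


def validate_update(manifest_json: str, payload: bytes, allowlist: dict) -> tuple:
    """Return (accepted, reason).

    manifest_json is what the server *claims* it is sending, payload is what
    it actually delivered, and allowlist is the trust anchor. Every decision
    is made against the allowlist, never against the manifest alone."""
    try:
        manifest = json.loads(manifest_json)
        name = manifest["name"]
        claimed = manifest["sha256"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed manifest"
    expected = allowlist.get(name)
    if expected is None:
        # A "hot-fix" nobody published is rejected before any bytes are touched.
        return False, f"unknown release {name!r}: not on the allowlist"
    actual = hashlib.sha256(payload).hexdigest()
    if actual != expected:
        # Real release name, different bytes: the classic swapped payload.
        return False, f"payload digest {actual[:12]}... does not match release {name!r}"
    if claimed != expected:
        return False, "manifest digest disagrees with allowlist"
    return True, f"release {name!r} verified"


def demo() -> dict:
    """Run the check against four constructed server behaviours."""
    allow = release_allowlist()
    good_blob = b"GENUINE AGENT BUILD 9.5.8 (constructed bytes)"
    forged_blob = b"RANSOMWARE DROPPER DISGUISED AS HOTFIX (constructed bytes)"
    good_manifest = json.dumps({"name": "agent-9.5.8", "sha256": allow["agent-9.5.8"]})
    # A compromised server can mint any manifest: one naming a real release
    # while delivering different bytes, or one advertising a release that
    # was never published at all.
    fake_manifest = json.dumps({"name": "agent-hotfix",
                                "sha256": hashlib.sha256(forged_blob).hexdigest()})
    return {
        "genuine": validate_update(good_manifest, good_blob, allow),
        "swapped": validate_update(good_manifest, forged_blob, allow),
        "unlisted": validate_update(fake_manifest, forged_blob, allow),
        "garbage": validate_update("not json", good_blob, allow),
    }


if __name__ == "__main__":
    for scenario, (ok, why) in demo().items():
        print(f"{scenario:>8}: {'ACCEPT' if ok else 'REJECT'} - {why}")
```

    The point of the design is where the allowlist lives: if the management server could edit it, a compromised server could simply add the digest of its own payload, which is exactly the situation the example is meant to defend against. A digest allowlist is the simplest form of this anchor; a signed release manifest verified with a public key compiled into the agent is the more common production form, and the same rule applies to it, the private key must never sit on the management server.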


    Who has been impacted?

    Over the weekend, Kaseya said that SaaS customers were “never at risk” and current estimates suggest that fewer than 40 on-prem clients worldwide have been affected. However, it should be noted that while a small number of Kaseya clients may have been directly infected, as MSPs, SMB customers further down the chain relying on these services could be impacted in their turn. According to reports, 800 Coop supermarket chain stores in Sweden had to temporarily close as they were unable to open their cash registers.

    Huntress said in a Reddit explainer that an estimated 1,000 companies have had servers and workstations encrypted. The vendor added that it is reasonable to suggest “thousands of small businesses” may have been impacted. “This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen,” commented Ross McKerchar, Sophos VP. “At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”

    On July 5, Kaseya revised previous estimates to “fewer than 60” customers, adding that “we understand the total impact thus far has been to fewer than 1,500 downstream businesses.” Now, on July 6, the estimate is about 50 direct customers, and between 800 and 1,500 businesses down the chain. When it comes to SaaS environments, Kaseya says, “We have not found evidence that any of our SaaS customers were compromised.” In a press release dated July 6, Kaseya has insisted that “while impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure.”


    Kaseya CEO Fred Voccola said that the attack, “for the very small number of people who have been breached, it totally sucks.”

    “We are two days after this event,” Voccola commented. “We have about 150 people that have probably slept a grand total of four hours in the last two days, literally, and that’ll continue until everything is as perfect as can be.” Less than 0.1% of the company’s customers experienced a breach. “Unfortunately, this happened, and it happens,” the executive added. “Doesn’t make it okay. It just means it’s the way the world we live in is today.”

    What is ransomware?

    Ransomware is a type of malware that specializes in the encryption of files and drives. In what has become one of the most severe and serious security problems modern businesses now face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations. Once a victim’s system or network has been encrypted, cyber criminals will place a ransom note on the system, demanding payment in return for a decryption key (which may, or may not, work). Today’s ransomware operators may be part of a Ransomware-as-a-Service (RaaS) scheme, in which they ‘subscribe’ to access and use a particular type of ransomware. Another emerging trend is double extortion, in which a victim will have their information stolen during a ransomware raid. If they refuse to pay up, they may then face the prospect of their data being sold or published online. Common and well-known ransomware families include REvil, Locky, WannaCry, Gandcrab, Cerber, NotPetya, Maze, and Darkside.

    Who is responsible?


    The cyberattack has been attributed to the REvil/Sodinokibi ransomware group, which has claimed responsibility on its Dark Web leak site, “Happy Blog.” In an update over the weekend, the operators, believed to have ties to Russia, claimed that more than “a million” systems have been infected. REvil has offered a decryption key, allegedly universal and, therefore, able to unlock all encrypted systems, for the ‘bargain’ price of $70 million in the bitcoin (BTC) cryptocurrency. REvil has been previously linked to ransomware attacks against companies including JBS, Travelex, and Acer.

    What are the ransomware payment terms?

    The ransomware note claims that files are “encrypted, and currently unavailable.” A file extension .csruj has reportedly been used. Operators are demanding payment in return for a decryption key and one ‘freebie’ file decryption is also on the table to prove the decryption key works. The operators add (spelling unchanged):

    ”Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests. If you will not cooperate with our service –for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice – time is much more valuable than money.”

    Sophos malware analyst Mark Loman shared a screenshot on Twitter of a ransomware note planted on an infected endpoint demanding $44,999. John Hammond, senior security researcher at Huntress, told ZDNet that the company has already seen ransom demands of up to $5 million. Kevin Beaumont says that, unfortunately, he has observed victims “sadly negotiating” with the ransomware’s operators.

    Fabian Wosar, CTO of Emsisoft, has also explained in a Twitter thread why using a key obtained by a single organization paying up is unlikely to be a viable path for unlocking all victims. “REvil absolutely has the capability of decrypting only a single victim without these purchased decryption tools being applicable for other victims hit by the same campaign public key,” the security expert noted.

    CNBC reports that the universal ransom demand has been reduced to $50 million in private conversations. However, as of July 7, the public demand for $70 million on the threat group’s leak site remains unchanged.

    What are the reactions so far?

    At the time of the breach, Kaseya notified law enforcement and cybersecurity agencies, including the Federal Bureau of Investigation (FBI) and US Cybersecurity and Infrastructure Security Agency (CISA). The FBI and CISA have released a joint statement on the security incident and are urging customers to run a tool provided by Kaseya to determine the risk of exploit, and to both enable and enforce multi-factor authentication (MFA) on enterprise accounts, wherever possible. Kaseya has been holding meetings with the FBI and CISA “to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers.”

    The White House is asking organizations to inform the Internet Crime Complaint Center (IC3) if they suspect they have been compromised. On Saturday, US President Biden said he has directed federal intelligence agencies to investigate.

    “Targeting [an] MSP platform (that is managing many customers at once) was very well thought and planned,” Amit Bareket, CEO of Perimeter 81, told ZDNet. “What’s unique is that hackers are becoming more strategic and targeting platforms that will filtrate down to many companies with one shot. RMMs [remote monitoring and management] are basically keys to many many companies, which amount to the kingdom for bad actors.”

    The White House has attempted to strengthen its stance on cybercrime in light of this attack, warning Russian President Vladimir Putin that unless he deals with the problem in his own backyard, “we will take action or reserve the right to take action on our own.”

    Are there any recovery plans?

    As of July 4, Kaseya says the company has now moved on from a root cause analysis of the attack to recovery and patch plans, consisting of:

      • Communication of our phased recovery plan with SaaS first followed by on-premises customers.
      • Kaseya will be publishing a summary of the attack and what we have done to mitigate it.
      • Some lightly-used legacy VSA functionality will be removed as part of this release out of an abundance of caution. A specific list of the functionality and its impact on VSA capabilities will be outlined in the release notes.
      • There will be new security measures implemented including enhanced security monitoring of our SaaS servers by FireEye and enablement of enhanced WAF capabilities.
      • We have successfully completed an external Vulnerability Scan, checked our SaaS Databases for Indicators of Compromise, and have had external security experts review our code to ensure a successful service restart.
      • Data centers starting with the EU will be restored, followed by the UK, APAC, and then North American systems.

    By late evening on July 5, Kaseya said a patch has been developed and it is the firm’s intention to bring back VSA with “staged functionality” to hasten the process. The company explained that the first release will prevent access to functionality used by a very small fraction of its user base, including:

      • Classic Ticketing
      • Classic Remote Control (not LiveConnect)
      • User Portal

    Kaseya has now published an updated timeline for its restoration efforts, starting with the relaunch of SaaS servers, now set for July 6, between 4:00 PM EDT and 7:00 PM EDT. Configuration changes to improve security will follow, including an on-premise patch, expected to land in 24 hours, or less, from the time SaaS servers come back online. “We are focused on shrinking this time frame to the minimal possible — but if there are any issues found during the spin-up of SaaS, we want to fix them before bringing our on-premises customers up,” the firm says. Additional security improvements include the creation of 24/7 SOCs for VSA, as well as a complimentary CDN with a web application firewall (WAF) for every VSA.

    Update July 7: The timeline has not been met. Kaseya said that “an issue was discovered that has blocked the release” of the VSA SaaS rollout. “We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service,” Kaseya commented. In a service update, the vendor said it has been unable to resolve the problem. “The R&D and operations teams worked through the night and will continue to work until we have unblocked the release,” Kaseya added.

    July 7, 12 pm EDT: Kaseya hopes to resolve the SaaS systems rollout no later than the evening of Thursday, July 8. A playbook is currently being written up, due to be published today, which will provide guidelines for impacted businesses to deploy the upcoming on-prem VSA patch.

    What can customers do?

    Kaseya has released a tool, including Indicators of Compromise (IoC), which can be downloaded via Box. There are two PowerShell scripts for use: one on a VSA server, and the other has been designed for endpoint scanning. The self-assessment scripts should be used in offline mode. They were updated on July 5 to also scan for data encryption and REvil’s ransom note.

    However, the scripts are only for potential exploit risk detection and are not security fixes. Kaseya will release patches as quickly as it can, but in the meantime, customers simply have to wait. “All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,” the firm said. “A patch will be required to be installed prior to restarting the VSA.”

    Cado Security has provided a GitHub repository for responders, including malware samples, IoCs, and Yara Rules. Truesec CSIRT has also released a script on GitHub to identify and mitigate damage on infected systems. Kaseya has also warned that “customers who experienced ransomware and receive a communication from the attackers should not click on any links — they may be weaponized.”
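    The endpoint scanner described above looks for two things the “What is ransomware?” section also names: files carrying the attacker’s extension and the dropped ransom note. The following is an added example of such an offline sweep, written for this page; it is not Kaseya’s PowerShell script and is not a substitute for it. The .csruj extension and the phrase “encrypted, and currently unavailable” are taken from the article; the ransom-note filename and the directory tree the example builds are constructed sample data, and the verdict thresholds are the example’s own.

```python
"""Offline sweep for signs of ransomware encryption on an endpoint.

Added example for this page, not Kaseya's detection script. It applies the
same idea the article describes for the endpoint scanner: look for files
carrying the attacker's extension and for ransom notes, and report them so
responders can triage. The extension and note phrase come from the article;
the sample tree built below is constructed data.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".csruj"                               # from the article
NOTE_PHRASE = b"encrypted, and currently unavailable"  # from the article
NOTE_MAX_BYTES = 64 * 1024   # ransom notes are small text; skip large binaries


def scan_tree(root: str) -> dict:
    """Walk root read-only and return counts plus the matching paths.
    Never follows symlinks, so it is safe to point at a live disk."""
    encrypted, notes, total = [], [], 0
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for fname in filenames:
            path = Path(dirpath, fname)
            if path.is_symlink():
                continue
            total += 1
            if path.suffix.lower() == ENCRYPTED_EXT:
                encrypted.append(str(path))
                continue
            try:
                if path.stat().st_size <= NOTE_MAX_BYTES and NOTE_PHRASE in path.read_bytes():
                    notes.append(str(path))
            except OSError:
                pass   # locked or unreadable file: skip it, do not abort the sweep
    return {
        "files_seen": total,
        "encrypted": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "encrypted_ratio": (len(encrypted) / total) if total else 0.0,
    }


def verdict(result: dict) -> str:
    """Turn the counts into a triage label (thresholds are this example's own)."""
    if result["encrypted"] and result["ransom_notes"]:
        return "ENCRYPTED"
    if result["encrypted"] or result["ransom_notes"]:
        return "SUSPICIOUS"
    return "CLEAN"


def build_sample_tree() -> str:
    """Constructed sample host: three documents were encrypted and a note was
    dropped in the user's Documents folder; a program directory is untouched.
    The note filename is made up for the demo, not REvil's real one."""
    root = tempfile.mkdtemp(prefix="sweep-demo-")
    docs = Path(root, "Users", "alice", "Documents")
    docs.mkdir(parents=True)
    for name in ("q2-report.xlsx", "contract.docx", "notes.txt"):
        (docs / (name + ENCRYPTED_EXT)).write_bytes(os.urandom(256))
    (docs / "readme-restore.txt").write_text(
        "Your files are encrypted, and currently unavailable.\n"
        "(constructed text for the example)\n")
    clean = Path(root, "Program Files", "App")
    clean.mkdir(parents=True)
    (clean / "app.exe").write_bytes(b"MZ" + b"\x00" * 100)
    (clean / "license.txt").write_text("plain license text\n")
    return root


if __name__ == "__main__":
    r = scan_tree(build_sample_tree())
    print(verdict(r), "files:", r["files_seen"],
          "encrypted:", len(r["encrypted"]), "notes:", len(r["ransom_notes"]))
```

    Two design points carry over to a real response. The sweep is read-only and skips files it cannot open, because the first job of a triage script is to finish and report, not to alter evidence or crash on a locked handle. And it matches on the note text rather than a fixed note filename, since filenames are trivial for an operator to vary while the extortion wording tends to be reused across a campaign.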


    SideCopy cybercriminals use new custom Trojans in attacks against India's military

    The SideCopy advanced persistent threat (APT) group has expanded its activities, and now, new Trojans are being used in campaigns across India. 

    The APT has been active since at least 2019 and appears to focus on targets of value in cyberespionage. Last year, Cyware said that SideCopy was involved in a number of attacks, including those targeting Indian defense forces and military personnel. On Wednesday, researchers from Cisco Talos said a recent surge in activity “signals a boost” in the APT’s development of techniques, tactics, and tools, with multiple, new remote access trojans (RATs) and plugins now in play.

    An interesting aspect of SideCopy is the group’s attempts to confuse security researchers by copying techniques usually reserved for Sidewinder, a separate APT believed to have attacked the Pakistani military and other targets across China. SideCopy has also taken reference from Transparent Tribe, also known as PROJECTM, APT36, or Mythic Leopard. This group also strikes at Indian government and military units; however, Transparent Tribe has recently shifted its focus to Afghanistan.

    According to Talos, SideCopy has expanded from the deployment of a C#-based RAT called CetaRAT, the Allakore Trojan, and njRAT to four new customized Trojans and two further commodity RATs known as Lilith and Epicenter. SideCopy’s original infection chain used malicious .LNK files and .DLLs to deploy a Trojan on a victim’s machine. Link lures will often relate to Indian army operations; however, the group also uses honeytraps — in particular, the promise of explicit photos of women.

    However, since last year, SideCopy’s attack chain has evolved to a .LNK file, three HTML application files, three loader .DLLs, and then multiple RATs — including two versions of CetaRAT deployed in the same strike. Decoy documents and images may also be used in the initial stages of an attack. In other variations, such as an attack chain that was designed to deploy njRAT, the group used a dropper hidden in a self-extracting .RAR archive, and in others, the .LNK element is completely abandoned in favor of malicious .ZIP archives hosted on attacker-controlled websites.

    DetaRAT, ReverseRAT, and MargulasRAT are new Trojans joining CetaRAT. They contain typical functions for this kind of malware — the creation of a link between a victim machine and a command-and-control (C2) server, data theft, process tampering, clipboard data stealing, and screenshot capture — with the exception of ReverseRAT, which is a simple reverse shell and removable drive monitor. Once infected, plugins are also deployed, including functions such as enumeration, keylogging, and browser credential stealers. One set of plugins of note is “Nodachi,” written in the Go programming language and designed to steal files from an Indian multi-factor authentication (MFA) app called Kavach.

    “What started as a simple infection vector by SideCopy to deliver a custom RAT has evolved into multiple variants of infection chains delivering several RATs,” Talos says. “The use of these many infection techniques — ranging from LNK files to self-extracting RAR .exes and MSI-based installers — is an indication that the actor is aggressively working to infect their victims.”


    Ransomware: US warns Russia to take action after latest attacks

    Following the latest series of ransomware attacks, the White House has said the US will take action against the gangs involved, if the Russian government doesn’t. The June ransomware attack on Colonial Pipeline, which distributes much of the fuel to the eastern seaboard of the US, was a turning point in discussions about cybercrime between US president Joe Biden and Russian president Vladimir Putin. 

    Kaseya attack

    Biden in June said critical infrastructure should be “off-limits” to this style of cyberattack and is pressuring Putin to get a grip on ransomware gangs operating in Russia’s jurisdiction. While the US intelligence community has not attributed the attack to one gang, most cybersecurity experts are pointing to gangs operating out of Russia.

    The question over ransomware came up again after last week’s attack on US tech firm Kaseya, whose VSA remote management and monitoring software was compromised, leading to about 1,500 companies being affected. While few critical infrastructure providers appear to have been hit, it has forced the closure of dozens of Coop supermarket stores in Sweden since Sunday. Affected Coop stores remained closed until Tuesday as it replaced cash registers. REvil offers its ransomware infrastructure as a service to any gang that is willing to pay. The attackers have demanded $70 million for a universal decryption key that would resolve the issue for Kaseya, its managed service provider (MSP) customers, and MSPs’ customers. White House press secretary Jen Psaki on Tuesday offered an update to the US response to Russian-based cybercrime.

    “As the President made clear to President Putin when they met, if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own,” said Psaki. She said a high level of the US national security team has been in touch with a high level of Russian officials to discuss the attacks. But she said that even if the ransomware gangs were not operating with the permission of the Russian government, stopping the attacks was still Russia’s responsibility. ”Even as it is criminal actors who are taking these actions against the United States or entities – private-sector entities in the United States, even as – even without the engagement of the Russian government, they still have a responsibility. That continues to be the President’s view and the administration’s view,” she said.

    The G7 alliance, which includes Canada, France, Germany, Italy, Japan, the UK and the US, in June warned countries from which ransomware gangs operated to rein them in. Colonial ended up paying $4 million to its ransomware attackers while JBS, which was also compromised by a REvil-related gang, paid $11 million. Kaseya on Tuesday issued a statement outlining its efforts to minimize impact on critical infrastructure.

    It said the REvil attack impacted about 50 Kaseya customers. “Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised,” Kaseya said in a statement. The attack exploited a previously unknown flaw in Kaseya’s VSA software and only impacted customers with on-premise VSA servers. Kaseya, however, took its VSA software-as-a-service (SaaS) product offline too and was expected to bring it back online on July 6. The company issued a notice late on July 6 that it deferred its SaaS restoration due to an undisclosed issue. “We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service. We will be providing a status update at 8 AM US EDT,” it said in a statement.