More details come to light in Kaseya ransomware incident
Continuing coverage this week of the ransomware attack against customers of the remote monitoring and management software vendor Kaseya.
In total, around 60 Kaseya customers were compromised, who between them manage approximately 1,500 different organisations’ IT environments. The attack was carried out by the REvil ransomware gang, who claim that ‘more than one million systems’ have been affected in the attack. The cybercrime group posted on their ‘Happy Blog’ notification site that they would provide a decryptor tool that works for any of the affected organisations in exchange for $70 million in Bitcoin. Palo Alto Networks’ threat intel team has a write-up of the REvil ransomware gang and their common tactics and techniques.
Fortunately, it seems that while REvil were able to encrypt data on a huge scale, they were unable to delete backups or exfiltrate data for double-extortion purposes. As a result, many managed service providers are restoring from backup and few victims are opting to pay the criminals’ demands.
The initial infiltration appears to have been through an authentication bypass on the web control panel of the appliance, followed by SQL commands used to deploy and execute the malware. Apparently, the issues had been reported to Kaseya by the Dutch Institute for Vulnerability Disclosure a few weeks ago and the firm was in the process of addressing them, but not before the attackers managed to make use of them.
Meanwhile, other attackers have jumped on news of the incident and sent spoofed emails purporting to be from Microsoft that include malicious attachments posing as ‘security updates’. The malicious spam, or malspam, campaign drops the Cobalt Strike tool on infected devices.
In an almost ten-minute video statement posted to YouTube earlier this week, Kaseya CEO Fred Voccola praised the support of the FBI and Department of Homeland Security in responding to the incident. While understandably defensive in places, it is a largely good explanation of the world we now live in and the types of decisions that a CEO has to make. Kaseya was following a ‘playbook’ for this type of scenario (props for having one in place), though one aspect Voccola touches on is one that I always try to cover when running cyber crisis exercises with clients: sleep. “We have about 150 people that have probably slept a grand total of 4 hours in the last 2 days.”
It’s important not to underestimate the ‘soft’ side of incident response when creating cyber playbooks. Create a plan, and consider how you’re going to feed, water and accommodate your staff during a crisis. Teams often rise to the occasion and supporting them is one of the most important things you can do. Rested and fed employees will also tend to make better decisions.
The topic of ransomware was discussed in an hour-long call between U.S. and Russian leaders this week, where President Biden “made it very clear” that he expected President Putin to act “when a ransomware operation is coming from [Russian] soil.”
Kaseya plans to restore SaaS operations today (Sunday), while the company finishes adding in additional protections. Guides have been published for SaaS and on-prem customers to help restore their operations.
techcrunch.com (#s & $70m), therecord.media (vulnerability), bleepingcomputer.com, paloaltonetworks.com, cyberscoop.com, youtube.com (statement), ft.com (Biden/Putin), Restoration guides: kaseya.com (saas), kaseya.com (on-prem)
43% of all crime in Singapore during 2020 was cybercrime, according to the city-state’s Cyber Security Agency zdnet.com
10x the price paid for domain admin vs user accounts, with $4,207 average asking price for domain administrator privileged accounts, and $406 average asking price for standard user accounts, based on analysis of over 500 listings by threat intel provider Kela zdnet.com
Other newsy bits
Microsoft releases out-of-band patch for PrintNightmare…
The PrintNightmare situation (vol. 4, iss. 27) gets worse for Microsoft, as the out-of-band emergency patch does not appear to have been properly tested. Researchers were quick to suggest that the way Microsoft has fixed the issue could be easily circumvented.
The patch does more than just address the technical vulnerability though, changing the permissions required to install unsigned printer drivers: “After installing such updates, delegated admin groups like printer operators can only install signed printer drivers,” said Microsoft. “Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.”
Win for farmers seeking ‘right to repair’
U.S. President Biden is to issue an executive order directing the Department of Agriculture to “give farmers the right to repair their own equipment” in an ongoing battle between farmers and John Deere. The machinery manufactured by John Deere has become increasingly sophisticated, with greater use of technology and software to control aspects of its tractors. In 2016 the company updated its terms of service to state that only authorised service technicians could work on the machines, prompting outrage from the farming community. The order is also expected to encourage the Federal Trade Commission to explore similar rules for consumer electronics, too.
Why the Kaseya ransomware attack is a really big deal
Matt Tait has a piece at Lawfare on some of the dynamics behind the Kaseya ransomware attack and why it matters. Supply-chain attacks are different from ‘standard’ breaches because of the force multiplier: many parties are affected simultaneously, and indiscriminately. So far these supply-chain attacks have been relatively limited in scale. Even Kaseya. There are a greater number of vendors that could be compromised and used to cause significant disruption than you might immediately think: not just Microsoft, Apple and Google, but also popular software vendors like Adobe and Zoom, plus games companies with store platforms like Valve and Blizzard. lawfareblog.com
Attacks, incidents & breaches
- Passenger and cargo railway services disrupted in Iran, with departure boards updated to urge travellers to call the phone number of Iran’s Supreme Leader for more information theguardian.com
- Gettr, a new social media network launched by a former Trump spokesperson, launched on 4th July before promptly being defaced and having its user data scraped because of weaknesses in its API vice.com
- Barristers’ chambers 4 New Square victim of ransom demands over stolen data, according to court paperwork theregister.com
- U.K. Information Commissioner launches investigation into the use of private email and chat apps at Department of Health and Social Care zdnet.com
- Morgan Stanley reports data breach, including Social Security Numbers, of ‘StockPlan’ customers after supplier using Accellion file transfer appliance was breached earlier this year zdnet.com
- Details of 75,349 individuals accessed by attackers during a breach at insurer CNA Hardy earlier this year (vol. 4, iss. 13) bleepingcomputer.com
- ‘SideCopy’ group is using government and military-themed lures in a cyber-espionage campaign targeting Indian users therecord.media
- ‘Perfect 10’ vulnerability in Sage X3 enterprise resource planning suite allows a command to be executed by unauthenticated users - especially a concern if the instance is exposed to the Internet theregister.com
- Colorado passes Privacy Act, applying to companies collecting personal data from 100,000 Colorado residents, dropping to 25,000 where this is used to derive revenue from sales zdnet.com
- Companies including DuckDuckGo and ProtonMail ask E.U. and U.S. authorities to ban ‘surveillance-based’ advertising practices therecord.media
- China signals intention to increase scrutiny on domestic tech companies listing on foreign securities exchanges, both on data security and regulatory oversight bloomberg.com
- Good overview of the U.K.’s draft Online Safety Bill that, in its current form, will see services like Zoom and Facebook Messenger become regulated. The bill has previously been described as a “censor’s charter” (BBC News) lawfareblog.com, bbc.co.uk
Mergers, acquisitions and investments
- Encrypted cloud service provider Tresorit acquired by Swiss Post for an undisclosed sum techcrunch.com
- Sophos has acquired detection startup Capsule8 to boost Linux and container security capability sophos.com
Kaspersky Password Manager… not so random
It’s come to light that the way Kaspersky’s password manager generated passwords for a user was, well, not so random. The software used only the current time as the input (or seed) to its random number generator when producing passwords, meaning that two users would get the same password if they generated one at exactly the same moment. It also means that an attacker who knows roughly when a password was generated could regenerate the small set of candidate passwords for that window and try them against an account. This is the reason why all KPM users had to update all their passwords back in March 2019.
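To show why a time-seeded generator is a problem regardless of how long or complex the resulting password looks, here is an added illustration in Python. It is not Kaspersky’s code: it seeds Python’s `random` module with a timestamp in seconds, the way the article describes KPM’s flaw in principle, and places it beside a generator built on the `secrets` module (the operating system’s CSPRNG). The 94-character alphabet, the 16-character length and the timestamp values are constructed for the example.

```python
"""Time-seeded password generation versus a CSPRNG (added example).

weak_password() reproduces the class of flaw described above: the only
input is a timestamp, so the whole output is a deterministic function of
the second in which the password was generated.  strong_password() draws
from the OS CSPRNG via `secrets`.  Alphabet and length are arbitrary.
"""
import math
import random
import secrets
import string

# Constructed alphabet: 52 letters + 10 digits + 32 punctuation = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def weak_password(length: int, seed_time: int) -> str:
    """Password from a PRNG seeded only with a timestamp (seconds).

    Two callers sharing a timestamp get an identical string, and anyone who
    knows the generation window can enumerate every possible output, one per
    second.  Kept here purely to illustrate the defect; never use for real
    credentials.
    """
    rng = random.Random(seed_time)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int) -> str:
    """Password drawn from the OS CSPRNG; no seed for an attacker to guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password over the alphabet, in bits."""
    return length * math.log2(alphabet_size)


def effective_entropy_bits(window_seconds: int) -> float:
    """Entropy actually delivered by the time-seeded generator.

    The output space collapses to one candidate per second of uncertainty
    about the generation time, independent of password length or alphabet.
    """
    return math.log2(window_seconds)


def same_second_collides(length: int, seed_time: int) -> bool:
    """True if two 'independent' users generating in the same second collide."""
    return weak_password(length, seed_time) == weak_password(length, seed_time)


if __name__ == "__main__":
    # Constructed timestamp (early March 2019, the month of the forced resets).
    t = 1_551_700_000
    print("user A, weak:", weak_password(16, t))
    print("user B, weak:", weak_password(16, t), "(identical)")
    print("strong:      ", strong_password(16))
    print(f"nominal entropy of 16 chars: {nominal_entropy_bits(16):.1f} bits")
    print(f"effective entropy, 1-day window: {effective_entropy_bits(86_400):.1f} bits")
```

The numbers make the point more clearly than the collision alone: a 16-character password over this alphabet nominally carries roughly 105 bits of entropy, but if the seed is a one-second timestamp and the attacker can place generation within a day, there are only 86,400 possible outputs, about 16 bits. That is why the fix is not a longer password but a generator whose inputs the attacker cannot predict.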