CyberWire Daily - Cyber conflict sputters in Ukraine? Kaseya delays VSA patch, offers assistance to REvil’s victims. US mulls retaliation for privateering. PrintNightmare patch. Another extradition run at Julian Assange.

Episode Date: July 8, 2021

Ukrainian government websites may have come under an unspecified cyberattack early this week. Kaseya delays its VSA patch until Sunday, and offers assistance to victims of VSA exploitation by REvil. The US continues to mull its response to Russia over REvil and Cozy Bear. A small electric utility’s business systems go offline after a ransomware attack. Microsoft continues to grapple with PrintNightmare. Caleb Barlow from CynergisTek on the changing Cyber Insurance landscape. Our guest is Kwame Yamgnane from Qwasar on how he seeks to inspire minority kids to code. And the US will try again to get Julian Assange extradited. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/130

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Ukrainian government websites may have come under an unspecified cyber attack early this week. Kaseya delays its VSA patch until Sunday and offers assistance to victims of VSA exploitation by REvil. The U.S. continues to mull its response to Russia over REvil and Cozy Bear. A small electric utility's business systems go offline after a ransomware attack.
Starting point is 00:02:23 Microsoft continues to grapple with PrintNightmare. Caleb Barlow from CynergisTek on the changing cyber insurance landscape. Our guest is Kwame Yamgnane from Qwasar on how he seeks to inspire minority kids to code. And the U.S. will try again to get Julian Assange extradited. From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your Cyber Wire summary for Thursday, June 8th, 2021. While much of the news this week has been of rising tension in cyberspace between Moscow and Washington, cyber conflict hasn't left the rest of the world alone in the meantime. Reuters reports that on Tuesday afternoon, an unspecified cyber attack hit the official websites of Ukraine's president, the country's security services, and other institutions.
Starting point is 00:03:33 Service was restored quickly, and there's been no attribution of the attack. But Reuters does note the hybrid war Russia has been waging against Ukraine over the past decade. The major story of the week remains, of course, REvil's exploitation of Kaseya's VSA to spread ransomware via MSPs who use VSA. Kaseya's CEO Fred Voccola, in a video message posted at 9:45 Eastern Daylight Time last night, said the new release time for a fixed and patched VSA will be this coming Sunday at 4 p.m. Eastern Time. While Kaseya was confident the patches they'd developed
Starting point is 00:04:14 had closed the vulnerabilities the extortionists exploited, Voccola said that third-party engineers and internal IT personnel recommended placing additional layers of security to protect against other exploits they may not foresee. The company also published a runbook last night of changes to the on-premises version of VSA, which should enable customers to prepare themselves for the coming update. Voccola also alluded in his video to Kaseya Cares, a program initiated during the early days of the COVID-19 pandemic last year.
Starting point is 00:04:50 Kaseya Cares provided direct assistance, both financial and advisory, to MSPs serving small to mid-sized businesses. He said they were extending similar help now to businesses affected by the VSA-propagated ransomware. U.S. President Biden yesterday left a meeting with advisers and said that he will deliver a response to Russia's President Putin over the ransomware attacks on U.S. companies. The New York Times reports that Mr. Biden's vague statement, delivered as he was departing for a trip, left it unclear whether he was planning another verbal warning to Mr. Putin, similar to the one he issued three weeks ago during a one-on-one summit in Geneva, or would move ahead with more aggressive options to dismantle the infrastructure used by Russian-language criminal groups. But it's at least clear that the U.S. administration's belief
Starting point is 00:05:46 is that Russia bears some responsibility for the Kaseya ransomware campaign, even if that responsibility goes no farther than tolerating criminal behavior. REvil is not a new group, and it's operated for some time without molestation or interference by Russian law enforcement or security organs. More evidence that REvil is following its practice of not hitting Russian targets was presented by Trustwave's SpiderLabs, who, in their study of the operation against Kaseya, found that its ransomware packages avoided systems identifiable as Russian.
Starting point is 00:06:23 The Times juxtaposes its account of deliberations about a response to REvil with a discussion of the U.S. administration's view of the attempt on the Republican National Committee, apparently by Russia's SVR. Mr. Biden said, quote, The FBI is working with the RNC to determine the facts. I will know what I'm going to do tomorrow, end quote. Whether this represents a causal link or mere correlation in time and circumstance isn't clear, but the focus of any U.S. response that may be under consideration in either case is Russia.
Starting point is 00:06:59 The BBC quotes experts to the effect that the attempt to compromise the RNC looks like traditional espionage, but the Kaseya incident is another and arguably more serious matter altogether. The BBC thinks that sanctions and some arrangement that would secure Russian police cooperation against REvil are the two options the U.S. is most likely to avail itself of. Cooperation with Russian law enforcement seems unlikely, however, to be productive. MIT Technology Review has an account of how earlier attempts at such collaboration have fallen flat after initial promises of goodwill.
Starting point is 00:07:39 Kaseya's ability to cope with the attack has received starchy reviews from those who believe, like the sources CRN quotes in its When Will They Ever Learn coverage, that the company shouldn't have left itself vulnerable to this kind of exploit in the first place. The Dutch Institute for Vulnerability Disclosure says it discovered the zero day in April and promptly notified Kaseya. Kaseya was in the process of addressing the issue when the attack hit, so arguably the company's response was dilatory. It certainly came, unfortunately, just a bit too late. But it's also true that other organizations have been caught on the hop
Starting point is 00:08:18 by an unexpected exploit before. Some other observers have given Kaseya much better notices. Electronic engineering, for example, describes Kaseya as swiftly responding to contain the damage. The company's public communication about the incident has been regular and clear. The Cyber Wire has more extensive coverage on our website, where we continue to follow the story. Other ransomware attacks also continue to surface. The Wiregrass Electric Cooperative, a small rural electrical utility in the U.S. state of Alabama, was hit with a ransomware attack that seems unrelated to the Kaseya incident. This seems not to be the long-feared assault on critical infrastructure or industrial control systems,
Starting point is 00:09:09 but rather the more familiar attack on an organization's IT. Business systems and not control systems were affected, Security Week says. The cooperative says it did not lose any data, but it did take member account information and payment systems offline as a precaution. KELA takes a look at the way ransomware gangs operate today and sees the division of labor one finds wherever craft develops into industry. In this case, there are five distinct stages in an attack, and they're increasingly entrusted to criminal specialists. They are: code (code or acquire malware with the desired capabilities), spread (infect targeted victims), extract (maintain access to infected machines), and monetize
Starting point is 00:09:53 (get profits from the attack). Ars Technica writes that Microsoft's out-of-band patch that addressed the PrintNightmare vulnerability may be incomplete and that it might be possible for attackers to bypass the protections the fix put in place. And finally, Britain's High Court has agreed to hear a U.S. appeal of a lower court's denial of extradition in the case of Julian Assange. That denial had been predicated on fears that the American jails and prisons that would hold the WikiLeaks proprietor wouldn't be able to protect him from suicide. Mr. Assange faces U.S. federal espionage charges.
Starting point is 00:10:33 The Wall Street Journal reports that American reassurances about conditions of confinement swayed the high court, and specifically a promise that, should he be convicted, Mr. Assange wouldn't be held in a supermax correctional facility. According to the Washington Post, the U.S. Justice Department offered the prospect that Mr. Assange could serve out any sentence in an Australian prison. The gentleman is, of course, an Australian native. The date for the extradition hearing has not been set.
Starting point is 00:11:17 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done
Starting point is 00:11:55 five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:12:40 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. There are encouraging signs that cybersecurity is seeing its workforce grow more diverse. It's happening slowly. Kwame Yamgnane is CEO at Qwasar Silicon Valley. He joins us with thoughts on inspiring young people of color to pursue careers in cyber.
Starting point is 00:13:26 There is not so much people of color right now in the U.S. who really embrace the tech field as a career for them. If you take a look on statistics, especially if you take tech giants like Google, Apple, Facebook, and so on, like the percentage of black people in the tech, for example, is really under the ratio of what you have in the US right now by three or four. So basically, there is like a huge room for improvement there to have more kids who are able to embrace a career in the tech, especially from the diverse population and African-American, for example.
Starting point is 00:14:16 And how can we go about inspiring these kids to take their place in cybersecurity? It's a very good question. So first, I think there is a question of model, model role of people who can show to the kids like it's a career with like a lot of opportunities, like six-figure paying jobs, and there is no issue for them to get access
Starting point is 00:14:44 to this kind of job, except that today it's difficult to find, like, for them this kind of role. So I think, like, to give access to more diverse people and more color people to the job in the tech, there is like multiple questions here. The first one is a question of role model. Like right now, if you see like usually like most of the people that are considered like the big leaders of the tech, it's difficult to have like black people to show to the kids. And that's the first thing. So it's important for them.
Starting point is 00:15:26 It's important to have more and more black people, more and more in the black and the tech industry who can show the role to the kids. And the second part is like the accessibility to this kind of education. To become a software engineer, a full stack developer, all this kind of job, this requires to get access to very high-end education.
Starting point is 00:15:47 And we know there is a direct correlation between issues for the kids to get access to this kind of education on where they come from, who they are, from which social layer they are. So it's a big challenge that we have to solve. We see study after study that shows that diversity of thought, bringing in people from different backgrounds, leads to better outcomes. Is this a matter of companies embracing that notion
Starting point is 00:16:21 and making the investment to make sure that there's a pipeline for these folks to come into the industry? So, correct. Obviously, there is like this kind of things, but there is like something that is slightly more difficult to understand, which is like, when you create a company, a company is really connected to the culture of the founders. So it's one of the most important pieces inside a company is to have like really the cultures that fit with the founder. We want everybody to be aligned and to work together to the success of the company. That's Kwame Yamgnane from Qwasar Silicon Valley. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity
Starting point is 00:17:21 solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Caleb Barlow. He is the CEO of CynergisTek. Caleb, it's always great to have you back. I wanted to check in with you today on cyber insurance,
Starting point is 00:18:11 the kinds of things that you are seeing and tracking from your point of view. What's the latest? Well, Dave, it's a changing, right? And, you know, cyber insurance, I think, was something that if you wind back five or ten years, lots of insurance providers wanted to get in the market. It was relatively inexpensive. And I think a lot of CISOs and boards looked at it as a way to defer risk. When the biggest thing you were potentially impacted with was the loss of data.
Starting point is 00:18:39 So you insured that risk, which would often be maybe paying some regulatory fines and maybe having to notify the people whose data you lost. Pay for some credit monitoring, right? Yeah, but that really isn't what we're seeing nowadays, right? I mean, some of these losses can easily total up $50, $60 million or more. There have been some breaches that have been well over $200, $300 million. And these insurers are starting to also get more sophisticated to realize that, well, maybe you don't have the right tools in place and maybe I shouldn't insure you. Yeah, I was going to ask you about that. I mean, how much are the insurance companies sort of, I don't know, driving the conversation of saying, I often think about,
Starting point is 00:19:21 if I want to insure my building, my insurer is going to come and say, well, you better have sprinklers. You better have fire extinguishers, you know, those sorts of things. Are the insurance companies able to guide things in those directions when it comes to cyber insurance? Well, they're kind of putting a toe in the water. And the challenge the insurers have is, on one hand, they want to ask all these questions. But on the other hand, they still want to win your business. So, you know, I was looking at, you know, kind of our last renewal. And what I noticed is a few interesting questions pop up. Do you have two factor authentication? And then later is, well,
Starting point is 00:19:56 is it on everything or just like one thing? And do you have, do you have EDR? And they actually knew what EDR was. They even listed the names of some companies. Now, the funny thing was, nowhere on here did it ask things like, is your network segmented? And really basic stuff. But they're starting to ask a couple of the questions that you'd expect to see in an environment where things are more mature. Now, what they're not doing yet, and they're not going in yet and saying,
Starting point is 00:20:31 hey, I actually need somebody to go in and do a full assessment of your security posture. I think that's coming at some point down the road. They're trying to gather as much information as they can from the outside. There are a lot of tools out there that will do kind of attack surface visualization. They're using some of those tools. But you can see where it's headed. Here's the bigger thing, Dave. If you answer in the negative to some of these questions, a lot of these policies are going to step out. We had a situation where one of our supply chain vendors was breached, so it had nothing to do with us
Starting point is 00:21:03 further on down the stream. When we were going out to bid, we obviously had to disclose this because it was an active incident, even though it was not ours. We actually had one company step away. Nope, we're out. They didn't even bother to understand even what it was about. But you're also seeing a lot of folks specifically prohibit any SolarWinds claims, as an example. Oh, interesting. I can't help wondering if we're headed towards a situation similar to flood insurance, where, you know, the federal government has to be a backstop because
Starting point is 00:21:37 it's just not a good business for anybody else to be in. Well, I'll tell you, you know, I think what really got my attention was when Warren Buffett, one of his latest conversations, you know, he basically indicated, look, I only want so much coverage on cyber from all of my insurance companies. And that really got my attention. I don't know if we're quite at the point where, you know, we need to kind of go the federal flood insurance route, although it's not the first time I've heard that conversation. I think the bigger point is insurance companies at some point here are going to start to get really smart, and they're going to start to understand what actually is your security posture and do I feel comfortable underwriting you or not. Yeah, yeah.
Starting point is 00:22:18 All right. Well, Caleb Barlow, thanks for joining us. Thanks, Dave. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash,
Starting point is 00:22:56 Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
