CyberWire Daily - Kaseya and REvil--the state of recovery. President Biden calls President Putin to ask for action on ransomware. Cyber incident in Iran. Ukraine says its naval website was hacked. Tracking ransom.
Episode Date: July 12, 2021
Kaseya has patched the VSA on-premises and SaaS versions affected by REvil ransomware. The US tries some straight talk about privateering with Russia, but with what effect remains to be seen. Russia's autarkic Internet poses some challenges for international security. Iranian rail and government sites were hit with a cyber incident over the weekend. Ukraine says Russian threat actors defaced its Naval website. Carole Theriault looks at ethics in phishing simulations. Josh Ray from Accenture tracks real world incident response trends. And tracking just how much the ransomware gangs are taking in. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/132
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Kaseya has patched the VSA on-premises and SaaS versions affected by REvil ransomware.
The U.S. tries some straight talk about privateering with Russia.
Russia's private Internet poses some challenges for international security.
Iranian rail and government sites were hit with a cyber incident over the weekend.
Ukraine says Russian threat actors defaced its naval website. Carole Theriault looks at ethics in phishing simulations.
Josh Ray from Accenture tracks real-world incident response trends
and tracking just how much the ransomware gangs are taking in.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Monday, July 12th, 2021.
Kaseya yesterday afternoon pushed fixes for VSA's on-premises and software-as-a-service versions. At 8 a.m., the company's update indicated that patching was proceeding quickly. They stated, quote, as posted in the previous update, we released the patch to VSA on-premises customers and began deploying to our VSA SaaS infrastructure prior to the 4 p.m. target. The restoration of services is now complete with 100% of our SaaS customers live as of 3:30 a.m. U.S. Eastern Daylight Time. Our support team continues to work with VSA on-premises customers who have requested assistance with this patch. End quote.
The large-scale fix has, as one might expect, stressed Kaseya's systems.
The company announced later this morning that, quote, unplanned maintenance will be performed across the entire SaaS farm today between 12 p.m. and 2 p.m. EDT with an expected downtime of 20 minutes. With the large number of users coming back online in a short window, we have seen some performance issues. We made some configuration changes to address and need to restart the servers for these to take effect and improve performance.
In the company's Saturday evening video update, EVP Mike Sanders advised customers to clean up
Active Directory and any users tied to the VSA, and specifically to remove any users who don't
require access. He also recommended that customers install the FireEye agent to perform a deep
scan of their VSA, ensuring that they have a clean environment. The Sunday afternoon updates
required all users to change their passwords. All agents were set to suspended mode,
and customers will have to turn them on as needed.
In an hour-long phone call Friday, U.S. President Biden communicated his expectations
concerning ransomware operations to Russian President Putin. Reuters reports that in
President Biden's estimation, the call went well and that he expects Russian cooperation against
gangs like REvil. Mr. Biden said, quote, I made it very clear to him that the
United States expects when a ransomware operation is coming from his soil, even though it's not
sponsored by the state, we expect them to act if we give them enough information to act on who that
is, end quote. Should expected Russian cooperation not be forthcoming, President Biden said the U.S.
was prepared to take certain actions on its own.
He and administration officials declined to say what such actions might be.
At the White House daily press conference on Friday, Press Secretary Psaki said President Biden, quote, underscored the need for President Putin to take action to disrupt these ransomware groups, end quote. Her explanation offered Moscow a way of preserving deniability, quote, REvil operates in Russia and other countries around the world, and we do not have new information suggesting the Russian government directed these attacks. We also believe they have a responsibility to take action. The president made clear the United States will take any necessary action to defend its people and critical infrastructure, end quote.
Russia's foreign ministry described the presidential phone call briefly and repeated its contention that Russia has heard nothing about this or any other cyber criminal activity over the past month.
A post on the ministry's Facebook account said,
quote, in the context of recent reports on a series of cyber attacks ostensibly made from
Russian territory, Vladimir Putin noted that despite Russia's willingness to curb criminal
manifestations in the information space through a concerted effort, no inquiries on these issues
have been received from U.S. agencies in the last month.
At the same time, considering the scale and seriousness of the challenges in this area,
Russia and the U.S. must maintain permanent professional and non-politicized cooperation.
This must be conducted through specialized information exchange channels between the
authorized government agencies, through bilateral judicial mechanisms and while observing the provisions of international law.
This doesn't sound like a clear promise of cooperation on ransomware,
and hostile editorials have been slow to argue that the Kremlin will dismiss this kind of conversation
as so much gas until the U.S. takes some action that hurts people who count in the Russian scheme of things.
And the U.S. administration seems itself not to think that a ransomware fix will be either quick or easy.
GovInfo Security says that unnamed senior U.S. officials frame the presidential conversation
as one element of a broader push toward greater U.S. resilience with respect to ransomware and other cyber threats.
They also urged people to contain any expectation of swift results.
The anonymous official said, quote,
So this is a broad campaign and won't have an immediate on-off effect like a light switch, end quote.
There may be reason to think that Russia's RUNET initiatives represent an attempt to position Russia operationally for more deniable hybrid warfare. While RUNET, which is shorthand for a set of initiatives generally aimed at creating a Russian Internet that would be substantially distinct from the rest of the web, has generally been seen as serving the kind of domestic control and autarky that China's Great Firewall does, RUNET may have other objectives.
The Atlantic Council has released a study of RUNET's implications for international security.
One particularly dangerous result may be the ways in which RUNET could be used to stage and facilitate proxy attacks by criminals and privateers.
Successful implementation of RUNET may also increase Moscow's sense of immunity from cyber attack, rendering deterrence less readily attainable.
And, of course, isolation of the Russian Internet will tend to make cybercriminals more dependent on state assistance
to reach their victims, pushing more of them in the direction of privateering as opposed to simply
freebooting. The AP reported Saturday that a cyber disruption affected websites belonging
to Iran's Transport and Urbanization Ministry. The incident occurred after Iranian state television said that the
country's passenger rail system on Friday faced long delay following a cyber attack.
According to Bloomberg, train tracking systems were affected, as were station entrances,
exits, and ticket booths. Message boards announced long delays due to cyber attacks,
the Guardian says. No group has claimed responsibility for
the incidents, and Iranian sources have so far offered no attribution. Iran's state-owned
Press TV said that officials have confirmed a cyber attack, that investigation is in progress,
and that past attacks have been traceable to Israel and the U.S.
Ukrainian officials said Friday that threat actors linked to Russia's government had compromised
the website of the Ukrainian naval forces.
According to Reuters, the aim appears to have been disinformation.
The website compromised was used to publish, quote, fake reports about the international
Sea Breeze 2021 military drills, end quote.
Russia has objected to the Black Sea exercise as
a provocation. Finally, there's a lot of ransomware, but how much are victims actually paying?
Well, more than one would like, but perhaps a bit less than fears would make it out to be.
A new site, Ransomwhere, spell and pronounce it ransom-where, as in where's the ransom, is offering a crowdsourced tracker of extortion payments. It puts 2021's running total at $32,723,453.28, with REvil so far the leading earner.
Pretty soon you're talking about real money.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time
visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
BlackCloak.io.
to spotting and reporting potentially dangerous email. But it is not without controversy, as the CyberWire's own Carole Theriault points out in this commentary.
So, okay, no surprise.
I'm a big fan of cybersecurity training.
I think that is the way employees can learn how to spot the more subtle scams that happen either through email, social media, or any other method
of communication that we use all the time. Now there's some really great folks out there all
over the world that provide services to companies to help train your staff. They may give presentations,
some might even do simulation attacks. And that is what I want to talk about today.
So some would argue that the way to conduct these phishing simulations ethically is to first warn employees that these may happen and to keep an eye out so they don't feel completely blindsided by a simulation.
It also helps them keep aware because, after all,
it's the vigilance you want to encourage.
That is the key to spotting stuff
that may have bypassed your security infrastructures.
Now, others like to surprise.
So you do a phishing simulation without telling anybody.
You then share the results,
provide training, and then give the warning that you're going to do another simulation.
And lo and behold, your staff score lower than they originally did on the phishing simulation "oh look, we were duped" scale.
And honestly, I don't mind which approach someone takes as long as the whole goal is not about tricking your employees,
but more about teaching them to be very careful.
A recent phishing simulation took place in the UK at a rail company.
And I would argue this pushes the boundaries as to what is acceptable.
In terms of a phishing simulation, you'd expect to be conducted by your work, but you be the judge.
Basically, employees were thanked for their service during the global pandemic.
Some had lost family members. Some even had died.
The phishing simulation sent an email offering a bonus for all
their hard work. And they were asked to click on a link to see the message from the company chief
and to receive the amount that they were going to be bonused. Of course, there was no bonus.
This was all a phishing simulation. And as you can imagine, the staff were not best pleased,
nor was the union, who called it crass and reprehensible.
And you know what? I agree.
There should be limits on what kind of tests we put people through.
So, if you're thinking of conducting a phishing simulation
or something similar in your place of work, make sure you review the content
that is going to be included in the simulation and don't leave it all up to a third party to
make the decisions for you. It can rear up some nasty surprises. This was Carole Theriault for the CyberWire.
with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker
is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
And I'm pleased to be joined once again by Josh Ray. He is Managing Director and also Global Cyber Defense Lead at Accenture Security.
Josh, always great to have you back.
I want to touch base and see what sort of things you and your team are tracking
when it comes to incident response trends.
What are you guys seeing these days?
Yeah, Dave, I will say that over the past four months,
our incident response team have observed a massive amount of breach activity.
And this is being primarily driven by SolarWinds, as you can imagine, but also actors that are exploiting the vulnerabilities in the on-prem version of Microsoft Exchange Server.
Dave, I'm not exaggerating when I say that.
In my 20-plus years, I've rarely, if ever, seen this level of volume.
And I'll say that these attacks have caused some really substantial impact to organizations
and, in many cases, significantly degraded their ability to conduct business.
Wow.
I mean, is this an all-hands-on-deck kind of situation, not just with your own team,
but are you hearing from your colleagues around the industry that maybe people are even stretched a little thin?
I think it is. And across the industry, we're really seeing multiple
threat actor groups kind of jumping on the bandwagon. But specifically of note,
our team has observed the Ryuk and the Hades ransomware being leveraged for really what we consider big game hunting.
And this is targeting across multiple industries to include transportation, logistics, retail, and even telecommunications.
What are you seeing in terms of how incident response teams engage?
I mean, how much of it is able to be done remotely?
How much of it is, you know, people having to get on airplanes
and travel to places and bring, you know, the equipment with them?
Yeah, we've been able to adapt our operations
to primarily, you know, service clients remotely.
And it was actually kind of funny that, you know,
when you're talking about how do you adapt your own operations, I mean, the threat has kind of pivoted things as well, too. And it's
actually been outlined really nicely. We recently wrote a blog about the Hades ransomware and kind
of outlined some of the MITRE ATT&CK techniques observed and some mitigations. But one of the things that was most interesting about
how the Hades group is operating, or the threat group rather, is how they were focusing on
disabling endpoint defenses to include EDR. And they really adapted their TTPs to run more,
I guess what we call kind of hands-on keyboard operations.
And this is really to inflict the maximum amount of damage and capture much higher potential payouts.
So when one of your clients reaches out and they kind of throw up that bat signal
and they say, you know, we need help here,
what are some of the things that they can do to make sure
that that interaction is going to be a successful one? Yeah, I would say, Dave, it actually starts even before the bat signal goes
up, right? So ensuring that they have a robust crisis management, incident response, and disaster
recovery plans, and really making sure that they have COOP plans that account for that ransomware
or wiper attacks. You know, patching is always top of mind,
making sure they're able to do that to the highest level. But
considering deploying endpoint detection, EDR across their environment,
and really making sure that they got at least 90% coverage
there is really critical. We always talk about
robust password policy
as being kind of table stakes
and using multi-factor wherever possible.
But if you're looking at RDP connections,
which is how a lot of these threats are moving laterally,
making sure that VPNs and network level authentication
is enabled.
And then finally, the last two things
that we always talk about is really encrypting the data
at rest wherever possible and protecting those keys, right?
To make sure that they're not storing credentials
in files and scripts that are on shared locations, right?
These might sound like common sense type of things,
but it's really about kind of continuously training
your users and making sure that the team
that is
helping to get the folks in a position to be successful have all the information up front
so that they can make sure that, you know, these things don't occur to begin with.
Hmm. All right. Well, Josh Ray, thanks for joining us.
Thank you, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
And check out the Recorded Future podcast, which I also host.
The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan,
Thanks for listening. We'll see you back here tomorrow.
Thank you.
where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.