CyberWire Daily - Kaseya continues to work through its REvil days, as does the US Administration. In other news, there’s cyberespionage in Asia, the PrintNightmare fix, and Black Widow as phishbait.
Episode Date: July 9, 2021
Kaseya continues to work through remediation of the VSA vulnerability exploited by REvil, with completion expected Sunday afternoon. And while REvil has made a nuisance of itself, this time they may not have seen a big payday, or at least not yet. The US is still considering its retaliatory and other options in the big ransomware case. China's MSS is active against targets in Asia. Andrea Little Limbago from Interos looks at government access to data analysis. Our guest is Leon Gilbert from Unisys with data from their Digital Workplace Insights report. And scammers are baiting their hooks with Black Widow lures. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/131
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Kaseya continues to work through remediation of the VSA vulnerability exploited by REvil with completion expected Sunday afternoon.
And while REvil has made a nuisance of itself, this time they may not have seen a big payday, at least not yet.
The U.S. is still considering its retaliatory and other options in the big ransomware case.
China's MSS is active against targets in Asia.
Andrea Little Limbago from Interos looks at government access to data analysis.
Our guest is Leon Gilbert from Unisys
with data from their Digital Workplace Insights report.
And scammers are baiting their hooks
with Black Widow lures.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 9th, 2021. We begin with an update on REvil's exploitation of Kaseya's VSA.
Kaseya CTO Dan Timpson posted a video late yesterday afternoon in which he provided a high-level overview of the steps the company was taking
to fix the problems with its VSA software,
whose modular design he credited with helping limit the scope of the attacks by REvil.
Timpson made a point of listing the organizations Kaseya was working with as it responded to the
ransomware attack. Mandiant, including its affiliate FireEye, the FBI, CISA, and DIVD, as well as with partners, customers, and researchers.
Kaseya has fixed the vulnerabilities in both on-premises and cloud versions of VSA, he said,
documented the updates, and had them peer-reviewed by the partners the company has engaged.
A post on Kaseya's site indicates that patches for VSA's on-premises version
are still scheduled for release this coming Sunday, July 11th at 4 p.m. Eastern Time. That's
also when Kaseya intends to begin deploying the fixes to its VSA software-as-a-service infrastructure.
There's some question as to how successful the responsible REvil affiliate has actually been this time around.
It's clearly succeeded at infecting both direct customers of Kaseya, as well as those customers' customers,
the downstream victims of nth-party risk.
The Wall Street Journal reports that ransomware infestations connected with the exploitation of Kaseya
had, by yesterday, been found in six European countries.
The Record reports that Kaseya's president and general manager for EMEA, Ronan Kirby,
addressing a meeting convened by Belgium's CERT, said those six countries were the UK, the Netherlands, Germany, Sweden, Norway, and Italy.
Eight of the 60 direct customers affected by the campaign are in Europe.
Kaseya still thinks there are between 800 and 1,500 total downstream victims,
that is, customers of the MSPs who use Kaseya's VSA.
But it's not clear how well the extortionists have actually done
in collecting the ransom they've demanded.
Bleeping Computer has found only two victims who've paid any ransom at all,
and so concludes that the responsible REvil affiliate is unlikely to get the big payday they're hoping for.
REvil went after the software itself, the better to cast a broad net,
and so passed up the now customary step of wiping or
encrypting backups. So the victims may have simply opted to restore from backups and bite the bullet
on any doxing that may develop later. Unless, of course, there's some under-the-radar GoFundMe
campaign that's quietly raising the $50 million the bad guys want. No, that's not going
to happen. A U.S. response to the ransomware campaign remains under consideration. Security
Week writes that the U.S. administration faces pressure to do something about REvil's campaign,
and it's clear that doing something increasingly means taking a whack at Russian interests,
with U.S. military organizations doing a good bit of the whacking.
The Pentagon has been circumspect about what it might be called upon to do.
A Defense Department spokesman on Tuesday declined to discuss specific U.S. Cyber Command capabilities, plans, or infrastructures.
The spokesman said, quote,
We are all mindful of these growing threats to national security as well as to civilian infrastructure. We believe a U.S. response
to those threats has got to be whole of government, end quote, as opposed to a purely military
response. In this case, whole of government would probably mean, especially, the intelligence community and the Departments of State, Justice, Treasury, and Commerce.
More coverage of this incident can be found on our CyberWire website.
Recorded Future's Insikt Group reports finding what appears to be a Chinese cyberespionage campaign active against targets in Nepal, Taiwan, and the Philippines. The threat group,
which Recorded Future tracks as Threat Activity Group 22, TAG-22, is interested in telecommunications,
academic research and development, and government organizations in the three countries.
It's also taken an interest in an airport and a university located in Hong Kong. The researchers believe
TAG-22 used compromised GlassFish servers and Cobalt Strike for initial access, subsequently
switching to its own bespoke backdoors for long-term persistence. They see some overlap
with other activity other research groups have tracked. In particular, the infrastructure and
the malware used against the targets in Hong Kong
are significantly similar to Winnti Group activity reported by ESET and NTT Group.
There are also some commonalities with the operation against the Mongolian Certificate Authority,
MonPass, that Avast described, especially the deployment of Cobalt Strike.
The ShadowPad and Winnti backdoors
that were used to establish persistence have been used by the operators FireEye calls APT41
and that Microsoft calls Barium. Winnti has been a particular favorite of contractors working for
China's MSS, its Ministry of State Security. The different operations have different
objectives, but the campaign against targets in Taiwan seems most clearly focused on industrial
espionage pursued in the interest of furthering Beijing's economic goals. Microsoft has issued
a clarification regarding the patch it issued this week for CVE-2021-34527, the
Windows Print Spooler vulnerability, that's PrintNightmare. Redmond says the patch is working as
designed and urges users to apply it. The Microsoft Security Response Center investigated reports that
the patch was ineffective and concluded that, quote, all reports we have investigated have relied on the changing of default registry settings
related to Point and Print to an insecure configuration, end quote.
And finally, devotees of the Marvel Universe,
are you looking forward to the new Black Widow movie?
It premieres today, you know.
Of course, you know, moviegoers, we are not judging.
There's no shame in being a fan. Some of us may already have our tickets. But use caution and
discretion when you enjoy. Tech Republic and others are circulating a warning, courtesy of
Kaspersky, that scammers are baiting their hooks with a lot of Black Widow bait. Steer clear, especially, of offers of early, free, or pirated streaming of the flick.
Movies aren't distributed via executables attached to an email,
nor does watching one normally require you to reveal your name, address, passwords,
grandmother's maiden name, and so on.
As always, viewer beware.
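The PrintNightmare item in the news segment above turns on a configuration detail: Microsoft's July 2021 guidance was that the CVE-2021-34527 fix only holds if the Point and Print policy values NoWarningNoElevationOnInstall and UpdatePromptSettings are 0 or not defined. The PowerShell audit below is an added example, not code from the episode or from Microsoft. It reads those two values from HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint, reports whether each is in the secure state, optionally resets them with -Fix, and reports the Print Spooler service state for hosts where disabling the service is the chosen mitigation. The registry path and value names follow Microsoft's published guidance at the time; the function names are my own.

```powershell
# Added example (not from the CyberWire episode or from Microsoft): audit the Point and Print
# policy values that Microsoft's July 2021 PrintNightmare guidance requires to be 0 or absent.
# Run in an elevated PowerShell session on the host you want to check.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Values whose non-zero setting turns the CVE-2021-34527 patch back into a bypassable control,
# per the MSRC clarification quoted in the episode.
$RequiredZero = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')

function Test-PointAndPrintHardening {
    param([switch]$Fix)
    $results = @()
    foreach ($name in $RequiredZero) {
        $current = $null
        if (Test-Path $PointAndPrintKey) {
            $current = (Get-ItemProperty -Path $PointAndPrintKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        # Absent (null) or 0 is the secure state; any other value is the insecure
        # configuration the patch does not protect against.
        $secure = ($null -eq $current) -or ($current -eq 0)
        if (-not $secure -and $Fix) {
            Set-ItemProperty -Path $PointAndPrintKey -Name $name -Value 0 -Type DWord
            $current = 0
            $secure = $true
        }
        $results += [pscustomobject]@{ Value = $name; Current = $current; Secure = $secure }
    }
    return $results
}

# Report the Print Spooler service state. Stopping and disabling it on servers that never print
# (domain controllers especially) is the mitigation for hosts that cannot take the patch yet.
function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'not present' }
    return "$($svc.Status) (StartType: $($svc.StartType))"
}

Test-PointAndPrintHardening | Format-Table -AutoSize
"Print Spooler: $(Get-SpoolerState)"
```

Run it without -Fix first and feed the table into whatever inventory you keep of patched hosts; a row with Secure = False means Group Policy or a local change has set the insecure value and the patch alone is not protecting that machine. Because these values are normally pushed by Group Policy, fix the policy object rather than the local registry, or the next refresh will undo the -Fix.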
Coming out of the pandemic, workplace conversations are shifting to office reopenings,
who's coming back and how often.
And many employees report they like the flexibility of working from home and having more control over their schedules.
The folks at Unisys recently published results from their latest Digital Workplace Insights report, which looks into these issues.
Leon Gilbert is Senior Vice President and General Manager of Digital Workplace Services at Unisys, and he joins us with their findings.
The creation of the report really came from where is the world going post-COVID? We all knew that eventually the vaccine would come along,
and we wanted to sponsor this report to say, okay, where's the world going to go with regards to work? What are people going to do after the vaccine is complete and people start to think
about what does work look like going forward? So that was our rationale for thinking about, you know, let's
some disconnects between what the employees are
saying are important to them and what the business leaders are saying are important to them, or at
least how they're coming at some of these questions. Can you take us through some of those things that
you found? Yeah, no, I think it's a very valid question. I think you look at some of those
responses where you see the business leader says one thing and the employee says something else.
But I think there are some as well, Dave, where I would say there's a correlation.
But there are absolutely some where, if I take, for example, one of them where I think 51% of business leaders but 64% of employees agree that a work location schedule is most conducive to
family life and an ideal experience, right? But, you know, it's only 50% of those business leaders,
but 64% of the employees. So there is definitely a gap there. I think if I think about this
on a more holistic basis, I think the race for talent in this global economy is huge
and business leaders really need to start to really understand what their employees are
looking for and what benefits and that actually benefits them. It's no longer just a monetary
discussion in my mind. I was reading something yesterday that said that I think people, even with a $30,000 salary increase, they would rather
actually work from home than actually get the monetary increase, which I found astounding when
I sat back and thought about it. But actually, it's true. I think people have found that they
haven't skipped a beat since
they've actually been at home, which has been hugely beneficial for companies. And I think
it's opened a lot of people's eyes out, but there is still some thought process there that people
have to be in the office. For me, Dave, I think it is a mix, right? You're going to get what I
would term a hybrid, where you have some in the office,
some at home,
and you maybe do two days on, three days off.
And I think that also benefits
both employee and employer.
And I think that's where I see this industry,
I see the economy and the kind of world going.
Yes, for sure, Dave, you're going to get some companies where it's five days a week back in the office, thinking about banking, financial institutions.
But others, right, I think will be a lot more flexible and they should be if they want to retain and attract the talent.
interesting to me where you focused on communications between employers and the business leaders and how both of them value communication. But it seemed like the leaders
were having a little more challenge with communication than some of the employees were.
Yeah, I think with the advent of what we would term the collaboration and communications tools,
let's just take Zoom as an example, right?
Zoom isn't just about talking to your grandmother
and doing fitness classes, right?
To me, it's the way that people have learned to communicate
through this pandemic.
But I think it's the way that people will start to, primarily, will communicate going
forward, whether it's Zoom or other platforms, Teams, for example. But to me and to us as an
organization, what is crucial is that companies need to start thinking about what is that experience,
right? What is that, you know, the two people aren't left in a disparity, right? We want digital parity,
but we also want experience parity. I think that was one thing that we saw during the research is,
you know, and what's important to us is around the experience parity, and whether you're in an
office, whether you're at home, that you are, you know, you have that same experience of those tools and how you start to, you don't want it where
if you're in the office, it doesn't work as well as at home.
One thing we have to remember, Dave,
when people start to go back to the office
and start to use these tools,
many offices weren't built for 200 people
suddenly on video, right?
So their network isn't necessarily strong enough,
if you think about that.
So companies are going to have to start thinking about
their bandwidth, how do they measure that,
and does that cause a disparity between those
who are actually at home versus those who are in the office?
So there's lots of factors in this new hybrid world.
That's Leon Gilbert from Unisys.
There's a lot more to this conversation.
If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects,
where you get access to this and many more extended interviews.
And joining me once again is Andrea Little Limbago.
She is Vice President of Research and Analysis at Interos.
Andrea, it's always great to have you back. I want to check in with you today on,
I think, what we can perceive as being a growing trend of government access to data and this whole
notion of do governments need back doors or not. What can you share with us today?
Yeah, I just completed a study looking at the country level, what governments are doing
in the area of mandating government access to data. And so you can think about on the one hand, we hear an awful lot every single day
about governments hacking into other systems and going in illegally. But for across the globe,
we're really starting to see a growing trend of governments basically putting within their
cybersecurity and internet laws the mandate that they can access data when they want to.
And it ranges, and there's a whole spectrum of, you know, from very well codified rule of law,
we need to have access, we need to show a warrant, and then we want to have access
within very discrete circumstances, to basically, you know, non-transparent. If a government comes
to a company that is based in that country and says,
we need this data, you are required by law to turn it over. And so it has huge private sector implications. And that's one of the aspects that I really wanted to look at was, as the private
sector is starting to think about where they're located across the globe in different ways than
they used to previously, looking at how the regulatory frameworks of those countries
should impact those decisions. And I look at this as yet another cyber risk when thinking about your global footprint.
So it is something that is growing with more and more countries starting to require that kind of access.
And to be clear here, I mean, we're talking about democracies, right?
I mean, different democracies are treating this in different ways.
So it's across the board.
So on the one hand, you have democracies that are not at all allowing a lot of this.
Or if they do, it's a scalpel, very transparent.
All the way over to China has their law.
It actually was interesting that the U.S. National Counterintelligence and Security Center actually tweeted about China's laws on, if you are a company and you're based in China,
here's some legal frameworks you need to be aware of as far as their security laws require access to that data.
And so I think it's actually interesting that we have counterintelligence aspects of our
government warning about other countries' laws and access to it.
But those are kind of the extremes.
But within the last few days, Mauritius,
which is a fairly solid democracy,
if you look at like on Freedom House
and other kinds of democracy scales,
they're a pretty solid democracy.
And they just announced that they're exploring,
basically putting a certificate on all the laptops
to do sort of like a man in the middle
kind of access to encrypted data and decrypting it
and having just complete access across the board
if they want to.
Where is this?
In Mauritius.
Wow.
So that's one of the ones that kind of,
like to me, is a striking outlier
because it is a fairly solid democracy,
but then it's taking in these tools
of the authoritarian playbook.
And that's what we see more and more.
We see these tools being brought in.
India is another good example
where you have sort of this push towards greater data protection,
but at the same time, internet blackouts, more surveillance going on,
and greater concerns about those kinds of information access and control.
And so it's really something to absolutely keep an eye on.
When we talk about the regulatory frameworks that are going on,
we often think about data privacy laws,
and that's great.
Those are absolutely something that for companies
and governments to be aware of.
But sort of the reverse is there, true,
where under the auspices of greater security,
national security, and so forth,
you may have to turn over your data.
And it's not just your data.
It's not just asking here and there
perhaps for social media access
and passwords and so forth.
At times, it's source code.
That's the end.
Russia has the source code requirement.
And so companies have had to do that.
And so it diffuses across the globe.
And I think that's probably one of the more troubling aspects of it is that these models and these tactics don't just stay within the core.
You think about China, Russia, North Korea, and Iran.
But those tactics really are starting to get adopted elsewhere.
I mean, Vietnam has a very strict cybersecurity law
they passed in 2019 for much larger surveillance,
forcing governments and companies to comply
with data access when approached.
Kazakhstan, Uzbekistan, it's a growing number
that are really starting to apply a whole range of tools. Some of you know, some of it's for censorship and some of it is for
greater surveillance. But at the end of the day, for private companies that are, you know,
doing business in that, those parts of the world, it's just another risk they need to be aware of.
Right. How much of this, you know, for a global company who has, you know, their hand in businesses
around the world, how much of this is based on geography and how much of this is based on sort of citizenship?
GDPR famously reaches out to European citizens regardless of where they are.
Yep.
Yeah, I know.
It's a good question.
For a lot of these ideas, it's within their own territory only.
And so that's where you sort of the notion of digital sovereignty or cyber sovereignty,
where the governments want to have the control of that information within their own borders.
What we're seeing, though, and this is recently, we'll see what happens with China and their companies.
They're forbidding as well now their foreign companies for turning over data abroad.
And so it's almost the reverse going on too now.
So at the end of the day,
it's for control. And so for GDPR, it's protecting their citizens. So it's the flip side of it.
For some of these other countries, it's really just complete information control as far as they possibly can, but with a focus really on their own, within their own domestic borders. And then
that's the argument. And the concern really is not only that it's going on there
and that other countries may adopt that kind of model,
but there's also, these countries are also taking
and having bigger power in some international organizations
that shape the standards and norms.
And so you see, when you hear about the push for cyber sovereignty
at the UN, for example, it's for pushing for more of these kind of norms
that allow governments to do whatever they want within their borders,
have complete access and so forth, all in the auspices of sovereignty, when really it's for controlling the narrative and controlling the information.
And if those are the kind of norms and laws that are, you know, the policies that start getting passed at the IGOs, that also becomes troublesome.
Yeah, I'm imagining an extreme situation where we start seeing data centers being installed in embassies.
Well, I mean, that's a big issue, where the data centers are, right?
I mean, it absolutely has huge implications for the data centers,
especially when you start thinking about some of the data localization requirements
and the local data storage.
But yeah, where the data centers are,
I think that's also going to be a big component
as far as starting to think about where your risks are
and knowing where your data is even flowing through
and what kind of access there is in those areas.
All right, well, Andrea Little Limbago,
thanks for joining us.
All right, thanks, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
If you need some companionship while you're puttering around the house this weekend,
check out Research Saturday.
My conversation with Daniel Kats from NortonLifeLock will be discussing their research on
encrypted chat apps doubling as illegal marketplaces.
That's Research Saturday.
Check it out.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Justin Sabie, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.