CyberWire Daily - Kaseya works on patching VSA as Washington mulls retaliation and Moscow says it has nothing to do with it. Microsoft patches PrintNightmare. The Lazarus Group is back.
Episode Date: July 7, 2021

Kaseya continues to work on patching its VSA products. The US mulls retaliation for the Kaseya ransomware campaign, as well as for Cozy Bear's attempt on the Republican National Committee and Fancy Bear's brute-forcing efforts. (Russia denies any wrongdoing.) Current events phishbait. Microsoft patches PrintNightmare. Joe Carrigan looks at recent updates to Google's Scorecards tool. Our guest Umesh Sachdev of Uniphore describes his entrepreneurial journey. And the Lazarus Group is back, phishing for defense workers. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/129 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code n2k.
Kaseya continues to work on patching its VSA products.
The U.S. mulls retaliation for the Kaseya ransomware campaign,
as well as for Cozy Bear's attempt on the Republican National Committee
and Fancy Bear's brute forcing efforts.
Russia denies any wrongdoing.
Current events phishbait.
Microsoft patches PrintNightmare.
Joe Carrigan looks at recent updates to Google's Scorecards tool.
Our guest is Umesh Sachdev of Uniphore, describing his entrepreneurial journey.
And the Lazarus Group is back, phishing for defense workers.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 7th, 2021.
We begin with updates on the Kaseya ransomware incident.
Kaseya had expected that it would be able to patch and restore its VSA software-as-a-service product by today,
but technical problems its developers encountered have blocked the rollout.
As of 8 a.m. ET today, the company was still working to resolve the issues it encountered.
By the time of today's noon update, Kaseya reported having made some progress.
With respect to the VSA on-premises product, Kaseya said, "We will be publishing a runbook of the changes to make to on-premises environments
by 3 p.m. U.S. Eastern Time today so customers can prepare for the patch release."
The company promises an update on the VSA on-premises fix by 5 p.m. EDT today. As far as updating the VSA software-as-a-service product,
the company pushed the anticipated availability of a patch until tomorrow. Kaseya said,
"During the VSA SaaS deployment, an issue was discovered that has blocked the
release. We are resolving the issue that is related to our SaaS infrastructure, and we plan
on beginning to restore SaaS services no later than the evening of Thursday, July 8th, U.S. time."
Reuters quotes U.S. President Biden as offering yesterday a relatively upbeat preliminary assessment of the consequences of the ransomware campaign.
Mr. Biden said, quote, It appears to have caused minimal damage to U.S. businesses, but we're still gathering information.
I feel good about our ability to be able to respond, end quote.
That said, the U.S. government is continuing its investigation and is signaling an intention to do something about REvil and other gangs or privateers.
Among other things, the U.S. administration said that it has communicated very clearly to Russian authorities
that the U.S. wants the REvil operators brought to book.
CBS News reported yesterday that White House Press Secretary Psaki said
the U.S. had been in touch with Russian officials about the REvil operation and that if Russia
doesn't take action against its ransomware gangs, quote, we will, unquote. TASS is, of course,
authorized to disclose that Russia not only had nothing to do with the attack and that it knew
nothing about it and that, in fact, Moscow had heard nothing from Washington about the matter.
So either the messages crossed one another, or someone's telling a diplomatic whopper.
The smart money's on the whopper.
The Kremlin usually maintains it doesn't know anything and would like to see your evidence.
The ransomware attack, coming as it did so soon after
cybersecurity figured prominently in the Russo-American summit, has placed the U.S.
administration under pressure to devise some effective retaliation that might deter such
attacks. The Washington Post reports a growing sense that the U.S. must either win some public
concessions from Russia quickly or punch back hard.
Fortune asks why major cyberattacks tend to happen around holidays and gives the obvious answer.
Around holidays, people's minds tend to be elsewhere, people's bodies on vacation.
The U.S. Republican National Committee said yesterday
that one of its contractors had been breached by APT29.
That's Cozy Bear, Russia's SVR, and the same outfit responsible for the initial compromise
of the RNC's rival Democratic National Committee during the 2016 elections.
The Hill reports that Synnex was the vendor breached and that the intrusion was accomplished
through a cloud service.
Bloomberg says there was no serious compromise of data and that the incident was quickly contained.
The Kremlin, in this case, also says it didn't do nothing. Nothing, they tell you. Bloomberg quotes Russia's official spokesman Dmitry Peskov as saying, quote, we can only repeat that whatever
happened, and we don't know specifically what took place here, this had no connection to official Moscow, end quote. Russian official
denials of involvement aside, the New York Times contends that the cyber espionage attempt against
the RNC places President Biden under more pressure to develop some effective public response to
Russian activities in cyberspace.
The Washington Post quotes an unnamed senior U.S. official as saying, "No one thing is going to work alone. We're pushing everybody on all of these angles,
whether it involves building resilience, using diplomacy, or disrupting networks.
And because we believe only together, we will significantly impact this threat."
Some significant portion of any response seems likely to be economic in nature.
Dmitry Alperovitch, chairman of the Silverado Policy Accelerator, and Matthew Rojansky, director of the Wilson Center's Kennan Institute,
published an op-ed in the Washington Post yesterday in which they called for an ultimatum
and were clear in what they recommended the "else" should be in "or else," quote,
before such devastating ransomware attacks become a routine occurrence,
President Biden must deliver a quiet but forceful demand.
Russian President Vladimir Putin must put an immediate stop to this activity
or Washington will tighten the squeeze of sanctions
on the Russian economy, end quote. APT28, that's Fancy Bear, Russia's GRU, also remains active.
Threatpost offers an account of Fancy Bear's ongoing brute force and password spraying campaign
against Western targets, another campaign of which Moscow knows nothing.
Nothing, they tell you. Crisis draws opportunists, and the Kaseya ransomware incident
appears to be no different in that respect. Malwarebytes notes that references to the
Kaseya incident have begun appearing as phishbait in social engineering schemes,
usually emails offering malicious
links or attachments. The subjects suggest an offer of advice, warning, or counsel in the matter
of the Kaseya exploit. Jerome Segura, director of threat intelligence at Malwarebytes, told us in
an email exchange that, quote, threat actors often use opportunistic themes in their campaigns, and we believe this is the case here.
This Kaseya fake update is a Cobalt Strike payload, and interestingly, hosted on the same IP address used for another campaign pushing Dridex.
In the past, we've seen the same threat actor behind Dridex use Cobalt Strike, end quote.
Treat such emails with the same caution you'd apply to notices of automatic renewals of services you don't remember signing up for,
or appeals for your cooperation from the widow of the late Prince What's-His-Name,
formerly Minister of Oil or something out in Nigeria.
Microsoft has released out-of-band patches for the PrintNightmare vulnerability,
so take a look and consider applying them if they affect your systems.
And finally, North Korean intelligence services haven't left the cyber espionage game.
AT&T Alien Labs describes the Lazarus Group's latest campaign,
which involves phishing for employees of defense contractors,
notably by impersonating Airbus, General Motors, and Rheinmetall. There is, according to Alien Labs,
a high emphasis on renaming system utilities certutil and explorer to obfuscate the
adversary's activities. Their report adds, quote, the documents attempted to impersonate
new defense contractors and
engineering companies like Airbus, General Motors, and Rheinmetall. All of these documents contain
macro malware, which has been developed and improved during the course of this campaign
and from one target to another. The core techniques for the three malicious documents are the same,
but the attackers attempted to reduce the potential detections
and increase the faculties of the macros.
So, Pyongyang has still got game.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Our particular industry vertical is full of stories of hungry entrepreneurs,
folks who believe they've come up with a product or service worth sharing with the rest of the world,
with the dream of building a lucrative business or an impactful nonprofit along the way.
Umesh Sachdev is one such entrepreneur, currently CEO and co-founder of Uniphore,
an enterprise AI and SaaS provider that recently announced $140 million in funding.
He shares his insights on his entrepreneurial journey.
Having been now an entrepreneur for over 20 years,
in hindsight, there are a few things that are really important.
First, having a very solid product market fit,
having a strong validation from the market, from the customers,
that the problem that you're really trying to solve is indeed a large enough problem and one that's actually worth
solving. But also more importantly, as I've now realized, because I now mentor other early-stage
founders, et cetera, the stage of life when somebody takes the plunge is a very,
very important variable, which can have a big impact on chances of success.
And I've found that there are three stages of life which increase the chance of success
tremendously for somebody to become a founder. One is really early on, right at the end of the education period in our life, much like me and my
co-founder, because the phenomenon there is, first, there are fewer people dependent on the
founders economically. The founders have a much longer runway; they just have to support themselves and probably a few other folk.
The age there is also one of where you're still in the formative years of your ideas,
and there's a strong willingness to learn a lot of new things, and there's less to unlearn.
So that age is one where the chances of success are higher. The second phase in life, to me, is towards the
midlife. When somebody has spent, say, 20-25 years in the career, gained enough experience, climbed the
corporate ladder, seen scale, and probably even financially saved enough for when they take the
risk. If they do take the plunge, by this time, there's
potentially a small family or some other folks who are dependent financially on the founder.
And so it's important to know that you have a three or four-year runway for yourself,
for your family.
You've seen the scale, you've saved enough, and you're ready to take the plunge. Because it's all about minimizing distractions
when you're in the founding journey.
And then the third phase for me is
when you really run your first inning successfully,
you're ready to retire from your corporate innings and jobs
and whatever you're doing,
but you're still not ready to hang your boots.
You still have the energy or that itch
and at that late stage in life is the third big opportunity where chances of success are higher.
If you notice, across the three that I mentioned, the thing that's common is it's really about, have
you taken care of everything else so your chances of being distracted are minimized?
And if they are minimized,
you're likely to invest almost all of your energy
in building the business and building the startup
that you really want to build out.
Our thanks to Umesh Sachdev from Uniphore for joining us.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast.
Joe, great to have you back.
Hi, Dave.
Interesting story from the Hacker News website,
and this is about some new tools that Google is providing.
What's going on here, Joe?
So, Dave, no development, almost no development, gets done anymore without the incorporation of some open source project.
Yeah.
Right?
Yeah.
And this has actually been a problem in a number of breaches. I think we talked about one
that used a cloned repository from somebody and turned it malicious, and that got integrated into
some other breach. I can't remember exactly where that was.
Right, right.
And the folks who were using what they thought was that open source code
did not know that the problem had occurred.
Right, exactly.
Well, Google has a product called Scorecard,
which is available on GitHub,
and you can just download it and use it.
And what this tool does is it analyzes these repositories that you have.
And it develops a scorecard or a score for how risky the library is.
Now, this is a new version.
That's what this article is talking about.
And there are a number of improvements in the new edition or version of the software.
And they include checking repositories for contributions from malicious authors or from compromised accounts, which is pretty good
because that's how they're going to introduce backdoors
into these code repositories.
So imagine you have a system
that relies heavily on some network trafficking tool
that you're using
and somebody just inserts a backdoor
in that network trafficking tool.
Now you have a backdoor in your product
and that's bad.
They also have fuzzing. They also now do fuzzing, which is a way to test how good code is, right? Because a lot of times that's how buffer overflow vulnerabilities are found, is through fuzzing.
Oh, I see. So fuzzing puts a bit of a stress test on the code?
Right. Essentially, I'm going to put random data into the code and see what happens.
I see. Yep.
Also includes a new static analysis tool and looks for signs of continuous integration slash continuous deployment compromises.
Also looks for bad dependencies.
So if you have a dependency to a known bad product, then it'll let you know.
Interesting. So what part of the workflow would you work this into? In your estimation, what's the proper place to use a tool like this?
Anytime that you're doing configuration management and you've said, I'm going to use this library and we're going to use this version of this library,
then you should run, if you're going to use this tool, run the tool on that version of the library.
I see. I see. All right. Well, yeah, interesting development. New version of a free,
openly available tool that can help keep you out of trouble, right?
Yep.
All right.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Justin Sabe, Tim Nodar, Joe Carrigan,
Thanks for listening. We'll see you back here tomorrow.
Thank you.
also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.