CyberWire Daily - The Kaseya ransomware incident. Ransomware threats to industrial firms. Malicious Android apps stole Facebook credentials. The Tokyo Olympics and cyber risk.

Episode Date: July 6, 2021

Updates on the Kaseya ransomware incident, as REvil strikes again. Concerns about other ransomware attacks against industrial targets rise. Google expels credential-stealing apps from the Play Store. ...Online gamers draw various threat actors. Carole Theriault examines the elements that could put you in the crosshairs for ransomware. Ben Yelin has an update on the Facebook antitrust case. And the Tokyo Olympic Games will be on alert for cyberattacks. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/128 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Updates on the Kaseya ransomware incident as REvil strikes again. Concerns about other ransomware attacks against industrial targets rise. Google expels credential-stealing apps from the Play Store. Online gamers draw various threat actors.
Starting point is 00:02:16 Carole Theriault examines the elements that could put you in the crosshairs for ransomware. Ben Yelin has an update on the Facebook antitrust case. And the Tokyo Olympic Games will be on alert for cyber attacks. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 6, 2021. On Friday, Kaseya sustained a ransomware attack on its widely used VSA product. The attack, as it propagated through the managed service providers who use Kaseya VSA, has affected users worldwide. Huntress Labs warned on Friday that ransomware had been deployed through VSA on-premises servers beginning around 11 a.m.
Starting point is 00:03:19 Eastern Time. The attack was not, contrary to earlier speculation, a supply chain attack. Kaseya has ruled out any unauthorized alteration of its code base, which would be a supply chain attack in the narrowest sense of the term. Rather, it was a direct attack in which the attackers exploited a zero-day vulnerability, specifically CVE-2021-30116, that had been responsibly disclosed by the Dutch Institute for Vulnerability Disclosure and that Kaseya was in the process of fixing. How the attackers learned of the vulnerability is unknown. The effects of the attack have been worldwide, roughly tracking the MSP market penetration of VSA, with the US and Germany showing the highest rates of infestation.
Starting point is 00:04:08 Between 40 and 60 Kaseya customers are believed to have been directly affected, but since these tended to be MSPs, the ransomware in turn flowed to those customers' customers, whom it affected indiscriminately. The record this morning put the tally of affected organizations at more than 1,500. Reuters reports that victims include schools, small public sector bodies, travel and leisure organizations, credit unions, and accountants. Another Reuters update speculates that individual organizations' recovery could take weeks.
Starting point is 00:04:43 Early indications were that the ransomware was REvil, and subsequent ransom demands have seen the REvil gang, widely regarded as a Russian privateer and the same threat actor responsible for the recent high-profile attack on JBS Foods, claim credit, so we can regard that as a confirmation. After victims were initially quoted individual ransoms at varying rates, Bleeping Computer reports that the gang appears to have settled on its final offer, which would be $70 million in Bitcoin, for which it promises to release decryptors to all the victims, which suggests that they're looking for a collective payment.
Starting point is 00:05:25 Kaseya's Monday update said that, quote, the attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya's VSA codebase has been maliciously modified. This statement is the basis for not calling the incident a supply chain attack in the strictest sense. But the attack on Kaseya resembles supply chain attacks in certain important respects, particularly the way in which it represents a fourth-party risk.
Starting point is 00:06:05 The customers of Kaseya's MSP customers are particularly affected. Kaseya itself has been issuing regular situation updates since it disclosed the incident at 4 p.m. ET Friday. It learned of the attack when customers began reporting unusual behavior on endpoints managed by VSA and then saw ransomware being executed on those endpoints. The company yesterday posted the following summary advice on mitigation, quote, All on-premises VSA servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to
Starting point is 00:06:46 be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture. We have been advised by our outside experts that customers who experienced ransomware and receive communication from the attackers should not click on any links. They may be weaponized. End quote. Kaseya has brought in Mandiant to help with assistance and remediation. The U.S. Cybersecurity and Infrastructure Security Agency has urged users of the software to immediately shut down their servers and to follow the mitigation advice Kaseya has issued.
Starting point is 00:07:21 The FBI has seconded CISA and solicited information from victims of the attack. REvil claimed responsibility for the attack, and there's no reason to doubt them, and the obvious motive is money. The gang is looking for a $70 million payout, but the fluctuating ransom demands, which only settled on the final $70 million demand after a few days, are curious, as is the consolidation of the demands. Whom does REvil expect to pay? Kaseya? A government? That seems unlikely to happen. A consortium of MSPs? Any of these are possible. But the disruption the attack caused seems at least as significant as the financial damage.
Starting point is 00:08:07 If REvil is an example of what Cisco's Talos calls privateers, it's reasonable to look for some motive that would serve the sponsoring state's interests. In this case, Axios may be on to something. Quote, Coming just two weeks after President Biden's personal warning to Vladimir Putin during the Geneva summit, the attack looks like the Russians thumbing their nose at the tough talk, end quote. The U.S. has said it's investigating the incident, and there have been rumblings about retaliation if retaliation proves to be in order, but it's still early. While the attack propagated through Kaseya is the highest
Starting point is 00:08:47 profile ransomware incident currently in progress, ransomware gangs are showing a tendency to go after the still relatively soft targets that legacy industrial control systems present, ZDNet reports. Control Global observes that some such attacks may initially be difficult to recognize as such. Industrial concerns have also recently been the targets of more traditional ransomware, the sort that steals and encrypts sensitive data. Bleeping Computer reports that the chemical distributor Brenntag has disclosed that the DarkSide gang, during an April attack, obtained access to personal information that included social security number, date of birth, driver's license number, and select medical information.
Starting point is 00:09:33 Ars Technica reports that Google has expelled nine apps from its Play Store. They were all discovered by Dr.Web to be stealing Facebook credentials, and they were, in descending order of popularity, Pip Photo, Processing Photo, Rubbish Cleaner, InWell Fitness, Horoscope Daily, AppLockKeep, LocketMaster, Horoscope Pie, and AppLockManager. Google has also banned the apps' developers from its ecosystem.
Starting point is 00:10:03 Online gamers are proving increasingly attractive to threat actors, TechRadar reports, as criminals and others follow people's interests online. The more gamers, the more attacks. Sometimes the attacks come from within what, for lack of a better word, we must call the gaming community. One such actor has been defacing Apex Legends to complain about people cheating in Titanfall, The Record reports. And finally, as the Tokyo Olympic Games arrive, concerns about cyberattacks aimed at disrupting them rise, according to The Hill. What would the possible motivations be? Embarrassing Japan's government would be one of them. Tokyo has devoted considerable attention to securing the games since they were scheduled,
Starting point is 00:10:50 and reasons of geopolitics or the simple skid lulz would both be sufficient motivation for cyber attack. Nothing so far, but the authorities are on alert. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:11:48 and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak.
Starting point is 00:12:19 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Ransomware attacks generally fall into two categories. The somewhat random, opportunistic variety, where the attackers are scanning and spraying the internet for potential victims,
Starting point is 00:13:15 or the more targeted, deliberate kind. Our UK correspondent Carole Theriault ponders what it takes to find yourself in the ransomware crosshairs. Ah, ransomware. To pay or not to pay, that is the eternal question that our industry is being plagued with. On one side, it is clear that we should not pay. We should not be indulging malicious actors who elect to steal or lock up our data and refuse to give it back unless we part with money. Some argue, quite rightly, that if we pay, we're actually helping fund this illegal industry. But let's think of the flip side.
Starting point is 00:14:00 Say a ransomware attack is successful on a critical infrastructure, and this attack prevents you from providing that service. So, for example, a hospital, a health center, a government service. Suddenly, you are facing this situation of, if we pay, we can then provide services again to our residents. If we do not, they have to pay the price of our downtime. Of course, the second issue is, will they actually release the data that they've stolen or encrypted in exchange for the money that we pay? These are difficult, difficult issues that impact business continuity, customer service, brand reputation, and one I guarantee you every company would want to avoid.
Starting point is 00:14:53 So let's look at that. What are reasons that you might be targeted by ransomware? Maybe your software or devices are outdated and harboring vulnerabilities. Maybe the browsers or operating systems are no longer being patched on all systems. Maybe you don't have a backup plan or it's lapsed and you haven't checked it recently. Or maybe your staff are not properly cyber secure enough to spot scams and phishing attacks and social engineering attacks. We're seeing a ton of ransomware out there. It's no joke. So take the opportunity to make sure that your systems are secure, your people are informed and vigilant so that you don't have
Starting point is 00:15:41 to deal with this messy, unpleasant ransomware attack. This was Carole Theriault for the CyberWire. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:16:21 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat podcast. Hello, Ben. Hello, Dave. Interesting, I don't know, ruling came down, memo, whatever it was. You'll explain it to us regarding the thing about Facebook and the government going after them for antitrust.
Starting point is 00:17:12 Unpack it for us here, Ben. Sure. So this week, a federal judge in the District of Columbia dismissed two antitrust lawsuits, one brought by the Federal Trade Commission at the federal level, obviously, and another brought by 46 state attorneys general. So the allegations, there were kind of two separate allegations that were part of this case. The first is that Facebook tried to buy out their competitors when they purchased Instagram and WhatsApp in 2012 and 2014, respectively, and that action violated our antitrust principles. And the other allegation is that Facebook controls more than 60%,
Starting point is 00:17:54 and that's sort of the magic threshold of the social networking market and therefore makes it liable under our antitrust statutes, particularly the Sherman Act, to be broken up as a monopoly. What the judge here is saying is that the FTC in particular didn't properly allege with the required specificity that Facebook really does control 60% of that market. And the reason is it doesn't really properly define exactly what that market is. What counts as social networking? Is it, you know, the peer-to-peer interactions on Facebook? Is it the news feed? Is it the messaging? Because that definition is so nebulous and so hard to define, you know, a judge isn't going to
Starting point is 00:18:38 proceed with the case until they're sure that the FTC has met that threshold. And the judge here is saying that they haven't met it, that they're frankly not even really close to having properly defined what that function is. So the judge can't make a determination whether Facebook has a monopoly because they don't have a full understanding of what the market is. So the judge has punted the case back to the FTC as it relates to that federal case, telling them that they have 30 days to amend their complaint and include more specificity as to why they think Facebook has a monopoly, why there is a valid antitrust case here. How can you properly define that social networking market? I think that's going to be
Starting point is 00:19:25 very difficult for the FTC to do, not just because it's a short timeline, a 30-day timeline, but in general, it's just really difficult to define what makes up social networking for the purposes of this antitrust suit. I think this is a big win for Facebook. They seem very pleased with the decision. They have said that they are competing with their rivals in the industry, including up-and-coming players like TikTok, to win the support of consumers. That there are lots of places on the internet for you to do some of the things that you do on Facebook,
Starting point is 00:20:02 to try and post a viral video. You do have choices. And I think Facebook has made that argument. They've made it reasonably. And at least for now, a federal judge has been convinced that there isn't enough evidence to this point that there's an antitrust violation. I wonder if, for example, if you looked at Facebook's own marketing messages, you know, the messages that they put out to potential advertisers who want to take advantage of their ad tech, seems to me like that would be the place where Facebook would define it themselves, where they'd say, you know,
Starting point is 00:20:36 here at Facebook, we have, you know, 75% of the eyeballs and engagement is 80% of, you know, and people spend two times as much time on Facebook as they do on Twitter. And obviously I'm making all that up, but does any of that come into play? It seems to me like we're, or are the companies being intentionally fuzzy themselves in not wanting to define these things?
Starting point is 00:21:01 Well, I mean, I think they probably change their messaging depending on who they're talking to. I think of their legal pleadings and filings, you know, they might say that they actually don't have a market corner. But for the purposes of advertising, and obviously, you know, you have to be careful here because you can't commit fraud. But for the purposes of advertising, you might make a claim that, you know, we have 80% of the eyeballs on this type of video platform, etc. But just because you have a large portion of the audience, just because you have a market share,
Starting point is 00:21:34 doesn't per se mean that it's a violation of antitrust principles. And that's what the judge is saying here, that yes, Facebook makes a lot of money. They have a lot of customers, billions of them. But what exactly is the monopoly that they have here? What do they have a monopoly on? And that's something that the FTC was given the opportunity to explain, and they just were not able to properly explain it. So you can't just simply say, well, Facebook is big. There's no other entity like Facebook. Therefore, you have an antitrust violation. You have to really define, you know,
Starting point is 00:22:11 is Facebook, you know, completely cornering the market on X, on video sharing, on messaging, on, you know, news feeds. And separately from the issue of whether they've tried to buy out some of their competitors, which is an issue in this case, it does seem like in each of those areas there is proper competition out there, especially as we've seen a proliferation of other social networks that serve similar but distinct purposes. So that's why I'm skeptical that even if the FTC is able to come up with a revised complaint, they're going to be able to succeed. And remember, we're not even yet at the merits of the antitrust claim. This is a dismissal of the case in its entirety because the judge is saying the FTC didn't come up with a legally recognizable claim without properly defining what the market is
Starting point is 00:23:06 for the purpose of antitrust here. Wow. All right. Well, we will watch this one as it plays out. Ben Yelin, thanks for joining us. Thank you. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:23:41 Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, huh? I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed, and check out the Recorded Future podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely
Starting point is 00:24:00 cybersecurity topics. That's at recordedfuture.com slash podcast. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building
Starting point is 00:24:11 the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar,
Starting point is 00:24:21 Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard. Thanks for listening. We'll see you back here tomorrow. Thank you. Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:25:23 Learn more at ai.domo.com. That's ai.domo.com.
