CyberWire Daily - The source of Kaseya’s REvil key remains unknown. Cyber incident disrupts port operations at Cape Town and Durban. Updates on the Pegasus Project. And a guilty plea in a swatting case.
Episode Date: July 26, 2021. Kaseya isn't saying where it got its REvil decryptor. Transportation services disrupted at two major South African ports by an unspecified cyber incident. Another company is mentioned as an alleged source of abused intercept tools as the controversy over NSO Group's Pegasus software continues. Johannes Ullrich from SANS on supply chains, development tools and insecure libraries. Our own Rick Howard looks at enterprise encryption. And a guilty plea gets a swatter five years: he got off easy. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/142
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Kaseya isn't saying where it got its REvil decryptor.
Transportation services are disrupted at two major South African ports by an unspecified cyber incident.
Another company is mentioned as an alleged source of abused intercept tools
as the controversy over NSO Group's Pegasus software continues.
Johannes Ullrich from SANS on supply chains, development tools, and insecure libraries.
Our own Rick Howard looks at enterprise encryption. And a guilty plea gets a swatter five years.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday,
July 26, 2021.
Kaseya continues its recovery from the REvil ransomware attack mounted against its VSA product.
The company's most recent update on the incident came out Friday afternoon and simply said that Kaseya was supplying the key
and helping customers decrypt files affected by the attack.
It's brief enough to quote in full,
quote, Kaseya's incident response team, assisted by Emsisoft,
continues to provide our customers with a decryption key
and help them to restore any encrypted data that was not previously restored from backup.
We have no reports of problems or issues with the decryptor, end quote. Where Kaseya got the
decryptor for REvil remains unclear. CNN reports that Kaseya is requiring businesses
that want to receive the key to sign a non-disclosure agreement before the decryptor is released to them.
Emsisoft, working with Kaseya, says that they verified that the key works as promised,
but it's not disclosing the key's origin either.
The NDA and Kaseya's declining to comment on where the key came from
has driven speculation that they paid the ransom,
although how that was accomplished with the REvil gang apparently on the lam isn't clear either.
But there are any number of possibilities.
There's some other private channel to the gang.
The key was developed by a private company.
The key was provided by a government that doesn't wish to compromise sources or methods and so on.
At this point,
speculation about a ransom payment remains just that, speculation.
At one o'clock this afternoon, Kaseya issued another update, apparently prompted by such speculation, in which they categorically deny paying ransom. Quote, Kaseya has maintained our
focus on assisting our customers, and when Kaseya obtained
the decryptor last week, we moved as quickly as possible to safely use the decryptor to help our
customers recover their encrypted data. Recent reports have suggested that our continued silence
on whether Kaseya paid the ransom may encourage additional ransomware attacks, but nothing could
be further from our goal. While each company must make its own decision
on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with
the criminals who perpetrated this attack, and we have not wavered from that commitment. As such,
we are confirming in no uncertain terms that Kaseya did not pay a ransom, either directly or
indirectly through a third party to obtain the decryptor, end quote.
The Daily Beast's Shannon Vavra tracks Kaseya's various statements about the source of the
decryptor, and there's still no clear account. It's worth noting, as ThreatPost does, that
decrypting one's locked files, a good thing in itself, still leaves open the possibility that
REvil could sell, publish,
or otherwise abuse data stolen over the course of the attack.
The South African ports of Cape Town and Durban last Thursday disclosed that operations had been
disrupted by an unspecified cyber attack, Reuters reports. According to IOL, the disruptions appear to be connected to problems at Johannesburg-based
and state-owned intermodal transport company Transnet, with road transportation to the port
of Durban also seeing the effects of the attack. Splash247 says that Transnet has identified and
isolated the source of the incident, but that it's released no details of the cyberattack itself.
Services are resuming manually,
with priority going to refrigerated containers.
Last week, it had been reported that French authorities
had opened an investigation into a cyberespionage operation
conducted against French targets by Moroccan intelligence services
using NSO Group's Pegasus intercept tool.
Morocco World News has since claimed that this didn't happen.
Neither the tool nor the intelligence service is right.
French President Macron was not spied on by Moroccan intelligence services using NSO's Pegasus,
but rather by other unknown parties using tools delivered by the UAE-based company DarkMatter.
The Guardian quotes WhatsApp CEO Will Cathcart as saying that a 2019 campaign
that sought to surveil some 1,400 users of the messaging app
bore similarities to the intrusions Project Pegasus has reported.
Among those targeted were, he says,
senior government and security officials,
many of them in countries that are allied with the U.S.
WhatsApp is currently engaged in a lawsuit
against NSO Group over the incident.
The Pegasus project, of course,
is the cooperative journalistic investigation into NSO Group.
Amnesty International on Friday added to the material published
in connection with the investigation,
publishing more criticism of NSO Group's alleged role
as a key enabler of surveillance by repressive regimes.
Amnesty, while a long-standing critic of NSO Group,
would seek to generalize the issue to cover intercept tools in general.
The group's Friday report said, quote, Amnesty International is calling for an immediate
moratorium on the export, sale, transfer, and use of surveillance technology until there
is a human rights compliant regulatory framework in place.
NSO Group is licensed to export Pegasus software by the Israeli Ministry of Defense.
Amnesty International is calling on the Israeli government to revoke existing export licenses to NSO Group,
given the risk its spyware could be used for human rights violations.
In addition, NSO Group should immediately shut down client systems where there is credible evidence of misuse.
The organization, this is Amnesty, is also calling on the company to publish a human rights compliant transparency report
that discloses incidents of misuse of their products, destination countries,
contracts, and other information necessary to fully investigate
the possible occurrence of human rights abuses linked to their business, end quote.
NSO Group continues to deny that it acted improperly in selling any of its tools.
The sales were all correctly vetted, the company says, and if there was subsequent abuse,
that's the fault of the government customers, not NSO Group.
The CEO of NSO told Israel Hayom that either Qatar or the BDS movement,
the Boycott, Divest, Sanction movement that advocates isolating Israel in the interest of the Palestinian cause, or possibly both, is the hidden hand guiding Project Pegasus.
The hidden hand of slander, government abuse, or corporate misconduct,
whatever the case may be, controlling the sale and abuse of intercept
tools is a difficult proposition. And finally, the dangerous and loathsome practice of swatting
that claimed another victim in 2020 has resulted in one guilty plea. The Washington Post reports
that Mr. Shane Sonderman, age 20, of Lauderdale County, Tennessee, was sentenced last week in Memphis federal court to five years in prison
after pleading guilty to one count of conspiracy.
In April of last year, police received a report that a 60-year-old man, Mark Herring,
had killed a woman and set up pipe bombs around his house,
which he would detonate if police showed up.
The police in Sumner County, Tennessee, did show up, guns drawn,
and ordered Herring to come out with his hands in sight.
Herring did so, but collapsed and subsequently died of a massive heart attack,
probably brought on by the stress of the raid.
The pettiness of the swatter's grievance is beyond belief.
Mr. Sonderman was a collector of desirable social media handles,
which he resold, and he wanted the @Tennessee handle
that Herring, a fan of the University of Tennessee's sports teams,
had created and used.
Herring didn't surrender the handle,
so Mr. Sonderman quickly escalated within a few hours to swatting.
Mr. Sonderman and his co-conspirator, an unnamed British minor,
had done similar things to at least five other people.
Their persuasion included having unordered cash-only pizza delivered to their marks,
placing phone calls and texts, falsely reporting fires,
threatening to kill family members, and so on.
The five years Mr. Sonderman received seems a bargain.
His attorney says that Mr. Sonderman is young, at the beginning of his life, and that he
fell into bad chat company in Discord and online gaming sites, and that these became for him a royal
road to crime. So it seems another case of the strange, savage disinhibition
the virtual world works on too many of those who frequent it.
For what it's worth, his lawyer says,
Mr. Sonderman regrets what happened.
Sincerely, for what it's worth.
Mark Herring is survived by three children and six grandchildren.
And it is always a pleasure to welcome back to the show our own Rick Howard, host of the CSO Perspectives podcast, also our Chief Security Officer and Chief Analyst. Rick, welcome back.
Thanks, Dave.
So you just kicked off season six of your CSO Perspectives podcast. What is the general theme you're following for this season?
So for this season, we're going back to our cybersecurity first principle wall and filling in some of the blank spots.
You know, Dave, in past seasons, we did deep dives on two key strategies, intrusion, kill chain prevention, and zero trust.
But we hadn't yet gone too deep on another key and essential strategy
called resilience. Now, I remember you did do an episode on resilience back in season one. So,
let's just do a quick refresher here. What exactly are we talking about with resilience?
Yeah, you're right. So, in season one, episode nine, we introduced the concept of resiliency.
And by the way, we made the entire season one of CSO Perspectives available
on the ad supported side for anybody who wants to check it out.
But in that episode,
I put forth a resilience definition that I liked,
coined by two Stockholm University researchers,
Janis Stirna and Jelena Zdravkovic.
How about that for a pronunciation?
Anyway.
They probably have a hard time saying our names.
I'm sure they do.
So they define resiliency as, I quote,
the ability to continuously deliver the intended outcome despite adverse cyber events, unquote.
And one adverse cyber event that seems to be having a moment this year is ransomware.
And network defenders should
look to their resiliency strategy in order to reduce the probability that ransomware groups
will successfully extort us in the future. Yeah, well, you're certainly right about ransomware
having a moment. I mean, obviously, we had the big splashy attacks against Colonial Pipeline
and JBS Food, and I saw the NBA recently got hit.
I know, the NBA, come on.
Yeah, if only they had resources, right? And we had the latest one against Kaseya.
And of course, that's just the tip of the iceberg there. Now, back to resilience. I mean,
can we use resiliency as the strategy to defeat things like ransomware?
What sort of tactics are you advocating to support that notion? So in order to have any chance here,
you have to get two, count them, two non-sexy resiliency basics right, okay? And it's encryption
and backups. And both sound easy when you say them fast, but it turns out it's very difficult to deploy them in any robust manner.
So in last week's episode, I talked about the state of encryption for the cybersecurity industry.
And in this week's episode, I talked to two of our subject matter experts at the Cyber Wire hash table to see how they approach the problem.
Wayne Moore, the CISO of a company called Simply Business, one of the UK's largest insurance providers to micro-businesses and landlords.
And Don Welch, the Penn State University's interim VP for IT and CIO.
All right. Well, we'll look forward to hearing all about that.
That is CSO Perspectives.
It is part of CyberWire Pro, and you can find out all about it over on our website, thecyberwire.com.
Rick Howard, thanks for joining us.
Thank you, sir.
And joining me once again is Johannes Ullrich.
He's the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast.
Johannes, it is always great to have you back.
I wanted to touch today on supply chain issues.
This has certainly been a hot topic in the news lately.
You got some specific things you wanted to touch on today.
Yeah. Now, we always talked about, when we talk about supply chains, these insecure libraries
that we all love to install and write duct tape around it to create software.
What I'm going to talk about is not those libraries themselves, but the tools
that we use to manage those libraries. Whatever programming language you use, it has some tool
that will automatically download dependencies because, well, you know, when you install a
library, you probably need like another dozen or so libraries that support that library. But in
nature of what these tools are doing, they often do execute code that they
receive with those libraries. So now essentially you allow the site that you download those
libraries for to execute code on the developer's machines. And that part has sort of gotten a
little bit more attention lately in a good and bad way. In a good way in that people are looking at it closer.
In a bad way, well, once they start looking,
they actually find problems with how libraries or how these tools are doing this.
Most lately, PHP, of all things. PHP has this Composer tool,
which basically is the PHP way of managing your packages.
And when it downloads code, the site that actually tells you where to find those libraries will provide you with a URL.
And then it just appends those URLs to Git or whatever tool it uses to download these libraries.
Well, it didn't correctly sanitize those URLs.
So now you're able to add additional command line parameters to Git, which can then be used to
execute arbitrary code. So this could, first of all, be used to compromise developer machines.
In the case of PHP, it could also be used to compromise the sites
that you're using to manage libraries. So Packagist, that's like the big repository for PHP,
I believe something like 1.4 billion downloads every month. It runs Composer. It runs the tool
to download code. So you could compromise that library and get that famous snowball effect
we have seen with some of these supply chain attacks where,
hey, I'm attacking one developer, I'm using that to attack more developers,
and all of a sudden I have a compromise that's spinning out of control.
Is there something that can be done here in terms of a chain of custody?
Dare I say, a blockchain of custody?
Well, who do you allow into this blockchain of custody?
That's part of the supply chain problem of provenance.
Do we know where the library came from?
But the great thing about,
the reason why some of these open source projects flourish
is there's a very low bar of entry
to actually get into that ecosystem.
And Apple has attempted some of that with its certificates,
but of course $100 gets you an Apple developer certificate.
That's maybe a high bar of entry for a hobbyist developer,
but not a high bar at all for a criminal that wants to steal your crypto coins.
Right. Is there a potential solution on the horizon here, or what sort of things do you recommend?
Well, I think really keep looking for flaws in these tools. That's, I think, the number one
issue we can do to secure the tools themselves.
Maybe make them a little bit more transparent to the developer that manages libraries to really see what they're doing, what code they're executing as part of installing those libraries.
That may help.
But I think for now, just let's try and get the obvious flaws out of the way before bad guys start exploiting them.
And then, as always, where you manage libraries like this, so internal mirrors or suchlike of any repositories that you're building, that's your crown jewel as a developer.
So add additional layers of security to them.
Check if they all of a sudden start exfiltrating credentials or what sites they're connected to.
All right. Well, good information as always.
Johannes Ullrich, thanks for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Trey Hester, Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.