By the CyberWire staff
REvil exploits Kaseya vulnerability to deliver ransomware.
Last Friday Kaseya sustained an attack by REvil ransomware operators on its widely used VSA remote management product. Huntress Labs warned that ransomware had been deployed through VSA on-premises servers beginning around 11:00 AM EDT. It was a direct attack in which the attackers exploited a zero-day vulnerability (CVE-2021-30116) that had been responsibly disclosed by the Dutch Institute for Vulnerability Disclosure (DIVD) and that Kaseya was in the process of fixing. Huntress stated, "We are tracking ~30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was used to encrypt well over 1,000 businesses and are working in collaboration with many of them. All of these VSA servers are on-premises and Huntress has confirmed that cybercriminals have exploited an arbitrary file upload and code injection vulnerability and have high confidence an authentication bypass was used to gain access into these servers."
The effects of the attack have been worldwide, roughly tracking the MSP market penetration of VSA, with the US and Germany showing the highest rates of infestation. Around sixty Kaseya customers are believed to have been directly affected, but since these tended to be MSPs, the ransomware in turn flowed to those customers' customers, whom it's affected indiscriminately. Kaseya thinks there are between eight-hundred and fifteen-hundred total downstream victims, that is, customers of the MSPs who use Kaseya's VSA.
The Wall Street Journal reports that ransomware infestations connected with the exploitation of Kaseya had, by Thursday, been found in six European countries. The Record reports that Kaseya's president and general manager for EMEA, Ronan Kirby, addressing a meeting convened by Belgium's CERT, said those six countries were the UK, the Netherlands, Germany, Sweden, Norway, and Italy. Eight of the sixty direct customers affected by the campaign are in Europe.
The REvil operators demanded a total of $70 million to unlock all of the victims' data. BleepingComputer has found only two victims who've paid any ransom, and concludes that the responsible REvil affiliate is unlikely to get the big payday they're hoping for. The article suggests that the criminals failed to exfiltrate data, relying simply on making the files unusable instead. If so, that would represent a departure from the double extortion—encryption plus data theft—that has become the norm in ransomware campaigns. BleepingComputer suggests another reason for the apparent lack of criminal success. REvil went after the software itself, the better to cast a broad net, and so passed up the now customary step of wiping or encrypting backups. "[A]n MSP and multiple victims encrypted during the attack told BleepingComputer that none of their backups were affected, and they chose to restore rather than paying a ransom." So the victims may have simply opted to restore from backups and bite the bullet on any doxing that may develop later.
Sophos has written up a technical analysis of the incident: "The outbreak was delivered via a malicious update payload sent out to VSA servers, and in turn to the VSA agent applications running on managed Windows devices. It appears this was achieved using a zero-day exploit of the server platform. This gave REvil cover in several ways: it allowed initial compromise through a trusted channel, and leveraged trust in the VSA agent code—reflected in anti-malware software exclusions that Kaseya requires for set-up for its application and agent “working” folders. Anything executed by the Kaseya Agent Monitor is therefore ignored because of those exclusions—which allowed REvil to deploy its dropper without scrutiny."
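The Sophos passage turns on one defensive point: whatever lands in an anti-malware exclusion folder is never scanned, so the exclusions themselves need to be audited. The PowerShell below is an added example, not code from Sophos, Kaseya or Huntress; it assumes Windows Defender (Get-MpPreference) and uses placeholder paths where the agent's real working and application folders would go.

```powershell
# Added example (not from Sophos, Kaseya or the CyberWire): audit anti-malware
# path exclusions and surface recently written executables inside them.
# Assumptions: Windows Defender exposes exclusions via Get-MpPreference; the
# $AgentFolders entries are PLACEHOLDERS to be replaced with the folders your
# remote management agent actually requires to be excluded.
$AgentFolders = @(
    'C:\PLACEHOLDER\AgentWorkingDir',   # placeholder: agent "working" folder
    'C:\PLACEHOLDER\AgentInstallDir'    # placeholder: agent application folder
)
$Since = (Get-Date).AddDays(-7)        # review window for new files
$ExecutableExtensions = '.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js'

# 1. Which paths does the local anti-malware engine skip entirely?
$Exclusions = (Get-MpPreference).ExclusionPath
if (-not $Exclusions) { Write-Host 'No path exclusions configured.'; return }

foreach ($Path in $Exclusions) {
    $IsAgentFolder = $AgentFolders | Where-Object { $Path -like "$_*" }
    $Tag = if ($IsAgentFolder) { 'agent-folder' } else { 'other' }
    Write-Host ("Exclusion [{0}]: {1}" -f $Tag, $Path)

    if (-not (Test-Path -LiteralPath $Path)) { continue }
    # 2. Any executable that appeared recently in an excluded folder was never
    #    scanned, so list it (with a hash) for human review instead of trusting it.
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $ExecutableExtensions -contains $_.Extension.ToLower() -and
                       $_.LastWriteTime -gt $Since } |
        Select-Object FullName, LastWriteTime, Length,
            @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } } |
        Format-Table -AutoSize
}
```

Run it elevated on a managed endpoint; hashes of anything unexpected can then be compared against the vendor's published agent binaries before deciding whether the exclusion should stay.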
Kaseya's response to the incident.
Kaseya's CEO Fred Voccola said on Wednesday that the new release time for a patched VSA will be this coming Sunday at 4:00 PM EDT. While Kaseya was confident the patches they'd developed had closed the vulnerabilities the extortionists exploited, Voccola said that third-party engineers and internal IT personnel recommended placing additional layers of security in place to protect against other exploits they may not foresee. The company has also published a run book of changes to the on-premises version of VSA, which should enable customers to prepare themselves for the coming update.
Kaseya also warned on Friday that the incident is being used as phishbait: "As previously communicated, spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments. Spammers may also be making phone calls claiming to be a Kaseya Partner reaching out to help. Kaseya IS NOT having any partners reach out – DO NOT respond to any phone calls claiming to be a Kaseya Partner. DO NOT click on any links or download any attachments in emails claiming to be a Kaseya advisory."
Kaseya's ability to cope with the attack has received harsh reviews from those who believe, like the sources CRN quotes, that the company shouldn't have left itself vulnerable to this kind of exploit. The Dutch Institute for Vulnerability Disclosure says it discovered the zero-day in April and promptly notified Kaseya. Kaseya was in the process of addressing the issue when the attack hit, so arguably the company's response was dilatory. It certainly came just a bit too late.
Others have given Kaseya much better notices. Electronic Engineering describes Kaseya as "swiftly responding" to contain the damage. The company's public communication about the incident has been regular and clear. And the DIVD stated, "From our side, we would like to mention Kaseya has been very cooperative. Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch."
Ransomware operations.
Ransomware gangs are showing a tendency to go after the relatively soft targets legacy industrial control systems present, ZDNet reports. (Control Global observes that some such attacks may initially be difficult to recognize as such.)
Industrial concerns have also recently been the targets of more traditional ransomware, the sort that steals and encrypts sensitive data. BleepingComputer reports that the chemical distributor Brenntag has disclosed that the DarkSide gang during an April attack obtained access to personal information that included "social security number, date of birth, driver's license number, and select medical information."
Crisis draws opportunists, and the Kaseya ransomware incident appears to be no different in that respect. Malwarebytes notes that references to the Kaseya incident have begun appearing as phishbait in social engineering schemes, usually emails offering malicious links or attachments. The subjects suggest an offer of advice, warning, or counsel in the matter of the Kaseya exploit.
The Wiregrass Electric Cooperative, a small rural electrical utility in the US state of Alabama, was hit with a ransomware attack that seems unrelated to the Kaseya incident. Business systems and not control systems were affected, SecurityWeek says. The cooperative says it did not lose any data, but it did take "member account information and payment systems offline" as a precaution.
KELA takes a look at the way ransomware gangs operate today and sees the division of labor one finds wherever craft develops into industry. In this case there are four distinct stages in an attack, and they're increasingly entrusted to criminal specialists: "Code (code or acquire malware with the desired capabilities), Spread (infect targeted victims), Extract (maintain access to infected machines)" and "Monetize (get profits from the attack)."
Cozy Bear sniffs around the RNC, and Fancy Bear is still brute-forcing credentials.
The US Republican National Committee (RNC) said that one of its contractors had been breached by APT29 (Cozy Bear, Russia's SVR and the same outfit responsible for the initial compromise of the RNC's rival Democratic National Committee during the 2016 elections). TheHill reports that Synnex was the vendor breached, and that the intrusion was accomplished through a cloud service. Bloomberg says there was no serious compromise of data, and that the incident was quickly contained. Bloomberg also quotes Russia as denying involvement, as Moscow's official spokesman Dmitry Peskov said, “We can only repeat that whatever happened, and we don’t know specifically what took place here, this had no connection to official Moscow."
Russian official denials of involvement aside, the New York Times contends that the cyberespionage attempt against the RNC places President Biden under more pressure to develop some effective public response to Russian activities in cyberspace.
APT28 (Fancy Bear, Russia's GRU) also remains active. Threatpost offers an account of Fancy Bear's ongoing brute-force and password-spraying campaign against Western targets.
Cyberattack reported in Ukraine.
Reuters reports that on Tuesday afternoon an unspecified cyberattack hit the official websites of Ukraine's president, the country's security services, and other institutions. Service was restored quickly, and there's been no attribution of the attack, but Reuters does note the hybrid war Russia has been waging against Ukraine over the past decade.
Chinese cyberespionage campaign active against Asian targets.
Recorded Future's Insikt Group reports finding what appears to be a Chinese cyberespionage campaign active against targets in Nepal, Taiwan, and the Philippines. The threat group, which Recorded Future tracks as Threat Activity Group 22 (TAG-22), is interested in telecommunications, academic, research and development, and government organizations in the three countries. The researchers believe TAG-22 used compromised GlassFish servers and Cobalt Strike for initial access, subsequently switching to its own "bespoke" backdoors for persistence.
Nine credential harvesting apps ejected from Google Play.
Ars Technica reports that Google has expelled nine apps from its Play Store. They were all discovered by Dr. Web to be stealing Facebook credentials, and they were, in descending order of popularity: PIP Photo, Processing Photo, Rubbish Cleaner, Inwell Fitness, Horoscope Daily, App Lock Keep, Lockit Master, Horoscope Pi, and App Lock Manager. Google has also banned the apps' developers from its ecosystem.
Online gamers under attack.
Online gamers are proving increasingly attractive to threat actors, TechRadar reports, as criminals and others follow people's interests online: the more gamers, the more attacks. Sometimes the attacks come from within what for lack of a better word we must call the gaming "community." One such actor has been defacing Apex Legends to complain about people cheating in Titanfall, the Record reports.
Patch news.
Ars Technica wrote early this week that Microsoft's out-of-band patch that addressed the PrintNightmare vulnerability may be incomplete, and that it might be possible for attackers to bypass the protections the fix put in place.
Since then, Microsoft has issued a clarification regarding the patch it issued this week for the CVE-2021-34527 Windows Print Spooler vulnerability (PrintNightmare). Redmond says the patch is working as designed, and urges users to apply it. The Microsoft Security Response Center investigated reports that the patch was ineffective and concluded that "All reports we have investigated have relied on the changing of default registry settings related to Point and Print to an insecure configuration."
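MSRC's finding was that the reported bypasses depended on Point and Print registry settings having been moved off their defaults, so a defender's first check is whether those values are still at the secure default. The PowerShell below is an added example, not Microsoft's code; the registry value names are taken from Microsoft's Point and Print hardening guidance for the July 2021 update and are an assumption to be confirmed against the current advisory.

```powershell
# Added example (not Microsoft's code): audit the Point and Print registry
# values that the bypass reports relied on changing. Assumption: the value
# names below follow Microsoft's Point and Print hardening guidance for the
# July 2021 update; confirm them against the current Microsoft advisory.
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
# Expected secure state: value absent, or 0. A value of 1 lets non-admin users
# install printer drivers without a warning or elevation prompt.
$Checks = @{
    'NoWarningNoElevationOnInstall' = 0
    'UpdatePromptSettings'          = 0
}

function Test-PointAndPrintHardening {
    $Findings = @()
    if (-not (Test-Path $Key)) {
        return [pscustomobject]@{ Secure = $true; Findings = @('Key absent: defaults apply') }
    }
    $Values = Get-ItemProperty -Path $Key
    foreach ($Name in $Checks.Keys) {
        $Actual = $Values.$Name
        if ($null -eq $Actual) { continue }   # absent means default, which is secure
        if ($Actual -ne $Checks[$Name]) {
            $Findings += "$Name = $Actual (insecure; expected $($Checks[$Name]) or absent)"
        }
    }
    [pscustomobject]@{ Secure = ($Findings.Count -eq 0); Findings = $Findings }
}

$Result = Test-PointAndPrintHardening
if ($Result.Secure) {
    Write-Host 'Point and Print settings are at the secure default.'
} else {
    Write-Warning 'Insecure Point and Print configuration detected:'
    $Result.Findings | ForEach-Object { Write-Warning "  $_" }
    # Remediation (run elevated): reset the flagged values to 0 so the patch's
    # protections apply, then confirm the July update is installed, e.g.
    # Set-ItemProperty -Path $Key -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
}
```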
Crime and punishment.
The UK will hear an appeal of a decision against extraditing Wikileaks proprietor Julian Assange to the US on espionage charges. The Wall Street Journal reports that US reassurances about conditions of confinement swayed the High Court.
Moroccan police have arrested a hacker accused of carrying out various cybercrimes since 2009, Interpol announced on Tuesday. Interpol explained, "Acting under the signature name of ‘Dr Hex’, the suspect is believed to have targeted thousands of unsuspecting victims over several years through global phishing, fraud and carding activities involving credit card fraud. He is also accused of defacing numerous websites by modifying their appearance and content, and targeting French-speaking communications companies, multiple banks and multinational companies with malware campaigns. The suspect is also alleged to have helped develop carding and phishing kits, which were then sold to other individuals through online forums to allow them to facilitate similar malicious campaigns against victims."
Researchers at Group-IB discovered Dr. Hex's real-world identity by following an email address contained in one of the phishing kits to uncover the individual's online footprint. Group-IB explained, "The email mentioned in the phishing kit enabled Group-IB threat intelligence analysts [to] find the alleged attacker's YouTube channel signed up under the same name — Dr HeX. In the description to one of the videos, the attacker left a link leading to an Arabic crowd funding platform, which enabled Group-IB researchers to record another name associated with the cybercriminal. According to the DNS data analysis, this name was used to register at least two domains, which were created using the email from the phishing kit."
Courts and torts.
The European Commission executive vice-president and competition commissioner Margrethe Vestager stated last week that Apple cannot use security and privacy concerns to restrain competition in the App Store, Reuters reports. Vestager told Reuters, "I think privacy and security is of paramount importance to everyone. The important thing here is, of course, that it's not a shield against competition, because I think customers will not give up neither security nor privacy if they use another app store or if they sideload."
Policies, procurements, and agency equities.
The US Government is continuing its investigation into the Kaseya incident and is signalling an intention to do something about REvil and other gangs or privateers. Among other things, the US Administration said that it has communicated very clearly to Russian authorities that the US wants the REvil operators brought to book. CBS News reported on Tuesday that White House press secretary Psaki said that the US had been in touch with Russian officials about the REvil operation, and that if Russia doesn't take action against its ransomware gangs, "we will." TASS is, of course, authorized to disclose that Russia not only had nothing to do with the attack and knew nothing about it, but that in fact Moscow had heard nothing from Washington about the matter.
The ransomware attack, coming as it did so soon after cybersecurity figured prominently in the Russo-American summit, has placed the US Administration under pressure to devise some effective retaliation that might deter such attacks. The Washington Post reports a growing sense that the US must "either win some public concessions from Russia quickly or punch back hard." The Pentagon has been circumspect about what it might be called upon to do. A Defense Department spokesman on Tuesday declined to discuss specific US Cyber Command capabilities, plans, or operations. "We are all mindful of these growing threats to national security as well as to civilian infrastructure," the spokesman said, adding, "We believe... a US response to those threats has got to be whole-of-government" as opposed to a purely military response. In this case "whole-of-government" would probably mean, especially, the Intelligence Community and the Departments of State, Justice, Treasury, and Commerce.