Kaseya fixes VSA (and the US wants Russian action against REvil).
Kaseya this past Sunday afternoon pushed fixes for VSA's on-premises and SaaS versions. At 8:00 AM the company's update indicated that patching was proceeding quickly:
"As posted in the previous update we released the patch to VSA On-Premises customers and began deploying to our VSA SaaS Infrastructure prior to the 4:00 PM target. The restoration of services is now complete, with 100% of our SaaS customers live as of 3:30 AM US EDT. Our support teams continue to work with VSA On-Premises customers who have requested assistance with the patch."
The general consensus is that REvil operates with at least the knowledge of, and probably with the tacit approval and encouragement of, the Russian government. The joint enforcement action the US has requested of Russia has not materialized, GovInfoSecurity notes. Moscow is standing on ceremony as it expresses its commitment to the rule of law (as the Register puts it, "with a straight face"), but so far there are few if any signs of Russian authorities taking action against the gangs that operate with impunity from its territory.
In an hour-long phone call on Friday, July 9th, US President Biden communicated his expectations concerning ransomware operations to Russian President Putin. Reuters reports that in President Biden's estimation the call "went well," and that he expects Russian cooperation against gangs like REvil. Should expected Russian cooperation not be forthcoming, President Biden said the US was prepared to take certain actions on its own. He and Administration officials declined to say what such actions might be. At the White House daily press conference on Friday, Press Secretary Psaki said President Biden "underscored the need for President Putin to take action to disrupt these ransomware groups."
REvil disappears.
REvil's disappearance early Tuesday morning from its usual online haunts (including the HappyBlog) remains unexplained. The New York Times and others note that the vanishing followed a US request that Russia do something about ransomware gangs operating from its territory, but it's unclear what connection that had with the American démarche. The Washington Post summarizes three likely alternative explanations:
- "The Kremlin bent under U.S. pressure and forced REvil to close up shop."
- "U.S. officials tired of waiting for Kremlin cooperation and launched a cyber operation that took REvil offline."
- "REvil’s operators were feeling the heat and decided to lay low for awhile."
REvil's operators may simply be rebranding, as they are generally believed to have done in 2019 when REvil appeared shortly after GandCrab announced that it was disbanding.
TASS says Russian authorities know nothing about REvil's vanishing act. News outlets (including Spiegel and the Moscow Times) review the leading lines of speculation about the disappearance: some Russian enforcement action, an American takedown, or simply REvil's going on the lam, but little new light has been shed on the matter. Consensus holds, however, that relaxing vigilance against ransomware attacks would be unwise.
Scam warnings continue as criminals dangle Kaseya phishbait.
Kaseya has continued to warn that its ransomware incident continues to be used as phishbait by scammers: "Reminder: Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments or phone [calls] claiming to be Kaseya Partners – DO NOT click on links or download attachments and DO NOT respond to phone calls claiming to be a Kaseya Partner."
Microsoft and Citizen Lab report on a "private-sector offensive actor."
The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) reported on the activities of a "private-sector offensive actor," a company that would characterize itself as a lawful intercept vendor. The company, which Microsoft assigned the name "Sourgum," is selling intercept tools to governments that are using them to monitor the communications of journalists, dissidents, and other people in bad odor with the regime. The intercept software itself, which exploits now-patched Windows zero-days, Microsoft calls "DevilsTongue." Targets of the surveillance tool have been found in the Palestinian Authority (which had about half the victims identified), Israel, Iran, Lebanon, Yemen, Spain (specifically Catalonia), the United Kingdom, Turkey, Armenia, and Singapore. As Microsoft observes, the location of a target isn't perfectly correlated with a government using Sourgum. International targeting of individuals is common, and none of the countries listed are necessarily users of DevilsTongue.
Microsoft acknowledged the University of Toronto's Citizen Lab for its assistance in the investigation, and Citizen Lab identifies Sourgum as the Tel Aviv-based company whose original name was Candiru. Candiru's past customers are believed to include Uzbekistan, Qatar, Singapore, Saudi Arabia, and the United Arab Emirates. The company has been through several rebrandings since its founding in 2014. In 2017 it became DF Associates Ltd., in 2018 "Grindavik Solutions Ltd," in 2019 "Taveta Ltd." and, finally, in 2020, it assumed its current name, "Saito Tech Ltd." Some of the corporate names appear to be low-cunning gestures toward misdirection: Grindavik is a town in Iceland, Taveta in Kenya, and Saito in Japan. Citizen Lab and others reporting the incident have generally been sticking to the first name the company did business as.
Facebook takes down Iranian hacking campaign.
Facebook on Thursday said it had disrupted an operation by the Iranian threat group Tortoiseshell, whose fake personae used Facebook in an initial catphishing approach to military personnel and people who work in the defense and aerospace sector. Most of the intended targets were in the US, with some in Europe. Tortoiseshell used Facebook to establish contact and trust, eventually hoping to persuade its prospects to move the conversation to other channels, and it was over those other channels that the malware payloads were delivered. Tortoiseshell is thought to have connections with APT34 (Helix Kitten) and APT35 (Charming Kitten). The tools it deploys against its targets include remote access Trojans, device and network reconnaissance tools, and keyloggers, many of which were developed by Mahak Rayan Afraz (MRA), a Tehran-based IT company associated with the Islamic Revolutionary Guard Corps.
Trickbot returns.
Trickbot, the Russophone cybercriminal network heavily involved in ransomware, has returned, the Daily Beast reports. Trickbot and the gang behind it, Wizard Spider, had been disrupted in October of 2020 by US Cyber Command and various industry actors (Microsoft prominent among them). It's now resurfaced with a new VNC (Virtual Network Computing) module that Bitdefender describes as including "new functionalities for monitoring and intelligence gathering." The renewed Trickbot seems involved in creating the Diavol ransomware strain Fortinet described early this month. The resurgence is an example of the resilience of criminal organizations, which survive both takedowns and arrests of (some) key figures.
Iranian rail service disrupted by cyberattack.
The Associated Press reported last Saturday that a "cyber disruption" affected websites belonging to Iran's Transport and Urbanization Ministry. The incident occurred after Iranian state television said that the country's passenger rail system on Friday faced "long delay following [a] cyber attack." According to Bloomberg, train tracking systems were affected, as were station entrances, exits, and ticket booths. Message boards announced "long delays due to cyber-attacks," the Guardian says. No group has claimed responsibility for the incidents, and Iranian sources have so far offered no attribution. Iran's state-owned Press TV said that officials have confirmed a cyberattack, that investigation is in progress, and that past attacks have been traceable to Israel and the US.
SolarWinds fixes a zero-day undergoing active exploitation in the wild.
SolarWinds is addressing a zero-day unrelated to last year's widespread exploitation of its services for cyberespionage, Ars Technica reports. SolarWinds, which credits Microsoft with alerting it to the problem, has issued an update to fix the vulnerability in its Serv-U file transfer software. "The vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions," the company said. "A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system." The vulnerability has been exploited in the wild, the Record reports, but neither SolarWinds nor Microsoft has provided much detail on the nature of the exploitation. BleepingComputer reports that a China-based threat group possibly implicated in the attacks has in the past been associated with operations against the US Defense Industrial Base, but it's unclear what the current incident's victimology has been.
Chinese cyberespionage campaigns hit Myanmar and the Philippines.
Kaspersky this week outlined the activities of a Chinese APT (tracked as "Luminous Moth") engaged in cyberespionage against Southeast Asian targets. Myanmar and the Philippines are receiving most of the group's attention.
Kaspersky says Luminous Moth has an affinity with "HoneyMyte," the threat actor better known as Mustang Panda. The current campaign, which began with operations against Myanmar but has since shifted to the Philippines, is unusual in that it combines high volume with a highly targeted approach to a relatively small number of victims: "sweeping attacks for the chosen few," as Securelist's headline puts it. The attacks have typically begun with spearphishing and then spread further through malicious payloads carried on USB drives.
Post-exploitation, the operation relies on a bogus Zoom application to identify and exfiltrate data of interest. Some of the victims were also infected with a Chrome cookie-stealer.
Exploit broker and zero-day attacks.
Google's Threat Analysis Group on Wednesday blogged about four campaigns it has found in the wild that exploited zero-days. One extensive campaign, targeting mostly European government officials and believed to be the work of a Russian intelligence service, used LinkedIn spam to push malicious links. The three other campaigns, including some used against Armenian targets, appear to have relied on exploits sold to various unnamed governments by a zero-day broker. While Google's estimation is that a single broker was behind the sales, CyberScoop sees Google's report as exposing a growing market for zero-days.
Ukrainian naval website compromised to serve Russian disinformation.
Ukrainian officials said Friday that threat actors linked to Russia's government had compromised the website of the Ukrainian Naval Forces. According to Reuters, the aim appears to have been disinformation: the website compromise was used to publish "fake reports about the international Sea Breeze-2021 military drills." Russia has objected to the Black Sea exercise as a provocation.
Russia advances plans for RuNet.
The Atlantic Council has released a study of the implications of "RuNet," shorthand for a set of initiatives generally aimed at creating a Russian Internet that would be substantially distinct from the rest of the Web. While internal security, control, and economic autarky are among the objectives Moscow is pursuing, one particularly dangerous result will be RuNet's utility in facilitating proxy attacks by criminals and privateers.
Patch news.
On Patch Tuesday, Microsoft issued fixes for three zero-days exploited in the wild: two Windows kernel privilege escalation issues (CVE-2021-31979 and CVE-2021-33771) and one scripting engine memory corruption flaw (CVE-2021-34448). CISA released advisories on twenty-one industrial control system products. A CISA emergency directive also required Federal agencies to apply mitigations to Windows Print Spooler vulnerabilities.
Crime and punishment.
The US State Department's Diplomatic Security Service this morning offered a reward of up to $10 million for "information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act." The announcement particularly calls out cyberespionage and cybersabotage (although not under those names) and the related threat of ransomware. The offer is being tendered under State's Rewards for Justice Program, which the Department has operated since 1984.
Rewards for Justice, the State Department says, has paid more than $200 million to over a hundred tipsters since its inception. Most of the rewards have gone for tips that helped prevent terrorist activity; the program’s use against ransomware is significant in that it marks the seriousness with which the US Government seems to be treating ransomware. Providing tips can be risky, and the State Department knows this. To help ease the minds and secure the safety of potential informants, State writes:
“Commensurate with the seriousness with which we view these cyber threats, the Rewards for Justice program has set up a Dark Web (Tor-based) tips-reporting channel to protect the safety and security of potential sources. The RFJ program also is working with interagency partners to enable the rapid processing of information as well as the possible relocation of and payment of rewards to sources. Reward payments may include payments in cryptocurrency.”
Peter Levashov, the Russian national who in September copped a guilty plea to US Federal charges addressing his role in the creation and operation of the Kelihos spam botnet, is now up for sentencing. The Government Memorandum in Aid of Sentencing recommends that the US District Court for the District of Connecticut follow sentencing guidelines in the case, making no case for unusual leniency or stringency in the matter of Mr. Levashov. Those guidelines call for imposition of a sentence of between twelve and fourteen-and-a-half years.
Courts and torts.
The New York Department of Financial Services (NYDFS) has reached a $1.8 million settlement with two life insurers over data breach violations that led to successful phishing attacks and exposed customer data. According to the National Law Review, the two companies "allegedly violated the NY Cybersecurity Regulation by failing to implement MultiFactor Authentication (“MFA”) without implementing reasonably equivalent or more secure access controls approved in writing by the Companies. Additionally, the NYDFS alleged the Companies falsely certified compliance with the NY Cybersecurity Regulation in 2018 because MFA was not fully implemented."
Policies, procurements, and agency equities.
Huawei is unlikely to receive a reprieve, as the present US Administration has, through the Commerce Department's Bureau of Industry and Security, reasserted its predecessors' strictures against the Chinese company, Fox Business reports.
The US Cybersecurity and Infrastructure Security Agency (CISA, “the nation’s risk advisor,” as it calls itself in the announcement) has released advice for managed service providers and small-to-medium businesses on how they might harden their systems against ransomware and cyberespionage. The advice is familiar but useful, brief and well-founded. Its overarching advice about how to think about the threat, whether criminal or state directed, is to understand that "these actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP's customers. Compromises of MSPs can have globally cascading effects and introduce significant risk—such as ransomware and cyber espionage—to their customers."
Fortunes of commerce.
Ransomware continues to exact a heavy toll. Direct payments alone have been hefty. The ransomwhe.re site, a crowdsourced tracker of extortion payments, puts 2021's running total at $32,723,453.28.