The Kaseya ransomware incident. Ransomware threats to industrial firms. Malicious Android apps stole Facebook credentials. The Tokyo Olympics and cyber risk.
Dave Bittner: Updates on the Kaseya ransomware incident as REvil strikes again. Concerns about other ransomware attacks against industrial targets rise. Google expels credential-stealing apps from the Play Store. Online gamers draw various threat actors. Carole Theriault examines the elements that could put you in the crosshairs for ransomware. Ben Yelin has an update on the Facebook antitrust case. And the Tokyo Olympic Games will be on alert for cyberattacks.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 6, 2021.
Dave Bittner: On Friday, Kaseya sustained a ransomware attack on its widely used VSA product. The attack, as it propagated through the managed service providers who use Kaseya VSA, has affected users worldwide. Huntress Labs warned on Friday that ransomware had been deployed through VSA on-premises servers beginning around 11:00 a.m. Eastern Time.
Dave Bittner: The attack was not, contrary to earlier speculation, a supply chain attack. Kaseya has ruled out any unauthorized alteration of its code base, which would be a supply chain attack in the narrowest sense of the term. Rather, it was a direct attack in which the attackers exploited a zero-day vulnerability, specifically CVE-2021-30116, that had been responsibly disclosed by the Dutch Institute for Vulnerability Disclosure and that Kaseya was in the process of fixing. How the attackers learned of the vulnerability is unknown.
Dave Bittner: The effects of the attack have been worldwide, roughly tracking the MSP market penetration of VSA, with the U.S. and Germany showing the highest rates of infestation. Between 40 and 60 Kaseya customers are believed to have been directly affected, but since these tended to be MSPs, the ransomware in turn flowed to those customers' customers, whom it affected indiscriminately. The Record this morning put the tally of affected organizations at more than 1,500. Reuters reports that victims include schools, small public-sector bodies, travel and leisure organizations, credit unions and accountants. Another Reuters update speculates that individual organizations' recovery could take weeks.
Dave Bittner: Early indications were that the ransomware was REvil, and subsequent ransom demands have seen the REvil gang - widely regarded as a Russian privateer and the same threat actor responsible for the recent high-profile attack on JBS Foods - claimed credit, so we can regard that as a confirmation. After victims were initially quoted individual ransoms at varying rates, BleepingComputer reports that the gang appears to have settled on its final offer, which would be $70 million in Bitcoin, for which it promises to release decryptors to all the victims, which suggests that they're looking for a collective payment.
Dave Bittner: Kaseya's Monday update said that, quote, "the attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya's VSA codebase has been maliciously modified," end quote.
Dave Bittner: This statement is the basis for not calling the incident a supply chain attack in the strictest sense. But the attack on Kaseya resembles supply chain attacks in certain important respects, particularly the way in which it represents a fourth-party risk. The customers of Kaseya's MSP customers are particularly affected.
Dave Bittner: Kaseya itself has been issuing regular situation updates since it disclosed the incident at 4 p.m. Eastern Time Friday. It learned of the attack when customers began reporting unusual behavior on endpoints managed by VSA and then saw ransomware being executed on those endpoints.
Dave Bittner: The company yesterday posted the following summary advice on mitigation. Quote, "all on-premises VSA servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture. We have been advised by our outside experts that customers who experienced ransomware and received communication from the attackers should not click on any links. They may be weaponized," end quote.
Dave Bittner: Kaseya has brought in Mandiant to help with assistance and remediation. The U.S. Cybersecurity and Infrastructure Security Agency has urged users of the software to immediately shut down their servers and to follow the mitigation advice Kaseya has issued. The FBI has seconded CISA and solicited information from victims of the attack.
Dave Bittner: REvil claimed responsibility for the attack, and there's no reason to doubt them. And the obvious motive is money. The gang is looking for a $70 million payout. But the fluctuating ransom demands, which only settled on the final $70 million demand after a few days, are curious, as is the consolidation of the demands. Whom does REvil expect to pay? - Kaseya, a government - that seems unlikely to happen - a consortium of MSPs? Any of these are possible, but the disruption the attack caused seems at least as significant as the financial damage.
Dave Bittner: If REvil is an example of what Cisco's Talos calls privateers, it's reasonable to look for some motive that would serve the sponsoring state's interests. In this case, Axios may be on to something. Quote, "coming just two weeks after President Biden's personal warning to Vladimir Putin during the Geneva summit, the attack looks like the Russians thumbing their nose at the tough talk," end quote. The U.S. has said it's investigating the incident, and there have been rumblings about retaliation if retaliation proves to be in order, but it's still early.
Dave Bittner: While the attack propagated through Kaseya is the highest-profile ransomware incident currently in progress, ransomware gangs are showing a tendency to go after the still relatively soft targets legacy industrial control systems present, ZDNet reports. Control Global observes that some such attacks may initially be difficult to recognize as such.
Dave Bittner: Industrial concerns have also recently been the targets of more traditional ransomware, the sort that steals and encrypts sensitive data. BleepingComputer reports that the chemical distributor Brenntag has disclosed that the DarkSide gang during an April attack obtained access to personal information that included Social Security number, date of birth, driver's license number and select medical information.
Dave Bittner: Ars Technica reports that Google has expelled nine apps from its Play Store. They were all discovered by Dr. Web to be stealing Facebook credentials. And they were, in descending order of popularity, PIP Photo, Processing Photo, Rubbish Cleaner, Inwell Fitness, Horoscope Daily, App Lock Keep, Lockit Master, Horoscope Pi and App Lock Manager. Google has also banned the apps' developers from its ecosystem.
Dave Bittner: Online gamers are providing increasingly attractive to threat actors, TechRadar reports, as criminals and others follow people's interests online. The more gamers, the more attacks. Sometimes the attacks come from within, for what lack of a better word we must call the gaming community. One such has been defacing Apex Legends to complain about people cheating in Titanfall, The Record reports.
Dave Bittner: And finally, as the Tokyo Olympic Games arrive, concerns about cyberattacks aimed at disrupting them rises, according to The Hill. What would the possible motivations be? Embarrassing Japan's government would be one of them. Tokyo has devoted considerable attention to securing the Games since they were scheduled. And reasons of geopolitics or the simple skid lulz (ph) would both be sufficient motivation for cyberattack. Nothing so far, but the authorities are on alert.
Dave Bittner: Ransomware attacks generally fall into two categories - the somewhat random, opportunistic variety where the attackers are scanning and spraying the internet for potential victims or the more targeted, deliberate kind. Our U.K. correspondent Carole Theriault ponders what it takes to find yourself in the ransomware crosshairs.
Carole Theriault: Ah, ransomware - to pay or not to pay? That is the eternal question that our industry is being plagued with.
Carole Theriault: On one side, it is clear that we should not pay. We should not be indulging malicious actors who elect to steal or lock up our data and refuse to give it back unless we part with money. Some argue, quite rightly, that if we pay, we're actually helping fund this illegal industry.
Carole Theriault: But let's think of the flip side. Say a ransomware attack is successful on a critical infrastructure and this attack prevents you from providing that service - so, for example, a hospital, a health center, a government service. Suddenly, you are facing this situation of, if we pay, we can then provide services again to our residents. If we do not, they have to pay the price of our downtime.
Carole Theriault: Of course, the second issue is will they actually release the data that they've stolen or encrypted in exchange for the money that we pay? These are difficult, difficult issues that impact business continuity, customer service, brand reputation and one I guarantee you every company would want to avoid.
Carole Theriault: So let's look at that. What are reasons that you might be targeted by ransomware? Maybe your software or devices are outdated and harboring vulnerabilities. Maybe the browsers or operating systems are no longer being patched on all systems. Maybe you don't have a backup plan, or it's lapsed and you haven't checked it recently. Or maybe your staff are not properly cybersecure enough to spot scams and phishing attacks and social engineering attacks.
Carole Theriault: We're seeing a ton of ransomware out there. It's no joke. So take the opportunity to make sure that your systems are secure, your people are informed and vigilant so that you don't have to deal with this messy, unpleasant ransomware attack. This was Carole Theriault for the CyberWire.
Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host on the "Caveat" podcast. Hello, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: Interesting - I don't know - ruling came down - memo, whatever it was; you'll explain it to us - regarding the...
Ben Yelin: A thing, yeah.
Dave Bittner: A thing about Facebook and the government going after them for antitrust. Unpack it for us here, Ben.
Ben Yelin: Sure. So this week, a federal judge in the District of Columbia dismissed two antitrust lawsuits, one brought by the Federal Trade Commission at the federal level, obviously, and another brought by 46 state attorneys general.
Ben Yelin: So the allegations - there are kind of two separate allegations that were part of this case. The first is that Facebook tried to buy out their competitors when they purchased Instagram and WhatsApp in 2012 and 2014 respectively and that that action violated our antitrust principles. And the other allegation is that Facebook controls more than 60%, and that's sort of the magic threshold, of the social networking market and, therefore, makes it liable under our antitrust statutes, particularly the Sherman Act, to be broken up as a monopoly.
Ben Yelin: What the judge here is saying is that the FTC in particular didn't properly allege with the required specificity that Facebook really does control 60% of that market. And the reason is it doesn't really properly define exactly what that market is. What counts as social networking? Is it, you know, the peer-to-peer interactions on Facebook? Is it the news feed? Is it the messaging?
Ben Yelin: Because that definition is so nebulous and so hard to define, you know, a judge isn't going to proceed with the case until they're sure that the FTC has met that threshold. And the judge here is saying that they haven't met it, that they're frankly not even really close to having properly defined what that function is. So they - the judge can't make a determination whether Facebook has a monopoly because they don't have a full understanding of what the market is.
Ben Yelin: So Face - the judge has pointed - has punted the case back to the FTC, as it relates to that federal case, telling them that they have 30 days to amend their complaint and include more specificity as to, you know, why they think Facebook has a monopoly, why there is a valid antitrust case here. How can you properly define that social networking market? I think that's going to be very difficult for the FTC to do not just because it's a short timeline, a 30-day timeline, but in general, it's just really difficult to define what makes up social networking for the purposes of this antitrust suit.
Ben Yelin: I think this is a big win for Facebook. They seem very pleased with the decision. They have said that, you know, they are competing with their rivals in the industry, including up-and-coming players like TikTok, to win the support of consumers, that there are lots of places on the internet for you to do some of the things that you do on Facebook, to try and post a viral video. You do have choices.
Dave Bittner: Right.
Ben Yelin: And I think Facebook has made that argument. They've made it reasonably. And at least for now, a federal judge has been convinced that there isn't enough evidence to this point that there's an antitrust violation.
Dave Bittner: I wonder if, for example, if you looked at Facebook's own marketing messages - you know, the messages that they put out to potential advertisers who want to take advantage of their ad tech - seems to me like that would be the place where Facebook would define it themselves, where they'd say, you know, here at Facebook we have, you know, 75% of the eyeballs, and engagement is 80% of - you know, people spend two times as much time on Facebook as they do on Twitter. And obviously I'm making all that up. But does any of that come into play? It seems to me like we're - or are the companies being intentionally fuzzy themselves in not wanting to define these things?
Ben Yelin: Well, I mean, I think they probably change their messaging depending on who they're talking to. I think of their legal pleadings and filings. You know, they might say that they actually don't have a market corner. But for the purposes of advertising - and obviously, you know, you have to be careful here 'cause you can't commit fraud.
Dave Bittner: Right.
Ben Yelin: But for the purposes of advertising, you might make a claim that, you know, we have 80% of the eyeballs on this type of, you know, video platform, et cetera. But just because you have a large portion of the audience, just because you have a market share doesn't per se mean that it's a violation of antitrust principles.
Ben Yelin: And that's what the judge is saying here - that, yes, Facebook makes a lot of money. They have a lot of customers - billions of them. But what exactly is the monopoly that they have here? What do they have a monopoly on? And that's something that the FTC was given the opportunity to explain, and they just were not able to properly explain it.
Ben Yelin: So you can't just simply say, well, Facebook is big. There's no other entity like Facebook. Therefore, you have an antitrust violation. You have to really define, you know, what it is - Facebook, you know, completely cornering the market on X, on video sharing, on messaging, on, you know, news feeds - and separately from the issue of whether they've tried to buy out some of their competitors, which is an issue in this case. It does seem like in each of those areas there is proper competition out there, especially as we've seen a proliferation of other social networks that serve similar but distinct purposes.
Ben Yelin: So that's why I'm skeptical that even if the FTC is able to come up with a revised complaint they're going to be able to succeed. And remember, we're not even yet at the merits of the antitrust claim. This is a dismissal of the case in its entirety because the judge is saying the FTC didn't come up with a legally recognizable claim without properly defining what the market is for the purpose of antitrust here.
Dave Bittner: Wow. All right, well, we will watch this one as it plays out. Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. Could your company benefit by reaching our large and influential audience? Send us a note at thecyberwire.com/sponsor.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.