The CyberWire Daily Podcast 7.7.21
Ep 1369 | 7.7.21

Kaseya works on patching VSA as Washington mulls retaliation and Moscow says it has nothing to do with it. Microsoft patches PrintNightmare. The Lazarus Group is back.


Dave Bittner: Kaseya continues to work on patching its VSA products. The U.S. mulls retaliation for the Kaseya ransomware campaign, as well as for Cozy Bear's attempt on the Republican National Committee and Fancy Bear's brute-forcing efforts. Russia denies any wrongdoing. Current events phishbait. Microsoft patches PrintNightmare. Joe Carrigan looks at recent updates to Google's Scorecards tool. Our guest is Umesh Sachdev of Uniphore, describing his entrepreneurial journey. And the Lazarus Group is back, phishing for defense workers.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 7, 2021. 

Dave Bittner: We begin with updates on the Kaseya ransomware incident. Kaseya had expected that it would be able to patch and restore its VSA software-as-a-service product by today, but technical problems its developers encountered have blocked the rollout. As of 8 a.m. Eastern Time today, the company was still working to resolve the issues it encountered. By the time of today's noon update, Kaseya reported having made some progress. With respect to the VSA on-premises product, Kaseya said, we will be publishing a runbook of the changes to make to on-premises environments by 3 p.m. U.S. Eastern Time today so customers can prepare for the patch release. The company promises an update on the VSA on-premises fix by 5 p.m. Eastern Daylight Time today. 

Dave Bittner: As far as updating the VSA software-as-a-service product, the company pushed the anticipated availability of a patch until tomorrow. Kaseya said, quote, "during the VSA SaaS deployment, an issue was discovered that has blocked the release. We are resolving the issue that is related to our SaaS infrastructure, and we plan on beginning to restore SaaS services no later than the evening of Thursday, July 8 U.S. time." 

Dave Bittner: Reuters quotes U.S. President Biden as offering yesterday a relatively upbeat preliminary assessment of the consequences of the ransomware campaign. Mr. Biden said, quote, "it appears to have caused minimal damage to U.S. businesses, but we're still gathering information. I feel good about our ability to be able to respond," end quote. 

Dave Bittner: That said, the U.S. government is continuing its investigation and is signaling an intention to do something about REvil and other gangs or privateers. Among other things, the U.S. administration said that it has communicated very clearly to Russian authorities that the U.S. wants the REvil operators brought to book. CBS News reported yesterday that White House press secretary Psaki said the U.S. had been in touch with Russian officials about the REvil operation and that if Russia doesn't take action against its ransomware gangs, quote, "we will," unquote. 

Dave Bittner: TASS is, of course, authorized to disclose that Russia not only had nothing to do with the attack and that it knew nothing about it and that, in fact, Moscow had heard nothing from Washington about the matter. So either the messages crossed one another or someone's telling a diplomatic whopper. The smart money's on the whopper. The Kremlin usually maintains it doesn't know anything and would like to see your evidence. 

Dave Bittner: The ransomware attack coming as it did so soon after cybersecurity figured prominently in the Russo-American summit has placed the U.S. administration under pressure to devise some effective retaliation that might deter such attacks. The Washington Post reports a growing sense that the U.S. must either win some public concessions from Russia quickly or punch back hard. Fortune asks why major cyberattacks tend to happen around holidays and gives the obvious answer - around holidays, people's minds tend to be elsewhere, people's bodies on vacation. 

Dave Bittner: The U.S. Republican National Committee said yesterday that one of its contractors had been breached by APT29 - that's Cozy Bear, Russia's SVR and the same outfit responsible for the initial compromise of the RNC's rival Democratic National Committee during the 2016 elections. The Hill reports that Synnex was the vendor breached and that the intrusion was accomplished through a cloud service. Bloomberg says there was no serious compromise of data and that the incident was quickly contained. 

Dave Bittner: The Kremlin in this case also says it didn't do nothing - nothing, they tell you. Bloomberg quotes Russia's official spokesman Dmitry Peskov as saying, quote, "we can only repeat that whatever happened, and we don't know specifically what took place here, this had no connection to official Moscow," end quote. 

Dave Bittner: Russian official denials of involvement aside, The New York Times contends that the cyber-espionage attempt against the RNC places President Biden under more pressure to develop some effective public response to Russian activities in cyberspace. The Washington Post quotes an unnamed senior U.S. official as saying, "no one thing is going to work alone. We're pushing everybody on all of these angles, whether it involves building resilience, using diplomacy or disrupting networks, and because we believe only together we will significantly impact this threat," end quote. 

Dave Bittner: Some significant portion of any response seems likely to be economic in nature. Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, and Matthew Rojansky, director of the Wilson Center's Kennan Institute, published an op-ed in The Washington Post yesterday in which they called for an ultimatum and were clear in what they recommended the else should be in or else. Quote, "before such devastating ransomware attacks become a routine occurrence, President Biden must deliver a quiet but forceful demand - Russian President Vladimir Putin must put an immediate stop to this activity or Washington will tighten the squeeze of sanctions on the Russian economy," end quote. 

Dave Bittner: APT28 - that's Fancy Bear, Russia's GRU - also remains active. Threatpost offers an account of Fancy Bear's ongoing brute-force and password-spraying campaign against Western targets, another campaign of which Moscow knows nothing - nothing, they tell you. 

Dave Bittner: Crisis draws opportunists, and the Kaseya ransomware incident appears to be no different in that respect. Malwarebytes notes that references to the Kaseya incident have begun appearing as phishbait in social engineering schemes, usually emails offering malicious links or attachments. The subjects suggest an offer of advice, warning or counsel in the matter of the Kaseya exploit. 

Dave Bittner: Jerome Segura, Director of Threat Intelligence at Malwarebytes, told us in an email exchange that, quote, "threat actors often use opportunistic themes in their campaigns, and we believe this is the case here. This Kaseya fake update is a Cobalt Strike payload and interestingly hosted on the same IP address used for another campaign pushing Dridex. In the past we've seen the same threat actor behind Dridex use Cobalt Strike," end quote. 

Dave Bittner: Treat such emails with the same caution you'd apply to notices of automatic renewals of services you don't remember signing up for or appeals for your cooperation from the widow of the late Prince What's His Name, formerly minister of oil or something out in Nigeria. 

Dave Bittner: Microsoft has released out-of-band patches for the PrintNightmare vulnerability. So take a look and consider applying them if they affect your systems. 

Dave Bittner: And finally, North Korean intelligence services haven't left the cyber-espionage game. AT&T Alien Labs describes the Lazarus Group's latest campaign, which involves phishing for employees of defense contractors, notably by impersonating Airbus, General Motors and Rheinmetall. There is, according to Alien Labs, a high emphasis on renaming system utilities - Certutil and Explorer - to obfuscate the adversary's activities. 

Dave Bittner: Their report adds, quote, "the documents attempted to impersonate new defense contractors and engineering companies like Airbus, General Motors and Rheinmetall. All of these documents contain macro malware, which has been developed and improved during the course of this campaign and from one target to another. The core techniques for the three malicious documents are the same, but the attackers attempted to reduce the potential detections and increase the faculties of the macros." So Pyongyang has still got game. 

Dave Bittner: Our particular industry vertical is full of stories of hungry entrepreneurs, folks who believe they've come up with a product or service worth sharing with the rest of the world, with the dream of building a lucrative business or impactful nonprofit along the way. Umesh Sachdev is one such entrepreneur, currently CEO and co-founder of Uniphore, an enterprise AI and SaaS provider that recently announced $140 million in funding. He shares his insights on his entrepreneurial journey. 

Umesh Sachdev: Having been now an entrepreneur for over 20 years, in hindsight, there are a few things that are really important. First, having a very solid product market fit - having a strong validation from the market, from the customers that the problem that you're really trying to solve is indeed a large enough problem and one that's actually worth solving. But also, more importantly, as I've now realized - because I now mentor other early-stage founders, et cetera - the stage of life when somebody takes the plunge is a very, very important variable which can have a big impact on chances of success. And I have found that there are three stages of life which increase the chance of success tremendously for somebody to become a founder. 

Umesh Sachdev: One is really early on, right at the end of the education period in our life - much like me and my co-founder - because the phenomenon there is, first, the - there are less people dependent on the founders economically. The founders have a much longer runway. They just have to support themselves and probably, you know, a few other folk. The age there is also one of - where you're still in the formative years of your ideas, and there's a strong willingness to learn a lot of new things, and there's less to unlearn. So that age is one where the chances of success are higher. 

Umesh Sachdev: The second phase in life, to me, is towards the midlife. When somebody's spent, say, 20, 25 years in the career, gained enough experience, climbed the corporate ladder, seen scale and probably even financially saved enough for if they take the risk, if they do take the plunge, by this time, there's potentially a small family or some - you know, some other folks who are dependent financially on the founder. And so it's important to know that you have a three- or four-year runway for yourself and for your family. You've seen the scale. You've saved enough, and you're ready to take the plunge - because it's all about minimizing distractions when you're in the founding journey. 

Umesh Sachdev: And then the third phase for me is when you really run your first inning successfully. You're ready to retire from your corporate, you know, innings and jobs and whatever you're doing and - but you're still not ready to hang your boots. You still have the energy or that itch. And at that late stage in life is the third big opportunity where chances of success are higher. 

Umesh Sachdev: If you notice, across the three that I mentioned, the thing that's common is it's really about, have you taken care of everything else so your chances of being distracted are minimized? And if they are minimized, you're likely to invest almost all of your energy in building the business, in building the startup that you really want to build out. 

Dave Bittner: Our thanks to Umesh Sachdev from Uniphore for joining us. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting story from the Hacker News website. And this is about some new tools that Google is providing. What's going on here, Joe? 

Joe Carrigan: So, Dave, no development - almost no development gets done anymore without the incorporation of some open-source project. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: And this has actually been a problem in a number of breaches. I think we talked about one that used a clone repository from somebody and turned it malicious, and that got integrated into some other breach. I can't remember exactly where that was. 

Dave Bittner: Right, right. And the folks who were using what they thought was that open-source code did not know that the problem had occurred, yeah. 

Joe Carrigan: Right, exactly. Well, Google has a product called Scorecard, which is available on GitHub, and you can just download it and use it. And what this tool does is it analyzes these repositories that you have and it develops a Scorecard - or a score for how risky the library is. 

Joe Carrigan: Now, this is a new version. That's what this article is talking about. And there are a number of improvements in the new edition or version of the software, and they include checking repositories for contributions from malicious authors or from compromised accounts, which is pretty good because that's how they're going to introduce backdoors into these code repositories. 

Joe Carrigan: So imagine you have a system that relies heavily on some network trafficking tool that you're using, and somebody just inserts a backdoor in that network trafficking tool. Now you have a backdoor in your product, and that's bad. They also have fuzzing. They also now do fuzzing, which is a way to test how good code is, right? 'Cause a lot of times that's how overflow - buffer overflow vulnerabilities are found - is through fuzzing. 

Dave Bittner: Oh, I see. So fuzzing puts a bit of - like a stress test on the code, as it were. 

Joe Carrigan: Right. It's essentially, I'm going to put random data into the code and see what happens. 

Dave Bittner: I see. Yup. 

Joe Carrigan: Also, it includes new static analysis tool and looks for signs of continuous integration/continuous deployment compromises. Also, it looks for bad dependencies. So if the dependency - you know, if you have a dependency to a known bad product, then it'll let you know. 

Dave Bittner: Interesting. So how would - what part of the workflow would you work this into? How does - what's - in your estimation, what's the proper place to use a tool like this? 

Joe Carrigan: Any time that you're doing configuration management and you said, I'm going to use this library, and we're going to use this version of this library, then you should run - if you're going to use this tool, run the tool on that version of the library. 

Dave Bittner: I see. All right, well, yeah, interesting development. New version of a free, openly available tool... 

Joe Carrigan: Right. 

Dave Bittner: ...That can help keep you out of trouble, right? 

Joe Carrigan: Yep. 

Dave Bittner: All right, Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.