Cyber conflict sputters in Ukraine? Kaseya delays VSA patch, offers assistance to REvil’s victims. US mulls retaliation for privateering. PrintNightmare patch. Another extradition run at Julian Assange.
Dave Bittner: Hey, everybody. Dave here. Are you one of those people that skips ads in podcasts? Of course, we like the ads because we have a lot of great sponsors, and they help keep the lights on and great content coming to you every day. But we've got great news for the ad skippers among you. A CyberWire Pro subscription now gives you access to all your favorite CyberWire podcasts ad-free. That's right - ad-free. And you can still listen to them on your favorite apps. Visit thecyberwire.com/pro to subscribe and go ad-free and get all the other great benefits of a Pro subscription, too. That's thecyberwire.com/pro.
Dave Bittner: Ukrainian government websites may have come under an unspecified cyberattack early this week. Kaseya delays its VSA patch until Sunday and offers assistance to victims of VSA exploitations by REvil. The U.S. continues to mull its response to Russia over REvil and Cozy Bear. A small electric utility's business systems go offline after a ransomware attack. Microsoft continues to grapple with PrintNightmare. Caleb Barlow from CynergisTek on the changing cyber insurance landscape. Our guest is Kwame Yamgnane from Qwasar on how he seeks to inspire minority kids to code. And the U.S. will try again to get Julian Assange extradited.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Thursday, June 8, 2021. While much of the news this week has been of rising tension in cyberspace between Moscow and Washington, cyber conflict hasn't left the rest of the world alone in the meantime. Reuters reports that on Tuesday afternoon, an unspecified cyberattack hit the official websites of Ukraine's president, the country's security services and other institutions. Service was restored quickly, and there's been no attribution of the attack. But Reuters does note the hybrid war Russia has been waging against Ukraine over the past decade.
Dave Bittner: The major story of the week remains, of course, REvil's exploitation of Kaseya's VSA to spread ransomware via MSPs who use VSA. Kaseya's CEO, Fred Voccola, in a video message posted at 9:45 Eastern Daylight Time last night said the new release time for a fixed and patched VSA will be this coming Sunday at 4 p.m. Eastern time. While Kaseya was confident the patches they developed had closed the vulnerabilities the extortionists exploited, Voccola said that third-party engineers and internal IT personnel recommended placing additional layers of security to protect against other exploits they may not foresee. The company also published a run book last night of changes to the on-premises version of VSA, which should enable customers to prepare themselves for the coming update. Voccola also alluded in his video to Kaseya Cares, a program initiated during the early days of the COVID-19 pandemic last year. Kaseya Cares provided direct assistance, both financial and advisory, to MSPs serving small to midsize businesses. He said they were extending similar help now to businesses affected by the VSA-propagated ransomware.
Dave Bittner: U.S. President Biden yesterday left a meeting with advisers and said that he will deliver a response to Russia's President Putin over the ransomware attacks on U.S. companies. The New York Times reports that Mr. Biden's vague statement - delivered as he was departing for a trip - left it unclear whether he was planning another verbal warning to Mr. Putin, similar to the one he issued three weeks ago during a one-on-one summit in Geneva, or would move ahead with more aggressive options to dismantle the infrastructure used by Russian-language criminal groups. But it's at least clear that the U.S. administration's belief is that Russia bears some responsibility for the Kaseya ransomware campaign, even if that responsibility goes no farther than tolerating criminal behavior. REvil is not a new group, and it's operated for some time without molestation or interference by Russian law enforcement or security organs. More evidence that REvil is following its practice of not hitting Russian targets was presented by Trustwave SpiderLabs, who, in their study of the operation against Kaseya, found that its ransomware packages avoided systems identifiable as Russian. The Times juxtaposes its account of deliberations about a response to REvil with a discussion of the U.S. administration's view of the attempt on the Republican National Committee, apparently by Russia's SVR. Mr. Biden said, quote, "the FBI is working with the RNC to determine the facts. I will know what I'm going to do tomorrow," end quote. Whether this represents a causal link or mere correlation in time and circumstance is unclear. But the focus of any U.S. response that may be under consideration in either case is Russia. The BBC quotes experts to the effect that the attempt to compromise the RNC looks like traditional espionage, but the Kaseya incident is another and arguably more serious matter altogether. 
The BBC thinks that sanctions and some arrangement that would secure Russian police cooperation against REvil are the two options the U.S. is most likely to avail itself of. Cooperation with Russian law enforcement seems unlikely, however, to be productive. MIT Technology Review has an account of how earlier attempts at such collaboration have fallen flat after initial promises of goodwill.
Dave Bittner: Kaseya's ability to cope with the attack has received starchy reviews from those who believe, like the sources CRN quotes in its when-will-they-ever-learn coverage, that the company shouldn't have left itself vulnerable to this kind of exploit in the first place. The Dutch Institute for Vulnerability Disclosure says it discovered the zero-day in April and promptly notified Kaseya. Kaseya was in the process of addressing the issue when the attack hit. So arguably, the company's response was dilatory. It certainly came, unfortunately, just a bit too late. But it's also true that other organizations have been caught on the hop by an unexpected exploit before. Some other observers have given Kaseya much better notices. Electronic Engineering, for example, describes Kaseya as swiftly responding to contain the damage. The company's public communication about the incident has been regular and clear. The CyberWire has more extensive coverage on our website, where we continue to follow this story.
Dave Bittner: Other ransomware attacks also continue to surface. The Wiregrass Electric Cooperative, a small rural electrical utility in the U.S. state of Alabama, was hit with a ransomware attack that seems unrelated to the Kaseya incident. This seems not to be the long-feared assault on critical infrastructure or industrial control systems but rather the more familiar attack on an organization's IT. Business systems and not control systems were affected, SecurityWeek says. The cooperative says it did not lose any data, but it did take member account information and payment systems offline as a precaution.
Dave Bittner: KELA takes a look at the way ransomware gangs operate today and sees the division of labor one finds wherever craft develops into industry. In this case, there are five distinct stages in an attack, and they're increasingly entrusted to criminal specialists. They are code, code or acquire malware with the desired capabilities; spread, infect targeted victims; extract, maintain access to infected machines; and monetize, get profits from the attack.
Dave Bittner: Ars Technica writes that Microsoft's out-of-band patch that addressed the PrintNightmare vulnerability may be incomplete and that it might be possible for attackers to bypass the protections the fix put in place.
Dave Bittner: And finally, Britain's high court has agreed to hear a U.S. appeal of a lower court's denial of extradition in the case of Julian Assange. That denial had been predicated on fears that the American jails and prisons that would hold the WikiLeaks proprietor wouldn't be able to protect him from suicide. Mr. Assange faces U.S. federal espionage charges. The Wall Street Journal reports that American reassurances about conditions of confinement swayed the high court and specifically a promise that, should he be convicted, Mr. Assange wouldn't be held in a supermax correctional facility. According to The Washington Post, the U.S. Justice Department offered the prospect that Mr. Assange could serve out any sentence in an Australian prison. The gentleman is, of course, an Australian native. The date for the extradition hearing has not been set.
Dave Bittner: There are encouraging signs that cybersecurity is seeing its workforce grow more diverse. It's happening slowly. Kwame Yamgnane is CEO at Qwasar Silicon Valley. He joins us with thoughts on inspiring young people of color to pursue careers in cyber.
Kwame Yamgnane: There is not so much people of color right now in the U.S. who, like, really embrace the tech field as a career for them. If you take a look on statistics, like - especially if you take, like, tech giants like Google, Apple, Facebook and so on, like, the percentage of Black people in the tech, for example, is really under the ratio of what you have in the U.S. right now by three or four. So basically, there is, like, huge room for improvement there to have more kids who are able to embrace, like, career in the tech, especially from the diverse population and, like, the African American, for example.
Dave Bittner: And how can we go about inspiring these kids to take their place in cybersecurity?
Kwame Yamgnane: So it's a very good question. So first, I think there is a question of model role of people who can show to the kids, like, it's a career with, like, a lot of opportunities, like, six-figure-paying jobs. And there is no issue for them to get access to this kind of job, except that, today, it's difficult to find, like, for them this kind of role. So I think, like, to give access to more diverse people and more color people to the job in the tech, there is, like, multiple question here. The first one is a question of role model. Like, right now, if you see - like, usually, the, like, most of the people that are considered, like, the big leaders of the tech, it's difficult to have, like, Black people to show to the kids. And that's first thing. So it's important for them. It's important to have more and more Black people, more and more in the Black and the tech industry who can show the role to the kids. And the second part is, like, accessibility to this kind of education. To become a software engineer, a full-stack developer, all this kind of job - these require to get access to very high-hand education. And we know, like, there is a direct correlation between issues for the kids to get access to this kind of education on where they come from, who they are, from which social layer they are. So it's a big challenge that we have to solve.
Dave Bittner: Yeah, we see study after study that shows that, you know, diversity of thought, bringing in people from different backgrounds leads to better outcomes. Is this a matter of companies embracing that notion and making the investment to make sure that there's a pipeline for these folks to come into the industry?
Kwame Yamgnane: So correct. Obviously, there is, like, these kind of things, but there is, like, something that is slightly more difficult to understand, which is, like, when you create a company, a company is really connected to the culture of the founders. So it's - one of the most important piece inside a company is to have, like, really, the culture that fit with the founder. We want everybody to be aligned and to work together to the success of the company.
Dave Bittner: That's Kwame Yamgnane from Qwasar Silicon Valley.
Dave Bittner: And joining me once again is Caleb Barlow. He is the CEO of CynergisTek. Caleb, it's always great to have you back. I wanted to check in with you today on cyber insurance, the kinds of things that you're seeing and tracking from your point of view. What's the latest?
Caleb Barlow: Well, Dave, it's a-changing, right? And, you know, cyber insurance, I think, was something that if you wind back five or 10 years, lots of insurance providers wanted to get in the market. It was relatively inexpensive. And I think a lot of CISOs and boards looked at it as a way to defer risk when the biggest thing you were potentially impacted with was the loss of data. So you insured that risk, which, you know, would often be maybe paying some regulatory fines and maybe having to notify the people whose data you lost. But...
Dave Bittner: Pay for some credit monitoring, right?
Caleb Barlow: Yeah, but...
Dave Bittner: (Laughter).
Caleb Barlow: ...That really isn't what we're seeing nowadays, right? I mean, some of these losses can easily total up 50, $60 million or more. There have been some breaches that have been well over 200, 300 million. And, you know, these insurers are starting to also get more sophisticated to realize that, well, maybe you don't have the right tools in place, and maybe I shouldn't insure you.
Dave Bittner: Yeah, I was going to ask about that. I mean, how much are the insurance companies sort of - I don't know - driving the conversation of saying, you know, I often think about - you know, if I want to insure my building, my insurer's going to come and say, well, you better have sprinklers. You better have fire extinguishers, you know, those sorts of things. Are the insurance companies able to guide things in those directions when it comes to cyber insurance?
Caleb Barlow: Well, they're kind of putting a toe in the water. And the challenge the insurers have is on one hand, they want to ask all these questions, but on the other hand, they still want to win your business. So, you know, I was looking at, you know, kind of our last renewal. And what I noticed is a few interesting questions pop up. Do you have two-factor authentication? And then later is - well, is it on everything or just, like, one thing?
Dave Bittner: (Laughter).
Caleb Barlow: And do you have EDR? And they actually knew what EDR was. They even listed the names of some companies, right? Now, the funny thing was nowhere on here did it ask things like, you know, is your network segmented? - and really basic stuff. But they're starting to ask a couple of the questions that you'd expect to see in an environment where things are more mature. Now, what they're not doing yet - and they're not going in yet and saying, hey, I actually need somebody to go in and do a full assessment of your security posture. I think that's coming at some point down the road. They're trying to gather as much information as they can from the outside. You know, there are a lot of tools out there that will do kind of attack surface visualization. They're using some of those tools, but you can see where it's headed.
Caleb Barlow: And here's the bigger thing, Dave. If you answer in the negative to some of these questions, a lot of these policies are going to step out. You know, we had a situation where we were - one of our supply chain vendors was breached - so it had nothing to do with us, right? - further on down the stream. And, you know, when we were going out to bid, we obviously had to disclose this 'cause it was an active incident, even though it was our - not ours. And we actually had one company step away. Nope, we're out. It's - and they didn't even bother to understand even what it was about, right? But you're also seeing a lot of folks specifically prohibit any SolarWinds claims, as an example.
Dave Bittner: Oh, interesting. I can't help wondering if we're headed towards a situation similar to flood insurance, where, you know, the federal government has to be a backstop because it's just not a good business for anybody else to be in.
Caleb Barlow: Well, I'll tell you, you know, I think what really got my attention was when Warren Buffett, one of his latest conversations - you know, he basically indicated, look. I only want so much coverage on cyber from all of my insurance companies. That really got my attention. I don't know if we're quite at the point where, you know, we need to kind of go the federal flood insurance route, although it's not the first time I've heard that conversation. I think the bigger point is insurance companies at some point here are going to start to get really smart, and they're going to start to understand what actually is your security posture. And do I feel comfortable underwriting you or not?
Dave Bittner: Yeah, yeah. All right. Well, Caleb Barlow, thanks for joining us.
Caleb Barlow: Thanks, Dave.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. Could your company benefit by reaching our large and influential audience? Send us a note at thecyberwire.com/sponsor.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.