The CyberWire Daily Podcast 7.9.21
Ep 1371 | 7.9.21

Kaseya continues to work through its REvil days, as does the US Administration. In other news, there’s cyberespionage in Asia, the PrintNightmare fix, and Black Widow as phishbait.


Dave Bittner: Kaseya continues to work through remediation of the VSA vulnerability exploited by REvil, with completion expected Sunday afternoon. And while REvil has made a nuisance of itself, this time, they may not have seen a big payday, at least not yet. The U.S. is still considering its retaliatory and other options in the big ransomware case. China's MSS is active against targets in Asia. Andrea Little Limbago from Interos looks at government access to data analysis. Our guest is Leon Gilbert from Unisys with data from their Digital Workplace Insights report. And scammers are baiting their hooks with "Black Widow" lures.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 9, 2021. We begin with an update on REvil's exploitation of Kaseya's VSA. Kaseya's CTO, Dan Timpson, posted a video late yesterday afternoon in which he provided a high-level overview of the steps the company was taking to fix the problems with its VSA software, whose modular design he credited with helping limit the scope of the attacks by REvil. Timpson made a point of listing the organization's Kaseya was working with as it responded to the ransomware attack - Mandiant, including its affiliate FireEye, the FBI, CISA and DIVD, as well as with partners, customers and researchers. Kaseya has fixed the vulnerabilities in both on-premises and cloud versions of VSA, he said, documented the updates and had them peer reviewed by the partners the company has engaged. A post on Kaseya's site indicates that patches for VSA's on-premises version are still scheduled for release this coming Sunday, July 11 at 4 p.m. Eastern time. That's also when Kaseya intends to begin deploying the fixes to its VSA software-as-a-service infrastructure. 

Dave Bittner: There's some question as to how successful the responsible REvil affiliate has actually been this time around. It's clearly succeeded at infecting both direct customers of Kaseya, as well as those customers' customers, the downstream victims of nth-party risk. The Wall Street Journal reports that ransomware infestations connected with the exploitation of Kaseya had by yesterday been found in six European countries. The Record reports that Kaseya's president and general manager for EMEA, Ronan Kirby, addressing a meeting convened by Belgium's CERT. Those six countries were the U.K., the Netherlands, Germany, Sweden, Norway and Italy. Eight of the 60 direct customers affected by the campaign are in Europe. Kaseya still thinks there are between 800 and 1,500 total downstream victims. That is customers of the MSPs who use Kaseya's VSA. But it's not clear how well the extortionists have actually done in collecting the ransom they've demanded. BleepingComputer has found only two victims who've paid any ransom at all, and so concludes that the responsible REvil affiliate is unlikely to get the big payday they're hoping for. REvil went after the software itself, the better to cast a broad net, and so passed up the now customary step of wiping or encrypting backups. So the victims may have simply opted to restore from backups and bite the bullet on any doxing that may develop later, unless, of course, there's some under-the-radar GoFundMe campaign that's quietly raising the $50 million the bad guys want. No, that's not going to happen. 

Dave Bittner: A U.S. response to the ransomware campaign remains under consideration. SecurityWeek writes that the U.S. administration faces pressure to do something about REvil's campaign. And it's clear that doing something increasingly means taking a whack at Russian interests, with U.S. military organizations doing a good bit of the whacking. The Pentagon has been circumspect about what it might be called upon to do. A Defense Department spokesman on Tuesday declined to discuss specific U.S. Cyber Command capabilities, plans or infrastructures. The spokesman said, quote, "We are all mindful of these growing threats to national security as well as to civilian infrastructure. We believe a U.S. response to those threats has got to be whole-of-government," end quote, as opposed to a purely military response. In this case, whole-of-government would probably mean, especially, the intelligence community and the Departments of State, Justice, Treasury, and Commerce. More coverage of this incident can be found on our CyberWire website. 

Dave Bittner: Recorded Future's Insikt Group reports finding what appears to be a Chinese cyberespionage campaign active against targets in Nepal, Taiwan, and the Philippines. The threat group, which Recorded Future tracks as Threat Activity Group 22 - TAG-22 - is interested in telecommunications, academic, research and development and government organizations in the three countries. It's also taken an interest in an airport and a university located in Hong Kong. The researchers believe TAG-22 used compromised GlassFish servers and Cobalt Strike for initial access, subsequently switching to its own bespoke backdoors for long-term persistence. 

Dave Bittner: They see some overlap with other activity other research groups have tracked. In particular, the infrastructure and the malware used against the targets in Hong Kong are significantly similar to Winnti Group activity reported by ESET and NTT Group. There are also some commonalities with the operation against the Mongolian certificate authority MonPass that Avast described, especially the deployment of Cobalt Strike. The ShadowPad and Winnti backdoors that were used to establish persistence have been used by the operators FireEye calls APT41 and that Microsoft calls Barium. Winnti has been a particular favorite of contractors working for China's MSS, its Ministry of State Security. The different operations have different objectives, but the campaign against targets in Taiwan seems most clearly focused on industrial espionage pursued in the interest of furthering Beijing's economic goals. 

Dave Bittner: Microsoft has issued a clarification regarding the patch it issued this week for the CVE-2021-34527 Windows Print Spooler vulnerability - that's PrintNightmare. Redmond says the patch is working as designed and urges users to apply it. The Microsoft Security Response Center investigated reports that the patch was ineffective and concluded that, quote, "all reports we have investigated have relied on the changing of default registry settings related to Point and Print to an insecure configuration," end quote. 

Dave Bittner: And finally, devotees of the Marvel Universe, are you looking forward to the new "Black Widow" movie? It premieres today, you know. Of course you know, moviegoers. We are not judging. There's no shame in being a fan. Some of us may already have our tickets. But use caution and discretion when you enjoy. Tech Republic and others are circulating a warning courtesy of Kaspersky that scammers are baiting their hooks with a lot of "Black Widow" bait. Steer clear, especially of offers of early, free or pirated streaming of the flick. Movies aren't distributed via executables attached to an email, nor does watching one normally require you to reveal your name, address, passwords, grandmother's maiden name and so on. As always, viewer beware. 

Dave Bittner: Coming out of the pandemic, workplace conversations are shifting to office reopenings, who's coming back and how often. And many employees report they like the flexibility of working from home and having more control over their schedules. The folks at Unisys recently published results from their latest Digital Workplace Insights report, which looks into these issues. Leon Gilbert is senior vice president and general manager of digital workplace services at Unisys, and he joins us with their findings. 

Leon Gilbert: The creation of the report really came from, where is the world going post COVID, all right? We all knew that, eventually, you know, the vaccine would come along, and we wanted to, you know, sponsor this report to say, OK, well, where's the world going to go with regard to work? What are people going to do after, you know, the vaccine is complete, and people start to think about what does work look like going forward? So that was our rationale for thinking about, you know, let's do this piece of research and let's think about, you know, what is next for digital workplace and next for employees of companies. 

Dave Bittner: Yeah. I mean, it's an interesting report for sure. One of the things that struck me was more than once, there's some disconnects between what the employees are saying are important to them and what the business leaders are saying are important to them - or at least how they're coming at some of these questions. Can you take us through some of those things that you found? 

Leon Gilbert: Yeah. No, I think it's a very valid question. You know, I think you look at some of those responses where you see the business leader says one thing and the employee says something else. But I think that there are some as well, Dave, where, you know, there is a - I would say there's a correlation. But there are absolutely some where - you know, if I take for example one of them where, I think, 51% of business leaders and - but 64% of employees agree that a work location schedule is most conducive to family life and an ideal experience, right? But, you know, it was only 50% of those business leaders but 64% of the employees. So there is definitely a gap there. 

Leon Gilbert: I think if I think about this at a more holistic basis, I think the race for talent in this global economy is huge. And business leaders really start to - need to start to really understand what their employees are looking for and what, you know, benefits and - that actually benefits them. It's not - no longer just a monetary discussion in my mind. I was reading something yesterday that the - you know, that said that, I think, people, even with a $30,000 salary increase, they would rather actually work from home than actually get the monetary increase, which I found, you know, astounding when I sat back and thought about it. But actually, it's true. I think people, you know, have found that they haven't skipped a beat since they've actually been at home, which has been hugely beneficial for companies. And I think it's opened a lot of people's eyes out, but there is still some thought process there that, you know, people have to be in the office. 

Leon Gilbert: For me, Dave, I think it is a mix, right? You're going to get what I would term a hybrid, where you have some in the office, some at home, and you maybe do two days on, three days off. And I think that also, you know, benefits both employee and employer. And I think that's where I see this industry - you know, I see, you know, the economy and the kind of world going. Yes, sure, Dave, you're going to get some companies where it's five days a week back in the office - thinking about banking, financial institutions. But others - right? - I think will be a lot more flexible. And they should be if they want to retain and attract the talent. 

Dave Bittner: Yeah. Some of the other findings in the report that were particularly interesting to me were you focused on communications between employers and the business leaders and how both of them value communication. But, you know, some - it seemed like the leaders were having a little more challenge with communication than some of the employees were. 

Leon Gilbert: Yeah. I think, you know, with the advent of, you know, all of the - of what we would term the collaboration and communications tools - let's just take Zoom as an example, right? Zoom isn't just about talking to your grandmother and doing fitness classes, right? It is - to me, it's about - you know, it's the way that people have learned to communicate through this pandemic. And - but I think it's the way that people will start to - primarily will communicate going forward, whether it's Zoom or other platforms, Teams, example. 

Leon Gilbert: But to me and to us as an organization, what is crucial is the way - the companies need to start thinking about, what is that experience, right? It is, what is that - you know, two people aren't left in a disparity, right? We want digital parity, but we also want experience parity. I think that was one thing that we saw during the research is - you know, and what's important to us is around the experience parity and whether you're in an office, whether you're at home that you are - you know, you have that same experience of those tools. And, you know, how you start to - you know, you don't want it where if you're in the office, you know, it doesn't work as well as at home. One thing we have to remember, Dave, when people start to go back to the office and start to use these tools, many offices weren't built for 200 people suddenly on video, right? So their network isn't necessarily strong enough if you think about that. So it's - companies are going to have to start thinking about their bandwidth. How do they measure that? And does that cause a disparity between those who are actually at home versus those who are in the office? 

Dave Bittner: Right. 

Leon Gilbert: So there's lots of factors to kind of - in this new hybrid world. 

Dave Bittner: That's Leon Gilbert from Unisys. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Andrea Little Limbago. She is vice president of research and analysis at Interos. Andrea, it's always great to have you back. I want to check in with you today on, I think, what we can perceive as being a growing trend of government access to data and this whole notion of, do governments need backdoors or not? What can you share with us today? 

Andrea Little Limbago: Yeah, I just completed a study looking at - at the country level - what governments are doing in the area of mandating government access to data. And so you can think of, on the one hand, you know, we hear an awful lot every single day about governments hacking into other systems and going in illegally. But for across the globe, we're really starting to see a growing trend of governments basically putting within their cybersecurity and internet laws a mandate that they can access data when they want to. And it ranges - I mean, there's a whole spectrum of - you know, from very well-codified rule of law - we need to have access, we need to show a warrant and when we want to have access within very discreet circumstances - to basically, you know, non-transparent. If a government comes to a company that is based in that country and says, we need this data, you are required by law to turn it over. 

Andrea Little Limbago: And so it has huge private sector implications. And that's - one of the aspects that I really wanted to look at was, you know, as the private sector is starting to think about where they're located across the globe in different ways than they used to previously, you know, looking at how the regulatory frameworks of those countries should impact those decisions. And I look at this as yet another cyber-risk when thinking about, you know, your global footprint. So it is something that is growing, with more and more countries starting to require that kind of access. 

Dave Bittner: And to be clear here, I mean, we're talking about democracies, right? I mean, different democracies are treating this in different ways. 

Andrea Little Limbago: So it's all - so it's across the board. And so that's where I'd say - so on the one hand, you know, you have democracies that are not at all allowing a lot of this, or if they do, it's a very - it's a scalpel, very transparent. All the way over to - you know, China has their law. That actually was interesting that the U.S. national counterterrorism - or counterintelligence and security center actually tweeted about China's laws on - if you are a company and you're based in China, here's some legal frameworks you need to be aware of as far as their security laws require access to that data. And so I think it's actually interesting that, you know, we have counterintelligence aspects of our government warning about other countries' laws and access to it. But those are kind of the extremes. But within the last few days, Mauritius, which is a fairly solid democracy - if you look at, like, on Freedom House and other kinds of democracy scales, they're a pretty solid democracy. And they just announced that they're exploring basically putting a certificate on all laptops to do sort of, you know, like a man-in-the-middle kind of access to encrypted data and decrypting it and having just complete access across the board, if they want to. 

Dave Bittner: Where is this? 

Andrea Little Limbago: In Mauritius. 

Dave Bittner: Wow. 

Andrea Little Limbago: So that's, you know, one of the ones that kind of, like, to me, is a striking outlier because it is a fairly solid democracy. But then it's taking in these tools of the authoritarian playbook. And that's what we see more and more. We see these tools being brought in. You know, India is another good example, where we have sort of this push towards greater data protection, but at the same time, internet blackouts, more surveillance going on, greater concerns about those kinds of information access and control. And so it's really - you know, it's something - absolutely keep an eye on. When we talk about the regulatory frameworks that are going on, we often think about data privacy laws, and that's great. 

Andrea Little Limbago: Those are absolutely something that - for companies and governments be aware of. But sort of the reverse is true, where, you know, under the auspices of greater security, national security and so forth, you may have to turn over your data. And it's not just your data. It's not just, you know, asking here and there for, perhaps, like, social media access and passwords and so forth. You know, at times, it's source code. and Russia has the source code requirement. And so companies have had to do that. And so that's - it diffuses across the globe. 

Andrea Little Limbago: And, you know, I think that's probably one of the more troubling aspects of it - is that, you know, these models and these models and these tactics don't just stay within - you know, within your - you know, the four. You're thinking about your China, Russia, North Korea and Iran. Those tactics really are starting to get adopted elsewhere. And Vietnam has a very strict cybersecurity law they passed in 2019 for much larger surveillance, you know, enforcing governments and companies to comply with data access when approached. You know, Kazakhstan, Uzbekistan - like, there's a just - it's a growing number that are really starting to apply a whole range of tools. And, you know, some of it's for censorship, and some of it is for greater surveillance. But at the end of the day, for private companies that are doing business in that - those parts of the world, you know, it's just another risk they need to be aware of. 

Dave Bittner: Right. How much of this - you know, for a global company who has, you know, their hand in businesses around the world, how much of this is based on geography? And how much of this is based on sort of citizenship? You know, GDPR famously reaches out to European citizens regardless of where they are. 

Andrea Little Limbago: Yep. Yeah. No, that's a good question. For a lot of these, it is within their own territory only. And so that's where you saw the notion of digital sovereignty or cyber sovereignty, where the governments want to have the control of that information within their own borders. What we're seeing, though - and this is recently - and we'll see what happens with China and their companies. You know, they're forbidding as well now their foreign companies for turning over data abroad. And so it's almost the reverse going on, too, now. So, you know, at the end of the day, it's for control. 

Dave Bittner: (Laughter). 

Andrea Little Limbago: And so for GDPR, it's - you know, it's protecting their citizens. So it's the flip side of it. For some of these other countries, it's really just complete information control as far as they possibly can but with a - you know, with a focus really on their own - within their own domestic borders. And that's the argument. And the concern, really, is not only that, you know, it's going on there and that other countries may adopt that kind of model. There's also - these countries are also taking and having bigger power in some of the international organizations that shape the standards and norms. And so you see this - when you hear about the push for cyber sovereignty at the U.N., for example, it's for pushing for more of these kind of norms that allow governments to do whatever they want within their borders, have complete access and so forth, all in their auspices of sovereignty, when really, it's for, you know, controlling the narrative and controlling information. And if those are the kind of norms and laws that are - you know, the policies that start getting passed at the IGOs, that also becomes troublesome. 

Dave Bittner: Yeah. I'm imagining an extreme situation where we start seeing data centers being installed in embassies. 

Andrea Little Limbago: Well, I mean, so that's a big issue - where the data centers are, right? I mean, that's - it absolutely has huge implication for the data centers, especially when you start thinking about some of the data localization requirements and the local data storage. But yeah, where the data centers are is going to - I think that's also going to be a big component as far as starting to think about, you know, where your risks are and knowing where your data is even flowing through and what kind of access there is in those areas. 

Dave Bittner: All right. Well, Andrea Little Limbago, thanks for joining us. 

Andrea Little Limbago: All right. Thanks, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: If you need some companionship while you are puttering around the house this weekend, check out Research Saturday and my conversation with Daniel Kats from NortonLifeLock. We'll be discussing their research - encrypted chat apps doubling as illegal marketplaces. That's Research Saturday. Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.