The CyberWire Daily Podcast 7.12.21
Ep 1372 | 7.12.21

Kaseya and REvil--the state of recovery. President Biden calls President Putin to ask for action on ransomware. Cyber incident in Iran. Ukraine says its naval website was hacked. Tracking ransom.
Dave Bittner: Kaseya has patched the VSA On-Premises and SaaS versions affected by REvil ransomware. The U.S. tries some straight talk about privateering with Russia. Russia's private internet poses some challenges for international security. Iranian rail and government sites were hit with a cyber incident over the weekend. Ukraine says Russian threat actors defaced its naval website. Carole Theriault looks at ethics in phishing simulations. Josh Ray from Accenture tracks real-world incident response trends. And tracking just how much the ransomware gangs are taking in.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 12, 2021. 

Dave Bittner: Kaseya yesterday afternoon pushed fixes for VSA's On-Premises and software-as-a-service versions. At 8 o'clock a.m., the company's update indicated that patching was proceeding quickly. 

Dave Bittner: They stated, "as posted in the previous update, we released the patch to VSA On-Premises customers and began deploying to our VSA SaaS infrastructure prior to the 4 p.m. target. The restoration of services is now complete, with 100% of our SaaS customers live as of 3:30 a.m. U.S. Eastern Daylight Time. Our support team continues to work with VSA On-Premises customers who have requested assistance with this patch," end quote. 

Dave Bittner: The large-scale fix has, as one might expect, stressed Kaseya's systems. The company announced later this morning that, quote, "unplanned maintenance will be performed across the entire SaaS farm today, between 12 p.m. to 2 p.m. Eastern Daylight Time, with an expected downtime of 20 minutes. With the large number of users coming back online in a short window, we have seen some performance issues. We made some configuration changes to address and need to restart the servers for these to take effect and improve performance." 

Dave Bittner: In the company's Saturday evening video update, EVP Mike Sanders advised customers to clean up Active Directory and any users tied to the VSA, and specifically to remove any users who don't require access. He also recommended that customers install the FireEye agent to perform a deep scan of their VSA, ensuring that they have a clean environment. The Sunday afternoon updates required all users to change their passwords. All agents were set to suspended mode, and customers will have to turn them on as needed. 

Dave Bittner: In an hourlong phone call Friday, U.S. President Biden communicated his expectations concerning ransomware operations to Russian President Putin. Reuters reports that in President Biden's estimation the call went well and that he expects Russian cooperation against gangs like REvil. Mr. Biden said, quote, "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," end quote. 

Dave Bittner: Should expected Russian cooperation not be forthcoming, President Biden said the U.S. was prepared to take certain actions on its own. He and administration officials declined to say what such actions might be. At the White House daily press conference on Friday, press secretary Psaki said President Biden, quote, "underscored the need for President Putin to take action to disrupt these ransomware groups," end quote. 

Dave Bittner: Her explanation offered Moscow a way of preserving deniability. Quote, "REvil operates in Russia and other countries around the world, and we do not have new information suggesting the Russian government directed these attacks. We also believe they have a responsibility to take action. The president made clear the United States will take any necessary action to defend its people and critical infrastructure," end quote. 

Dave Bittner: Russia's foreign ministry described the presidential phone call briefly and repeated its contention that Russia has heard nothing about this or any other cybercriminal activity over the past month. 

Dave Bittner: A post on the ministry's Facebook account said, quote, "in the context of recent reports on a series of cyberattacks ostensibly made from Russian territory, Vladimir Putin noted that despite Russia's willingness to curb criminal manifestations in the information space through a concerted effort, no inquiries on these issues have been received from U.S. agencies in the last month. At the same time, considering the scale and seriousness of the challenges in this area, Russia and the U.S. must maintain permanent, professional and nonpoliticized cooperation. This must be conducted through specialized information exchange channels between the authorized government agencies, through bilateral judicial mechanisms and while observing the provisions of international law," end quote. 

Dave Bittner: This doesn't sound like a clear promise of cooperation on ransomware, and hostile editorials have been slow to argue that the Kremlin will dismiss this kind of conversation as so much gas until the U.S. takes some action that hurts people who count in the Russian scheme of things. 

Dave Bittner: And the U.S. administration seems itself not to think that a ransomware fix will be either quick or easy. GovInfoSecurity says that unnamed senior U.S. officials frame the presidential conversation as one element of a broader push toward greater U.S. resilience with respect to ransomware and other cyberthreats. They also urge people to contain any expectations of swift results. The anonymous official said, quote, "so this is a broad campaign and won't have an immediate on-off effect like a light switch," end quote. 

Dave Bittner: There may be reason to think that Russia's RuNet initiatives may represent an attempt to position Russia operationally for more deniable hybrid warfare. While RuNet, which is shorthand for a set of initiatives generally aimed at creating a Russian internet that would be substantially distinct from the rest of the web, has generally been seen as serving the kind of domestic control and autarky that China's Great Firewall does, RuNet may have other objectives. 

Dave Bittner: The Atlantic Council has released a study of RuNet's implications for international security. One particularly dangerous result may be the ways in which RuNet could be used to stage and facilitate proxy attacks by criminals and privateers. 

Dave Bittner: Successful implementation of RuNet may also increase Moscow's sense of immunity from cyberattack, rendering deterrence less readily attainable. And, of course, isolation of the Russian internet will tend to make cybercriminals more dependent on state assistance to reach their victims, pushing more of them in the direction of privateering as opposed to simply freebooting. 

Dave Bittner: The AP reported Saturday that a cyber disruption affected websites belonging to Iran's transport and urbanization ministry. The incident occurred after Iranian state television said that the country's passenger rail system on Friday faced long delay following a cyberattack. According to Bloomberg, train tracking systems were affected, as were station entrances, exits and ticket booths. Message boards announced long delays due to cyberattacks, the Guardian says.

Dave Bittner: No group has claimed responsibility for the incidents, and Iranian sources have so far offered no attribution. Iran's state-owned Press TV said that officials have confirmed a cyberattack, that investigation is in progress and that past attacks have been traceable to Israel and the U.S. 

Dave Bittner: Ukrainian officials said Friday that threat actors linked to Russia's government had compromised the website of the Ukrainian naval forces. According to Reuters, the aim appears to have been disinformation. The website compromise was used to publish, quote, "fake reports about the international Sea Breeze 2021 military drills," end quote. Russia has objected to the Black Sea exercise as a provocation. 

Dave Bittner: Finally, there's a lot of ransomware, but how much are victims actually paying? Well, more than one would like, but perhaps a bit less than fears would make it out to be. 

Dave Bittner: A new site - spell and pronounce it ransom where, as in where's the ransom? - is offering a crowdsourced tracker of extortion payments. It puts 2021's running total at $32,723,453.28, with REvil so far the leading earner. Pretty soon, you're talking about real money. 

Dave Bittner: Phishing simulations are a popular way for organizations to help keep their employees sharp and attentive when it comes to spotting and reporting potentially dangerous email, but it is not without controversy, as the CyberWire's own Carole Theriault points out in this commentary. 

Carole Theriault: So, OK, no surprise - I'm a big fan of cybersecurity training. I think that is the way employees can learn how to spot the more subtle scams that happen, either through email, social media or any other method of communication that we use all the time. 

Carole Theriault: Now, there are some really great folks out there all over the world that provide services to companies to help train your staff. They may give presentations. Some might even do simulation attacks. And that is what I want to talk about today. 

Carole Theriault: So some would argue that the way to conduct these phishing simulations ethically is to first warn employees that these may happen and to keep an eye out so they don't feel completely blindsided by a simulation. It also helps them keep aware because, after all, it's the vigilance you want to encourage. That is the key to spotting stuff that may have bypassed your security infrastructures. 

Carole Theriault: Now, others like to surprise. So you do a phishing simulation without telling anybody. You then share the results, provide training and then give them warning that you're going to do another simulation, and lo and behold, your staff score lower than they originally did on the phishing simulation oh-look-we-were-duped scale. 

Carole Theriault: And honestly, I don't mind which approach someone takes as long as the whole goal is not about tricking your employees, but more about teaching them to be very careful. 

Carole Theriault: A recent phishing simulation took place in the U.K. at a rail company. And I would argue this pushes the boundaries as to what is acceptable in terms of a phishing simulation you would expect to be conducted by your work, but you be the judge. 

Carole Theriault: Basically, employees were thanked for their service during the global pandemic. Some had lost family members, some even had died. The phishing simulation sent an email offering a bonus for all their hard work, and they were asked to click on a link to see the message from the company chief and to receive the amount that they were going to be bonused. Of course, there was no bonus. This was all a phishing simulation. 

Carole Theriault: And as you can imagine, the staff were not best pleased, nor was the union, who called it crass and reprehensible. And you know what? I agree. There should be limits on what kind of tests we put people through. 

Carole Theriault: So if you're thinking of conducting a phishing simulation or something similar in your place of work, make sure you review the content that is going to be included in the simulation, and don't leave it all up to a third party to make the decisions for you. It can rear up some nasty surprises. This was Carole Theriault for the CyberWire. 

Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He is managing director and also global cyber defense lead at Accenture Security. Josh, always great to have you back. I wanted to touch base and see what sort of things you and your team are tracking when it comes to incident response trends. What are you guys seeing these days? 

Josh Ray: Yeah. Dave, I will say that over the past four months, our incident response team have observed a massive amount of breach activity. And this is being primarily driven by, you know, SolarWinds, as you can imagine, but also actors that are exploiting the vulnerabilities in the on-prem version of Microsoft Exchange Server. 

Josh Ray: Dave, I'm not exaggerating when I say that in my 20-plus years, I've rarely, if ever, seen this level of volume. And I'll say that these attacks have caused some really substantial impact to organizations and in many cases significantly degraded their ability to conduct business. 

Dave Bittner: Wow. I mean, is this an all-hands-on-deck kind of situation - not just, you know, with your own team, but are you hearing from your colleagues around the industry that, you know, maybe people are even stretched a little thin? 

Josh Ray: I think it is. And, you know, across the industry, we're really seeing multiple threat actor groups kind of jumping on the bandwagon. But, you know, specifically of note, you know, our team has observed the Ryuk and the Hades ransomware being leveraged for really what we consider big game hunting, right? And this is targeting across multiple industries to include transportation, logistics, retail and even telecommunications. 

Dave Bittner: What are you seeing in terms of how incident response teams engage? I mean, how much of it is able to be done remotely? How much of it is, you know, people having to get on airplanes and travel to places and bring, you know, the equipment with them? 

Josh Ray: Yeah, we've been able to adapt our operations to primarily, you know, service clients remotely. And it was actually kind of funny that, you know, when you're talking about how do you adapt your own operations, I mean, the threat has kind of pivoted things as well, too. And it's actually been outlined really nicely. We recently wrote a blog about the Hades ransomware and kind of outlined some of the MITRE ATT&CK techniques observed in some mitigations. 

Josh Ray: But one of the things that was most interesting about how the Hades group is operating - or the threat group, rather - is, you know, how they were focusing on disabling endpoint defenses to include EDR. And they really adapted their TTPs to run more I guess what we'd call kind of hands-on keyboard operations. And this is really to inflict the maximum amount of damage and capture much higher potential payouts. 

Dave Bittner: So when one of your clients reaches out and they kind of throw up that bat-signal and they say, you know, we need help here, what are some of the things that they can do to make sure that that interaction is going to be a successful one? 

Josh Ray: Yeah. I would say, Dave, it actually starts even before the bat-signal goes up - right? - so ensuring that they have a robust crisis management, incident response and disaster recovery plans and really making sure that they have COOP plans that account for that ransomware or wiper attacks. You know, always - patching is always top of mind - making sure they're able to do that to the highest level. But, you know, considering deploying endpoint detection, EDR, across their environment and really making sure that they've got at least 90% coverage there is really critical. 

Josh Ray: We always talk about, you know, robust password policies as being kind of table stakes and using multifactor, you know, wherever possible. But, you know, if you're looking at RDP connections, which is how a lot of these threats, you know, are moving laterally, making sure that, you know, VPN and network level authentication is enabled. 

Josh Ray: And then, you know, finally, the last two things that we always talk about is really encrypting the data at rest wherever possible and protecting those keys - right? - to make sure that they're not storing credentials in files and scripts that are on shared locations, right? These might sound like common sense type of things, but it's really about kind of continuously training your users and making sure that the team that is helping to get the folks in a position to be successful have all the information upfront so that they can make sure that, you know, these things don't occur to begin with. 

Dave Bittner: All right. Well, Josh Ray, thanks for joining us. 

Josh Ray: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.