The CyberWire Daily Podcast 7.26.21
Ep 1382 | 7.26.21

The source of Kaseya’s REvil key remains unknown. Cyber incident disrupts port operations at Cape Town and Durban. Updates on the Pegasus Project. And a guilty plea in a swatting case.

Transcript

Dave Bittner: Kaseya isn't saying where it got its REvil decryptor. Transportation services are disrupted at two major South African ports by an unspecified cyberincident. Another company is mentioned as an alleged source of abused intercept tools as the controversy over NSO Group's Pegasus software continues. Johannes Ullrich from SANS on supply chains, development tools and insecure libraries. Our own Rick Howard looks at enterprise encryption, and a guilty plea gets a swatter five years.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 26, 2021. 

Dave Bittner: Kaseya continues its recovery from the REvil ransomware attack mounted against its VSA product. The company's most recent update on the incident came out Friday afternoon and simply said that Kaseya was supplying the key and helping customers decrypt files affected by the attack. It's brief enough to quote in full. Quote, "Kaseya's incident response team, assisted by Emsisoft, continues to provide our customers with the decryption key and help them to restore any encrypted data that was not previously restored from backup. We have no reports of problems or issues with the decryptor," end quote. 

Dave Bittner: Where Kaseya got the decryptor for REvil remains unclear. CNN reports that Kaseya is requiring businesses that want to receive the key to sign a nondisclosure agreement before the decryptor is released to them. Emsisoft, working with Kaseya, says that they verified that the key works as promised. But it's not disclosing the key's origin, either. The NDA and Kaseya's declining to comment on where the key came from has driven speculation that they paid the ransom - although how that was accomplished with the REvil gang apparently on the lam isn't clear either. 

Dave Bittner: But there are any number of possibilities - there's some other private channel to the gang; the key was developed by a private company; the key was provided by a government that doesn't wish to compromise sources or methods and so on. At this point, speculation about a ransom payment remains just that - speculation. At 1 o'clock this afternoon, Kaseya issued another update, apparently prompted by such speculation, in which they categorically deny paying ransom. Quote, "Kaseya has maintained our focus on assisting our customers. And when Kaseya obtained the decryptor last week, we moved as quickly as possible to safely use the decryptor to help our customers recover their encrypted data. Recent reports have suggested that our continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks, but nothing could be further from our goal. While each company must make its own decision on whether to pay the ransom, Kaseya decided, after consultation with experts, to not negotiate with the criminals who perpetrated this attack. And we have not wavered from that commitment. As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom, either directly or indirectly, through a third party to obtain the decryptor," end quote. 

Dave Bittner: The Daily Beast's Shannon Vavra tracks Kaseya's various statements about the source of the decryptor, and there's still no clear account. It's worth noting, as Threatpost does, that decrypting one's locked files - a good thing in itself - still leaves open the possibility that REvil could sell, publish or otherwise abuse data stolen over the course of the attack.

Dave Bittner: The South African ports of Cape Town and Durban, last Thursday, disclosed that operations had been disrupted by an unspecified cyberattack, Reuters reports. According to IOL, the disruptions appear to be connected to problems at Johannesburg-based and state-owned intermodal transport company Transnet, with road transportation to the port of Durban also seeing the effects of the attack. Splash 24/7 says that Transnet has identified and isolated the source of the incident, but that it's released no details of the cyberattack itself. Services are resuming manually, with priority going to refrigerated containers. 

Dave Bittner: Last week, it had been reported that French authorities had opened an investigation into a cyberespionage operation conducted against French targets by Moroccan intelligence services using NSO Group's Pegasus intercept tool. Morocco World News has since claimed that this didn't happen. Neither the tool nor the intelligence service is right. French President Macron was not spied on by Moroccan intelligence services using NSO's Pegasus, but rather by other unknown parties using tools delivered by the UAE-based company Dark Matter. 

Dave Bittner: The Guardian quotes WhatsApp CEO Will Cathcart as saying that a 2019 campaign that sought to surveil some 1,400 users of the messaging app bore similarities to the intrusions project Pegasus has reported. Among those targeted were, he says, senior government and security officials, many of them in countries that are allied with the U.S. WhatsApp is currently engaged in a lawsuit against NSO Group over the incident. The Pegasus project, of course, is the cooperative journalistic investigation into NSO Group. Amnesty International on Friday added to the material published in connection with the investigation, publishing more criticism of NSO Group's alleged role as a key enabler of surveillance by repressive regimes. 

Dave Bittner: Amnesty, while a longstanding critic of NSO Group, would seek to generalize the issue to cover intercept tools in general. The group's Friday report said, quote, "Amnesty International is calling for an immediate moratorium on the export, sale, transfer and use of surveillance technology until there is a human rights-compliant regulatory framework in place. NSO Group is licensed to export Pegasus software by the Israeli Ministry of Defense. Amnesty International is calling on the Israeli government to revoke existing export licenses to NSO Group, given the risk its spyware could be used for human rights violations. In addition, NSO Group should immediately shut down client systems where there is credible evidence of misuse. The organization - this is Amnesty - is also calling on the company to publish a human rights compliant transparency report that discloses incidents of misuse of their products, destination countries, contracts and other information necessary to fully investigate the possible occurrence of human rights abuses linked to their business," end quote. 

Dave Bittner: NSO Group continues to deny that it acted improperly in selling any of its tools. The sales were all correctly vetted, the company says. And if there was subsequent abuse, that's the fault of the government customers, not NSO Group. The CEO of NSO told Israel Hayom that either Qatar or the BDS movement - the Boycott, Divestment, Sanction Movement that advocates isolating Israel in the interest of the Palestinian cause, or possibly both - is the hidden hand guiding project Pegasus. The hidden hand of slander, government abuse or corporate misconduct - whatever the case may be - controlling the sale and abuse of intercept tools is a difficult proposition. 

Dave Bittner: And finally, the dangerous and loathsome practice of swatting that claimed another victim in 2020 has resulted in one guilty plea. The Washington Post reports that Mr. Shane Sonderman, age 20, of Lauderdale County, Tenn., was sentenced last week in Memphis federal court to five years in prison after pleading guilty to one count of conspiracy. In April of last year, police received a report that a 60-year-old man, Mark Herring, had killed a woman and set up pipe bombs around his house, which he would detonate if police showed up. The police in Sumner County, Tenn., did show up, guns drawn, and ordered Herring to come out with his hands in sight. Herring did so, but collapsed and subsequently died of a massive heart attack, probably brought on by the stress of the raid. 

Dave Bittner: The pettiness of the swatter's grievance is beyond belief. Mr. Sonderman was a collector of desirable social media handles, which he resold. And he wanted the @Tennessee handle that Herring, a fan of the University of Tennessee sports teams, had created and used. Herring didn't surrender the handle. So Mr. Sonderman quickly escalated within a few hours to swatting. Mr. Sonderman and his coconspirator, an unnamed British minor, had done similar things to at least five other people. Their persuasion included having unordered cash-only pizza delivered to their marks, placing phone calls and texts, falsely reporting fires, threatening to kill family members and so on. The five years Mr. Sonderman received seems a bargain. His attorney says that Mr. Sonderman is young, at the beginning of his life and that he fell into bad chat company in Discord and online gaming sites, and that these became for him a royal road to crime. So it seems another case of the strange, savage disinhibition the virtual world works on too many of those who frequent it. For what it's worth, his lawyer says Mr. Sonderman regrets what happened sincerely - for what it's worth. Paul Herring is survived by three children and six grandchildren.

Dave Bittner: And it is always a pleasure to welcome back to the show our own Rick Howard, host of the "CSO Perspectives" podcast, also our chief security officer and chief analyst. Rick, welcome back. 

Rick Howard: Thanks, Dave. 

Dave Bittner: So you just kicked off Season 6 of your "CSO Perspectives" podcast. What is the general theme you're following for this season? 

Rick Howard: So for this season, we're going back to our cybersecurity first principle wall and filling in some of the blank spots. You know, Dave, in past seasons, we did deep dives on two key strategies, intrusion kill chain prevention and zero trust. But we hadn't yet gone too deep on another key and essential strategy called resilience.

Dave Bittner: Now, I remember you did do an episode on resilience back in Season 1. So let's just do a quick refresher here. What exactly are we talking about with resilience? 

Rick Howard: Yeah. You're right. So in Season 1, Episode 9, we introduced the concept of resiliency. And by the way, we made the entire Season 1 of "CSO Perspectives" available on the ad-supported side for anybody who wants to check it out. But in that episode, I put forth a resilience definition that I liked coined by two Stockholm University researchers, Janis Stirna and Jelena Zdravkovic. How about that for pronunciation. 

(LAUGHTER) 

Rick Howard: Anyway... 

Dave Bittner: They probably have a hard time saying our names. So... 

Rick Howard: I'm sure they do. 

Dave Bittner: (Laughter). 

Rick Howard: So they define resiliency as, I quote, "the ability to continuously deliver the intended outcome despite adverse cyber events," unquote. And one adverse cyber event that seems to be having a moment this year is ransomware. And network defenders should look to their resiliency strategy in order to reduce the probability that ransomware groups will successfully extort us in the future. 

Dave Bittner: Yeah. Well, you're certainly right about ransomware having a moment. I mean, obviously, we had the big, splashy attacks against Colonial Pipeline and JBS Food. And I saw the NBA recently got hit. And, of course, there was... 

Rick Howard: I know. The NBA, come on (laughter). 

Dave Bittner: Yeah. If only they had resources, right? 

Rick Howard: (Laughter). 

Dave Bittner: And we had the latest one against Kaseya. And, of course, that's just the tip of the iceberg there. Now back to resilience. I mean, can we use resiliency as the strategy to defeat things like ransomware? What sort of tactics are you advocating to support that notion? 

Rick Howard: So in order to have any chance here, you have to get two - count them, two - non-sexy resiliency basics right, OK? And it's encryption and backups. And both sound easy when you say them fast. But it turns out it's very difficult to deploy them in any robust manner. So in last week's episode, I talked about the state of encryption for the cybersecurity industry. And in this week's episode, I talked to two of our subject matter experts at the CyberWire hash table to see how they approach the problem. Wayne Moore, the CISO of a company called Simply Business, one of the U.K.'s largest insurance providers to microbusinesses and landlords, and Don Welch, the Penn State University's interim VP for IT and CIO. 

Dave Bittner: All right. Well, we'll look forward to hearing all about that. That is "CSO Perspectives." It is part of CyberWire Pro. And you can find out all about it over on our website, thecyberwire.com. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute and also the host of the "ISC StormCast" podcast. Johannes, it is always great to have you back. I wanted to touch today on supply chain issues. So this has certainly been a hot topic in the news lately. You got some specific things you wanted to touch on today. 

Johannes Ullrich: Yeah. Now, we always, you know, talked about when we talk about supply chains of these insecure libraries that we all love to install and sort of, you know, write duct tape around it to create software. What I'm going to talk about is not those libraries themselves but the tools that we use to manage those libraries. Whatever programming language you use, it has some tool that will automatically download dependencies because, well, you know, when you install a library, you probably need, like, another dozen or so libraries that support that library. But in nature of what these tools are doing, they often do execute code that they receive with those libraries. 

Johannes Ullrich: So now essentially you allow the site that you download those libraries for to execute code on the developer's machines. And that part has sort of gotten a little bit more attention lately in a good and bad way - in a good way in that people are looking at it closer - in a bad way - well, once they start looking, they actually find problems with how libraries - or how these tools are doing this. Most lately, PHP of all things - PHP has this Composer tool, which basically is the PHP way of managing your packages. And when it downloads code, the site that actually tells you where to find those libraries will provide you with a URL. And then it just appends those URLs to Git or whatever tool it uses to download these libraries. Well, it didn't correctly sanitize those URLs.

Johannes Ullrich: So now you're able to add additional command line parameters to Git, which can then be used to execute arbitrary code. So this could, first of all, be used to compromise developer machines. In the case of a PHP, it could also be used to compromise the sites that you're using to manage libraries. So Packagist - that's, like, the big repository for a PHP - I believe something like 1.4 billion downloads every month. It runs Composer. It runs the tool to download code. So you could compromise that library and then sort of get that - you know, that famous snowball effect we have seen with some of these supply chain attacks where, hey, I'm attacking one developer. I'm using that to attract more developers. And all of a sudden, I have a compromise like this sort of spinning out of control. 

Dave Bittner: Is there something that can be done here in terms of a chain of custody, dare I say, a blockchain of custody? 

Johannes Ullrich: Well, who do you allow into this blockchain of custody? So... 

Dave Bittner: Right, right. 

Johannes Ullrich: ...That's part of the supply chain problem at provenance. You know, do we know where the library came from? But the great thing about - the reason why some of these open-source projects flourish is there's a very low bar of entry to actually get into that ecosystem. And, you know, Apple has attempted some of that with its certificates. But of course, you know, a hundred dollars gets you an Apple developer certificate. That's maybe a high bar of entry for a hobbyist developer but not a high bar at all for a criminal that wants to steal your crypto coins.

Dave Bittner: Right. Is there a potential solution on the horizon here? Or what sort of things do you recommend? 

Johannes Ullrich: Well, I think really, you know, keep looking for flaws in these tools. That's, I think, the number one issue we can do to secure the tools themselves. Maybe make them a little bit more transparent to the developer that manages libraries to really see what they're doing, what code they're executing as part of installing those libraries. That may help. But I think for now just, you know, let's try and get the obvious flaws out of the way before bad guys start exploiting them. And then, as always, you know, where you manage libraries like this, the sort of internal mirrors or such of any repositories that you're building, that's your crown jewel as a developer. So add additional layers of security to them. Check if the office - have them start exfiltrating credentials or, you know, what sites they're connecting to. 

Dave Bittner: All right. Well, good information is always - Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Tre Hester, Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.