Cybersecurity Saturday

Bleeping Computer brings us up to date on the Kaseya cyberattack:

The REvil affiliate responsible for this attack chose to forgo standard tactics and procedures. Instead, they used a zero-day vulnerability in Kaseya’s on-premise VSA servers to perform a massive and widespread attack without actually accessing a victim’s network.

This tactic led to the most significant ransomware attack in history, with approximately 1,500 individual businesses encrypted in a single attack.

Yet, while BleepingComputer knows of two companies who paid a ransom to receive a decryptor, overall, this attack is likely not nearly as successful as the REvil gang would have expected.

The reason is simply that backups were not deleted and data was not stolen, thus providing the ransomware gang little leverage over the victims.

There’s a lesson in there for both sides: intact backups and the absence of stolen data left the attackers with very little to bargain with, which is why a 1,500-victim attack produced so few known payments.

Cyberscoop provides background on the REvil gang.

[REvil is] one of the more prominent ransomware-as-a-service groups, experts say, in which other criminals can use a strain of ransomware on a rental or subscription basis, or in exchange for a share of the payments. That business model lowers the barrier for anyone to get into the business of ransomware, because it requires no technical expertise in developing the code itself. It’s a trend that’s contributed to the rise of the ransomware phenomenon.

On the good guys’ side

  • The Wall Street Journal reports that “New York City has become the first major American metropolitan area to open a real-time operational center to protect against cybersecurity threats, regional officials said. Set in a lower Manhattan skyscraper, the center is staffed by a coalition of government agencies and private businesses, with 282 partners overall sharing intelligence on potential cyber threats. Its members range from the New York Police Department to Amazon.com Inc. and International Business Machines Corp. to the Federal Reserve Bank and several New York healthcare systems. Until last week, the two-year effort known as New York City Cyber Critical Services and Infrastructure was completely virtual.”
  • Cyberscoop informs us that “Few people, if any, seem to grasp the breadth and cost of the scourge, as there are no legal requirements for victims to disclose when they pay hackers to unlock their network. That, combined with the suspicion that most victims don’t report their digital extortion payments, makes it harder for law enforcement and security firms to combat attacks, or even understand how to fight them. That’s the impetus behind a project that Stanford University student and security researcher Jack Cable launched on Thursday, dubbed “Ransomwhere,” a plan to track payments to bitcoin addresses associated with known ransomware gangs. “Having public transparency around the impact of ransomware, especially as we’re proposing and considering different actions to try to combat ransomware — we’ll need a way of seeing whether those actions actually work,” Cable said in an interview with CyberScoop.”

On July 6, according to CISA, “Microsoft has released out-of-band security updates to address a remote code execution (RCE) vulnerability—known as PrintNightmare (CVE-2021-34527)—in the Windows Print Spooler service.”
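The note above only reports that the update shipped. What a practitioner wants to check on each Windows host is whether the Print Spooler is running at all, whether an update has landed, and whether the Point and Print policy values that Microsoft said undermine the fix are set. The PowerShell below is an added example, not code from this page, CISA, or Microsoft; it assumes an elevated session and a host that is not a print server, and the `-DisableSpooler` switch and the 2021-07-06 date filter are illustrative choices, not something the advisory prescribes.

```powershell
# Added example (not from the page, CISA, or Microsoft): triage one Windows host
# for CVE-2021-34527 (PrintNightmare). Run from an elevated PowerShell session.
# Assumption: the host does not need to print. On a print server, keep the
# spooler, apply the update, and restrict inbound connections via Group Policy
# ("Allow Print Spooler to accept client connections" = Disabled) instead.
param(
    [switch]$DisableSpooler   # hypothetical switch: only act when explicitly asked
)

# 1. Is the spooler even running? A stopped, disabled spooler is not exploitable.
$spooler = Get-Service -Name Spooler
"Print Spooler: Status=$($spooler.Status) StartType=$($spooler.StartType)"

# 2. Point and Print values. Microsoft's guidance for the out-of-band update was
#    that both must be 0 or absent; a non-zero value leaves the host exposed
#    even after patching.
$pp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $value = (Get-ItemProperty -Path $pp -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value -or $value -eq 0) {
        "$name is absent or 0 (OK)"
    } else {
        "WARNING: $name = $value (must be 0 or absent per Microsoft's guidance)"
    }
}

# 3. Any updates installed since the out-of-band release? The KB number differs
#    per Windows build, so this filters by install date (assumed cutoff
#    2021-07-06) rather than hard-coding one KB.
"Hotfixes installed on or after 2021-07-06:"
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2021-07-06' } |
    Select-Object HotFixID, InstalledOn

# 4. Workaround from Microsoft's advisory for hosts that never print: stop the
#    service and keep it from starting again at reboot.
if ($DisableSpooler -and $spooler.Status -eq 'Running') {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    "Print Spooler stopped and disabled."
}
```

The date filter is only a weak signal, because the update was released in stages for different builds; confirm the installed KB against Microsoft's advisory for the host's specific version before treating it as patched. Disabling the spooler also stops local printing, so step 4 belongs on servers and workstations that genuinely have no printing need.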

For other news, here is a link to Bleeping Computer’s The Week in Ransomware.