Responses to the Kaseya incident. A Lazarus Group sighting. Ongoing GRU, SVR campaigns. PrintNightmare patched.

Dateline Miami, Dublin (and maybe Moscow): Kaseya supply chain compromise.

Update Regarding VSA Security Incident (Kaseya) Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.

Developments in the Kaseya ransomware attack: recovery and response. (The CyberWire) As Kaseya continues to move closer toward normal operations and capacity, the US considers defensive and retaliatory options.

UPDATED: Thousands attacked as REvil ransomware hijacks Kaseya VSA (Malwarebytes Labs) A reported, severe ransomware attack against Kaseya VSA means the safest, quickest option is to shutdown Kaseya VSA servers now.

Kremlin says no US inquiries received over hacker attack on IT software company (TASS) It was reported earlier that the enterprise based in Dublin and with US headquarters in Miami was attacked by the hackers that were demanding a ransom of $44,900

Biden says ransomware attack caused ‘minimal damage’ to U.S. companies (Reuters) President Joe Biden said on Tuesday the ransomware attack centered on the Florida information technology firm Kaseya seems to have inflicted only “minimal damage” on American businesses.

Up to 1,500 businesses could be affected by a cyberattack carried out by a Russian group. (New York Times) “It totally sucks,” said the chief executive of the software company Kaseya, which was compromised Friday along with some of its customers.

Who’s behind the Kaseya ransomware attack – and why is it so dangerous? (the Guardian) The breach has affected hundreds of businesses around the world, and experts fear the worst is yet to come

Hackers behind holiday crime spree demand $70 million, say they locked 1 million devices (NBC News) The hacker gang behind an international crime spree that played out over the Fourth of July weekend says it has locked more than a million individual

Number of victims in major ransomware attack still unclear (ABC News) The company whose software was exploited in the biggest global ransomware attack on record says that so far it appears fewer than 1,500 businesses were compromised

Kaseya supply chain attack impacts more than 1,000 companies (TechRepublic) The REvil group is claiming that over 1 million devices have been infected and is demanding $70 million for a universal decryption key.

A Ransomware Attack Hit Up To 1,500 Businesses. A Cybersecurity Expert On What’s Next ( Dmitri Alperovitch says the scale of the attack, on software from U.S. firm Kaseya, is unprecedented. He wants President Biden to threaten sanctions on Russia for allowing cybercriminals to operate.

Kaseya: cyberattack never a threat, no infrastructure impact (Federal News Network) Software company Kaseya says the cyberattack it experienced over the July 4th holiday weekend was never a threat and had no impact on critical infrastructure…

What Happened in the Kaseya VSA Supply Chain Attack (Panorays) As if the SolarWinds attack wasn’t enough, the Kaseya VSA supply chain attack is likely to affect thousands of businesses. Here’s what you need to know.

Kaseya says 50 MSPs were affected by cyberattack (CRN) Vendor says patch for on-premise customers will be available within 24 hours after SaaS servers come back online

Kaseya Patches Imminent After Zero-Day Exploits, 1,500 Impacted (Threatpost) REvil ransomware gang lowers price for universal decryptor after massive worldwide ransomware push against Kaseya security vulnerability CVE-2021-30116.

Kaseya ransomware supply chain attack: What you need to know ( Read Charlie Osborne explain everything there is to know about the Kaseya ransomware supply chain attack on ZDNet : Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack on July 2, over the American Independence Day weekend. It appears that attackers have carried out

Hackers demand $70 million to end biggest ransomware attack on record (CBS News) Russia-linked group REvil infected thousands of victims in at least 17 countries via software company Kaseya, experts say.

Biden Directs ‘Full Resources’ to Respond to Kaseya Ransomware Attack (MeriTalk) The White House and key Federal agencies have been working since July 2 to assist in the response to the Kaseya ransomware attack, as President Biden gets set to meet this week with an interagency group taking a longer look at the ransomware problem.

Ransomware group REvil conducts 15 cyberattacks per week over 2 months, research shows (Fox Business) REvil, a ransomware group linked to Russian hackers, has conducted 15 cyberattacks per week over two months.

With ransomware attacks multiplying, US moves to bolster defenses (The Christian Science Monitor) As the private sector fends off more ransomware attacks, the federal government’s stepped-up efforts include the first national cyber director.

Kaseya ransomware attackers say: “Pay $70 million and we’ll set everyone free” (Naked Security) Are you feeling generous? Do you want to help others? These cybercriminals are hoping someone is and does…

Cyberattack on Kaseya Nets More Than 1,000 Victims, $70M Ransom Demand (Dark Reading) The provider of remote monitoring and management services warns customers to not run its software until a patch is available and manually installed.

Kaseya supply chain attack: What you need to know (Expel) A new ransomware attack upheaved the beginning of Fourth of July weekend. Fortunately, there are steps you can take right now to stay safe. Find out what’s happening and how Expel is looking ahead.

Hackers Demand $70 Million as Kaseya Ransomware Victim Toll Nears 1,500 Firms (SecurityWeek) IT management software maker Kaseya says up to 1,500 businesses are affected by the REvil ransomware attack, but claims to have found no evidence of malicious modifications to code.

Swedish Grocery Chain Coop Latest Victim of Kaseya Cyberattack (The Food Institute) Coop, one of Sweden’s largest supermarket chains, was forced to close some 500 stores due to an ongoing cyberattack affecting organizations around the world.

CompTIA Members Offer Aid to Victims of Ransomware Attack (CompTIA) Cybersecurity expert members providing assistance to industry peers, Rapid Response Team formed, CompTIA ISAO resources made available

Software Vendor Hack Leads To Ransomware Spree (Law360) Up to 1,500 businesses around the globe are recovering from ransomware attacks after a cyberattack on software vendor Kaseya, the company said Tuesday, in the latest case of hackers exploiting security flaws in the software supply chain.

What is a supply chain cyber attack? (Quartz) Supply chain hacks represent a growing cyber threat with the potential to greatly magnify the damage of a single security breach.

Attacks, Threats, and Vulnerabilities

Lazarus campaign TTPs and evolution (AT&T) Executive summary

AT&T Alien Labs™ has observed new activity that has been attributed to the Lazarus adversary group potentially targeting engineering job candidates and/or employees in classified engineering roles within the U.S. and Europe. This assessment is based on malicious documents believed to have been delivered by Lazarus during the last few months (spring 2021). However, historical analysis shows the lures used in this campaign to be in line with others used to target these

Kubernetes Used in Brute-Force Attacks Tied to Russia’s APT28 (Threatpost) The ongoing attacks are targeting cloud services such as Office 365 to steal passwords and password-spray a vast range of targets, including in U.S. and European governments and military.

Russia ‘Cozy Bear’ Breached GOP as Ransomware Attack Hit (Bloomberg) Hackers part of ‘Cozy Bear,’ people familiar with matter say. RNC official says ‘no indication’ computer systems hacked.

RNC says contractor breached in hack, GOP data secure (TheHill) The Republican National Committee (RNC) on Tuesday acknowledged that one of its contractors had been breached by hackers linked to Russia but said its data had not been accessed. 

The Republican National Committee said a third-party Microsoft IT contractor was breached in cyber attack last week, but no GOP data stolen (Yahoo) The breach comes less than a month after President Joe Biden warned Russian President Vladimir Putin about cyberattacks at a June 16 summit.

Security Agencies Warn on Russian GRU Global ‘Brute Force’ Campaign (MeriTalk) According to a joint advisory from the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and U.K.’s National Cyber Security Centre (NCSC), hackers from the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit – widely known as Fancy Bear or APT28 – utilized Kubernetes clusters to infiltrate targets in their global brute force campaign from mid-2019 through early 2021.

SolarWinds Hackers Still Targeting Microsoft, Focus on Support Staff (TechNewsWorld) Microsoft recently disclosed that it too was no doubt a victim of the same Russian-based hacker gang responsible for the SolarWinds onslaught. As some of the details surrounding the cyberattack become known, the bleak disclosures might justifiably cause a sniffled gasp indicating that if Microsoft can be breached, what hope is left for everyone else?

It’s Too Easy to Troll Like a Russian (Defense One) We’re scholars, but amateurs, and we found it alarming how quickly we imagined a personalized misinformation campaign with actual publicly available data.

Researcher Describes Potential Impact of Recently Patched SonicWall NSM Flaw (SecurityWeek) The vulnerability could allow an attacker to inject OS commands and access both the NSM platform and the underlying operating system.

Western Digital Users Face Another RCE (Threatpost) Say hello to one more zero-day and yet more potential remote data death for those who can’t/won’t upgrade their My Cloud storage devices.

Data breach at third-party provider exposes medical information of US healthcare patients (The Daily Swig | Cybersecurity news and views) Multiple hospitals affected by the cyber incident

Remote Workforce Monitoring Brings Up Privacy Concerns (Security Boulevard) The pandemic paved the way for expanded remote work possibilities, but companies looking to ensure employees remain on the job while at home have led some

Audacity clarifies privacy policy over spyware allegations (Computing) The first version of the privacy policy mentioned sharing data with potential buyers, governments and law enforcement

Security Patches, Mitigations, and Software Updates

Microsoft pushes emergency update for Windows PrintNightmare zero-day (BleepingComputer) Microsoft has released the KB5004945 emergency security update to fix the actively exploited PrintNightmare zero-day vulnerability in the Windows Print Spooler service impacting all Windows versions. However, the patch is incomplete and the vulnerability can still be locally exploited to gain SYSTEM privileges.

Microsoft issues emergency Windows patch to fix critical ‘PrintNightmare’ vulnerability (The Verge) Microsoft has rated this as a critical issue.

Microsoft releases out-of-band fix for PrintNightmare vulnerability (The Record by Recorded Future) Microsoft has released an emergency out-of-band security update today to patch a critical vulnerability—more commonly known as PrintNightmare— that impacts the Windows Print Spooler service and which can allow remote threat actors to take over vulnerable systems.

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Philips
Equipment: Vue PACS
Vulnerabilities: Cleartext Transmission of Sensitive Information, Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Improper Authentication, Improper Initialization, Use of a Broken or Risky Cryptographic Algorithm, Protection Mechanism Failure, Use of a Key Past its Expiration Date, Insecure Default Initialization of Resource, Improper Handling of Unicode Encoding, Insufficiently Protected Credentials, Data Integrity Issues, Cross-site Scripting, Improper Neutralization, Use of Obsolete Function

Moxa NPort IAW5000A-I/O Series Serial Device Server (CISA) 1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Moxa
Equipment: NPort IAW5000A-I/O Series Wireless Device Server
Vulnerabilities: Classic Buffer Overflow, Stack-based Buffer Overflow, Improper Input Validation, OS Command Injection

Security Compass Releases Research Report: The State of Threat Modeling in 2021 (BusinessWire) Security Compass today published the results of a new report, “The State of Threat Modeling in 2021.”

Peter Cochrane: The coming epidemic of data exfiltration (Computing) As people move jobs, they not only take their sought-after skills and abilities, they also take all their documents, data and stored knowledge with them

Dell’s UK senior VP: ‘The cybersecurity threat is critical’ (CRN) Speaking at a press roundtable event, Dayne Turbitt discusses the challenges facing the tech industry including cybersecurity and supply issues

Cyber Warfare Is The Last Competitive Advantage No One Sees & Why SolarWinds Is The Wakeup Call No One Heard. (Forbes) There’s no cybersecurity strategy good enough to win a cyberwar. Sure, everyone talks a good game, but the very structure of American (and other businesses around the globe) makes it nearly impossible to, for example, deliberately and significantly reduce EBITDA to prepare for cyber warfare.

Databarracks | Over half of businesses now have a policy on whether to pay out on ransomware attacks, says Databarracks research (RealWire) Reliance on cyber insurance, or paying out if cost is lower than internal recovery, highlight short-term approach

ZeroFox Deepens Platform with Vigilante, Expanding Dark Web Threat Intelligence on Cybercriminal Underground (BusinessWire) ZeroFox announces that it has joined forces with Vigilante, a globally recognized expert in Dark Web Threat Intelligence.

Zimperium Acquires Mobile Application Security Pioneer whiteCryption (BusinessWire) Zimperium, the global leader in mobile security, has broadened its portfolio of mobile application protection solutions by acquiring whiteCryption.

Exclusive Networks acquires Ignition Technology in emerging tech push (CRN) Acquisition will nurture new disruptive vendors as they emerge from late-stage start up mode, Exclusive claims

CyberRisk directors invest in Melbourne reseller Techtify (CRN Australia) Leong Wang and Wayne Tufek bought 50% of Brent Valle’s newest company.

CISA Conducts Market Research for .gov Top-Level Domain Services (Executive Biz) The Cybersecurity and Infrastructure Security Agency has issued a request for information on potential contractors that could support the operation of the .gov top-level domain.

FireEye stock leads security names higher after latest ransomware attack (NASDAQ:FEYE) (SeekingAlpha) The ETFMG Prime Cyber Security ETF (HACK) is trading up 1% versus the 0.4% gain for the broader tech sector (XLK) following a ransomware attack at U.S.

Revenge of the SaaS: Mandiant uses services to escape FireEye (IT Pro Portal) Let’s unravel the saga of two companies that never should’ve been put together.

SAIC’s deal for Unisys pays dividends for growth (Washington Technology) Leaping to No. 5 on the 2021 Top 100, Science Applications International Corp. leaned on Unisys Federal to achieve growth, and two other recent deals set the stage for more opportunities ahead.

Exabeam Named a Leader in the 2021 Gartner Magic Quadrant for SIEM for Third Consecutive Time (Exabeam) Exabeam is positioned highest on the Magic Quadrant for its ability to execute. FOSTER CITY, Calif., July 6, 2021 – Exabeam, the security analytics and automation company, today announced it has been named a Leader in the 2021 Gartner Magic Quadrant for Security Information and Event Management (SIEM). Exabeam is positioned highest for ability to…

Rapid7 Named a Leader for the Second Consecutive Time in 2021 Gartner Magic Quadrant for Security Information and Event Management (SIEM) (Yahoo Finance) Rapid7, Inc. (NASDAQ: RPD), a leading provider of security analytics and automation, today announced that it has been named a Leader in the Gartner 2021 Magic Quadrant for Security Information and Event Management (SIEM) for the second year in a row. Security teams face increasingly complex challenges as the attack surface continues to grow in size and scope, more infrastructure is shifted to the cloud and new applications, and threat actors develop new

Vietnamese star hacker tops cybersecurity platform leaderboard again – VnExpress International (VnExpress International) A 25-year-old Vietnamese cybersecurity expert is the top ranker of the June leaderboard compiled by security platform Bugcrowd.

Israeli spyware firm NSO hires Pillsbury amid fresh scrutiny (Reuters) Lawyers from Pillsbury Winthrop Shaw Pittman will advise the surveillance firm NSO Group on business development, U.S. government procurement rules and corporate compliance policies, according to a newly disclosed contract that comes as the Israeli company faces new criticism over alleged human rights abuses tied to its technology.

Privacy Pro Wynter Deagle Joins Sheppard Mullin in Del Mar (Valdosta Daily Times) Sheppard, Mullin, Richter & Hampton LLP is pleased to announce that Wynter L. Deagle has joined the firm as a partner in the Intellectual Property practice group and will be a member of its Privacy and Cybersecurity team. Deagle was most recently a partner at Troutman Pepper, where she was Office Managing Partner of the San Diego office. She is the 13th lateral partner to join Sheppard Mullin in 2021.

SAIC Appoints New Board Member Milford McGuirt (Yahoo Finance) New SAIC board member brings decades of public accounting and auditing experience and years of overseeing exceptional client service delivery

Acronis appoints Patrick Pulvermueller as Chief Executive Officer (Acronis) For information about Acronis and Acronis’ products or to schedule an interview, please send an email or get through to Acronis’ representative, using media contacts.

Products, Services, and Solutions

Hexagon Announces New Version of Cyber Integrity (PAS) OT cybersecurity solution brings holistic, enterprise-wide view of risk analytics to drive remediation efforts

GlobalPlatform certification body achieves ISO 17065 accreditation (GlobalPlatform) The standard for secure digital services and devices

Ermetic Achieves AWS Advanced Technology Partner and ISV Partner Path Confirmed Status (BusinessWire) Certification was based on customer deployments at WEX, Latch, IntelyCare and Riskified of the Ermetic cloud infrastructure security platform.

Technologies, Techniques, and Standards

CISA Introduced Ransomware Readiness Assessment (RRA) Tool (Latest Hacking News) CISA has launched RRA as a new module in its CSET security audit tool to let organizations assess their security against ransomware threats.

Reaction to Social Engineering Indicative of Cybersecurity Culture (Security Boulevard) During COVID-19, threat actors used fear of the virus and hope of a vaccine to trick unwitting victims into downloading malware or giving up their

U.S. Cyber Command leads military exercise in competition in effort to strengthen nation’s cyber security (Military Aerospace) The competition happened in the wake of months of escalating cyber attacks, including ransomware attacks on Colonial Pipeline and on JBS USA beef provider.

Air Force tests new approach for assigning cyber missions (C4ISRNet) A task force seeks to “operationalize” the 67th Cyberspace Operations Wing, giving commanders more authority and responsibility to assign units to missions.

Secret Service Hosts Cyber Incident Response Simulation (Homeland Security Today) The U.S. Secret Service hosted a virtual Cyber Incident Response Simulation with business leaders, law enforcement and other private sector partners focused on ransomware and cryptocurrency attacks and mitigation strategies.

Legislation, Policy, and Regulation

Japan Looks to Boost Military Cyber Experts Amid Security Threat (Infosecurity Magazine) The Japanese military is set to add hundreds of new cybersecurity specialists to its forces in the face of aggression from hostile nations, according to a new report.

The Cybersecurity 202: Now there’s even more pressure on Biden to punch back against Russian ransomware (Washington Post) Pressure is mounting on the Biden administration to respond forcefully to Russia-based ransomware attacks as U.S. businesses reel from the latest in a string of major hacks over the holiday weekend.

Attempted Hack of R.N.C. and Russian Ransomware Attack Test Biden (New York Times) The breach of a Republican National Committee contractor, also linked to Russia, and the global ransomware attack occurred weeks after a U.S.-Russian summit.

We just had another ransomware attack. It’s time Biden gave Putin an ultimatum. (Washington Post) If this becomes routine, businesses and the economy will suffer.

Combating China’s Insider Threat: Can New Laws Curb IP Theft by Foreign Spies? (SecurityWeek) There are three primary prongs to Chinese acquisition of intellectual property: straightforward hacking and cyber theft; the implant of physical insiders; and hiring western experts to work in China

Investment Review Panel Gets Wider Role Under Biden in Rivalry With China (Wall Street Journal) The Committee on Foreign Investment in the U.S. is looking to share information with allies and is paying closer attention to the Biden administration’s priorities, including securing supply chains.

Readout of Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger’s Meeting with Bipartisan U.S. Conference of Mayors (The White House) Today, as part of ongoing engagement with stakeholders across the country, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger met virtually with the bipartisan U.S. Conference of Mayors to speak to the cybersecurity challenges facing cities and towns across the nation, including the threat from ransomware. Neuberger described the Administration’s ransomware strategy…

Litigation, Investigation, and Law Enforcement

Encrypted chat data leads to major drug raids in Germany (NBC News) German security officials said Tuesday they made more than 750 arrests and seized large amounts of drugs after gaining access to extensive chat data.

How Does The Secret Service Track Fugitives? One Romance Scammer Hunt Started With A Simple Text (Forbes) In one of the more surprising attempts to locate a suspected fraudster, the Secret Service texted a number they believed was being used by the defendant. They then deployed location surveillance tools to get their man.

Evidence found on a second Indian activist’s computer was planted, report says (Washington Post) The two activists were jailed in 2018 and accused of plotting an insurgency against the government. A new forensic report concludes they also shared something else: They were both victims of the same hacker who planted evidence on their computers.

The “New” EU Standard Contractual Clauses: FAQs For U.S. Organizations (JD Supra) Globalization, compliance, and the growth in outsourcing have created a myriad of cross-border data transfer scenarios. These scenarios include…

China’s GDPR is coming: Are you ready? Exploring China’s upcoming draft Personal Information Protection Law: Topic Eight – Appointing a DPO in China (JD Supra) On April 29, 2021, China released the second draft of the Personal Information Protection Law (hereinafter the “PIPL” or “Draft”) for public comments,…

China Signals Broad Clampdown on Company Data, Offshore Listings (Bloomberg) Move comes after China started cybersecurity probe of Didi. Beijing has grown increasingly concerned over data security.

Why Is China Cracking Down on Ride-Hailing Giant Didi? (Washington Post) Just days after Didi Global Inc., China’s version of Uber, pulled off a $4.4 billion initial public offering in New York, the Chinese cyberspace regulator effectively ordered it removed from app stores in its home market, citing security risks. The ruling doesn’t stop the company from operating – its half-billion or so existing users will still be able to order rides for now. But it adds to the uncertainty surrounding all Chinese internet companies as regulators increasingly assert control over Big Tech.

Pentagon Scraps JEDI in Win for Amazon at Microsoft’s Expense (Wall Street Journal) The Pentagon said it would move to a new multi-vendor approach after the massive contract was mired in litigation from Amazon and criticism from lawmakers.

Pentagon cancels JEDI Cloud contract after years of contentious litigation (Federal News Network) Defense officials said Tuesday they were cancelling the multibillion dollar sole-source contract.

The Rise and Rise of Ransomware (JD Supra) More organisations have shifted their operations online and have their staff work from home because of the COVID-19 pandemic….

Music Industry Continues Crackdown on ‘Fake Stream’ Operations In Brazil (Digital Music News) The long-running music industry crackdown on “fake stream” operations in Brazil is continuing, the IFPI confirmed in a recent release.

Whirlpool Beats Florida Wiretapping Suits, For Now (Law360) A Florida federal judge on Tuesday tossed a pair of putative class actions accusing Whirlpool Corp. of unlawfully intercepting website visitors’ information, finding that the state’s wiretapping law doesn’t apply to the company’s use of marketing analytics software to capture browsing histories, personal interests and similar data. 

Dollar Stores Hit With Privacy Suit Over Fingerprint Clock-Ins (Law360) Dollar Tree Inc. and its subsidiary Family Dollar Inc. violated their workers’ right to privacy under Illinois’ Biometric Information Privacy Act when they required them to scan their fingerprints to clock in and out of work every day, according to a proposed class action filed in a Chicago court.

Robinhood Crypto Unit Expects $10 Million Fine in Cyber, Anti-Money Laundering Inquiry (Wall Street Journal) Trading app says fine of its cryptocurrency brokerage could exceed $15 million following investigation of allegedly lax security practices.
