<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/156/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Facebook advertisers are panicking after iOS cuts off key tracking data</title><link>https://nsaneforums.com/news/security-privacy-news/facebook-advertisers-are-panicking-after-ios-cuts-off-key-tracking-data-r1234/</link><description><![CDATA[<header>
	<h1 itemprop="headline">
		Facebook advertisers are panicking after iOS cuts off key tracking data
	</h1>

	<h2 itemprop="description">
		Facebook’s ads aren’t as effective after iOS privacy changes, advertisers say.
	</h2>
</header>

<section>
	<div itemprop="articleBody">
		<p>
			Facebook’s ability to track users and show them certain ads appears to be tanking thanks to Apple’s “ask not to track” feature, <a href="https://twitter.com/Gil_RunDMG/status/1410204341525532675" rel="external nofollow">according</a> to some advertisers.
		</p>

		<p>
			Apple rolled out the privacy prompt in late April with iOS 14.5. Since then, nearly half of all iOS devices worldwide have at least version 14.5 installed, according to <a href="https://gs.statcounter.com/ios-version-market-share/mobile-tablet/worldwide" rel="external nofollow">Statcounter</a>, and a vast majority of these devices' users have chosen to deny Facebook and other apps the ability to track them. Nearly three months after the feature's launch, just 17 percent of users worldwide have opted in, according to analytics company <a href="https://www.flurry.com/blog/ios-14-5-opt-in-rate-idfa-app-tracking-transparency-weekly/" rel="external nofollow">Flurry</a>.
		</p>

		<p>
			The changes could have a significant effect on Facebook’s bottom line. Eric Seufert, an analyst who writes Mobile Dev Memo, forecasts that if only 20 percent of users consent to tracking, Facebook’s revenue could <a href="https://mobiledevmemo.com/facebook-may-take-revenue-hit-from-apple-privacy-changes/" rel="external nofollow">drop 7 percent</a> in the first full quarter that the opt-in prompt is active (the forthcoming third quarter). The company warned <a href="https://arstechnica.com/tech-policy/2020/08/ios-14-privacy-settings-will-tank-ad-targeting-business-facebook-warns/" rel="external nofollow">back in February</a> that the iOS changes would curtail its ability to track users across the Internet.
		</p>

		<p>
			“It’s been pretty devastating for, I would say, the majority of advertisers,” Seufert told <a href="https://www.bloomberg.com/news/articles/2021-07-14/facebook-fb-advertisers-impacted-by-apple-aapl-privacy-ios-14-changes" rel="external nofollow">Bloomberg</a>. “The big question is: Are we seeing just short-term volatility where we can expect a move back to the mean, or is this a new normal?”
		</p>

		<figure>
			<a alt="The Settings menu for managing tracking on a per-app basis in iOS." data-height="1037" data-width="1125" href="https://cdn.arstechnica.net/wp-content/uploads/2021/04/iOS-145-app-tracking-transparency.jpg" rel="external nofollow"><img alt="The Settings menu for managing tracking on a per-app basis in iOS." data-ratio="92.18" srcset="https://cdn.arstechnica.net/wp-content/uploads/2021/04/iOS-145-app-tracking-transparency.jpg 2x" src="https://cdn.arstechnica.net/wp-content/uploads/2021/04/iOS-145-app-tracking-transparency-640x590.jpg"></a>

			<figcaption>
				<div>
					The Settings menu for managing tracking on a per-app basis in iOS.
				</div>

				<div>
					Samuel Axon
				</div>
			</figcaption>
		</figure>

		<p>
			It may be some time before advertisers have an answer to that question. Facebook initially appeared to be taking the low opt-in rate in stride, with media buyers not noticing significant changes. But that has apparently changed in recent weeks, with some buyers reporting that ad effectiveness began dropping this month.
		</p>

		<p>
			Some advertisers, like e-commerce sites, appear to be hit particularly hard. Many retailers run software like Shopify, which shares customer data, including details about purchases that customers make on the site, with Facebook. That allows Facebook to refine its “lookalike” audiences, which advertisers buy access to so they can target other people who may be interested in buying the same thing.
		</p>

		<p>
			One way Facebook could bolster its data pipeline would be to deepen its integration into retailers' online stores, which it appears to be doing with the <a href="https://arstechnica.com/gadgets/2021/07/facebook-pay-extends-its-reach-later-this-summer/" rel="external nofollow">rollout of Facebook Pay for e-commerce platforms</a> like Shopify.
		</p>

		<p>
			Before the new iOS feature was rolled out, media buyers reported that Facebook could capture as much as 95 percent of sales made on their clients’ sites. Now, many media buyers are reporting that Facebook is capturing only 50 percent of sales. One buyer reports that, with one client, <a href="https://twitter.com/LalsaydM/status/1410522890081124352" rel="external nofollow">just 3 percent</a> of sales are showing up in Facebook’s ad manager.
		</p>

		<p>
			Other people visit e-commerce sites without purchasing anything, and to close the deal, retailers will “retarget” those users, showing them ads on Facebook for an item they viewed but didn’t buy. Those ads aren’t possible when “ask not to track” is enabled.
		</p>

		<p>
			"We believe that personalized ads and user privacy can coexist, without the collateral damage caused by App Tracking Transparency," a Facebook spokesperson told Ars. "We're also working on our own solutions to help businesses and investing in privacy-enhancing technologies designed to minimize the data we process, while still allowing us to show relevant ads and measure ad effectiveness."
		</p>

		<p>
			As users have asked Facebook not to track them, the company’s feedback loop has broken for a portion of its audience, costing it a key source of data. Though iOS doesn’t run on a majority of mobile devices, it does have a significant footprint in some of the world’s largest advertising markets, including the US. The US market is so important to advertisers that Flurry breaks out the country’s iOS tracking opt-in rate separately. Just 10 percent of US users opt in to tracking, compared with 17 percent worldwide. 
		</p>

		<p>
			By opting out at such high rates, US iOS users could have a particularly significant impact on Facebook’s revenue. In the US and Canada last year, the company made <a href="https://s21.q4cdn.com/399680738/files/doc_financials/2020/q4/FB-Earnings-Presentation-Q4-2020.pdf" rel="external nofollow">five times more</a> advertising revenue per user than its worldwide average. What happens to that number in the third quarter will reveal the extent to which tracking opt-out threatens the company’s earnings.
		</p>
	</div>
</section>

<p>
	<a href="https://arstechnica.com/tech-policy/2021/07/facebook-advertisers-are-panicking-after-ios-cuts-off-key-tracking-data/" rel="external nofollow">Facebook advertisers are panicking after iOS cuts off key tracking data</a>
</p>
]]></description><guid isPermaLink="false">1234</guid><pubDate>Thu, 15 Jul 2021 21:47:35 +0000</pubDate></item><item><title>uMatrix has an unfixed vulnerability: here is a workaround</title><link>https://nsaneforums.com/news/security-privacy-news/umatrix-has-an-unfixed-vulnerability-here-is-a-workaround-r1233/</link><description><![CDATA[<h1>
	uMatrix has an unfixed vulnerability: here is a workaround
</h1>

<div>
	<p>
		Raymond Hill's uBlock Origin and uMatrix browser extensions are popular content blockers. While uBlock Origin is maintained actively by Hill, <a data-wpel-link="internal" href="https://www.ghacks.net/2020/09/20/umatrix-development-has-ended/" rel="external nofollow">uMatrix development ended in 2020</a>. A fork, nMatrix, designed for the Pale Moon browser, is still maintained.
	</p>

	<p>
		The uMatrix browser extension is still in use. Google's Chrome Web Store, on which it is still listed, reveals that it has more than 100,000 users, a figure that may be higher, as Google does not disclose the total number of users to the public. <a data-wpel-link="external" href="https://addons.mozilla.org/en-US/firefox/addon/umatrix/" rel="external nofollow" target="_blank">The Firefox extension</a>, for which <a data-wpel-link="internal" href="https://www.ghacks.net/2017/11/28/a-umatrix-guide-for-firefox/" rel="external nofollow">I wrote a guide in 2017</a>, has more than 29,000 users at the time of writing.
	</p>

	<p>
		<img alt="umatrix interface" data-ratio="69.15" loading="lazy" sizes="(max-width: 577px) 100vw, 577px" srcset="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2017/11/umatrix-interface.png 577w, https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2017/11/umatrix-interface-100x69.png 100w" src="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2017/11/umatrix-interface.png">
	</p>

	<p>
		A security researcher <a data-wpel-link="external" href="https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc" rel="external nofollow" target="_blank">discovered</a> a vulnerability in all three extensions. The vulnerability lies in code used by the extensions' strict blocking feature. Strict blocking prevents all connections to resources that match a filter. Default installations of the extensions use filter lists that include strict blocking filters.
	</p>

	<p>
		An attacker may exploit the vulnerability to get the extension to crash or cause memory exhaustion according to the researcher. When the extension crashes, users are left without protection until it is reloaded.
	</p>

	<p>
		Exploitation requires user interaction, e.g. clicking on a link.
	</p>

	<blockquote>
		<p>
			The strict-blocking warning page is only displayed when direct navigations are blocked. This means that malicious hosts would need to induce users to trigger a navigation somehow, such as by clicking a link. iframes are classified as sub-documents and do not trigger the warning page, which should make it harder for malicious hosts to exploit this vulnerability in the background.
		</p>
	</blockquote>

	<p>
		The researcher tested a proof-of-concept exploit against Chrome, Firefox and Pale Moon. Only the Chrome extension crashed during the tests.
	</p>

	<p>
		Raymond Hill was notified before the security issue was disclosed publicly, and <a data-wpel-link="external" href="https://github.com/uBlockOrigin/uBlock-issues/issues/1649" rel="external nofollow" target="_blank">a fix</a> was created for uBlock Origin within one day and published the next. The maintainer of nMatrix published an update to the Pale Moon add-ons site that fixed the issue in the extension as well.
	</p>

	<p>
		The uMatrix extension is not maintained anymore, which means that it is still vulnerable and will remain so.
	</p>

	<p>
		<strong>How to mitigate the vulnerability</strong>
	</p>

	<p>
		The researcher notes that users need to disable all filter lists on the "Assets" tab of the uMatrix dashboard, which turns off strict blocking. Enabling the malware and multipurpose filter lists in uBlock Origin may offset the filtering coverage that the change removes.
	</p>

	<blockquote>
		<p>
			To mitigate the vulnerability for now, users can disable uMatrix’s strict-blocking support by unselecting all of the filter lists on the "Assets" tab in the uMatrix dashboard. They can also enable all of the "Malware domains" and "Multipurpose" filter lists in uBlock Origin to help offset the lost filtering coverage.
		</p>
	</blockquote>

	<h3>
		Closing Words
	</h3>

	<p>
		With development having ended some time ago, it may be time to move to a different extension for content blocking, especially since uMatrix now has an unpatched vulnerability. While it seems unlikely to be exploited in large-scale attacks, it is still something that users need to be aware of.
	</p>
</div>

<p>
	<a href="https://www.ghacks.net/2021/07/15/umatrix-has-an-unfixed-vulnerability-here-is-a-workaround/" rel="external nofollow">uMatrix has an unfixed vulnerability: here is a workaround</a>
</p>
]]></description><guid isPermaLink="false">1233</guid><pubDate>Thu, 15 Jul 2021 21:44:53 +0000</pubDate></item><item><title>Facebook Catches Iranian Spies Catfishing US Military Targets</title><link>https://nsaneforums.com/news/security-privacy-news/facebook-catches-iranian-spies-catfishing-us-military-targets-r1232/</link><description><![CDATA[<div>
	<header data-event-boundary="click" data-event-click='{"pattern":"ContentHeader"}' data-in-view='{"pattern":"ContentHeader"}' data-include-experiments="true">
		<div>
			<div data-event-boundary="click" data-event-click='{"pattern":"TitleBlock"}' data-in-view='{"pattern":"TitleBlock"}' data-include-experiments="true">
				<h1 data-testid="ContentHeaderHed">
					Facebook Catches Iranian Spies Catfishing US Military Targets
				</h1>
			</div>

			<div>
				<div>
					<strong>The hackers posed as recruiters, journalists, and hospitality workers to lure their victims.</strong>
				</div>
			</div>
		</div>
	</header>
</div>

<div data-attribute-verso-pattern="article-body">
	<div data-event-boundary="click" data-event-click='{"pattern":"ChunkedArticleContent"}' data-in-view='{"pattern":"ChunkedArticleContent"}' data-include-experiments="true">
		<div>
			<div>
				<div data-journey-hook="client-content">
					<p>
						If you're a member of the US military who's gotten friendly <a href="https://www.wired.com/tag/facebook" rel="external nofollow">Facebook</a> messages from private-sector recruiters for months on end, suggesting a lucrative future in the aerospace or defense contractor industry, Facebook may have some bad news.
					</p>

					<p>
						On Thursday, the social media giant revealed that it has tracked and at least partially disrupted a long-running <a href="https://www.wired.com/tag/iran" rel="external nofollow">Iranian</a> hacking campaign that used Facebook accounts to pose as recruiters, reeling in US targets with convincing social engineering schemes before sending them malware-infected files or tricking them into submitting sensitive credentials to phishing sites. Facebook says that the hackers also pretended to work in the hospitality or medical industries, in journalism, or at NGOs or airlines, sometimes engaging their targets for months with profiles across several different social media platforms. And unlike some previous cases of Iranian state-sponsored social media catfishing that have focused on Iran's neighbors, this latest campaign appears to have largely targeted Americans, and to a lesser extent UK and European victims.
					</p>

					<p>
						Facebook says it has removed "fewer than 200" fake profiles from its platforms as a result of the investigation and notified roughly the same number of Facebook users that hackers had targeted them. "Our investigation found that Facebook was a portion of a much broader espionage operation that targeted people with phishing, social engineering, spoofed websites, and malicious domains across multiple social media platforms, email, and collaboration sites," David Agranovich, Facebook's director for threat disruption, said Thursday in a call with press.
					</p>

					<p>
						Facebook has identified the hackers behind the social engineering campaign as the group known as Tortoiseshell, believed to work on behalf of the Iranian government. The group, which has some loose ties and similarities to other better-known Iranian groups known by the names APT34 or Helix Kitten and APT35 or Charming Kitten, first came to light in 2019. At that time, security firm Symantec <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain"}' href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain" rel="external nofollow" target="_blank">spotted the hackers</a> breaching Saudi Arabian IT providers in an apparent supply chain attack designed to infect the company's customers with a piece of malware known as Syskit. Facebook has spotted that same malware used in this latest hacking campaign, but with a far broader set of infection techniques and with targets in the US and other Western countries instead of the Middle East.
					</p>

					<p>
						Tortoiseshell also seems to have opted from the start for social engineering over a supply-chain attack, starting its social media catfishing as early as 2018, according to security firm Mandiant. That includes far more than just Facebook, says Mandiant vice president of threat intelligence John Hultquist. "From some of the very earliest operations, they compensate for really simplistic technical approaches with really complex social media schemes, which is an area where Iran is really adept," Hultquist says.
					</p>

					<p>
						In 2019, Cisco's Talos security division spotted Tortoiseshell <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html"}' href="https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html" rel="external nofollow" target="_blank">running a fake veterans' site called Hire Military Heroes</a>, designed to trick victims into installing a desktop app on their PC that contained malware. Craig Williams, a director of Talos’ intelligence group, says that fake site and the larger campaign Facebook has identified both show how military personnel trying to find private-sector jobs pose a ripe target for spies. “The problem we have is that veterans transitioning over to the commercial world is a huge industry,” says Williams. “Bad guys can find people who will make mistakes, who will click on things they shouldn’t, who are attracted to certain propositions.”
					</p>

					<p>
						Facebook warns that the group also spoofed a US Department of Labor site; the company provided a list of the group's fake domains that impersonated news media sites, versions of YouTube and LiveLeak, and many different variations on Trump family and Trump organization–related URLs.
					</p>
				</div>
			</div>

			<div>
				<div data-journey-hook="client-content">
					<p>
						Facebook says that it has tied the group's malware samples to a specific Tehran-based IT contractor called Mahak Rayan Afraz, which has previously provided malware to the Iranian Revolutionary Guard Corps, or IRGC—the first tenuous link between the Tortoiseshell group and a government. Symantec noted back in 2019 that the group had also <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain"}' href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain" rel="external nofollow" target="_blank">used some software tools also spotted in use by Iran's APT34 hacking group</a>, which has <a href="https://www.wired.com/story/iran-hackers-social-engineering-mia-ash/" rel="external nofollow">used social media lures across sites like Facebook and LinkedIn for years</a>. Mandiant's Hultquist says it roughly shares some characteristics with the Iranian group known as APT35, too, which is believed to work in the service of the IRGC. APT35's history includes using an American defector, military intelligence defense contractor Monica Witt, <a href="https://www.wired.com/story/us-air-force-defector-allegedly-helped-iran-hack-americans/" rel="external nofollow">to gain information about her former colleagues that could be used to target them</a> with social engineering and phishing campaigns.
					</p>

					<p>
						The threat of Iran-based hacking operations—and particularly, the threat of disruptive cyberattacks from the country—may have appeared to subside as the Biden Administration has reversed course from the Trump administration's confrontational approach. The 2020 assassination of Iranian military leader Qassem Soleimani in particular led to an <a href="https://www.wired.com/story/iran-apt33-us-electric-grid/" rel="external nofollow">uptick in Iranian intrusions</a> that many feared were a precursor to retaliatory cyberattacks that never materialized. President Biden has, by contrast, signaled that he hopes to revive the Obama-era deal that suspended Iran's nuclear ambitions and eased tensions with the country—a rapprochement that has been rattled by news that Iranian intelligence agents <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.reuters.com/world/us/us-charges-iranian-nationals-with-kidnapping-2021-07-13/"}' href="https://www.reuters.com/world/us/us-charges-iranian-nationals-with-kidnapping-2021-07-13/" rel="external nofollow" target="_blank">plotted to kidnap an Iranian-American journalist</a>.
					</p>

					<p>
						But the Facebook campaign shows that Iranian espionage will continue to target the US and its allies, even as the broader political relations improve. "The IRGC are clearly conducting their espionage in the United States," says Mandiant's Hultquist. "They're still up to no good, and they need to be carefully watched."
					</p>
				</div>
			</div>
		</div>
	</div>
</div>

<p>
	<a href="https://www.wired.com/story/facebook-iran-espionage-catfishing-us-military/" rel="external nofollow">Facebook Catches Iranian Spies Catfishing US Military Targets</a>
</p>
]]></description><guid isPermaLink="false">1232</guid><pubDate>Thu, 15 Jul 2021 21:41:39 +0000</pubDate></item><item><title>iOS zero-day let SolarWinds hackers compromise fully updated iPhones</title><link>https://nsaneforums.com/news/security-privacy-news/ios-zero-day-let-solarwinds-hackers-compromise-fully-updated-iphones-r1223/</link><description><![CDATA[<header>
	<h1 itemprop="headline">
		iOS zero-day let SolarWinds hackers compromise fully updated iPhones
	</h1>

	<h2 itemprop="description">
		Flaw was exploited when government officials clicked on links in LinkedIn messages.
	</h2>
</header>

<section>
	<div itemprop="articleBody">
		<p>
			The Russian state hackers who orchestrated the SolarWinds supply chain attack last year exploited an iOS zero-day as part of a separate malicious email campaign aimed at stealing Web authentication credentials from Western European governments, according to Google and Microsoft.
		</p>

		<p>
			In a <a href="https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/" rel="external nofollow">post</a> Google published on Wednesday, researchers Maddie Stone and Clement Lecigne said a “likely Russian government-backed actor” exploited the then-unknown vulnerability by sending messages to government officials over LinkedIn.
		</p>

		<h2>
			Moscow, Western Europe, and USAID
		</h2>

		<p>
			Attacks targeting CVE-2021-1879, as the zero-day is tracked, redirected users to domains that installed malicious payloads on fully updated iPhones. The attacks coincided with a campaign by the same hackers who delivered malware to Windows users, the researchers said.
		</p>

		<p>
			The campaign closely tracks to one <a href="https://arstechnica.com/gadgets/2021/05/microsoft-says-solarwinds-hackers-targeted-us-agencies-in-a-new-campaign/" rel="external nofollow">Microsoft disclosed in May</a>. In that instance, Microsoft said that Nobelium—the name the company uses to identify the hackers behind the SolarWinds supply chain attack—first managed to compromise an account belonging to USAID, a US government agency that administers civilian foreign aid and development assistance. With control of the agency’s account for online marketing company Constant Contact, the hackers could send emails that appeared to use addresses known to belong to the US agency.
		</p>

		<p>
			The federal government has attributed last year’s supply chain attack to hackers working for Russia’s Foreign Intelligence Service (abbreviated as SVR). For <a href="https://arstechnica.com/information-technology/2015/09/seven-years-of-malware-linked-to-russian-state-backed-cyberespionage/" rel="external nofollow">more than a decade</a>, the SVR has conducted malware campaigns targeting governments, political think tanks, and other organizations in countries like Germany, Uzbekistan, South Korea, and the US. Targets <a href="https://securelist.com/the-cozyduke-apt/69731/" rel="external nofollow">have included</a> the US State Department and the White House in 2014. Other names used to identify the group include APT29, the Dukes, and Cozy Bear.
		</p>

		<p>
			In an email, Shane Huntley, the head of Google's Threat Analysis Group, confirmed the connection between the attacks involving USAID and the iOS zero-day, which resided in the WebKit browser engine.
		</p>

		<p>
			“These are two different campaigns, but based on our visibility, we consider the actors behind the WebKit 0-day and the USAID campaign to be the same group of actors,” Huntley wrote. “It is important to note that everyone draws actor boundaries differently. In this particular case, we are aligned with the US and UK governments' assessment of APT 29.”
		</p>

		<h2>
			Forget the sandbox
		</h2>

		<p>
			Throughout the campaign, Microsoft said, Nobelium experimented with multiple attack variations. In one wave, a Nobelium-controlled web server profiled devices that visited it to determine what OS and hardware the devices ran on. If the targeted device was an iPhone or iPad, a server used an exploit for CVE-2021-1879, which allowed hackers to deliver a universal cross-site scripting attack. Apple <a href="https://support.apple.com/en-us/HT212256" rel="external nofollow">patched</a> the zero-day in late March.
		</p>

		<p>
			In Wednesday’s post, Stone and Lecigne wrote:
		</p>

		<blockquote>
			<p>
				After several validation checks to ensure the device being exploited was a real device, the final payload would be served to exploit CVE-2021-1879. This exploit would turn off <a href="https://en.wikipedia.org/wiki/Same-origin_policy" rel="external nofollow">Same-Origin-Policy</a> protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo and send them via WebSocket to an attacker-controlled IP. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7. This type of attack, described by Amy Burnett in <a href="https://www.youtube.com/watch?v=a0yPYpmUpIA" rel="external nofollow">Forget the Sandbox Escape: Abusing Browsers from Code Execution</a>, is mitigated in browsers with <a href="https://www.chromium.org/developers/design-documents/site-isolation" rel="external nofollow">Site Isolation</a> enabled, such as Chrome or Firefox.
			</p>
		</blockquote>

		<h2>
			It’s raining zero-days
		</h2>

		<p>
			The iOS attacks are part of a recent explosion in the use of zero-days. In the first half of this year, Google’s Project Zero vulnerability research group has recorded 33 zero-day exploits used in attacks—11 more than the total number from 2020. The growth has several causes, including better detection by defenders and better software defenses that require multiple exploits to break through.
		</p>

		<p>
			The other big driver is the increased supply of zero-days from private companies selling exploits.
		</p>

		<p>
			“0-day capabilities used to be only the tools of select nation-states who had the technical expertise to find 0-day vulnerabilities, develop them into exploits, and then strategically operationalize their use,” the Google researchers wrote. “In the mid-to-late 2010s, more private companies have joined the marketplace selling these 0-day capabilities. No longer do groups need to have the technical expertise; now they just need resources.”
		</p>

		<p>
			The iOS vulnerability was one of four in-the-wild zero-days Google detailed on Wednesday. The other three were:
		</p>

		<ul>
			<li>
				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166" rel="external nofollow">CVE-2021-21166</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30551" rel="external nofollow">CVE-2021-30551</a> in Chrome
			</li>
			<li>
				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33742" rel="external nofollow">CVE-2021-33742</a> in Internet Explorer
			</li>
		</ul>

		<p>
			The four exploits were used in three different campaigns. Based on their analysis, the researchers assess that three of the exploits were developed by the same commercial surveillance company, which sold them to two different government-backed actors. The researchers didn’t identify the surveillance company, the governments, or the specific three zero-days they were referring to.
		</p>

		<p>
			Representatives from Apple didn’t immediately respond to a request for comment.
		</p>
	</div>
</section>

<p>
	<a href="https://arstechnica.com/gadgets/2021/07/solarwinds-hackers-used-an-ios-0-day-to-steal-google-and-microsoft-credentials/" rel="external nofollow">iOS zero-day let SolarWinds hackers compromise fully updated iPhones</a>
</p>
]]></description><guid isPermaLink="false">1223</guid><pubDate>Wed, 14 Jul 2021 21:19:07 +0000</pubDate></item><item><title>Google Chrome will add HTTPS-First Mode to keep your data safe</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-will-add-https-first-mode-to-keep-your-data-safe-r1214/</link><description><![CDATA[<h1>
	Google Chrome will add HTTPS-First Mode to keep your data safe
</h1>

<div>
	<p>
		Google will add an HTTPS-First Mode to the Chrome web browser to block attackers from intercepting or eavesdropping users' web traffic.
	</p>

	<p>
		"Beginning in M94, Chrome will offer HTTPS-First Mode, which will attempt to upgrade all page loads to HTTPS and display a full-page warning before loading sites that don't support it," Google said.
	</p>

	<p>
		"Users who enable this mode gain confidence that Chrome is connecting them to sites over HTTPS whenever possible, and that they will see a warning before connecting to sites over HTTP."
	</p>

	<p>
		By upgrading all connections to websites to HTTPS, Google Chrome 94 will protect users from man-in-the-middle (MITM) attacks trying to snoop on or alter data exchanged with Internet servers over the unencrypted HTTP protocol.
	</p>

	<h2>
		HTTPS-First Mode already available for Chrome Canary users
	</h2>

	<p>
		BleepingComputer reported earlier this month that <a href="https://www.bleepingcomputer.com/news/security/google-chrome-will-get-an-https-only-mode-for-secure-browsing/" target="_blank" rel="external nofollow">Google's web browser will get an HTTPS-Only Mode</a> for secure browsing.
	</p>

	<p>
		The new feature is currently being tested in the Chrome 93 Canary preview releases for Mac, Windows, Linux, Chrome OS, and Android.
	</p>

	<p>
		If you want to test the experimental feature right now, you will have to enable the "HTTPS-Only Mode Setting" flag by going to chrome://flags/#https-only-mode-setting.
	</p>

	<p>
		This will add an "Always use secure connections" option to Chrome's security settings which, once enabled, will set up the web browser to upgrade all navigation to HTTPS and show alerts before loading websites that don't support it.
	</p>

	<p>
		<img alt="Chrome%20HTTPS-Only%20Mode.png" data-ratio="65.00" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Chrome%20HTTPS-Only%20Mode.png">
	</p>

	<h2>
		HTTPS all the way
	</h2>

	<p>
		Google is not the first web browser vendor to consider automatically upgrading all navigation to HTTPS.
	</p>

	<p>
		For instance, <a href="https://www.bleepingcomputer.com/news/software/firefox-83-boosts-security-with-https-only-mode-zero-day-fix/" target="_blank" rel="external nofollow">Mozilla added an HTTPS-Only Mode</a> starting with Firefox 83 to secure web browsing by rewriting URLs to use the HTTPS protocol (the feature is disabled by default but can be enabled from the browser's settings).
	</p>

	<p>
		Microsoft Edge can now also be set up to switch users to secure HTTPS connections when connecting to websites over HTTP, after enabling a new experimental <a href="https://www.bleepingcomputer.com/news/security/microsoft-adds-automatic-https-in-edge-for-secure-browsing/" target="_blank" rel="external nofollow">Automatic HTTPS option</a> available in the Canary and Developer preview channels, with an estimated release later this month.
	</p>

	<p>
		Google has also previously updated <a href="https://www.bleepingcomputer.com/news/google/google-chrome-90-released-with-https-as-the-default-protocol/" target="_blank" rel="external nofollow">Chrome to default to HTTPS</a> for all URLs typed in the address bar if the user doesn't specify a protocol.
	</p>

	<p>
		"While we are excited to see users adopt HTTPS-First Mode in future versions of Chrome, HTTP connections will still continue to be supported and Chrome will take additional steps to protect and inform users whenever they are using insecure connections," Google <a href="https://blog.chromium.org/2021/07/increasing-https-adoption.html" rel="external nofollow" target="_blank">added</a>.
	</p>

	<p>
		"Continuing from our past efforts to <a href="https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features" rel="external nofollow" target="_blank">restrict new features to secure origins</a> and <a href="https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins" rel="external nofollow" target="_blank">deprecate powerful features on insecure origins</a>, we'll evaluate a broad set of web platform features to determine if they should be limited or restricted on HTTP webpages."
	</p>
</div>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-chrome-will-add-https-first-mode-to-keep-your-data-safe/" rel="external nofollow">Google Chrome will add HTTPS-First Mode to keep your data safe</a>
</p>
]]></description><guid isPermaLink="false">1214</guid><pubDate>Wed, 14 Jul 2021 20:48:27 +0000</pubDate></item><item><title>Tails 4.20 arrives with Tor Connection assistant but you still have to build bridges</title><link>https://nsaneforums.com/news/security-privacy-news/tails-420-arrives-with-tor-connection-assistant-but-you-still-have-to-build-bridges-r1211/</link><description><![CDATA[<header>
	<h1>
		Tails 4.20 arrives with Tor Connection assistant but you still have to build bridges 
	</h1>
</header>

<div itemprop="articleBody">
	<p>
		Tails 4.20 has <a href="https://tails.boum.org/news/version_4.20/index.en.html" rel="external nofollow">been released</a> with several big changes, most notably the Tor Connection assistant, which makes it easier to get set up using a Tor bridge. If you’re not familiar with bridges, they’re designed for people in authoritarian countries where Tor usage is dangerous: by connecting to a bridge as your first node in the Tor network, anyone monitoring your activities won’t know you’re on Tor.
	</p>

	<p>
		The Tor Browser made it really easy to connect to bridges a while back because it removed the need to enter bridge details manually. Tails still hadn’t built in this functionality, and even with the new Tor Connection assistant it still doesn’t offer the feature. What this update does, however, is make it easier to set up a bridge connection by offering the option as soon as you connect to Wi-Fi. In older releases, you had to go into the advanced settings before starting the Tails session.
	</p>

	<p>
		<img alt="The Tor Connection assistant" data-ratio="64.97" src="https://cdn.neow.in/news/images/uploaded/2021/07/1626214731_tor-connection.jpg">
	</p>

	<p>
		In the future, the Tor Connection assistant will let you save Tor bridges to persistent storage, help detect when Wi-Fi isn’t working, detect whether you have to sign in to a local network via a captive portal, improve clock synchronization to make bridges work better in Asia, and make bridge discovery easier.
	</p>

	<p>
		Another welcome change in this update is the inclusion of OnionShare 2.2. This major update allows people to host a website from a Tor onion service. Once your site is up, other people can access it from the unique onion URL which is only accessible via the Tor Browser. You can still use OnionShare to send ordinary files to other people via Tor too.
	</p>

	<p>
		If you have tried Tails before and run into hardware incompatibility issues, this update includes the Linux 5.10.46 kernel, which comes with support for newer graphics cards, Wi-Fi cards, and other hardware.
	</p>

	<p>
		To get started with Tails, head over to the <a href="https://tails.boum.org/" rel="external nofollow">project's website</a>. If you already have a Tails USB device, plug it in and connect to Wi-Fi; you will then be shown a prompt to perform the upgrade.
	</p>
</div>

<p>
	<a href="https://www.neowin.net/news/tails-420-arrives-with-tor-connection-assistant-but-you-still-have-to-build-bridges/" rel="external nofollow">Tails 4.20 arrives with Tor Connection assistant but you still have to build bridges</a>
</p>
]]></description><guid isPermaLink="false">1211</guid><pubDate>Wed, 14 Jul 2021 06:53:27 +0000</pubDate></item><item><title>Gmail update will go some way to eliminating phishing once and for all</title><link>https://nsaneforums.com/news/security-privacy-news/gmail-update-will-go-some-way-to-eliminating-phishing-once-and-for-all-r1210/</link><description><![CDATA[<header>
	<h1>
		Gmail update will go some way to eliminating phishing once and for all
	</h1>

	<div>
		<p>
			<strong>Verified logos in Gmail will make it harder for scammers to impersonate brands</strong>
		</p>
	</div>
</header>

<div id="article-body">
	<p>
		The days of cybercriminals using spoofed logos and lookalike email addresses to trick unsuspecting users into falling for <a data-component-tracked="1" href="https://www.techradar.com/news/one-trillion-phishing-emails-sent-every-year" target="_blank" rel="external nofollow">phishing scams</a> could soon be over as Google is adding a new security feature to <a data-component-tracked="1" href="https://www.techradar.com/reviews/google-gmail" target="_blank" rel="external nofollow">Gmail</a> to make it harder to impersonate brands over email.
	</p>

	<p>
		The search giant announced last year that it would begin its Brand Indicators for Message Identification (<a data-component-tracked="1" href="https://www.techradar.com/news/gmail-and-google-meet-get-major-security-boost" target="_blank" rel="external nofollow">BIMI</a>) pilot; in a new <a data-component-tracked="1" data-url="https://cloud.google.com/blog/products/identity-security/bringing-bimi-to-gmail-in-google-workspace" href="https://cloud.google.com/blog/products/identity-security/bringing-bimi-to-gmail-in-google-workspace" target="_blank" rel="external nofollow">blog post</a>, the company now says it will begin rolling out BIMI support in Gmail over the coming weeks.
	</p>

	<p>
		For those unfamiliar, BIMI is an industry standard that aims to drive adoption of strong sender authentication for the entire <a data-component-tracked="1" href="https://www.techradar.com/news/best-email-provider" target="_blank" rel="external nofollow">email</a> ecosystem. It does this by providing email recipients as well as email security systems with increased confidence in the source of emails to prevent impersonation attempts.
	</p>

	<figure>
		<img alt="BIMI Logos in Gmail" src="https://cdn.mos.cms.futurecdn.net/vNeQ9CBbN6YNhfdANQsLQD.jpg">

		<figcaption itemprop="caption description">
			(Image credit: Google)
		</figcaption>
	</figure>

	<h2 id="bimi-support">
		BIMI support
	</h2>

	<p>
		As part of Google's rollout of BIMI in Gmail, organizations that authenticate their emails using <a data-component-tracked="1" href="https://www.techradar.com/news/us-presidential-candidates-arent-using-basic-email-security" target="_blank" rel="external nofollow">DMARC</a> will be able to validate ownership of their corporate logos and securely transmit them to Google. Once these authenticated emails pass Google's anti-abuse checks, Gmail will begin displaying an organization's logo in the service's avatar slot so that users know these emails come directly from a company and not from someone impersonating them.
	</p>

	<p>
		According to Google, BIMI is designed to be easy to adopt for organizations with DMARC already in place, and once configured, validated logos will be displayed on emails from both their <a data-component-tracked="1" href="https://www.techradar.com/news/best-domain-registrars" target="_blank" rel="external nofollow">domains</a> and subdomains.
	</p>

	<p>
		Seth Blank, chair of the AuthIndicators Working Group, praised Google's support of BIMI in Gmail, saying:
	</p>

	<p>
		“Gmail's support of BIMI is a win for email authentication, brand trust, and consumers alike. BIMI gives organizations the opportunity to provide their customers with a more immersive email experience, strengthening email sender authentication across the entire email ecosystem.”
	</p>

	<p>
		In order to take advantage of BIMI, organizations will first need to adopt DMARC and then have their logo validated with a Verified Mark Certificate (VMC). Gmail users, on the other hand, won't have to do a thing; they'll soon see company logos alongside their emails once BIMI support rolls out in the coming weeks.
	</p>
</div>

<p>
	<a href="https://www.techradar.com/news/gmail-update-will-go-some-way-to-eliminating-phishing-once-and-for-all" rel="external nofollow">Gmail update will go some way to eliminating phishing once and for all</a>
</p>
]]></description><guid isPermaLink="false">1210</guid><pubDate>Wed, 14 Jul 2021 03:56:12 +0000</pubDate></item><item><title>Adobe updates fix 28 vulnerabilities in 6 programs</title><link>https://nsaneforums.com/news/security-privacy-news/adobe-updates-fix-28-vulnerabilities-in-6-programs-r1206/</link><description><![CDATA[<h1>
	Adobe updates fix 28 vulnerabilities in 6 programs
</h1>

<div>
	<p>
		Adobe has released a large Patch Tuesday security update that fixes vulnerabilities in Adobe Dimension, Illustrator, Framemaker, Acrobat, Reader, and Bridge.
	</p>

	<p>
		 
	</p>

	<p>
		The complete list of Adobe products receiving security updates today, with the number of vulnerabilities fixed in each, is below:
	</p>

	<ul>
		<li>
			<a href="https://helpx.adobe.com/security/products/dimension/apsb21-40.html" rel="external nofollow">APSB21-40 | Adobe Dimension</a>: 1 Critical vulnerability was fixed.
		</li>
		<li>
			<a href="https://helpx.adobe.com/security/products/illustrator/apsb21-42.html" rel="external nofollow">APSB21-42 | Adobe Illustrator</a>: 2 Critical and 1 Important vulnerabilities were fixed.
		</li>
		<li>
			<a href="https://helpx.adobe.com/security/products/framemaker/apsb21-45.html" rel="external nofollow">APSB21-45 | Adobe Framemaker</a>: 1 Critical vulnerability was fixed.
		</li>
		<li>
			<a href="https://helpx.adobe.com/security/products/acrobat/apsb21-51.html" rel="external nofollow">APSB21-51 | Adobe Acrobat and Reader</a>: 14 Critical and 5 Important vulnerabilities were fixed.
		</li>
		<li>
			<a href="https://helpx.adobe.com/security/products/bridge/apsb21-53.html" rel="external nofollow">APSB21-53 | Adobe Bridge</a>: 4 Critical and 1 Moderate vulnerabilities were fixed.
		</li>
	</ul>

	<p>
		In total, Adobe fixed 28 vulnerabilities with today's updates. 
	</p>

	<p>
		Almost all Critical vulnerabilities could lead to arbitrary code execution, allowing threat actors to execute commands on vulnerable computers.
	</p>

	<p>
		Out of the Adobe security updates released today, Adobe Acrobat and Reader had the most fixes, with 19 vulnerabilities.
	</p>

	<h2>
		Install updates immediately
	</h2>

	<p>
		While there were no known actively exploited zero-day vulnerabilities, Adobe advises customers to update to the latest versions as soon as possible.
	</p>

	<p>
		This urgency is because threat actors can compare older versions of the software with the patched versions to determine what code is vulnerable and create exploits to target these vulnerabilities.
	</p>

	<p>
		In most cases, users can update their software in one of the following ways:
	</p>

	<ul>
		<li>
			Go to Help &gt; Check for Updates in the product.
		</li>
		<li>
			Download the full update installers from Adobe's Download Center.
		</li>
		<li>
			Let the products update automatically, without requiring user intervention, when updates are detected.
		</li>
	</ul>

	<p>
		If the new update is not available via auto-update, you can check the security bulletins linked above for the latest download links.
	</p>

</div>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/adobe-updates-fix-28-vulnerabilities-in-6-programs/" rel="external nofollow">Adobe updates fix 28 vulnerabilities in 6 programs</a>
</p>
]]></description><guid isPermaLink="false">1206</guid><pubDate>Tue, 13 Jul 2021 22:55:01 +0000</pubDate></item><item><title>REvil ransomware gang's web sites mysteriously shut down</title><link>https://nsaneforums.com/news/security-privacy-news/revil-ransomware-gangs-web-sites-mysteriously-shut-down-r1201/</link><description><![CDATA[<h1>
	REvil ransomware gang's web sites mysteriously shut down
</h1>

<div>
	<p>
		The infrastructure and websites for the REvil ransomware operation have mysteriously gone offline as of last night.
	</p>

	<p>
		The REvil ransomware operation, aka Sodinokibi, operates through numerous clear web and dark web sites used as ransom negotiation sites, ransomware data leak sites, and backend infrastructure.
	</p>

	<p>
		Starting last night, the websites and infrastructure used by the REvil ransomware operation have mysteriously shut down.
	</p>

	<div>
		<figure>
			<img alt="REvil Tor site no longer accessible" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/ransomware/r/revil/sites-shut-down/revil-tor-site.jpg">
			<figcaption>
				REvil Tor site no longer accessible
			</figcaption>
		</figure>
	</div>

	<p>
		"In simple terms, this error generally means that the onion site is offline or disabled. To know for sure, you'd need to contact the onion site administrator," the Tor Project's Al Smith told BleepingComputer.
	</p>

	<p>
		While it is not unheard of for REvil sites to lose connectivity for some time, for all sites to shut down simultaneously is unusual.
	</p>

	<p>
		Furthermore, the decoder[.]re clear website is <a href="https://twitter.com/malwrhunterteam/status/1414934646782144513" rel="external nofollow" target="_blank">no longer resolvable</a> by DNS queries, possibly indicating the DNS records for the domain have been pulled or that backend DNS infrastructure has been shut down.
	</p>

	<div>
		<figure>
			<img alt="REvil domain no longer resolves to DNS queries" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/ransomware/r/revil/sites-shut-down/decoder.jpg">
			<figcaption>
				REvil domain no longer resolves to DNS queries
			</figcaption>
		</figure>
	</div>

	<p>
		Recorded Future's <a href="https://twitter.com/uuallan/status/1414953536820031509" rel="external nofollow" target="_blank">Alan Liska said</a> that the REvil web sites went offline at approximately 1 AM EST this morning.
	</p>

	<p>
		If you have first-hand information about the shutdown, you can confidentially contact us on Signal at <a data-sk="tooltip_parent" data-stringify-link="tel:+16469613731" delay="150" href="tel:+16469613731" rel="" target="_blank">+16469613731</a> or on Wire at @lawrenceabrams-bc.
	</p>

	<h2>
		Feeling the heat
	</h2>

	<p>
		On July 2nd, the <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/" target="_blank" rel="external nofollow">REvil ransomware gang encrypted approximately 60 managed service providers</a> (MSPs) and over 1,500 individual businesses using a zero-day vulnerability in the Kaseya VSA remote management software.
	</p>

	<p>
		As part of these attacks, <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-asks-70-million-to-decrypt-all-kaseya-attack-victims/" target="_blank" rel="external nofollow">REvil initially demanded $70 million for a universal decryptor</a> for all victims but quickly <a href="https://twitter.com/jackhcable/status/1411906687968161792" rel="external nofollow" target="_blank">dropped the price to $50 million</a>.
	</p>

	<p>
		Since then, the ransomware group has been under increased scrutiny by law enforcement, which did not seem to faze 'Unknown,' the public-facing representative of the ransomware gang.
	</p>

	<p>
		As these ransomware gangs commonly operate out of Russia, <a href="https://www.bleepingcomputer.com/news/security/biden-asks-putin-to-crack-down-on-russian-based-ransomware-gangs/" target="_blank" rel="external nofollow">President Biden has been in talks with President Putin</a> about the attacks and warned that if Russia did not act against threat actors within its borders, the USA would take action itself.
	</p>

	<p>
		"I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," Biden said after signing an executive order at the White House.
	</p>

	<p>
		At this point, it is not clear whether the shutdown of these servers is simply a technical issue, whether the gang shut down its operation, or whether a law enforcement operation took place.
	</p>

	<p>
		Other ransomware groups, such as <a href="https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-operation-shuts-down/" target="_blank" rel="external nofollow">DarkSide</a> and <a href="https://www.bleepingcomputer.com/news/security/babuk-quits-ransomware-encryption-focuses-on-data-theft-extortion/" target="_blank" rel="external nofollow">Babuk</a>, shut down voluntarily due to the increased pressure by law enforcement.
	</p>

	<p>
		However, when ransomware groups shut down, the operators and affiliates commonly rebrand as a new operation to continue performing ransomware attacks. This was seen in the past when <a href="https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-2-billion/" target="_blank" rel="external nofollow">GandCrab shut down</a> and many of its <a href="https://www.bleepingcomputer.com/news/security/gandcrab-raas-was-a-training-ground-for-malware-distributors/" target="_blank" rel="external nofollow">members relaunched as REvil</a>.
	</p>

	<p>
		Babuk also <a href="https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/" target="_blank" rel="external nofollow">relaunched as Babuk v2.0</a> after the original group splintered due to differences in how attacks were conducted.
	</p>

	<p>
		BleepingComputer has contacted the FBI with questions about possible law enforcement action but has not heard back at this time.
	</p>

	<p>
		This is a developing story.
	</p>
</div>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/" rel="external nofollow">REvil ransomware gang's web sites mysteriously shut down</a>
</p>
]]></description><guid isPermaLink="false">1201</guid><pubDate>Tue, 13 Jul 2021 22:38:12 +0000</pubDate></item><item><title>A New Critical SolarWinds Zero-Day Vulnerability Under Active Attack</title><link>https://nsaneforums.com/news/security-privacy-news/a-new-critical-solarwinds-zero-day-vulnerability-under-active-attack-r1194/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>A New Critical SolarWinds Zero-Day Vulnerability Under Active Attack</strong></span>
</p>

<p>
	SolarWinds, the Texas-based company that became the epicenter of a massive supply chain attack late last year, has issued patches to contain a remote code execution flaw in its Serv-U managed file transfer service.
</p>

<p>
	The fixes, which target Serv-U Managed File Transfer and Serv-U Secure FTP products, arrive after Microsoft notified the IT management and remote monitoring software maker that the flaw was being exploited in the wild. The threat actor behind the exploitation remains unknown as yet, and it isn't clear exactly how the attack was carried out.
</p>

<p>
	"Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability," SolarWinds said in an advisory published Friday, adding it's "unaware of the identity of the potentially affected customers."
</p>

<p>
	Affecting Serv-U version 15.2.3 HF1 and earlier, successful exploitation of the flaw (CVE-2021-35211) could enable an adversary to run arbitrary code on the affected system, including the ability to install malicious programs and view, change, or delete sensitive data.
</p>

<p>
	As indicators of compromise, the company is urging administrators to watch out for potentially suspicious connections via SSH from the IP addresses 98[.]176.196.89 and 68[.]235.178.32, or via TCP 443 from the IP address 208[.]113.35.58. Disabling SSH access on the Serv-U installation also prevents compromise.
</p>

<p>
	The issue has been addressed in Serv-U version 15.2.3 hotfix (HF) 2.
</p>

<p>
	SolarWinds also stressed in its advisory that the vulnerability is "completely unrelated to the SUNBURST supply chain attack" and that it does not affect other products, notably the Orion Platform, which was exploited to drop malware and dig deeper into the targeted networks by suspected Russian hackers to spy on multiple federal agencies and businesses in one of the most serious security breaches in U.S. history.
</p>

<p>
	A string of software supply chain attacks since then has highlighted the fragility of modern networks and the sophistication of threat actors in identifying hard-to-find vulnerabilities in widely used software to conduct espionage and drop ransomware, in which hackers shut down the systems of businesses and demand payment to allow them to regain control.
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/a-new-critical-solarwinds-zero-day.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1194</guid><pubDate>Tue, 13 Jul 2021 13:05:20 +0000</pubDate></item><item><title>Trickbot Malware Returns with a new VNC Module to Spy on its Victims</title><link>https://nsaneforums.com/news/security-privacy-news/trickbot-malware-returns-with-a-new-vnc-module-to-spy-on-its-victims-r1193/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>Trickbot Malware Returns with a new VNC Module to Spy on its Victims</strong></span>
</p>

<p>
	Cybersecurity researchers have opened the lid on the continued resurgence of the insidious TrickBot malware, making it clear that the Russia-based transnational cybercrime group is working behind the scenes to revamp its attack infrastructure in response to recent counter efforts from law enforcement.
</p>

<p>
	"The new capabilities discovered are used to monitor and gather intelligence on victims, using a custom communication protocol to hide data transmissions between [command-and-control] servers and victims — making attacks difficult to spot," Bitdefender said in a technical write-up published Monday, suggesting an increase in sophistication of the group's tactics.
</p>

<p>
	 
</p>

<p>
	"Trickbot shows no sign of slowing down," the researchers noted.
</p>

<p>
	 
</p>

<p>
	Botnets are formed when hundreds or thousands of hacked devices are enlisted into a network run by criminal operators, which is often then used to launch denial-of-service attacks that pummel businesses and critical infrastructure with bogus traffic with the aim of knocking them offline. But with control of these devices, malicious actors can also use botnets to spread malware and spam, or to deploy file-encrypting ransomware on the infected computers.
</p>

<p>
	 
</p>

<p>
	TrickBot is no different. The notorious cybercrime gang behind the operation — dubbed Wizard Spider — has a track record of exploiting the infected machines to steal sensitive information, pivot laterally across a network, and even become a loader for other malware, such as ransomware, while constantly improving their infection chains by adding modules with new functionality to increase its effectiveness.
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<img alt="attack.jpg" class="ipsImage" data-ratio="75.10" height="540" width="619" src="https://thehackernews.com/images/-lY946C1ixK8/YO00LQXdaCI/AAAAAAAADKk/Q1lUdVb4fEs3e3Yv8fYPD46ElEvkzeoTgCLcBGAsYHQ/s728-e1000/attack.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	"TrickBot has evolved to use a complex infrastructure that compromises third-party servers and uses them to host malware," Lumen's Black Lotus Labs disclosed last October. "It also infects consumer appliances such as DSL routers, and its criminal operators constantly rotate their IP addresses and infected hosts to make disruption of their crime as difficult as possible."
</p>

<p>
	 
</p>

<p>
	The botnet has since survived two takedown attempts by Microsoft and the U.S. Cyber Command, with the operators developing firmware meddling components that could allow the hackers to plant a backdoor in the Unified Extensible Firmware Interface (UEFI), enabling it to evade antivirus detection, software updates, or even a total wipe and reinstallation of the computer's operating system.
</p>

<p>
	 
</p>

<p>
	Now according to Bitdefender, the threat actor has been found actively developing an updated version of a module called "vncDll" that it employs against select high-profile targets for monitoring and intelligence gathering. The new version has been named "tvncDll."
</p>

<p>
	 
</p>

<p>
	The new module is designed to communicate with one of the nine command-and-control (C2) servers defined in its configuration file, using it to retrieve a set of attack commands, download more malware payloads, and exfiltrate data gathered from the machine back to the server. Additionally, the researchers said they identified a "viewer tool," which the attackers use to interact with the victims through the C2 servers.
</p>

<p>
	 
</p>

<p>
	While efforts to squash the gang's operations may not have been entirely successful, Microsoft told The Daily Beast that it worked with internet service providers (ISPs) to go door-to-door replacing routers compromised with the Trickbot malware in Brazil and Latin America, and that it effectively pulled the plug on Trickbot infrastructure in Afghanistan.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/trickbot-malware-returns-with-new-vnc.html" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">1193</guid><pubDate>Tue, 13 Jul 2021 13:00:43 +0000</pubDate></item><item><title>Iranian Hackers Posing as Scholars Target Professors and Writers in Middle-East</title><link>https://nsaneforums.com/news/security-privacy-news/iranian-hackers-posing-as-scholars-target-professors-and-writers-in-middle-east-r1192/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Iranian Hackers Posing as Scholars Target Professors and Writers in Middle-East</strong></span>
</p>

<p>
	 
</p>

<p>
	A sophisticated social engineering attack undertaken by an Iranian-state aligned actor targeted think tanks, journalists, and professors with an aim to solicit sensitive information by masquerading as scholars with the University of London's School of Oriental and African Studies (SOAS).
</p>

<p>
	 
</p>

<p>
	Enterprise security firm Proofpoint attributed the campaign — called "Operation SpoofedScholars" — to the advanced persistent threat tracked as TA453, which is also known by the aliases APT35 (FireEye), Charming Kitten (ClearSky), and Phosphorus (Microsoft). The government cyber warfare group is suspected of carrying out intelligence efforts on behalf of the Islamic Revolutionary Guard Corps (IRGC).
</p>

<p>
	 
</p>

<p>
	"Identified targets included experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specializing in Middle Eastern coverage," the researchers said in a technical write-up shared with The Hacker News. "The campaign shows a new escalation and sophistication in TA453's methods."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="soas.jpg" class="ipsImage" data-ratio="75.10" height="540" width="708" src="https://thehackernews.com/images/-qti75uNaC5Q/YO1cP6fplBI/AAAAAAAADK8/eN4mhzJ2TqoOpkV-dDBKQQ8rl-zhgweOgCLcBGAsYHQ/s0/soas.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	On a high level, the attack chain involved the threat actor posing as British scholars to a group of highly selective victims in an attempt to entice the target into clicking on a registration link to an online conference that's engineered to capture a variety of credentials from Google, Microsoft, Facebook, and Yahoo.
</p>

<p>
	 
</p>

<p>
	To lend it an air of legitimacy, the credential phishing infrastructure was hosted on a genuine but compromised website belonging to the University of London's SOAS Radio, using which personalized credential harvesting pages disguised as registration links were then delivered to unsuspecting recipients.
</p>

<p>
	 
</p>

<p>
	At least in one instance, TA453 is said to have sent a credential harvesting email to a target to their personal email account. "TA453 strengthened the credibility of the attempted credential harvest by utilizing personas masquerading as legitimate affiliates of SOAS to deliver the malicious links," the researchers said.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="website-hacking.jpg" class="ipsImage" data-ratio="63.19" height="450" width="720" src="https://thehackernews.com/images/-MpFIZzfAHZE/YO1cJ16NhVI/AAAAAAAADK4/Ca8RUUD2_js7BEj0vO4eWDgZmPnbrJmqQCLcBGAsYHQ/s0/website-hacking.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Some of the SOAS scholars who were impersonated included Dr. Hanns Bjoern Kendel, an associate professor of diplomatic studies and international relations, and Dr. Tolga Sinmazdemir, a senior lecturer in political methodology.
</p>

<p>
	 
</p>

<p>
	Interestingly, TA453 also insisted that the targets sign in to register for the webinar while the group was online, raising the possibility that the attackers were "planning on immediately validating the captured credentials manually." The attacks are believed to have commenced as far back as January 2021, before the group subtly shifted its tactics in subsequent email phishing lures.
</p>

<p>
	 
</p>

<p>
	This is not the first time the threat actor has launched credential phishing attacks. Earlier this March, Proofpoint detailed a "BadBlood" campaign targeting senior medical professionals who specialized in genetics, neurology, and oncology research in Israel and the U.S.
</p>

<p>
	 
</p>

<p>
	"TA453 illegally obtained access to a website belonging to a world class academic institution to leverage the compromised infrastructure to harvest the credentials of their intended targets," the researchers said. "The use of legitimate, but compromised, infrastructure represents an increase in TA453's sophistication and will almost certainly be reflected in future campaigns. TA453 continues to iterate, innovate, and collect in support of IRGC collection priorities."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/iranian-hackers-posing-as-scholars.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1192</guid><pubDate>Tue, 13 Jul 2021 12:57:28 +0000</pubDate></item><item><title>Microsoft is reportedly acquiring cybersecurity firm RiskIQ for over $500 million</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-is-reportedly-acquiring-cybersecurity-firm-riskiq-for-over-500-million-r1185/</link><description><![CDATA[<header>
	<h1>
		Microsoft is reportedly acquiring cybersecurity firm RiskIQ for over $500 million 
	</h1>
</header>

<div itemprop="articleBody">
	<p>
		 
	</p>

	<p>
		Microsoft <a href="https://www.neowin.net/news/microsoft-acquires-refirm-labs-to-enhance-its-azure-defender-for-iot-platform/" rel="external nofollow">announced last month the acquisition of ReFirm Labs</a>, which provides tools to help secure Internet of Things and connected devices. The acquisition bolstered the company's Azure Defender for IoT platform to help customers fend off sophisticated attacks.
	</p>

	<p>
		 
	</p>

	<p>
		Now, the software giant appears to be expanding its portfolio of security services with another acquisition. Microsoft is reportedly snapping up RiskIQ, a cybersecurity firm that provides protection against various forms of online threats through its software-as-a-service platform. A report from Bloomberg claims the company is paying more than $500 million in cash for the acquisition.
	</p>

	<p>
		 
	</p>

	<p>
		As per <a href="https://www.riskiq.com/company/about-us/" rel="external nofollow">RiskIQ's website</a>, its security service is powered by a global internet intelligence graph that "has mapped the billions of relationships between the internet components belonging to every organization, business, and threat actor on Earth." RiskIQ counts some of the biggest companies in the world such as Facebook, BMW, and American Express among its customers.
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft also recently beefed up its cybersecurity offering for high-risk entities such as political organizations, journalists, and human rights workers with the <a href="https://www.neowin.net/news/microsoft-expands-accountguard-features-to-high-risk-entities-in-31-countries/" rel="external nofollow">expansion of AccountGuard to 31 countries in March</a>. Two months later, it <a href="https://www.neowin.net/news/microsoft-announces-counterfit-an-automation-tool-for-security-testing-of-ai-systems/" rel="external nofollow">unveiled Counterfit</a>, an automation tool designed to automate the security testing of an organization's AI systems.
	</p>

	<p>
		 
	</p>

	<p>
		Neither Microsoft nor RiskIQ confirmed the latest report. That said, the rumored acquisition is expected to be officially announced in the next few days.
	</p>

	<p>
		 
	</p>

	<p>
		Source: <a href="http://www.bloomberg.com/news/articles/2021-07-11/microsoft-is-said-to-be-buying-cybersecurity-company-riskiq" rel="external nofollow">Bloomberg (paywall)</a>
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-is-reportedly-acquiring-cybersecurity-firm-riskiq-for-over-500-million/" rel="external nofollow">Microsoft is reportedly acquiring cybersecurity firm RiskIQ for over $500 million</a>
</p>
]]></description><guid isPermaLink="false">1185</guid><pubDate>Mon, 12 Jul 2021 22:34:46 +0000</pubDate></item><item><title>A new feature selection technique for intrusion detection systems</title><link>https://nsaneforums.com/news/security-privacy-news/a-new-feature-selection-technique-for-intrusion-detection-systems-r1181/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>A new feature selection technique for intrusion detection systems</strong></span>
</p>

<p>
	 
</p>

<p>
	Network-based technologies have become increasingly widespread, and they are now being used by countless individuals, professionals, and businesses worldwide. Despite their advantages, most network-based systems are highly vulnerable to malicious attacks.
</p>

<p>
	 
</p>

<p>
	The consequences of a malicious attack on network-based systems can be extremely severe and devastating. For instance, an attack on a power utility network could leave millions of individuals and offices without electricity, while attacks on social media networks can lead to breaches of confidential user information.
</p>

<p>
	 
</p>

<p>
	To overcome the vulnerabilities of network-based systems, computer scientists worldwide have been trying to develop advanced intrusion detection systems (IDSs) that could help to identify and counteract malicious attacks, increasing a network's safety. In recent years, machine learning (ML) algorithms have been found to be particularly promising for automatically detecting attacks and intrusions on a network's functioning.
</p>

<p>
	 
</p>

<p>
	A key step in the development and training of ML-based IDSs is the selection of data features that a model can rely or focus on when making predictions. Ideally, by analyzing large datasets, researchers should be able to identify the most suitable features for solving a given task using ML tools, and this is also applicable to intrusion detection.
</p>

<p>
	 
</p>

<p>
	Researchers at Canadian University Dubai in the UAE have recently developed a new feature selection method that could enable the development of more effective ML-based IDSs. This method, presented in a paper pre-published on arXiv, was found to perform remarkably well when compared with other commonly employed feature selection techniques.
</p>

<p>
	 
</p>

<p>
	"Our goal is to study feature selection in network traffic data with the aim of detecting potential attacks," Firuz Kamalov, Sherif Moussa, Rita Zgheib and Omar Mashaal, the researchers who carried out the study, wrote in their paper. "We consider various existing feature selection methods as well as propose a new feature selection algorithm to identify the most potent features in network traffic data."
</p>

<p>
	 
</p>

<p>
	Firstly, Kamalov and his colleagues analyzed a series of feature selection methods that could be used to detect features or characteristics of network traffic data that are relevant to intrusion detection. They specifically focused on three standard selection methods, known as correlation-based univariate, MI-based univariate, and correlation-based forward search algorithms.
</p>

<p>
	 
</p>

<p>
	Subsequently, the researchers developed a new feature selection method, dubbed MICorr, which addresses some of the limitations of existing feature selection techniques. They evaluated this method on the CSE-CIC-IDS2018 dataset, which contains 10,000 benign and malicious network intrusion instances.
</p>

<p>
	 
</p>

<p>
	"We propose a new feature selection method that addresses the challenge of considering continuous input features and discrete target values," the researchers explained in their paper. "We show that the proposed method performs well against the benchmark selection methods."
</p>

<p>
	 
</p>

<p>
	Using the features they identified as salient for intrusion detection, Kamalov and his colleagues created a highly efficient ML-based detection system. This system was found to be capable of discerning between DDoS (Distributed Denial of Service) attacks and harmless network signals with 99% accuracy.
</p>

<p>
	 
</p>

<p>
	In the future, the feature selection method developed by this team of researchers and the findings presented in their paper could inform the development of new, highly effective IDSs. In addition, the system they created using the features they identified could be implemented in real-world settings to detect malicious attacks on real networks.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2021-07-feature-technique-intrusion.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1181</guid><pubDate>Mon, 12 Jul 2021 20:59:02 +0000</pubDate></item><item><title>Hackers Spread BIOPASS Malware via Chinese Online Gambling Sites</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-spread-biopass-malware-via-chinese-online-gambling-sites-r1180/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>Hackers Spread BIOPASS Malware via Chinese Online Gambling Sites</strong></span>
</p>

<p>
	 
</p>

<p>
	Cybersecurity researchers are warning about a new malware that's striking online gambling companies in China via a watering hole attack to deploy either Cobalt Strike beacons or a previously undocumented Python-based backdoor called BIOPASS RAT that takes advantage of Open Broadcaster Software (OBS) Studio's live-streaming app to stream the screens of its victims to attackers.
</p>

<p>
	 
</p>

<p>
	The attack involves deceiving gaming website visitors into downloading a malware loader camouflaged as a legitimate installer for popular-but-deprecated apps such as Adobe Flash Player or Microsoft Silverlight, only for the loader to act as a conduit for fetching next-stage payloads.
</p>

<p>
	 
</p>

<p>
	Specifically, the websites' online support chat pages are booby-trapped with malicious JavaScript code, which is used to deliver the malware to the victims.
</p>

<p>
	 
</p>

<p>
	"BIOPASS RAT possesses basic features found in other malware, such as file system assessment, remote desktop access, file exfiltration, and shell command execution," Trend Micro researchers noted in an analysis published Friday. "It also has the ability to compromise the private information of its victims by stealing web browser and instant messaging client data."
</p>

<p>
	 
</p>

<p>
	OBS Studio is an open-source software for video recording and live streaming, enabling users to stream to Twitch, YouTube, and other platforms.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img data-ratio="41.25" width="720" alt="malware-code.jpg" src="https://thehackernews.com/images/-on785UDDstg/YOwhfX9qmiI/AAAAAAAADJ8/K3h2x47BUxAiB-ri4cR4StahN2hde6czACLcBGAsYHQ/s0/malware-code.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Besides featuring an array of capabilities that run the typical spyware gamut, BIOPASS is equipped to establish live streaming to a cloud service under the attacker's control via Real-Time Messaging Protocol (RTMP), in addition to communicating with the command-and-control (C2) server using the Socket.IO protocol.
</p>

<p>
	 
</p>

<p>
	The malware, which is said to be under active development, is also notable for its focus on stealing private data from web browsers and instant messaging apps chiefly popular in Mainland China, including QQ Browser, 2345 Explorer, Sogou Explorer, and 360 Safe Browser, WeChat, QQ, and Aliwangwang.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img data-ratio="53.06" width="720" alt="rat.jpg" src="https://thehackernews.com/images/-I2p7f9FPhKw/YOwhP_kMUOI/AAAAAAAADJ0/0tlzGQ829rQTYfYz3fPOHdFbwp1ULIteACLcBGAsYHQ/s0/rat.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	It isn't clear exactly who is behind this malware strain, but Trend Micro researchers said they found overlaps between BIOPASS's TTPs and those often associated with the Winnti Group (aka APT41), a sophisticated Chinese hacking group specializing in cyber espionage attacks, based on the use of stolen certificates and a Cobalt Strike binary that was previously attributed to the threat actor.
</p>

<p>
	 
</p>

<p>
	What's more, the same Cobalt Strike binary has also been connected to a cyber attack targeting MonPass, a major certification authority (CA) in Mongolia, earlier this year wherein its installer software was tampered with to install Cobalt Strike beacon payloads on infected systems.
</p>

<p>
	 
</p>

<p>
	"BIOPASS RAT is a sophisticated type of malware that is implemented as Python scripts," the researchers said. "Given that the malware loader was delivered as an executable disguised as a legitimate update installer on a compromised website, [...] it is recommended to download apps only from trusted sources and official websites to avoid being compromised."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/hackers-spread-biopass-malware-via.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1180</guid><pubDate>Mon, 12 Jul 2021 18:11:38 +0000</pubDate></item><item><title>The Pentagon Tried to Take Down These Hackers. They&#x2019;re Back.</title><link>https://nsaneforums.com/news/security-privacy-news/the-pentagon-tried-to-take-down-these-hackers-they%E2%80%99re-back-r1179/</link><description><![CDATA[<p>
	<strong><span style="font-size:26px;">The Pentagon Tried to Take Down These Hackers. They’re Back</span></strong>
</p>

<p>
	 
</p>

<p>
	<strong>U.S. Cyber Command and Microsoft, among others, launched operations on the eve of the election meant to hobble a Russian-speaking hacking group. But it’s rising again.</strong>
</p>

<p>
	 
</p>

<p>
	Last fall, on the eve of the elections, the U.S. Department of Defense tried to throttle a transnational cybercrime group. But the hackers have rebuilt much of their operations. It’s become clear in recent months that the gang is very much alive and well.
</p>

<p>
	 
</p>

<p>
	The Russian-speaking hacking group, sometimes referred to by the name of the malware it uses, Trickbot, has gone after millions of victims around the globe, stealing victims’ banking credentials and facilitating ransomware attacks that have left businesses scrambling to pay hefty extortion demands for years.
</p>

<p>
	 
</p>

<p>
	And now, even though the Pentagon’s U.S. Cyber Command tried to put a dent in the gang’s operations last year, there are signs the hacking gang is working behind the scenes, quietly updating its malware to monitor victims and gather intelligence. That’s according to the latest intelligence from Romania-based cybersecurity firm Bitdefender, which shared its findings exclusively with The Daily Beast.
</p>

<p>
	 
</p>

<p>
	Cyber Command went after Trickbot in advance of Election Day last year to prevent any disruptions to the 2020 presidential elections.
</p>

<p>
	 
</p>

<p>
	But in recent weeks the hackers have been updating a specific part of their operations, namely a tool that helps them remotely control victims’ computers called a VNC module, Bitdefender found. And the hackers already appear to be leveraging their new tool to plot their next attack, says Bogdan Botezatu, Bitdefender’s director of threat research and reporting.
</p>

<p>
	 
</p>

<p>
	“We’re talking about a massive operation,” Botezatu said, noting that his team set up a system mimicking a victim, known as a honeypot, and that Trickbot has already gone after it. “The administrators were doing reconnaissance… They will decide later what they can capitalize on depending on how much information is on the device or whether it’s part of a business environment or not.”
</p>

<p>
	 
</p>

<p>
	The hackers also appear to be working on infrastructure that could allow them to sell access to other attackers, according to Vikram Thakur, a technical director at the security firm Symantec, which has previously run efforts to disrupt Trickbot.
</p>

<p>
	 
</p>

<p>
	“If someone unsuspecting opens up a bad file from Trickbot… without the end user knowing it the bad guys could be watching and even controlling the victim’s computer,” Thakur, whose team reviewed Bitdefender’s findings, told The Daily Beast. “And here the bad guys are creating a robust way to do it where they could gain control [of] your computer and even resell it to others who’d like to steal from it.”
</p>

<p>
	 
</p>

<p>
	Cyber Command isn’t the only group of hackers that tried to tackle Trickbot last year. Microsoft and a series of other security firms also seized Trickbot’s U.S. servers to try to stand in the way of the organization’s hacking campaigns.
</p>

<p>
	 
</p>

<p>
	But the continued resurgence of the hacking gang since then isn’t a sign of a failed operation, says Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit. Microsoft’s goal at the time was to prevent any Trickbot-linked hacking from affecting the 2020 presidential election. And the efforts to blunt Trickbot appeared to garner some results right away: Microsoft was able to disable 94 percent of the gang’s infrastructure.
</p>

<p>
	 
</p>

<p>
	“We were very clear back in October of 2020 that our primary goal was to make sure that enough of their infrastructure was down so that we didn’t have to worry about them disrupting the election,” Hogan-Burney told The Daily Beast. “The operation that we did last October was absolutely a success.”
</p>

<p>
	 
</p>

<p>
	Botezatu noted that the hackers have been showing signs they expect to get interrupted, and have been building in backup mechanisms into their infrastructure so they can withstand many blows.
</p>

<p>
	 
</p>

<p>
	“Trickbot is still one of the largest botnets to date,” Botezatu said. “I wouldn’t have expected them to quit so fast.”
</p>

<p>
	 
</p>

<p>
	As Trickbot has resurged, Hogan-Burney’s team has started to think of taking down the gang as an ongoing task that doesn’t appear to have an end in sight, as opposed to a “one and done” elimination campaign.
</p>

<p>
	 
</p>

<p>
	“We knew it wasn’t going to be easy…[we] just see it as a continuing challenge,” Hogan-Burney told The Daily Beast.
</p>

<p>
	 
</p>

<p>
	In recent months Hogan-Burney and her team have been trying to shift the offensive into a ground game—in one case, Microsoft worked with internet service providers (ISPs) to go door to door in Brazil and Latin America to replace customers’ routers that were compromised, one by one.
</p>

<p>
	 
</p>

<p>
	Although the hacking gang primarily operates out of Russia, Belarus, Ukraine, and Suriname, according to the U.S. Department of Justice, Hogan-Burney said since October Microsoft has been sending cease and desist notices all around the globe. In one case Microsoft has successfully taken down Trickbot infrastructure in Afghanistan, Hogan-Burney said.
</p>

<p>
	 
</p>

<p>
	Some efforts to track down and chip away at Trickbot are not going well, Hogan-Burney admitted.
</p>

<p>
	 
</p>

<p>
	“There’s that geopolitical aspect to this too, that makes it seem a little bit more difficult. It’s far more daunting where you have jurisdictions that seem to be harboring cybercriminals,” Hogan-Burney told The Daily Beast. “You want to be able to arrest people and bring them to justice and that part is proving to be more difficult.”
</p>

<p>
	 
</p>

<p>
	The news that the transnational cybercrime group is still bolstering its attack techniques and plotting its next moves behind the scenes comes as the federal government is trying to deliver blows to the hacking group from all sides—a woman was recently arraigned in federal court in Ohio for her alleged role in helping Trickbot run ransomware attacks.
</p>

<p>
	 
</p>

<p>
	The Biden administration has been working to hold Russia accountable for giving safe harbor to ransomware criminals within its borders in recent days, after a series of Russian-speaking ransomware hackers left a major meat supplier, pipeline company, and thousands of other firms scrambling in recent attacks. President Joe Biden has said he wouldn’t rule out a retaliatory cyberattack against some of the hackers.
</p>

<p>
	 
</p>

<p>
	But for Trickbot, last year’s offensive effort isn’t sticking, according to ESET, one of the companies that participated in the takedown effort.
</p>

<p>
	 
</p>

<p>
	“There was a slowdown in their activities around the disruption operations… as they lost control of most of their network infrastructure and were scrambling to rebuild it, but the fact that they are actively developing modules is another illustration that the cyber criminals operating Trickbot are now back in full swing,” Jean-Ian Boutin, the head of threat research at ESET, told The Daily Beast.
</p>

<p>
	 
</p>

<p>
	The gang has been recasting itself and recruiting, says Alex Holden, the founder and chief information security officer of Hold Security.
</p>

<p>
	 
</p>

<p>
	“We know that Trickbot is going through a transformation. The gang is recruiting, expanding, and changing its techniques and approaches,” Holden told The Daily Beast.
</p>

<p>
	 
</p>

<p>
	Holden said he hopes that research like Bitdefender’s pushes Trickbot off-balance and provides law enforcement leads to pursue that blunt the gang’s attacks.
</p>

<p>
	 
</p>

<p>
	Bitdefender told The Daily Beast they had informed law enforcement of their research. Cyber Command declined to comment on the future of plans to disrupt the Trickbot gang. The FBI did not return a request for comment on the resurgence and about whether the U.S. government is planning any disruptive operations.
</p>

<p>
	 
</p>

<p>
	But with every attempt to take them down, Trickbot just seems to get stronger, says Jason Meurer, a senior research engineer at cybersecurity firm Cofense.
</p>

<p>
	 
</p>

<p>
	“Trickbot will always be hard to take down without access to the authors,” Meurer told The Daily Beast. “Every attempt to take them down will cause them to shift tactics and update their defensive measures.”
</p>

<p>
	 
</p>

<p>
	The future of governments’ and cybersecurity companies’ efforts to cripple Trickbot is not entirely clear, Meurer admitted.
</p>

<p>
	“The hope is that in the long run, they make mistakes while doing this and open up clues to hunt down who is actually behind Trickbot,” Meurer said.
</p>

<p>
	 
</p>

<p>
	In the meantime, the cybercrime organization’s efforts are likely to keep emerging and re-emerging despite takedowns, as researchers and law enforcement lie in wait for their next misstep, Botezatu said.
</p>

<p>
	 
</p>

<p>
	“Trickbot: it’s like a phoenix,” Botezatu told The Daily Beast. “It went down and came back to life from its ashes.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.thedailybeast.com/the-pentagon-tried-to-take-down-these-hackers-theyre-back?ref=home" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1179</guid><pubDate>Mon, 12 Jul 2021 15:41:54 +0000</pubDate></item><item><title>Kaseya patches VSA vulnerabilities used in REvil ransomware attack</title><link>https://nsaneforums.com/news/security-privacy-news/kaseya-patches-vsa-vulnerabilities-used-in-revil-ransomware-attack-r1174/</link><description><![CDATA[<h1>
	Kaseya patches VSA vulnerabilities used in REvil ransomware attack
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Kaseya has released a security update for the VSA zero-day vulnerabilities used by the REvil ransomware gang to attack MSPs and their customers.
	</p>

	<p>
		 
	</p>

	<p>
		Kaseya VSA is a remote management and monitoring solution commonly used by managed service providers to support their customers. MSPs can deploy VSA on-premise using their servers or utilize Kaseya's cloud-based SaaS solution.
	</p>

	<p>
		 
	</p>

	<p>
		In April, the <a href="https://csirt.divd.nl/" rel="external nofollow" target="_blank">Dutch Institute for Vulnerability Disclosure</a> (DIVD) disclosed seven vulnerabilities to Kaseya:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			<a href="https://csirt.divd.nl/cves/CVE-2021-30116" rel="external nofollow" target="_blank">CVE-2021-30116</a> - A credentials leak and business logic flaw, to be included in 9.5.7
		</li>
		<li>
			<a href="https://csirt.divd.nl/cves/CVE-2021-30117" rel="external nofollow" target="_blank">CVE-2021-30117</a> - An SQL injection vulnerability, resolved in May 8th patch.
		</li>
		<li>
			<a href="https://csirt.divd.nl/cves/CVE-2021-30118" rel="external nofollow" target="_blank">CVE-2021-30118</a> - A Remote Code Execution vulnerability, resolved in April 10th patch. (v9.5.6)
		</li>
		<li>
			<a href="https://csirt.divd.nl/cves/CVE-2021-30119" rel="external nofollow" target="_blank">CVE-2021-30119</a> - A Cross Site Scripting vulnerability, to be included in 9.5.7
		</li>
		<li>
			<a href="https://csirt.divd.nl/cves/CVE-2021-30120" rel="external nofollow" target="_blank">CVE-2021-30120</a> - 2FA bypass, to be resolved in v9.5.7
		</li>
		<li>
			<a href="https://csirt.divd.nl/cves/CVE-2021-30121" rel="external nofollow" target="_blank">CVE-2021-30121</a> - A Local File Inclusion vulnerability, resolved in May 8th patch.
		</li>
		<li>
			<a href="https://csirt.divd.nl/cves/CVE-2021-30201" rel="external nofollow" target="_blank">CVE-2021-30201</a> - An XML External Entity vulnerability, resolved in May 8th patch.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		Kaseya had implemented patches for most of the vulnerabilities on their VSA SaaS service but had not completed the patches for the on-premise version of VSA.
	</p>

	<p>
		 
	</p>

	<p>
		Unfortunately, the REvil ransomware gang beat Kaseya to the finish line and utilized these vulnerabilities to <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/" target="_blank" rel="external nofollow">launch a massive attack</a> on July 2nd against approximately 60 MSPs using on-premise VSA servers and 1,500 business customers.
	</p>

	<p>
		 
	</p>

	<p>
		It is unclear which vulnerabilities were used in the attack, but it is believed to be one or a combination of CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120.
	</p>

	<h2>
		Kaseya releases security updates
	</h2>

	<p>
		Since the attack, Kaseya has urged on-premise VSA customers to shut down their servers until a patch is ready.
	</p>

	<p>
		 
	</p>

	<p>
		Almost ten days after the attacks, Kaseya has <a href="https://helpdesk.kaseya.com/hc/en-gb/articles/4403785889041" rel="external nofollow" target="_blank">released the VSA 9.5.7a (9.5.7.2994) update</a> to fix the vulnerabilities used in the REvil ransomware attack.
	</p>

	<p>
		 
	</p>

	<p>
		With this release, Kaseya has fixed the following vulnerabilities:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Credentials leak and business logic flaw: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30116" rel="external nofollow">CVE-2021-30116</a>
		</li>
		<li>
			Cross Site Scripting vulnerability: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30119" rel="external nofollow">CVE-2021-30119</a>
		</li>
		<li>
			2FA bypass: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30120" rel="external nofollow">CVE-2021-30120</a>
		</li>
		<li>
			Fixed an issue where the secure flag was not being used for User Portal session cookies.
		</li>
		<li>
			Fixed an issue where certain API responses would contain a password hash, potentially exposing any weak passwords to brute force attack. The password value is now masked completely.
		</li>
		<li>
			Fixed a vulnerability that could allow unauthorized upload of files to the VSA server.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		However, Kaseya is urging customers to follow the '<a href="https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993incident-response" rel="external nofollow" target="_blank">On Premises VSA Startup Readiness Guide</a>' steps before installing the update to prevent further breaches and make sure devices are not already compromised.
	</p>

	<p>
		 
	</p>

	<p>
		Below are the basic steps that admins should perform before starting up VSA servers again and connecting them to the Internet:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Ensure your VSA server is isolated
		</li>
		<li>
			Check System for Indicators of Compromise (IOC)
		</li>
		<li>
			Patch the Operating Systems of the VSA Servers
		</li>
		<li>
			Using URL Rewrite to control access to VSA through IIS
		</li>
		<li>
			Install FireEye Agent
		</li>
		<li>
			Remove Pending Scripts/Jobs
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		Of these steps, it is critical that on-premise VSA servers not be publicly accessible from the Internet to prevent compromise while installing the patch.
	</p>

	<p>
		 
	</p>

	<p>
		Kaseya also urges customers to utilize their "Compromise Detection Tool," a collection of PowerShell scripts to detect whether a VSA server or endpoints have been compromised.
	</p>

	<p>
		 
	</p>

	<p>
		The scripts will check VSA servers for the presence of 'Kaseya\webpages\managedfiles\vsaticketfiles\agent.crt' and 'Kaseya\webpages\managedfiles\vsaticketfiles\agent.exe,' and 'agent.crt' and 'agent.exe' on endpoints. 
	</p>

	<p>
		 
	</p>

	<p>
		The REvil affiliate used the agent.crt and agent.exe files to deploy the REvil ransomware executable.
	</p>

	<p>
		 
	</p>

	<p>
		For additional security, Kaseya is also suggesting that on-premise VSA admins restrict access to the web GUI to local IP addresses and those known to be used by security products.
	</p>

	<p>
		 
	</p>

	<p>
		"For VSA On-Premises installations, we have recommended limiting access to the VSA Web GUI to local IP addresses by blocking port 443 inbound on your internet firewall.  Some integrations may require inbound access to your VSA server on port 443.  Below are a list of IP addresses you can whitelist in your firewall (allow 443 inbound to FROM ), if you are using these integrations with your VSA On-Premises product." <a href="https://helpdesk.kaseya.com/hc/en-gb/articles/4403869952657" rel="external nofollow" target="_blank">explains</a> Kaseya.
	</p>

	<p>
		 
	</p>

	<p>
		After installing the patch, all users will be required to change their password to one using new password requirements.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/kaseya-patches-vsa-vulnerabilities-used-in-revil-ransomware-attack/" rel="external nofollow">Kaseya patches VSA vulnerabilities used in REvil ransomware attack</a>
</p>
]]></description><guid isPermaLink="false">1174</guid><pubDate>Sun, 11 Jul 2021 22:30:40 +0000</pubDate></item><item><title>Hackers disrupt Iran's rail service with fake delay messages</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-disrupt-irans-rail-service-with-fake-delay-messages-r1163/</link><description><![CDATA[<p>
	<span style="font-size:26px;"><strong>Hackers disrupt Iran's rail service with fake delay messages</strong></span>
</p>

<p>
	 
</p>

<p>
	Iran's railroad system came under cyberattack on Friday, a semi-official news agency reported, with hackers posting fake messages about train delays or cancellations on display boards at stations across the country.
</p>

<p>
	 
</p>

<p>
	The hackers posted messages such as "long delayed because of cyberattack" or "canceled" on the boards. They also urged passengers to call for information, listing the phone number of the office of the country's supreme leader, Ayatollah Ali Khamenei.
</p>

<p>
	 
</p>

<p>
	The semi-official Fars news agency reported that the hack led to "unprecedented chaos" at rail stations.
</p>

<p>
	 
</p>

<p>
	No group took responsibility. Earlier in the day, Fars said trains across Iran had lost their electronic tracking system. It wasn't immediately clear if that was also part of the cyberattack.
</p>

<p>
	 
</p>

<p>
	Fars later removed its report and instead quoted the spokesman of the state railway company, Sadegh Sekri, as saying "the disruption" did not cause any problem for train services.
</p>

<p>
	 
</p>

<p>
	In 2019, an error in the railway company's computer servers caused multiple delays in train services.
</p>

<p>
	 
</p>

<p>
	In December that year, Iran's telecommunications ministry said the country had defused a massive cyberattack on unspecified "electronic infrastructure" but provided no specifics on the purported attack.
</p>

<p>
	 
</p>

<p>
	It was not clear if the reported attack caused any damage or disruptions in Iran's computer and internet systems, and whether it was the latest chapter in the U.S. and Iran's cyber operations targeting the other.
</p>

<p>
	 
</p>

<p>
	Iran disconnected much of its infrastructure from the internet after the Stuxnet computer virus—widely believed to be a joint U.S.-Israeli creation—disrupted thousands of Iranian centrifuges in the country's nuclear sites in the late 2000s.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2021-07-hackers-disrupt-iran-rail-fake.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1163</guid><pubDate>Sat, 10 Jul 2021 15:06:48 +0000</pubDate></item><item><title>Spike in &#x201C;Chain Gang&#x201D; Destructive Attacks on ATMs</title><link>https://nsaneforums.com/news/security-privacy-news/spike-in-%E2%80%9Cchain-gang%E2%80%9D-destructive-attacks-on-atms-r1158/</link><description><![CDATA[<header>
	<div>
		<h1>
			Spike in “Chain Gang” Destructive Attacks on ATMs
		</h1>
	</div>
</header>

<div id="primary">
	<div id="content" role="main">
		<article id="post-56096">
			<header>
				<div>
					<div>
						 
					</div>
				</div>
			</header>

			<div>
				<p>
					Last summer, financial institutions throughout Texas started reporting a sudden increase in attacks involving well-orchestrated teams that would show up at night, use stolen trucks and heavy chains to rip Automated Teller Machines (ATMs) out of their foundations, and make off with the cash boxes inside. Now it appears the crime — known variously as “ATM smash-and-grab” or “chain gang” attacks — is rapidly increasing in other states.
				</p>

				<p>
					 
				</p>

				<div id="attachment_56259">
					<img alt="atmsng.png" aria-describedby="caption-attachment-56259" data-ratio="59.17" loading="lazy" sizes="(max-width: 761px) 100vw, 761px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/07/atmsng.png 897w, https://krebsonsecurity.com/wp-content/uploads/2021/07/atmsng-768x430.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/07/atmsng-782x438.png 782w" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/07/atmsng.png">
					<p id="caption-attachment-56259">
						Four different ATM “chain gang” attacks in Texas recently. Image: Texas Bankers Association.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					The Texas Bankers Association documented at least 139 chain gang attacks against Texas financial institutions in the year ending November 2020. The association says organized crime is the main source of the destructive activity, and that Houston-based FBI officials have made more than 50 arrests and are actively tracking about 250 individuals suspected of being part of these criminal rings.
				</p>

				<p>
					 
				</p>

				<p>
					From surveillance camera footage examined by fraud investigators, the perpetrators have followed the same playbook in each incident. The bad guys show up in the early morning hours with a truck or tractor that’s been stolen from a local construction site.
				</p>

				<p>
					 
				</p>

				<p>
					Then two or three masked men will pry the front covering from the ATM using crowbars, and attach heavy chains to the cash machine. The canisters of cash inside are exposed once the crooks pull the ATM’s safe door off using the stolen vehicle.
				</p>

				<p>
					 
				</p>

				<p>
					In nearly all cases, the perpetrators are done in less than five minutes.
				</p>

				<p>
					 
				</p>

				<p>
					Tracey Santor is the bond product manager for <a href="https://www.travelers.com/" rel="external nofollow" target="_blank">Travelers</a>, which insures a large number of financial institutions against this type of crime. Santor said investigators questioning some of the suspects learned that the smash-and-grabs are used as a kind of initiation for would-be gang members.
				</p>

				<p>
					 
				</p>

				<p>
					“One of the things they found out during the arrest was the people wanting to be in the gang were told they had to bring them $250,000 within a week,” Santor said. “And they were given instructions on how to do it. I’ve also heard of cases where the perpetrators put construction cones around the ATM so it looks to anyone passing by that they’re legitimately doing construction at the site.”
				</p>

				<p>
					 
				</p>

				<p>
					Santor said the chain gang attacks have spread to other states, and that in the year ending June 2021 Travelers saw a 257 percent increase in the number of insurance claims related to ATM smash-and-grabs.
				</p>

				<p>
					 
				</p>

				<p>
					That 257 percent increase also includes claims involving incidents where attackers will crash a stolen car into a convenience store, and then in the ensuing commotion load the store’s ATM into the back of the vehicle and drive away.
				</p>

				<p>
					 
				</p>

				<p>
					In addition to any cash losses — which can often exceed $200,000 — replacing destroyed ATMs and any associated housing can take weeks, and newer model ATMs can cost $80,000 or more.
				</p>

				<p>
					 
				</p>

				<p>
					“It’s not stopping,” Santor said of the chain gang attacks. “In the last year we counted 32 separate states we’ve seen this type of attack in. Normally we are seeing single digits across the country. 2021 is going to be the same or worse for us than last year.”
				</p>

				<p>
					 
				</p>

				<p>
					Increased law enforcement scrutiny of the crime in Texas might explain why a number of neighboring states are seeing a recent uptick in the number of chain gang attacks, said Elaine Dodd, executive vice president of the fraud division for the Oklahoma Bankers Association.
				</p>

				<p>
					 
				</p>

				<p>
					“We have a lot of it going on here now and they’re getting good at it,” Dodd said. “The numbers are surging. I think since Texas has focused law enforcement attention on this it’s spreading like fingers out from there.”
				</p>

				<p>
					 
				</p>

				<div id="attachment_56261">
					<img alt="chaingang.png" aria-describedby="caption-attachment-56261" data-ratio="62.22" loading="lazy" src="https://krebsonsecurity.com/wp-content/uploads/2021/07/chaingang.png">
					<p id="caption-attachment-56261">
						Chain gang members at work on a Texas bank ATM. Image: Texas Bankers Association.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					It’s not hard to see why physical attacks against ATMs are on the rise. In 2019, the average amount stolen in a traditional bank robbery was just $1,797, according to the FBI.
				</p>

				<p>
					 
				</p>

				<p>
					In contrast, robbing ATMs is way less risky and potentially far more rewarding for the perpetrators. That’s because bank ATMs can typically hold hundreds of thousands of dollars in cash.
				</p>

				<p>
					 
				</p>

				<p>
					Dodd said she hopes to see more involvement from federal investigators in fighting chain gang attacks, and that it would help if more of these attacks were prosecuted as bank robberies, which can carry stiff federal penalties. As it is, she said, most incidents are treated as property crimes and left to local investigators.
				</p>

				<p>
					 
				</p>

				<p>
					“We had a rash of three attacks recently and contacted the FBI, and were told, ‘We don’t work these,'” Dodd said. “The FBI looks at these attacks not as bank robbery, but just the theft of cash.”
				</p>

				<p>
					 
				</p>

				<p>
					In January, Texas lawmakers <a href="https://capitol.texas.gov/tlodocs/87R/analysis/html/SB00516I.htm" rel="external nofollow" target="_blank">introduced legislation</a> that would make destroying an ATM a third degree felony offense. Such a change would mean chain gang members could be prosecuted with <a href="https://www.farmprogress.com/livestock/southwest-ranchers-wary-sharp-rise-livestock-related-crimes" rel="external nofollow" target="_blank">the same zeal Texas applies to people who steal someone’s livestock</a>, a crime which is punishable by 2-10 years in prison and a fine of up to $10,000 (or both).
				</p>

				<p>
					 
				</p>

				<p>
					“The bottom line is, right now bank robbery is a felony and robbing an unattended ATM is not,” Santor said.
				</p>

				<p>
					 
				</p>

				<p>
					KrebsOnSecurity checked in with the European ATM Security Team (EAST), which maintains statistics about fraud of all kinds targeting ATM operators in Europe. EAST Executive Director Lachlan Gunn said overall physical attacks on ATMs in Europe have been a lot quieter since the pandemic started.
				</p>

				<p>
					 
				</p>

				<p>
					“Attacks fell right away during the lockdowns and have started to pick up a little as the restrictions are eased,” Gunn said. “So no major spike here, although [the United States is] further ahead when it comes to the easing of restrictions.”
				</p>

				<p>
					 
				</p>

				<p>
					Gunn said the most common physical attacks on European ATMs continue to involve explosives — such as gas tanks and solid explosives that are typically stolen from mining and construction sites.
				</p>

				<p>
					 
				</p>

				<p>
					“The biggest physical attack issue in Europe remains solid explosive attacks, due to the extensive collateral damage and the risk to life,” Gunn said.
				</p>

				<p>
					 
				</p>

				<p>
					The Texas Bankers Association report, available <a href="https://texasbankers.informz.net/texasbankers/data/images/ATM%20Crime%20Task%20Force%20Report%20NOV%202020%20(FINAL).pdf" rel="external nofollow" target="_blank">here</a> (PDF), includes a number of recommended steps financial institutions can take to reduce the likelihood of being targeted by chain gangs.
				</p>
			</div>
		</article>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/07/spike-in-chain-gang-destructive-attacks-on-atms/" rel="external nofollow">Spike in “Chain Gang” Destructive Attacks on ATMs</a>
</p>
]]></description><guid isPermaLink="false">1158</guid><pubDate>Fri, 09 Jul 2021 22:21:25 +0000</pubDate></item><item><title>Insurance giant CNA reports data breach after ransomware attack</title><link>https://nsaneforums.com/news/security-privacy-news/insurance-giant-cna-reports-data-breach-after-ransomware-attack-r1157/</link><description><![CDATA[<h1>
	Insurance giant CNA reports data breach after ransomware attack
</h1>

<div>
	<p>
		 
	</p>

	<p>
		CNA Financial Corporation, a leading US-based insurance company, is notifying customers of a data breach following a Phoenix CryptoLocker ransomware attack that hit its systems in March.
	</p>

	<p>
		 
	</p>

	<p>
		CNA is considered the seventh-largest commercial insurance firm in the US based on stats from the <a href="https://www.iii.org/publications/commercial-insurance/rankings" rel="external nofollow" target="_blank">Insurance Information Institute</a>.
	</p>

	<p>
		 
	</p>

	<p>
		The company provides an extensive array of insurance products, including cyber insurance policies, to individuals and businesses across the US, Canada, Europe, and Asia.
	</p>

	<h2>
		Over 75,000 individuals affected
	</h2>

	<p>
		"The investigation revealed that the threat actor accessed certain CNA systems at various times from March 5, 2021 to March 21, 2021," CNA said in <a href="https://www.documentcloud.org/documents/20986186-cna-breach-notice-bc" rel="external nofollow" target="_blank">breach notification letters</a> mailed to affected customers today.
	</p>

	<p>
		 
	</p>

	<p>
		"During this time period, the threat actor copied a limited amount information before deploying the ransomware."
	</p>

	<p>
		 
	</p>

	<p>
		The data breach reported by CNA affected 75,349 individuals, according to breach information filed with the office of Maine's Attorney General.
	</p>

	<p>
		 
	</p>

	<p>
		After reviewing the files stolen during the attack, CNA discovered that they contained customers' personal information such as names and Social Security numbers.
	</p>

	<p>
		 
	</p>

	<p>
		"Having recovered the information, we have now completed our review of that information and have determined it contained some personal information including name, Social Security number and in some instances, information related to health benefits for certain individuals," CNA explained in a <a href="https://www.documentcloud.org/documents/20986305-cna-legal-notice-070921" rel="external nofollow" target="_blank">separate incident update</a>.
	</p>

	<p>
		 
	</p>

	<p>
		"The majority of individuals being notified are current and former employees, contract workers and their dependents."
	</p>

	<p>
		 
	</p>

	<p>
		The company added that it found no evidence that the stolen information was "viewed, retained or shared."
	</p>

	<p>
		 
	</p>

	<p>
		Additionally, CNA claims there is no reason to suspect that the stolen information was or will be misused in any way.
	</p>

	<blockquote>
		<p>
			CNA will be offering 24 months of complimentary credit monitoring and fraud protection services through Experian. CNA is also providing a toll-free hotline for the individuals to call with any questions regarding the Incident. — CNA
		</p>
	</blockquote>

	<h2>
		Systems fully restored after ransomware attack
	</h2>

	<p>
		Sources familiar with the attack told BleepingComputer that the <a href="https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/" target="_blank" rel="external nofollow">Phoenix CryptoLocker operators</a> encrypted over 15,000 devices after deploying ransomware payloads on CNA's network <a href="https://www.bleepingcomputer.com/news/security/cna-insurance-firm-hit-by-a-cyberattack-operations-impacted/" target="_blank" rel="external nofollow">on March 21</a>.
	</p>

	<p>
		 
	</p>

	<p>
		BleepingComputer also learned that the attackers encrypted the computers of remote workers who were logged into the company's VPN during the incident.
	</p>

	<p>
		 
	</p>

	<p>
		Based on similarities in the code, Phoenix Locker is believed to be a new ransomware family developed by the <a href="https://www.bleepingcomputer.com/tag/evil-corp/" target="_blank" rel="external nofollow">Evil Corp</a> hacking group <a href="https://www.bleepingcomputer.com/news/security/evil-corp-hackers-charged-for-stealing-over-100-million/" target="_blank" rel="external nofollow">to avoid sanctions</a> after <a href="https://www.bleepingcomputer.com/news/security/new-wastedlocker-ransomware-distributed-via-fake-program-updates/" target="_blank" rel="external nofollow">WastedLocker ransomware</a> victims would no longer pay ransoms to avoid legal action or fines.
	</p>

	<p>
		 
	</p>

	<p>
		When asked by BleepingComputer about a connection between the sanctioned Evil Corp and the Phoenix group, CNA replied that there was no confirmed nexus.
	</p>

	<p>
		 
	</p>

	<p>
		"The threat actor group, Phoenix, responsible for this attack, is not a sanctioned entity and no U.S. government agency has confirmed a relationship between the group that attacked CNA and any sanctioned entity," the company said.
	</p>

	<p>
		 
	</p>

	<p>
		"We have notified the FBI of this incident and are actively cooperating with them as they conduct their investigation of the incident."
	</p>

	<p>
		 
	</p>

	<p>
		Two months ago, CNA reported that it <a href="https://www.bleepingcomputer.com/news/security/insurance-giant-cna-fully-restores-systems-after-ransomware-attack/" target="_blank" rel="external nofollow">had restored the systems</a> impacted in the ransomware attack and was operating "in a fully restored state."
	</p>

	<p>
		 
	</p>

	<p>
		The insurance provider added that it did not find any evidence while investigating the incident of stolen policyholder info surfacing, being exchanged or being put up for sale on the dark web or hacking forums.
	</p>

	<p>
		 
	</p>

	<p>
		Update: Added info provided by CNA spokesperson on additional data exposed in the incident.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/insurance-giant-cna-reports-data-breach-after-ransomware-attack/" rel="external nofollow">Insurance giant CNA reports data breach after ransomware attack</a>
</p>
]]></description><guid isPermaLink="false">1157</guid><pubDate>Fri, 09 Jul 2021 22:19:07 +0000</pubDate></item><item><title>Critical Flaws Reported in Philips Vue PACS Medical Imaging Systems</title><link>https://nsaneforums.com/news/security-privacy-news/critical-flaws-reported-in-philips-vue-pacs-medical-imaging-systems-r1154/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>Critical Flaws Reported in Philips Vue PACS Medical Imaging Systems</strong></span>
</p>

<p>
	 
</p>

<p>
	Multiple security vulnerabilities have been disclosed in Philips Clinical Collaboration Platform Portal (aka Vue PACS), some of which could be exploited by an adversary to take control of an affected system.
</p>

<p>
	 
</p>

<p>
	"Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) noted in an advisory.
</p>

<p>
	 
</p>

<p>
	The 15 flaws impact:
</p>

<p>
	 
</p>

<ul>
	<li>
		VUE Picture Archiving and Communication Systems (versions 12.2.x.x and prior),
	</li>
	<li>
		Vue MyVue (versions 12.2.x.x and prior),
	</li>
	<li>
		Vue Speech (versions 12.2.x.x and prior), and
	</li>
	<li>
		Vue Motion (versions 12.2.1.5 and prior)
	</li>
</ul>

<p>
	 
</p>

<p>
	Four of the issues (CVE-2020-1938, CVE-2018-12326, CVE-2018-11218, CVE-2020-4670, and CVE-2018-8014) have been given a Common Vulnerability Scoring System (CVSS) base score of 9.8, and concern improper validation of input data as well as vulnerabilities introduced by flaws previously patched in Redis.
</p>

<p>
	 
</p>

<p>
	Another serious flaw (CVE-2021-33020, CVSS score: 8.2) is caused by the Vue platform's use of cryptographic keys beyond their established expiration date, "which diminishes its safety significantly by increasing the timing window for cracking attacks against that key."
</p>

<p>
	 
</p>

<p>
	Other weaknesses involve the use of a broken or risky cryptographic algorithm (CVE-2021-33018), a cross-site scripting attack when handling user-controllable input (CVE-2015-9251), insecure methods to protect authentication credentials (CVE-2021-33024), improper or incorrect initialization of resources (CVE-2018-8014), and a failure to follow coding standards (CVE-2021-27501) that could increase the severity of the other vulnerabilities.
</p>

<p>
	 
</p>

<p>
	While Philips has addressed some of the shortcomings as part of its updates shipped in June 2020 and May 2021, the Dutch healthcare company is expected to patch the rest of the security issues in version 15 of Speech, MyVue, and PACS that's currently in development and set for release in Q1 2022.
</p>

<p>
	 
</p>

<p>
	In the interim, CISA is urging entities to minimize network exposure for all control system devices and ensure that they are not accessible from the Internet, segment control system networks and remote devices behind firewalls, and use virtual private networks (VPNs) for secure remote access.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/critical-flaws-reported-in-philips-vue.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1154</guid><pubDate>Fri, 09 Jul 2021 15:33:34 +0000</pubDate></item><item><title>Magecart Hackers Hide Stolen Credit Card Data Into Images for Evasive Exfiltration</title><link>https://nsaneforums.com/news/security-privacy-news/magecart-hackers-hide-stolen-credit-card-data-into-images-for-evasive-exfiltration-r1153/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Magecart Hackers Hide Stolen Credit Card Data Into Images for Evasive Exfiltration</strong></span>
</p>

<p>
	 
</p>

<p>
	Cybercrime actors who are part of the Magecart group have latched on to a new technique of obfuscating the malware code within comment blocks and encoding stolen credit card data into images and other files hosted on the server, once again demonstrating how the attackers are continuously improving their infection chains to escape detection.
</p>

<p>
	 
</p>

<p>
	"One tactic that some Magecart actors employ is the dumping of swiped credit card details into image files on the server [to] avoid raising suspicion," Sucuri Security Analyst, Ben Martin, said in a write-up. "These can later be downloaded using a simple GET request at a later date."
</p>

<p>
	 
</p>

<p>
	MageCart is the umbrella term given to multiple groups of cybercriminals targeting e-commerce websites with the goal of plundering credit card numbers by injecting malicious JavaScript skimmers and selling them on the black market.
</p>

<p>
	 
</p>

<p>
	Sucuri attributed the attack to Magecart Group 7 based on overlaps in the tactics, techniques, and procedures (TTPs) adopted by the threat actor.
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<img alt="code.jpg" class="ipsImage" data-ratio="44.72" height="319" width="720" src="https://thehackernews.com/images/-k_2b7TRsrTk/YOhV30KyJPI/AAAAAAAADJM/K_bbvEP4LqcS4ApmGi9Y-6X5ZdiUtxFNACLcBGAsYHQ/s728-e1000/code.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	In one instance of a Magento e-commerce website infection investigated by the GoDaddy-owned security company, it was found that the skimmer was inserted in one of the PHP files involved in the checkout process in the form of a Base64-encoded compressed string.
</p>

<p>
	 
</p>

<p>
	What's more, to further mask the presence of malicious code in the PHP file, the adversaries are said to have used a technique called concatenation wherein the code was combined with additional comment chunks that "does not functionally do anything but it adds a layer of obfuscation making it somewhat more difficult to detect."
</p>

<p>
	 
</p>

<p>
	Ultimately, the goal of the attacks is to capture customers' payment card details in real-time on the compromised website, which are then saved to a bogus style sheet file (.CSS) on the server and downloaded subsequently at the threat actor's end by making a GET request.
</p>
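<p>
	As an added example (not code from Sucuri's write-up or from Magento), the following Python scanner undoes the two layers described above: it strips the comment chunks and string concatenation that split a Base64-encoded compressed blob inside a checkout PHP file, checks whether the re-joined literal really inflates, and separately flags static assets such as a bogus .css file or an image that contain Luhn-valid card-number runs. The sample PHP file, the file paths and the payload are all constructed for the demo.
</p>

```python
"""Added scanner for the two Magecart habits described above: a skimmer hidden
in checkout PHP as a base64-encoded compressed string behind comment chunks and
concatenation, and card data dumped into static files. Inputs are constructed."""
import base64
import re
import zlib

# Harmless stand-in for the decoded skimmer body (constructed).
DEMO_BODY = b"<?php /* constructed demo payload, does nothing */ $x = 1;"
# Layer 1: PHP block comments spliced into an expression.
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Layer 2: 'abc' . 'def' concatenation that splits a literal into pieces.
CONCAT = re.compile(r"(['\"])\s*\.\s*\1")
# A long base64-looking string literal, once the pieces are re-joined.
B64_LITERAL = re.compile(r"(['\"])([A-Za-z0-9+/=]{40,})\1")
# eval() fed by a decompress-then-base64_decode chain.
DECODER_CHAIN = re.compile(
    r"\beval\s*\(\s*(?:gzinflate|gzuncompress|gzdecode)\s*\(\s*base64_decode\s*\("
)

def build_demo_checkout_php() -> str:
    """Constructed Magento-style checkout file: base64(zlib(body)) cut into
    12-character pieces, re-joined with concatenation and comment chunks."""
    b64 = base64.b64encode(zlib.compress(DEMO_BODY)).decode()
    pieces = [b64[i:i + 12] for i in range(0, len(b64), 12)]
    glued = " . /*chunk*/ ".join(f"'{p}'" for p in pieces)
    return (
        "<?php\n"
        "$grandTotal = $quote->getGrandTotal();\n"
        f"eval(/*x*/gzuncompress(/*y*/base64_decode(/*z*/{glued})));\n"
        "return $grandTotal;\n"
    )

def _try_decompress(data: bytes):
    """Inflated bytes if data is zlib/gzip or raw deflate, else None."""
    for wbits in (zlib.MAX_WBITS | 32, -zlib.MAX_WBITS):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return None

def scan_php(source: str) -> dict:
    """Peel the comment and concatenation layers, then look for the payload."""
    comment_chunks = len(BLOCK_COMMENT.findall(source))
    joined, splices = CONCAT.subn("", BLOCK_COMMENT.sub("", source))
    payloads = []
    for _quote, literal in B64_LITERAL.findall(joined):
        try:
            blob = base64.b64decode(literal, validate=True)
        except ValueError:
            continue
        body = _try_decompress(blob)
        if body is not None:
            payloads.append(body)
    chain = bool(DECODER_CHAIN.search(joined))
    return {
        "comment_chunks": comment_chunks,
        "concat_splices": splices,
        "decoder_chain": chain,
        "compressed_payloads": payloads,
        "suspicious": chain and bool(payloads),
    }

# Static assets that should never hold card-like data.
STATIC_EXT = (".css", ".jpg", ".jpeg", ".png", ".gif", ".ico", ".svg")
DIGIT_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: bytes) -> bool:
    """Luhn check on an ASCII digit run; filters ordinary numbers like widths."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_static_files(files: dict) -> dict:
    """Map each static asset path to its count of Luhn-valid PAN-like runs."""
    hits = {}
    for path, data in files.items():
        if path.lower().endswith(STATIC_EXT):
            n = sum(1 for m in DIGIT_RUN.finditer(data) if luhn_ok(m.group()))
            if n:
                hits[path] = n
    return hits

# Constructed web-root snapshot: a clean stylesheet, a bogus .css dump and a
# PNG with a record appended after its header (paths are made up).
DEMO_FILES = {
    "skin/frontend/base/default/css/styles.css": b"body{margin:0}\n.hero{width:1366px}\n",
    "skin/frontend/base/default/css/cache.css": (
        b"/* constructed dump of captured checkout fields */\n"
        b"4111111111111111|12/2024|123|Jane Doe\n"
        b"5555555555554444|06/2025|987|John Roe\n"
    ),
    "media/catalog/product/cache/thumb.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"378282246310005|Acme\n",
}
```

Running `scan_php(build_demo_checkout_php())` reports the decoder chain, the number of comment chunks and splices removed, and the inflated payload; `scan_static_files(DEMO_FILES)` flags only the bogus stylesheet and the tampered image.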

<p>
	 
</p>

<p>
	"MageCart is an ever growing threat to e-commerce websites," Martin said. "From the perspective of the attackers: the rewards are too large and consequences non-existent, why wouldn't they? Literal fortunes are made [by] stealing and selling stolen credit cards on the black market."
</p>

<p>
	<br />
	<strong><a href="https://thehackernews.com/2021/07/magecart-hackers-hide-stolen-credit.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1153</guid><pubDate>Fri, 09 Jul 2021 15:29:11 +0000</pubDate></item><item><title>PrintNightmare: In statement Microsoft denies patch bypass is a real threat</title><link>https://nsaneforums.com/news/security-privacy-news/printnightmare-in-statement-microsoft-denies-patch-bypass-is-a-real-threat-r1144/</link><description><![CDATA[<h1>
	PrintNightmare: In statement Microsoft denies patch bypass is a real threat
</h1>

<p>
	 
</p>

<article>
	<p>
		Two days ago <a href="https://mspoweruser.com/microsoft-release-fix-for-printnightmare-exploit/" rel="external nofollow">Microsoft released an out-of-band patch</a> for the PrintNightmare zero-day, a Windows Print Spooler vulnerability that <a href="https://mspoweruser.com/new-windows-server-printnightmare-zero-day-exploit-may-be-the-new-hafnium/" rel="external nofollow">gives attackers full remote code execution on fully patched systems</a>, and a day later several researchers showed that the patch could be bypassed.
	</p>

	<p>
		 
	</p>

	<p>
		Embedded tweet: <a href="https://twitter.com/gentilkiwi/status/1412771368534528001" rel="external nofollow">@gentilkiwi, 7 July 2021</a>
	</p>

	<div>
		<p>
			 
		</p>

		<p>
			Embedded tweet: <a href="https://twitter.com/wdormann/status/1412813044279910416" rel="external nofollow">@wdormann, 7 July 2021</a>
		</p>
	</div>

	<p>
		Microsoft has now issued a statement to <a href="https://www.bleepingcomputer.com/news/microsoft/microsofts-incomplete-printnightmare-patch-fails-to-fix-vulnerability/" rel="external nofollow" target="_blank">BleepingComputer</a> denying that the bypass presented a realistic threat, saying:
	</p>

	<p>
		 
	</p>

	<p>
		“We’re aware of claims and are investigating, but at this time we are not aware of any bypasses,” continuing “We have seen claims of bypass where an administrator has changed default registry settings to an unsecure configuration. See CVE-2021-34527 guidance for more information on settings required to secure your system.”
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft presumably means the settings that allow printer drivers to be installed without a warning or elevation prompt, and the company insists the default configuration is secure.
	</p>

	<p>
		 
	</p>

	<p>
		What is clear is that the patch alone is not enough to be safe. Read Microsoft’s full configuration guidance <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527" rel="external nofollow" target="_blank">here</a>.
	</p>
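	<p>
		Since the bypass claims turn on whether an administrator relaxed the defaults, the first thing to check on each print server is the two Point and Print registry values named in Microsoft’s CVE-2021-34527 guidance (linked above, but not reproduced in this article): both must be 0 or undefined. The Python below is an added example, not Microsoft’s tooling. The evaluation runs on a plain dictionary so it works anywhere; the <code>read_live_values()</code> helper reads the real values through <code>winreg</code> when run on Windows. The two sample configurations are constructed.
	</p>

```python
# Added example (not Microsoft's tooling): evaluate the two Point and Print
# registry values that Microsoft's CVE-2021-34527 guidance requires to be 0 or
# absent. The evaluation works on a plain dict so it runs anywhere; the winreg
# reader below pulls the live values when run on Windows. The sample
# configurations at the bottom are constructed.
from typing import Dict, Optional

POINT_AND_PRINT_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
# Value name -> what a non-zero setting means (both must be 0 or undefined).
CHECKED_VALUES = {
    "NoWarningNoElevationOnInstall": "new drivers install without the warning and elevation prompt",
    "UpdatePromptSettings": "driver update prompts are reduced or removed",
}


def evaluate(values: Dict[str, Optional[int]]) -> Dict[str, str]:
    """Map each checked value to 'ok' (0 or absent) or a reason it is unsafe."""
    report = {}
    for name, meaning in CHECKED_VALUES.items():
        data = values.get(name)
        report[name] = "ok" if not data else f"unsafe ({data}): {meaning}"
    return report


def is_secure(values: Dict[str, Optional[int]]) -> bool:
    """True only when every checked value is 0 or undefined."""
    return all(v == "ok" for v in evaluate(values).values())


def read_live_values() -> Dict[str, Optional[int]]:
    """Windows only: read the values with winreg; an absent key or value is None."""
    import winreg  # not available outside Windows

    result: Dict[str, Optional[int]] = {name: None for name in CHECKED_VALUES}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POINT_AND_PRINT_KEY) as key:
            for name in CHECKED_VALUES:
                try:
                    data, _ = winreg.QueryValueEx(key, name)
                    result[name] = int(data)
                except FileNotFoundError:
                    pass  # value undefined: the secure default
    except FileNotFoundError:
        pass  # whole policy key absent: the secure default
    return result


# Constructed configurations: the default (key absent) and a relaxed one of the
# kind Microsoft's statement refers to.
DEFAULT_CONFIG: Dict[str, Optional[int]] = {}
RELAXED_CONFIG: Dict[str, Optional[int]] = {
    "NoWarningNoElevationOnInstall": 1,
    "UpdatePromptSettings": 2,
}

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("relaxed", RELAXED_CONFIG)):
        print(label, "secure" if is_secure(cfg) else "NOT secure", evaluate(cfg))
```

	<p>
		On a Windows host, <code>is_secure(read_live_values())</code> gives the answer for that machine; values pushed by Group Policy land under the same <code>Policies</code> key, so a domain-wide relaxation shows up here too.
	</p>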
</article>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://mspoweruser.com/printnightmare-microsoft-denies-patch-bypass-is-a-real-threat/" rel="external nofollow">PrintNightmare: In statement Microsoft denies patch bypass is a real threat</a>
</p>
]]></description><guid isPermaLink="false">1144</guid><pubDate>Thu, 08 Jul 2021 21:17:09 +0000</pubDate></item><item><title>Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software</title><link>https://nsaneforums.com/news/security-privacy-news/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software-r1143/</link><description><![CDATA[<header>
	<div>
		<h1>
			Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software
		</h1>
	</div>
</header>

<div id="primary">
	<div id="content" role="main">
		<article id="post-56209">
			<div>
				<p>
					 
				</p>

				<p>
					Last week cybercriminals deployed ransomware to roughly 1,500 organizations by way of the IT service providers that manage their systems. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya’s own customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago.
				</p>

				<p>
					 
				</p>

				<p>
					On July 3, the <a href="https://krebsonsecurity.com/?s=revil" rel="external nofollow" target="_blank">REvil ransomware affiliate program</a> began using a zero-day security hole (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30116" rel="external nofollow" target="_blank">CVE-2021-30116</a>) to deploy ransomware to hundreds of IT management companies running Kaseya’s remote management software — known as the Kaseya Virtual System Administrator (VSA).
				</p>

				<p>
					 
				</p>

				<p>
					According to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30116" rel="external nofollow" target="_blank">this entry for CVE-2021-30116</a>, the security flaw that powers the Kaseya VSA zero-day was assigned a vulnerability number on April 2, 2021, indicating Kaseya <a href="https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/" rel="external nofollow" target="_blank">had roughly three months to address the bug before it was exploited in the wild</a>.
				</p>

				<p>
					 
				</p>

				<p>
					Also on July 3, security incident response firm Mandiant notified Kaseya that its billing and customer support site, portal.kaseya.net, was vulnerable to <a href="https://nvd.nist.gov/vuln/detail/CVE-2015-2862" rel="external nofollow" target="_blank">CVE-2015-2862</a>, a “directory traversal” vulnerability in Kaseya VSA that allows remote users to read arbitrary files on the server using nothing more than a web browser.
				</p>

				<p>
					 
				</p>

				<p>
					As its name suggests, CVE-2015-2862 was issued in July 2015. Six years later, Kaseya’s customer portal was still exposed to the data-leaking weakness.
				</p>

				<p>
					 
				</p>

				<div id="attachment_56237">
					<img alt="kaseya-portal.png" aria-describedby="caption-attachment-56237" data-ratio="75.10" loading="lazy" sizes="(max-width: 767px) 100vw, 767px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/07/kaseya-portal.png 1008w, https://krebsonsecurity.com/wp-content/uploads/2021/07/kaseya-portal-768x613.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/07/kaseya-portal-782x625.png 782w" width="719" src="https://krebsonsecurity.com/wp-content/uploads/2021/07/kaseya-portal.png">
					<p id="caption-attachment-56237">
						The Kaseya customer support and billing portal. Image: Archive.org.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					Mandiant notified Kaseya after hearing about it from Alex Holden, founder and chief technology officer of Milwaukee-based cyber intelligence firm <a href="https://www.holdsecurity.com" rel="external nofollow" target="_blank">Hold Security</a>. Holden said the 2015 vulnerability was present on Kaseya’s customer portal until Saturday afternoon, allowing him to download the site’s <a href="https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/webconfig-file-detected/" rel="external nofollow" target="_blank">“web.config” file</a>, the ASP.NET configuration file that often contains sensitive information such as usernames and passwords and the locations of key databases.
				</p>
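				<p>
					The class of bug described here is worth seeing in code. The Python below is an added example and not Kaseya’s software: a naive file-serving function joins the requested name straight onto a downloads folder, so a name such as <code>../web.config</code> (or its URL-encoded form) walks out of that folder, while the hardened version resolves the path and refuses anything that does not land back inside it. The temporary web root, the <code>downloads</code> folder and the contents of the sample <code>web.config</code> are constructed for the example.
				</p>

```python
# Added example (not Kaseya's code): the bug class behind a directory-traversal
# flaw such as CVE-2015-2862, shown generically. serve_naive() joins the
# requested name straight onto a folder, so "../web.config" escapes it;
# serve_confined() resolves the path and refuses anything outside the folder.
# The web root and its web.config are constructed in a temp dir.
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def serve_naive(webroot: Path, requested: str) -> bytes:
    """Vulnerable: no containment check, so '..' walks out of the downloads folder."""
    return (webroot / "downloads" / unquote(requested)).read_bytes()


def serve_confined(webroot: Path, requested: str) -> Optional[bytes]:
    """Hardened: decode once, resolve symlinks and '..', then require the result
    to still sit under the downloads folder; None means the request was refused."""
    base = (webroot / "downloads").resolve()
    target = (base / unquote(requested)).resolve()
    try:
        target.relative_to(base)  # raises ValueError when target escaped base
    except ValueError:
        return None
    if not target.is_file():
        return None
    return target.read_bytes()


def build_sample_webroot() -> Path:
    """Constructed fixtures: a web.config with a made-up connection string and
    one legitimately downloadable file."""
    root = Path(tempfile.mkdtemp(prefix="portal-"))
    (root / "downloads").mkdir()
    (root / "web.config").write_text(
        '<configuration><connectionStrings><add name="db" '
        'connectionString="Server=db01;User Id=portal;Password=hunter2" />'
        "</connectionStrings></configuration>\n"
    )
    (root / "downloads" / "readme.txt").write_text("public file\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    print(serve_naive(root, "../web.config").decode())   # leaks the config
    print(serve_confined(root, "../web.config"))         # None
    print(serve_confined(root, "readme.txt"))            # b'public file\n'
```

				<p>
					The containment check is done on the resolved path rather than on the request string, so it also covers absolute paths, symlinks inside the folder that point outside it, and encodings that decode to <code>..</code>. Decoding exactly once matters: a handler that decodes twice would turn <code>%252e%252e</code> into <code>..</code> after the check has already passed.
				</p>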

				<p>
					 
				</p>

				<p>
					“It’s not like they forgot to patch something that Microsoft fixed years ago,” Holden said. “It’s a patch for their own software. And it’s not zero-day. It’s from 2015!”
				</p>

				<p>
					 
				</p>

				<p>
					The official description of CVE-2015-2862 says a would-be attacker would need to be already authenticated to the server for the exploit to work. But Holden said that was not the case with the vulnerability on the Kaseya portal that he reported via Mandiant.
				</p>

				<p>
					 
				</p>

				<p>
					“This is worse because the CVE calls for an authenticated user,” Holden said. “This was not.”
				</p>

				<p>
					 
				</p>

				<p>
					Michael Sanders, executive vice president of account management at Kaseya, confirmed that the customer portal was taken offline in response to a vulnerability report. Sanders said the portal had been retired in 2018 in favor of a more modern customer support and ticketing system, yet somehow the old site was still left available online.
				</p>

				<p>
					 
				</p>

				<p>
					“It was deprecated but left up,” Sanders said.
				</p>

				<p>
					 
				</p>

				<p>
					In a written statement shared with KrebsOnSecurity, Kaseya said that in 2015 CERT reported two vulnerabilities in its VSA product.
				</p>

				<p>
					 
				</p>

				<p>
					“We worked with CERT on responsible disclosure and released patches for VSA versions V7, R8, R9 and R9 along with the public disclosure (CVEs) and notifications to our customers. Portal.kaseya.net was not considered by our team to be part of the VSA shipping product and was not part of the VSA product patch in 2015. It has no access to customer endpoints and has been shut down – and will no longer be enabled or used by Kaseya.”
				</p>

				<p>
					 
				</p>

				<p>
					“At this time, there is no evidence this portal was involved in the VSA product security incident,” the statement continued. “We are continuing to do forensic analysis on the system and investigating what data is actually there.”
				</p>

				<p>
					 
				</p>

				<p>
					The REvil ransomware group said affected organizations could negotiate independently with them for a decryption key, or someone could pay $70 million worth of virtual currency to buy a key that works to decrypt all systems compromised in this attack.
				</p>

				<p>
					 
				</p>

				<p>
					But Sanders said every ransomware expert Kaseya consulted so far has advised against negotiating for one ransom to unlock all victims.
				</p>

				<p>
					 
				</p>

				<p>
					“The problem is that they don’t have our data, they have our customers’ data,” Sanders said. “We’ve been counseled not to do that by every ransomware negotiating company we’ve dealt with. They said with the amount of individual machines hacked and ransomwared, it would be very difficult for all of these systems to be remediated at once.”
				</p>

				<p>
					 
				</p>

				<p>
					In a video posted to Youtube on July 6, Kaseya CEO Fred Voccola said the ransomware attack had “limited impact, with only approximately 50 of the more than 35,000 Kaseya customers being breached.”
				</p>

				<p>
					 
				</p>

				<p>
					“While each and every customer impacted is one too many, the impact of this highly sophisticated attack has proven to be, thankfully, greatly overstated,” Voccola said.
				</p>

				<p>
					 
				</p>

				<p>
					Embedded video: <a href="https://www.youtube.com/watch?v=XfAyutRfy2A" rel="external nofollow">Kaseya CEO Fred Voccola, July 6</a>
				</p>

				<p>
					 
				</p>

				<p>
					The zero-day vulnerability that led to Kaseya customers (and customers of those customers) getting ransomed was discovered and reported to Kaseya by <a href="https://twitter.com/wietsman" rel="external nofollow" target="_blank">Wietse Boonstra</a>, a researcher with the Dutch Institute for Vulnerability Disclosure (DIVD).
				</p>

				<p>
					 
				</p>

				<p>
					In <a href="https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/" rel="external nofollow" target="_blank">a July 4 blog post</a>, DIVD’s Victor Gevers wrote that Kaseya was “very cooperative,” and “asked the right questions.”
				</p>

				<p>
					 
				</p>

				<p>
					“Also, partial patches were shared with us to validate their effectiveness,” Gevers wrote. “During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”
				</p>

				<p>
					 
				</p>

				<p>
					Still, Kaseya has yet to issue an official patch for the flaw Boonstra reported in April. Kaseya <a href="https://venturebeat.com/2021/07/07/kaseya-patch-fixing-zero-day-attack-delayed-as-issues-hit-saas-rollout/" rel="external nofollow" target="_blank">told customers on July 7</a> that it was working “through the night” to push out an update.
				</p>

				<p>
					 
				</p>

				<p>
					Gevers said the Kaseya vulnerability was discovered as part of a larger DIVD effort to look for serious flaws in a wide array of remote network management tools.
				</p>

				<p>
					 
				</p>

				<p>
					“We are focusing on these types of products because we spotted a trend where more and more of the products that are used to keep networks safe and secure are showing structural weaknesses,” he wrote.
				</p>
			</div>
		</article>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software/" rel="external nofollow">Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software</a>
</p>
]]></description><guid isPermaLink="false">1143</guid><pubDate>Thu, 08 Jul 2021 21:11:29 +0000</pubDate></item><item><title>REvil victims are refusing to pay after flawed Kaseya ransomware attack</title><link>https://nsaneforums.com/news/security-privacy-news/revil-victims-are-refusing-to-pay-after-flawed-kaseya-ransomware-attack-r1142/</link><description><![CDATA[<h1>
	REvil victims are refusing to pay after flawed Kaseya ransomware attack
</h1>

<div>
	<p>
		 
	</p>

	<p>
		The REvil ransomware gang's attack on MSPs and their customers last week should, by all outward appearances, have been a success, yet departures from the gang's typical tactics and procedures have led to few ransom payments.
	</p>

	<p>
		 
	</p>

	<p>
		When ransomware gangs conduct an attack, they usually breach a network and take time stealing data and deleting backups before ultimately encrypting the victim's devices.
	</p>

	<p>
		 
	</p>

	<p>
		When a victim is shown proof of stolen data, has had their backups deleted and has their devices encrypted, they have a much stronger incentive to pay the ransom to restore their data and prevent it from being leaked.
	</p>

	<p>
		 
	</p>

	<p>
		However, the REvil affiliate responsible for this attack chose to forgo those standard tactics and procedures. Instead, they used a zero-day vulnerability in on-premises Kaseya VSA servers to carry out a massive, widespread attack without ever directly accessing a victim's network.
	</p>

	<p>
		 
	</p>

	<p>
		This tactic led to the most significant ransomware attack in history, with over 1,500 individual businesses encrypted in a single attack.
	</p>

	<p>
		 
	</p>

	<p>
		Yet, while BleepingComputer knows of two companies who paid a ransom to receive a decryptor, overall, this attack is likely not nearly as successful as the REvil gang would have expected.
	</p>

	<p>
		 
	</p>

	<p>
		The reason is simply that backups were not deleted and data was not stolen, thus providing the ransomware gang little leverage over the victims.
	</p>

	<div>
		<figure>
			<img alt="A victim paid a $220,000 ransom in Kaseya attack" data-ratio="55.42" src="https://www.bleepstatic.com/images/news/ransomware/attacks/k/kaseya/no-payous/revil-ransom-payment.jpg">
			<figcaption>
				A victim paid a $220,000 ransom in Kaseya attack
			</figcaption>
		</figure>
	</div>

	<p>
		Cybersecurity researchers familiar with the attacks and the targeted MSPs have told BleepingComputer that victims are lucky they were attacked this way as the threat actors did not have regular unfettered access to networks and were forced to use automated methods of deleting backups.
	</p>

	<p>
		 
	</p>

	<p>
		For example, Emsisoft CTO Fabian Wosar extracted the <a href="https://gist.github.com/fwosar/a63e1249bfccb8395b961d3d780c0354" rel="external nofollow" target="_blank">configuration</a> for a REvil ransomware sample used in the attack, and it shows that the REvil affiliate made only a rudimentary attempt at deleting files in folders whose names contain the string 'backup.'
	</p>

	<div>
		<figure>
			<img alt="Snippet of REvil ransomware configuration" data-ratio="38.08" src="https://www.bleepstatic.com/images/news/ransomware/attacks/k/kaseya/no-payous/wipe-config.jpg">
			<figcaption>
				Snippet of REvil ransomware configuration
			</figcaption>
		</figure>
	</div>

	<p>
		However, this method does not appear to have worked: an MSP and multiple victims encrypted during the attack told BleepingComputer that none of their backups were affected, and they chose to restore rather than pay a ransom.
	</p>

	<p>
		 
	</p>

	<p>
		Bill Siegel, CEO of ransomware negotiation firm Coveware, told BleepingComputer that this is a similar decision for many other victims of the attack as not one of their clients has had to pay a ransom.
	</p>

	<p>
		 
	</p>

	<p>
		"In the Kaseya attack, they opted to try and impact EVERY Kaseya client by targeting the software vs direct ingress to an MSP's network. By going for such a broad impact they appear to have sacrificed the step of encrypting / wiping backups at the MSP control level," Siegel told BleepingComputer.
	</p>

	<p>
		 
	</p>

	<p>
		"This may end up being a bit of a saving grace, even for MSPs that had poorly segmented backups for their clients."
	</p>

	<p>
		 
	</p>

	<p>
		"While it is certainly impressive that Sodin was able to pull off this exploit, we have not seen the level of disruption that typically follows a single MSP attack where the backups are intentionally wiped or encrypted, and there is no other way to recover data without paying a ransom."
	</p>

	<p>
		 
	</p>

	<p>
		"The disruption is still bad, but encrypted data that is unrecoverable from backups may end up being minimal. This will translate to minimal need to pay ransoms."
	</p>

	<p>
		 
	</p>

	<p>
		"Impacted MSPs are going to be stretched for a while as they restore their clients, but so far none of the clients we have triaged have needed to pay a ransom. I'm sure there are some victims out there that will need to, but this could have been a lot worse."
	</p>

	<p>
		 
	</p>

	<p>
		Those victims who do ultimately pay a ransom will likely only do so because they had poor backups to restore from.
	</p>

	<p>
		 
	</p>

	<p>
		We rarely get to write a positive story about ransomware, and while many companies have had a stressful and disruptive week, it does appear that the majority of victims should be able to get back up and running fairly quickly.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/revil-victims-are-refusing-to-pay-after-flawed-kaseya-ransomware-attack/" rel="external nofollow">REvil victims are refusing to pay after flawed Kaseya ransomware attack</a>
</p>
]]></description><guid isPermaLink="false">1142</guid><pubDate>Thu, 08 Jul 2021 21:08:45 +0000</pubDate></item></channel></rss>
