Biden: US damage appears minimal in big ransomware attack

President Joe Biden said Tuesday that damage to U.S. businesses in the biggest ransomware attack on record appears minimal, though information remained incomplete. The company whose software was exploited said fewer than 1,500 businesses worldwide appeared compromised but cybersecurity experts caution that the incident isn’t over.

Also Tuesday, a security researcher who chatted online with representatives of the Russia-linked REvil gang behind the attack said they claimed to have stolen data from hundreds of companies, but offered no evidence.

Answering a reporter’s question at a vaccine-related White House event, Biden said his national security team had updated him Tuesday morning on the attack, which exploited a powerful remote-management tool run by Miami-based software company Kaseya in what is known as a supply-chain attack.

“It appears to have caused minimal damage to U.S. businesses but we’re still gathering information,” Biden said. “And I’m going to have more to say about this in the next several days.” An official at the Cybersecurity and Infrastructure Security Agency, speaking on condition they not be further identified, said no federal agencies or critical infrastructure appear to have been impacted.

On Wednesday, Biden and Vice President Kamala Harris will lead an interagency meeting to discuss the administration’s efforts to counter ransomware.

White House spokeswoman Jen Psaki held out the prospect of retaliatory action. What Biden told President Vladimir Putin in Geneva last month still holds, she said: “If the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own.”

What sort of action that would be is unclear.

Biden has said repeatedly that the Kremlin bears responsibility for giving ransomware criminals safe harbor, even if it is not directly involved. There is no indication that Putin has moved against the gangs. Psaki said Russian and U.S. representatives were meeting next week and would discuss the matter.

Further underscoring the geopolitical stakes in cyberspace, the Republican National Committee said Tuesday that it had been informed over the weekend that one of its contractors had been breached, though it was not immediately clear by whom. The RNC said no data was accessed.

The contractor, Synnex, initially said that the action “could potentially be in connection with the recent cybersecurity attacks of Managed Service Providers,” a likely reference to the breaches last week. But it backed away from that claim in a second statement late Tuesday.

Friday’s attack hobbled businesses in at least 17 countries. It shuttered most of the 800 supermarkets in the Swedish Coop chain over the weekend because cash registers stopped working, and reportedly knocked more than 100 New Zealand kindergartens offline.

Kaseya said it believes only about 800 to 1,500 of the estimated 800,000 to 1,000,000 mostly small business end-users of its software were affected. They are customers of companies that use Kaseya’s virtual system administrator, or VSA, product to fully manage their IT infrastructure.

Cybersecurity experts said, however, it is too early for Kaseya to know the true impact given its launch on the eve of the Fourth of July holiday weekend in the U.S. They said many targets might only discover it upon returning to work Tuesday.

Ransomware criminals infiltrate networks and sow malware that cripples them by scrambling all their data. Victims get a decoder key when they pay up. Most ransomware victims don’t publicly report attacks or disclose if they’ve paid ransoms. In the U.S., disclosure of a breach is required by state laws when personal data that can be used in identity theft is stolen. Federal law mandates it when healthcare records are exposed.

Security researchers said that in this attack, the criminals did not appear to have had time to steal data before locking up networks. That raised the question whether the motivation behind the attack was profit alone, because extortion through threatening to expose sensitive pilfered data betters the odds of big payoffs.

But Ryan Sherstobitoff, threat intelligence chief of the cybersecurity firm Security Scorecard, said REvil representatives claimed Saturday to have stolen data from hundreds of companies and were threatening to sell it if ransom demands of up to $5 million for bigger victims — they were seeking $45,000 per infected computer — were not met.

“The operators are claiming that, though there is not necessarily direct evidence,” added Sherstobitoff, who said he masqueraded as a victim to engage the criminals. He said the criminals claimed banks were among victims.

REvil offered a universal software decoder to free all victims in exchange for a lump sum payment of $50 million, he added. On Sunday, that sum rose to $70 million in a post on the criminals’ dark web site.

Analysts say the chaos ransomware criminals have wrought in the past year — hitting hospitals, schools, local governments and other targets at the rate of about one every eight minutes — serves Putin’s strategic agenda of destabilizing the West.

Most of the more than 60 Kaseya customers that company spokeswoman Dana Liedholm said were affected are managed service providers (MSPs), with multiple customers downstream.

“Given the relationship between Kaseya and MSPs, it’s not clear how Kaseya would know the number of victims impacted. There is no way the numbers are as low as Kaseya is claiming though,” said Jake Williams, chief technical officer of the cybersecurity firm BreachQuest. Other researchers also questioned Kaseya’s visibility into crippled managed service providers.

The hacked VSA tool remotely maintains customer networks, automating security and other software updates. Essentially, a product designed to protect networks from malware was cleverly used to distribute it.

In an interview on Sunday, Kaseya CEO Fred Voccola estimated the number of victims in “the low thousands.” The German news agency dpa had reported that an unnamed German IT services company told authorities that several thousand of its customers were compromised. Also among reported victims were two Dutch IT services companies.

A broad array of businesses and public agencies were hit, apparently on all continents, including in financial services, travel and leisure and the public sector — though few large companies, the cybersecurity firm Sophos said.

Liedholm, the Kaseya spokeswoman, said the vast majority of the company’s 37,000 customers were unaffected and said the company expected to release a patch Wednesday.

REvil, previously best known for extorting $11 million from the meat-processing giant JBS after hobbling it on Memorial Day, broke into at least one Kaseya server after identifying a “zero day” vulnerability, cybersecurity researchers said.

Dutch researchers said they alerted Kaseya to the zero day and a number of “severe vulnerabilities” ahead of the attack. Neither they nor Kaseya would say how far in advance.



Panasonic confirms cyber breach to its access data



Japanese manufacturing titan Panasonic confirmed Friday that its network had been infiltrated on November 11 by a cyberattack directed at its access data, with the intruder gaining entry via a third party.

In its statement, the company revealed that “some data on a file server had been accessed during the intrusion.”

That is the only information the tech manufacturing giant has made public. However, the Japanese publications Mainichi and NHK reported that the breach began June 22 and ended November 23.

“After detecting the unauthorized access, the company immediately reported the incident to the relevant authorities and implemented security countermeasures, including steps to prevent external access to the network,” Panasonic said in its statement.

“In addition to conducting its own investigation, Panasonic is currently working with a specialist third-party organization to investigate the leak and determine if the breach involved customers’ personal information and/or sensitive information related to social infrastructure,” it added.

In parallel, NHK disclosed that the breached servers contained data about Panasonic business partners and the manufacturer’s own technology, adding that a previous cyberattack directed at a subsidiary also obtained personal business data.

Panasonic also stated that, aside from conducting its own probe into the matter, it is seeking outside expertise by working with a third-party organization to examine all aspects of the cyberattack. This will help the company determine whether the intrusion targeted clients’ personal data.

“We cannot predict whether it will affect our business or business performance, but we cannot deny the possibility of a serious incident,” the Japanese titan told one of the publications on Friday.

Earlier, in March, Panasonic joined forces with the cybersecurity company McAfee to establish a cybersecurity operations center (SOC) to address the rising risk of such attacks on its infrastructure. The partnership will focus strictly on detection and response.

Apple suing Israeli hacker-for-hire company NSO Group



Tech giant Apple announced Tuesday it is suing Israel’s NSO Group, seeking to block the world’s most infamous hacker-for-hire company from breaking into Apple’s products, like the iPhone.

Apple said in a complaint filed in federal court in California that NSO Group employees are “amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse.” Apple said NSO Group’s spyware, called Pegasus, had been used to attack a small number of Apple customers worldwide.

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of software engineering.

NSO Group has broadly denied wrongdoing and said its products have been used by governments to save lives.

“Pedophiles and terrorists can freely operate in technological safe-havens, and we provide governments the lawful tools to fight it. NSO group will continue to advocate for the truth,” the company said in a statement.

It’s the latest blow to the hacking firm, which was recently blacklisted by the U.S. Commerce Department and is currently being sued by social media giant Facebook.

Security researchers have found Pegasus being used around the world to break into the phones of human rights activists, journalists and even members of the Catholic clergy.

Pegasus infiltrates phones to vacuum up personal and location data and surreptitiously controls the smartphone’s microphones and cameras. Researchers have found several examples of NSO Group tools using so-called “zero click” exploits that infect targeted mobile phones without any user interaction.

The Biden administration announced this month that NSO Group and another Israeli cybersecurity firm called Candiru were being added to the “entity list,” which limits their access to U.S. components and technology by requiring government permission for exports.

Also this month, security researchers disclosed that Pegasus spyware was detected on the cellphones of six Palestinian human rights activists. And Mexican prosecutors recently announced they have arrested a businessman on charges he used the Pegasus spyware to spy on a journalist.

Facebook has sued NSO Group over the use of a somewhat similar exploit that allegedly intruded via its globally popular encrypted WhatsApp messaging app. A U.S. federal appeals court issued a ruling this month rejecting an effort by NSO Group to have the lawsuit thrown out.

Apple also announced Tuesday that it was donating $10 million, as well as any damages won in the NSO Group lawsuit, to cybersurveillance researchers and advocates.

Thousands of Phone Numbers Compromised During Robinhood Hack



Popular investment and trading platform Robinhood stated that “limited information” had been stolen during a cyber-attack targeting the company last week but highlighted that among them were thousands of personal phone numbers.

Robinhood said on Tuesday that the list obtained by the hackers, which contained email addresses for about five million people and full names for a different group of roughly two million people, included “several thousand entries” with phone numbers.

While the company failed to reveal how many phone numbers were on the list, Motherboard reported that it’s about 4,400.

Motherboard got a copy of the stolen phone numbers “from a source who presented themselves as a proxy for the hackers.” In a statement, Robinhood did not confirm whether the phone numbers Motherboard had obtained were authentic, but did acknowledge that the stolen information included thousands of phone numbers.

However, the blog added: “We continue to believe that the list did not contain Social Security numbers, bank account numbers, or debit card numbers and that there has been no financial loss to any customers as a result of the incident. We’ll continue making appropriate disclosures to affected people.”

The company added: “After we contained the intrusion, the unauthorized party demanded an extortion payment. We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm.”

On his side, Robinhood Chief Security Officer Caleb Sima said, “As a Safety-First company, we owe it to our customers to be transparent and act with integrity.”

“Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do,” he noted.