Cybersecurity teams worked feverishly Sunday to stem the impact of the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit.
An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.
REvil was demanding ransoms of up to $5 million, the researchers said. But late Sunday it offered in a posting on its dark web site a universal decryptor software key that would unscramble all affected machines in exchange for $70 million in cryptocurrency.
Earlier, the FBI said in a statement that while it was investigating the attack its scale “may make it so that we are unable to respond to each victim individually.” Deputy National Security Advisor Anne Neuberger later issued a statement saying President Joe Biden had “directed the full resources of the government to investigate this incident” and urged all who believed they were compromised to alert the FBI.
Biden suggested Saturday the U.S. would respond if it was determined that the Kremlin is at all involved.
Less than a month ago, Biden pressed Russian President Vladimir Putin to stop giving safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the U.S. deems a national security threat.
A broad array of businesses and public agencies were hit by the latest attack, apparently on all continents, including in financial services, travel and leisure and the public sector — though few large companies, the cybersecurity firm Sophos reported. Ransomware criminals infiltrate networks and sow malware that cripples them by scrambling all their data. Victims get a decoder key when they pay up.
The Swedish grocery chain Coop said most of its 800 stores would be closed for a second day Sunday because their cash register software supplier was crippled. A Swedish pharmacy chain, gas station chain, the state railway and public broadcaster SVT were also hit.
In Germany, an unnamed IT services company told authorities several thousand of its customers were compromised, the news agency dpa reported. Also among reported victims were two big Dutch IT services companies — VelzArt and Hoppenbrouwer Techniek. Most ransomware victims don’t publicly report attacks or disclose if they’ve paid ransoms.
CEO Fred Voccola of the breached software company, Kaseya, estimated the victim number in the low thousands, mostly small businesses like “dental practices, architecture firms, plastic surgery centers, libraries, things like that.”
Voccola said in an interview that only between 50-60 of the company’s 37,000 customers were compromised. But 70% were managed service providers who use the company’s hacked VSA software to manage multiple customers. It automates the installation of software and security updates and manages backups and other vital tasks.
Experts say it was no coincidence that REvil launched the attack at the start of the Fourth of July holiday weekend, knowing U.S. offices would be lightly staffed. Many victims may not learn of it until they are back at work on Monday. Most end users of managed service providers “have no idea” whose software keep their networks humming, said Voccola,
Kaseya said it sent a detection tool to nearly 900 customers on Saturday night.
The REvil offer to offer blanket decryption for all victims of the Kaseya attack in exchange for $70 million suggested its inability to cope with the sheer quantity of infected networks, said Allan Liska, an analyst with the cybersecurity firm Recorded Future. Although analysts reported seeing demands of $5 million and $500,000 for bigger targets, it was apparently demanding $45,000 for most.
“This attack is a lot bigger than they expected and it is getting a lot of attention. It is in REvil’s interest to end it quickly,” said Liska. “This is a nightmare to manage.”
Analyst Brett Callow of Emsisoft said he suspects REvil is hoping insurers might crunch the numbers and determine the $70 million will be cheaper for them than extended downtime.
Sophisticated ransomware gangs on REvil’s level usually examine a victim’s financial records — and insurance policies if they can find them — from files they steal before activating the ransomware. The criminals then threaten to dump the stolen data online unless paid. In this attack, that appears not to have happened.
Dutch researchers said they alerted Miami-based Kaseya to the breach and said the criminals used a “zero day,” the industry term for a previous unknown security hole in software. Voccola would not confirm that or offer details of the breach — except to say that it was not phishing.
“The level of sophistication here was extraordinary,” he said.
When the cybersecurity firm Mandiant finishes its investigation, Voccola said he is confident it will show that the criminals didn’t just violate Kaseya code in breaking into his network but also exploited vulnerabilities in third-party software.
It was not the first ransomware attack to leverage managed services providers. In 2019, criminals hobbled the networks of 22 Texas municipalities through one. That same year, 400 U.S. dental practices were crippled in a separate attack.
One of the Dutch vulnerability researchers, Victor Gevers, said his team is worried about products like Kaseya’s VSA because of the total control of vast computing resources they can offer. “More and more of the products that are used to keep networks safe and secure are showing structural weaknesses,” he wrote in a blog Sunday.
The cybersecurity firm ESET identified victims in least 17 countries, including the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.
Kaseya says the attack only affected “on-premise” customers, organizations running their own data centers, as opposed to its cloud-based services that run software for customers. It also shut down those servers as a precaution, however.
Kaseya, which called on customers Friday to shut down their VSA servers immediately, said Sunday it hoped to have a patch in the next few days.
Active since April 2019, REvil provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion’s share of ransoms. U.S. officials say the most potent ransomware gangs are based in Russia and allied states and operate with Kremlin tolerance and sometimes collude with Russian security services.
Cybersecurity expert Dmitri Alperovitch of the Silverado Policy Accelerator think tank said that while he does not believe the Kaseya attack is Kremlin-directed, it shows that Putin “has not yet moved” on shutting down cybercriminals.
States at disadvantage in race to recruit cybersecurity pros
Austin Moody wanted to apply his cybersecurity skills in his home state of Michigan, teaming up with investigators for the State Police to analyze evidence and track down criminals.
But the recent graduate set the idea aside after learning an unpaid internship was his only way into the Michigan agency.
“I don’t know many people that can afford to take an unpaid internship, especially when it’s in such high demand in the private sector,” Moody said of fellow cybersecurity job seekers. “Unpaid internships in cyber aren’t really a thing beyond the public sector.”
Hiring and keeping staff capable of helping fend off a constant stream of cyberattacks and less severe online threats tops the list of concerns for state technology leaders. There’s a severe shortage of those professionals and not enough financial firepower to compete with federal counterparts, global brands and specialized cybersecurity firms.
“People who are still in school are being told, ‘There’s a really good opportunity in cybersecurity, really good opportunities for high pay,'” said Drew Schmitt, a principal threat intelligence analyst with the cybersecurity firm GuidePoint Security. “And ultimately these state and local governments just can’t keep up from a salary perspective with a lot of private organizations.”
State governments are regular targets for cybercriminals, drawn by the troves of personal data within agencies and computer networks that are essential to patrolling highways, maintaining election systems and other key state services. Notable hits since 2019 include the Washington state auditor, Illinois’ attorney general, Georgia’s Department of Public Safety and computer servers supporting much of Louisiana’s state agencies.
Cities, too, come under attack, and they have even fewer resources than states to stand up cyber defenses.
Aided by industry groups, the federal government and individual states have created training programs, competitions and scholarships in hopes of producing more cybersecurity pros nationwide. Those strategies could take years to pay off, however. States have turned to outside contractors, civilian volunteers and National Guard units for help when their systems are taken down by ransomware and other hacks.
States needed to fill nearly 9,000 cybersecurity jobs as of this summer, according to CyberSeek a joint project of the Computing Technology Industry Association and the National Institute of Standards and Technology. The total is probably higher because the project doesn’t count job listings that states posted only to their own employment portal.
State leaders are reluctant to detail the number of vacancies, worrying that could further entice potential attackers. States’ top security officials have ranked inadequate cybersecurity staffing among their top concerns every year since the National Association of State Chief Information Officers and Deloitte began surveying the group in 2014.
The problem isn’t limited to state governments.
U.S. officials make no secret of their own struggles to hire cybersecurity pros or retain them. The Department of Homeland Security alone has 2,000 cybersecurity job vacancies, and the Biden administration promoted 300 new hires this summer.
The $95,412 average salary of a local or state government cyber employee lagged by $25,000 or more in 2020 compared with the pay in the federal government, the financial services industry and IT services, according to a survey conducted by the International Information System Security Certification Consortium, a trade association.
Information security analysts earned a median salary of $103,590 in May 2020, according to the Bureau of Labor Statistics. Cyberseek puts starting salaries close to $90,000 across all employers.
Homeland Security officials in 2014 recognized that lower pay was keeping their agency at a disadvantage, but it took until this year to publish a rule allowing higher salaries for cybersecurity roles — capped at $255,800, the maximum salary allowed for the vice president.
“The Department desperately needs a more flexible hiring process with incentives to secure talent in today’s highly competitive cyber skills market,” a portion of the rule due to take effect later this fall reads.
Leaders in the field often bemoan the expensive and time-consuming certification requirements and background checks that employers insist on for cybersecurity roles, saying that keeps jobs vacant and discourages women and people of color from working in cybersecurity.
Nicole Beebe, chair of the department of information security and cyber security at the University of Texas at San Antonio, said states’ struggles are more fundamental. Private companies and the federal government aggressively recruit students during college, sending representatives to classes and career fairs.
State agencies are rarely there, said Beebe, who counsels students weighing multiple job offers long before graduation.
“When it’s a hypercompetitive field, you can’t just submit a job posting and think it will get the same traction,” Beebe said.
Lower pay at government jobs can be a turnoff, but many students prefer a position that lets them leave work at home, which is not always the case with private companies.
A state or local government role doesn’t compare to the “meat grinder” of constantly responding to new attacks or vulnerabilities on a cybersecurity team for Microsoft or Amazon, said Michael Hamilton, founder of the PISCES Project. The organization connects cybersecurity students to local governments that don’t have employees focused on that work.
“State agencies can be taking on interns, grooming them, showing them that state government is a promising place to work,” he said. “But what I see them doing is just getting into the fistfight with all the others that want to hire these people and losing.”
Sienna Jackson, a 2020 graduate from the University of Texas at San Antonio, accepted a job as an engineer at the defense company Northrop Grumman after interviewing with the company at a conference. She began college as an accounting major but discovered cybersecurity through a classmate.
After an internship with Dell during college, she hoped to find a similarly sized company with a strong training program and other benefits.
Salary and help with moving or housing also mattered for Jackson, who worked several jobs while earning her degree and has to pay back her student loans. She didn’t rule out state government jobs but didn’t see agencies at career fairs on campus or at conferences.
“Once I graduated and was interviewing, I realized I have a lot of options,” she said. “I get to choose where I go and my standards and not just accept whatever job comes my way.”
Moody, the Michigan native, got a scholarship from the Department of Defense that required working for the agency at least a year after graduating. Moody said he understands that state governments don’t have the kind of money that federal agencies or private companies spend on recruiting and generous salaries.
But sending cybersecurity staff to talk to students about their work and its importance to thousands of state residents can make a big impact without costing much, he said.
“A lot of people want to be in a public service role and are open to starting there,” Moody said.
White House blacklists Russian ransomware payment ‘enabler’
The Biden administration sought Tuesday to choke the finances of criminal ransomware gangs, announcing sanctions against a Russia-based virtual currency brokerage that officials say helped at least eight ransomware gangs launder virtual currency.
The Treasury Department sanctions are aimed at kneecapping the economic infrastructure of a ransomware threat that has surged over the last year, crippling corporations, schools, hospitals and critical infrastructure, including a major fuel pipeline. Ransomware payments reached more than $400 million in 2020, the costliest year on record.
The goal is to go after the “financial enablers” of ransomware gangs, Deputy Treasury Secretary Wally Adeyemo told reporters. “Today’s action is a signal of our intention to expose and disrupt the illicit infrastructure using these attacks.”
The blacklisted brokerage is SUEX OTC, a so-called “nested exchange” that conducted transactions from accounts on major, legal global cryptocurrency exchanges. Such operations process a disproportionate amount of illicit transactions, Adeyemo said. In the case of SUEX, officials said, more than 40% of its known transactions have been associated with illicit actors. That’s more than $370 million, according to the cryptocurrency-tracking firm Elliptic.
Through its Office of Foreign Assets Control, the Treasury Department has previously sanctioned ransomware developers and distributors — though periodic retirements and rebrandings of ransomware strains have complicated those efforts. Officials say more such designations are possible.
SUEX is among the biggest and most active of a small group of illicit services that handle most money laundering for cybercriminals including scammers and darknet market operators, another crypto transaction-tracking firm, Chainalysis, said in a blog post. Such firms work closely with law enforcement to track criminal money laundering online.
Although legally registered in the Czech Republic, SUEX has no known physical presence there and operates out of branches in Moscow and St. Petersburg, Russia, where users can cash out their virtual currency, said Chainalysis, adding that it also has operations in the Middle East.
Chainalysis said SUEX claims it can convert cryptocurrency holdings into cash and even real estate, cars and yachts.
Most ransomware gangs operate out of reach of Western law enforcement in Russia and allied states. President Joe Biden has repeatedly told Vladimir Putin that he expects the Russian president to crack down on the gangs, but administration officials say they have seen no signs that Moscow is cooperating.
Chainalysis said SUEX was laundering money from the illicit cryptocurrency exchange BTC-e, which U.S. authorities shut down, perhaps on behalf of administrators, associates or former users. BTC-e’s operator, arrested on holiday in Greece, was sentenced to five years in prison by a French court in December.
“SUEX largely communicated with its clients on the Telegram app and accepted new customers on a system of referrals from trusted intermediaries. This was not the kind of business where a random person on the internet could open an account,” another crypto-tracking firm, TRM Labs, said in a blog post. “Transactions were only completed in-person at SUEX’s offices.”
TRM Labs CEO Esteban Castaño said SUEX is what is known as a “parasite exchange.” They are difficult to detect by the legitimate exchanges whose infrastructure they exploit because they open accounts using fraudulent or stolen credentials to meet know-thy-customer requirements and then fly under the radar.
Chainalysis said SUEX deposit addresses hosted at large exchanges have received over $160 million in Bitcoin alone from cybercriminals since the brokerage opened in early 2018, including nearly $13 million from ransomware operators including Ryuk, Conti and Maze. Ethereum and Tether are among other cryptoassets SUEX handled.
The Treasury Department said it is also updating guidance for ransomware victims that it first issued last year. The advisory strongly discourages victims from paying ransomware, reminding them that some transactions are against the law, and urges victims to report attacks to law enforcement.
“The reality is that the thing we know about this ecosystem is the way that we prevent ransomware attacks is by making sure that we get law enforcement engaged as soon as possible,” Adeyemo said.
Indonesia says no evidence of alleged Chinese intel hack
Indonesian authorities have found no evidence that the country’s main intelligence service’s computers were compromised, after a U.S.-based private cybersecurity company alerted them of a suspected breach of its internal networks by a Chinese hacking group, an official said.
The Insikt Group, the threat research division of Massachusetts-based Recorded Future, said it discovered the hack in April when it detected malware servers operated by the “Mustang Panda” group communicating with hosts inside Indonesian government networks.
The activity targeted the Badan Intelijen Negara, or BIN, intelligence agency as well as nine other Indonesian government agencies, Recorded Future said.
“We assess that this activity is very likely linked to the Chinese state-sponsored threat activity group Mustang Panda based on our continued tracking of Chinese state-sponsored cyberespionage activity,” the company said in an e-mail to The Associated Press.
Chinese government offices were closed Monday for the Mid-Autumn Festival and could not be reached, but authorities have consistently denied any form of state-sponsored hacking and said China itself is a major target of cyberattacks.
Recorded Future said its experts traced the hack back to as early as March, and the last observed date of the intrusion was Aug. 20.
“We have not seen additional activity targeting BIN since that date,” the company said.
After being notified by Recorded Future, BIN investigated the suspected breach together with other agencies and related stakeholders, but found “our server is safe and under control, there is no indication that it was hacked by suspected Chinese hackers,” said Wawan Hari Purwanto, a deputy chief and spokesman for the agency.
BIN coordinates information sharing and operations for Indonesia’s other intelligence agencies, as well as conducting its own operations. Because of its work, Purwanto said BIN’s computers are an attractive target for hackers, and the agency conducts regular checks and maintenance on its systems as a precaution.
He said BIN cooperated with Indonesia’s National Cyber and Encryption Agency, the Ministry of Communication and Information Technology and other government agencies to ensure “our network is safe and free from hacking.”
The Cyber and Encryption Agency referred all questions to BIN.
Purwanto dismissed the Insikt Group’s findings and urged people not to worry that the agency’s data had been compromised.
“BIN calls on people to not believe the rumors of hacking of BIN and other government institutions, and to keep checking, rechecking and crosschecking information circulating on internet and social media,” he said.
JAKARTA, Indonesia (AP)
Google illustrations has just upped the tech giant’s game
Ford to add 10,800 jobs making electric vehicles, batteries
Far-right cryptocurrency follows ideology across borders
Mastercard, DTA partner up to release digital ID service In Australia
NEOM: A $500 Billion smart-city to be built in Saudi Arabia
5 Reasons Why… Telecoms is Important in Society
Advantages and drawbacks of Voice Recognition Technology
Telecom Sales Strategies that will Bring You Success in 2020
- Cryptocurrency4 weeks ago
Billionaire John Paulson bets against cryptocurrency’s climb
- Technology4 weeks ago
Microsoft’s Windows 11 launches on October 5 with explicit hardware list
- News3 weeks ago
Australian court rules media liable for Facebook comments
- Cybersecurity4 weeks ago
Biden’s Zero Trust order unites Big Tech under national security
- Ethical Tech4 weeks ago
Texas is one step closer from passing a law against tech giants
- MedTech3 weeks ago
TestCard launches at-home ‘Test and Treat’ UTI service
- Telecoms4 weeks ago
Deutsche Telekom and Vodafone’s zero tariff defies net neutrality
- Cybersecurity2 weeks ago
3 former US officials charged in UAE hacking scheme