Hello and welcome to our weekly cybersecurity news wrap up!
I think the question on a lot of people's minds this week is: where in the world is REvil? The website for the group responsible for the recent Kaseya attack mysteriously disappeared from the dark web earlier this week. Some people are wondering whether it will be gone forever, while others are wondering who was responsible for its disappearance. Was it the U.S. government or the Russian government? Or did REvil take itself offline? And will they be back? Some answers may be found in this TechMonitor article. In the author's opinion, it's likely REvil won't be gone for very long.
Speaking of ransomware (and when was the last time we didn't?), yesterday the White House announced a task force created to stop the wave of attacks. Hacking back is apparently one of the options, even though cybersecurity experts tend to be skeptical about that tactic.
In other news this week, software developer Kaseya, the latest victim of REvil, released patches for its remote monitoring and management software. To date the company has released fixes for the on-premises version of its Virtual System Administrator (VSA) software. The company aims to begin incrementally bringing its software-as-a-service version of VSA back online, which it has also patched. While attackers did not exploit the SaaS version of VSA, it was considered vulnerable.
Then, SolarWinds disclosed a zero-day vulnerability after receiving notification from Microsoft that it had discovered the vulnerability in the SolarWinds Serv-U product line. The following day, Microsoft said it was designating the hacking group for now as "DEV-0322." The company believes the attackers are based in China and rely on botnets made up of routers or other types of IoT devices.
Also this week, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to disable the Microsoft Windows Print Spooler service in response to the so-called "PrintNightmare" bug. The bug has been described as an alarming flaw that could allow attackers to take over systems remotely. CISA gave the agencies a deadline of midnight Wednesday to disable the service.
Then it was announced that fashion brands Guess and Spread Group were breached earlier this year. In the two separate attacks, the criminals got away with Social Security Numbers, passwords, payment information, and even contract details for both customers and suppliers. The perpetrators remain unidentified.
That’s all for this week. Wishing everyone a great weekend!
Politico (July 15, 2021) White House announces ransomware task force — and hacking back is one option
The Biden administration is unleashing a range of options to stem the growing ransomware threat, a senior administration official said — including offering rewards as high as $10 million for help identifying the perpetrators.
Other options on the table include launching disruptive cyberattacks on hacker gangs, as well as developing partnerships with businesses to speed up the sharing of information about ransomware infections. The White House has formed a previously unannounced cross-government task force to coordinate a series of defensive and offensive measures against ransomware, as POLITICO first reported Wednesday. The actions follow a series of high-profile hacks that have underscored how cybersecurity weaknesses can wreak havoc on American society.
With the task force’s oversight, federal agencies are taking actions such as promoting digital resilience among critical infrastructure companies, working to halt ransom payments made through cryptocurrency platforms and coordinating activities with U.S. allies, according to a Senate aide who requested anonymity to speak candidly.
Ars Technica (July 14, 2021) SolarWinds 0-day gave Chinese hackers privileged access to customer servers
Microsoft said on Tuesday that China-based hackers with a history of attacking software companies and the US Defense industry exploited a zero-day vulnerability in a SolarWinds product.
SolarWinds disclosed the zero-day on Monday after receiving notification from Microsoft that it had discovered that a previously unknown vulnerability in the SolarWinds Serv-U product line was under active exploit. Austin, Texas-based SolarWinds provided no details about the threat actor behind the attacks or how their attack worked.
On Tuesday, Microsoft said it was designating the hacking group for now as “DEV-0322.” “DEV” refers to a “development group” under study prior to when Microsoft researchers have a high confidence about the origin or identity of the actor behind an operation. The company said that the attackers are physically located in China and often rely on botnets made up of routers or other types of IoT devices.
Cyberscoop (July 14, 2021) CISA orders agencies to disable Microsoft Print Spooler in response to 'PrintNightmare' flaw
The Cybersecurity and Infrastructure Security Agency late Tuesday ordered federal agencies to disable the Microsoft Windows Print Spooler service because of an alarming flaw that could allow attackers to take over systems remotely.
CISA, part of the Department of Homeland Security, gave agencies until midnight Wednesday to disable the service in response to the so-called “PrintNightmare” bug. Its “emergency directive” also ordered agencies to implement Microsoft security updates by July 20.
The PrintNightmare issue has given Microsoft fits for weeks. It issued a patch last week that some security pros said didn’t work properly. On Tuesday, Microsoft issued another Print Spooler fix as part of its “Patch Tuesday” update, the latest of which also included answers for 13 “critical vulnerabilities” and four under active attack.
CNBC (July 13, 2021) Multiple REvil ransomware sites are down on the dark web
Dark web sites linked to the REvil ransomware gang were not operating Tuesday morning, CNBC has confirmed.
It is not clear what led to the websites of the ransomware-as-service group going down Tuesday. Visitors to the sites, which had recently been active, were greeted with messages saying, “A server with the specified hostname could not be found.”
The disappearance of the public-facing sites affiliated with Russia-linked REvil, also known as Sodinokibi, comes on the heels of an international ransomware outbreak on July 2 that the group had taken credit for.
The Register (July 13, 2021) You'll never Guess whose data has been nicked as US fashion firm confirms systems breach
Fashion brands Guess and Spread Group have confirmed data breaches in which crooks walked off with US Social Security Numbers (SSNs), contracts, passwords, payment details, and more.
The two companies were breached in separate attacks earlier this year, statements released by both confirmed, with a range of personal data leaked as a result. Guess warned that SSNs, driving licence numbers, passport numbers, and financial account numbers of "certain individuals" had been obtained by the attackers; Spread Group, meanwhile, saw a somewhat wider breach leaking hashed passwords, payment details, and contract information for both customers and suppliers.
"Spread Group was the target of an organised cyber-attack which was carried out with considerably vicious criminal intent," the company said in a statement. "The unidentified perpetrators managed to break through the company's high security standards and access internal data, including the addresses and contractual data of customers, partners, employees, and external suppliers."
Data Breach Today (July 12, 2021) Kaseya Says Software Fully Patched After Ransomware Attack
Software developer Kaseya on Sunday released patches for its remote monitoring and management software, which had been exploited by ransomware attackers to infect up to 60 MSPs and 1,500 of their clients. The FBI is probing the attack, and Miami-based Kaseya says it's also been working closely with the U.S. Cybersecurity and Infrastructure Security Agency.
After repeatedly pushing back promised delivery dates for patches after the attack that came to light on July 2, Kaseya has now released fixes for the on-premises version of its Virtual System Administrator - aka VSA - software. Kaseya said in a Sunday security advisory that it expects to begin bringing back online incrementally its software-as-a-service version of VSA, which it has also patched.
Attackers did not exploit the SaaS version of VSA, but it had been vulnerable.