kaseya - X-Industry - Red Sky Alliance2024-03-28T10:31:33Zhttps://redskyalliance.org/xindustry/feed/tag/kaseyaSupply Chain Security Issues for 2022https://redskyalliance.org/xindustry/supply-chain-security-issues-for-20222022-01-05T17:14:25.000Z2022-01-05T17:14:25.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p>Cyber security investigators have reported that replicable attacks and a low barrier to entry will ensure that the rate of supply chain attacks increases in 2022. The supply chain is a consistent attack vector for threat actors today. By compromising a centralized service, platform, or software product, attackers can either conduct widespread infiltration of the customers and clients of the original victim or cherry-pick the most valuable downstream targets. This saves cybercriminals time and money, as one successful attack can open the door to potentially thousands of victims at once.</p>
<p>The 2021 ransomware attack on Kaseya (<a href="https://www.kaseya.com">https://www.kaseya.com</a>), an international company that produces remote management software for the information technology industry, highlighted the disruption a supply chain-based attack can cause. Kaseya develops and sells commercial software to remotely manage and monitor computers running Windows, OS X, and Linux. The ransomware was deployed by exploiting a vulnerability in Kaseya's VSA software, leading to the compromise of multiple managed service providers (MSPs) in Kaseya's customer base and, through them, the MSPs' own clients.</p>
<p>The number of businesses directly affected in that case was comparatively small. One of the most powerful examples in recent years is the SolarWinds breach, in which a malicious software update was delivered to roughly 18,000 customers. The attackers behind the intrusion then selected a handful of high-value targets to compromise further, including numerous US government agencies, Microsoft, and FireEye.</p>
<p>In an analysis of 24 recent software supply chain attacks, including those suffered by Codecov, Kaseya, SolarWinds, and Mimecast, the European Union Agency for Cybersecurity (ENISA) found that the planning and execution of supply chain attacks are usually complex, but the attack methods chosen often are not. Supply chain attacks can be conducted through the exploitation of software vulnerabilities, malware, phishing, stolen certificates, compromised employee credentials and accounts, vulnerable open source components, and firmware tampering, among other vectors.</p>
<p>In a recent interview, Ilkka Turunen, Field CTO of Sonatype, said that malicious software supply chain activity is likely to increase in 2022 because of low-barrier-to-entry attack methods such as dependency confusion, which he called "highly replicable." "It's a no-brainer to use if the actor's goal is to affect as many organizations as possible," Turunen commented. "Add a crypto miner to a dependency confusion attack, and not only does a company need to worry about the effects this has on their software ecosystem, but the actor has now monetized it."</p>
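<p>Dependency confusion is cheap because it abuses how a build tool chooses a version when an internal package name has also been registered on a public registry. The Python below is an added example written for this article, not code from Sonatype or Red Sky Alliance. It models a resolver that merges candidates from a private and a public index and takes the highest version (the behaviour that made the attack work against pip's <code>--extra-index-url</code> when it was first demonstrated in 2021), shows a squatted public copy winning the resolution, and shows the fix of routing each name to exactly one index. The package names, versions, and index contents are constructed for the example.</p>

```python
"""Dependency-confusion check (added example, not Red Sky Alliance code).

Models a package resolver given a private index plus a public index that,
like pip with --extra-index-url, merges both and picks the highest version.
All package names, versions and index contents here are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def parse_version(text: str) -> tuple:
    """Turn '1.4.2' into a sortable tuple. Numeric parts compare as numbers;
    anything else sorts below a number (a simplified stand-in for PEP 440)."""
    parts = []
    for piece in text.split("."):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)


@dataclass
class Index:
    name: str
    packages: Dict[str, List[str]] = field(default_factory=dict)  # name -> versions

    def candidates(self, package: str) -> List[Tuple[tuple, str, str]]:
        # (sortable version, version string, index name) for every release we host
        return [(parse_version(v), v, self.name) for v in self.packages.get(package, [])]


def resolve_naive(package: str, indexes: List[Index]) -> Optional[Tuple[str, str]]:
    """Merge candidates from every index and take the highest version.
    This is the resolution rule dependency confusion abuses: whoever publishes
    the biggest version number wins, regardless of which index it came from.
    (On an exact version tie the index name breaks the tie, which is itself
    a sign the resolver has no notion of which index is authoritative.)"""
    cands = [c for idx in indexes for c in idx.candidates(package)]
    if not cands:
        return None
    _, version, source = max(cands)
    return version, source


def find_confusable(requirements: List[str], private: Index, public: Index) -> List[Tuple[str, str, str, str]]:
    """Audit: for each requirement that exists on the private index, report
    (package, newest private version, winning version, winning index) when
    naive resolution would serve it from the public index instead."""
    findings = []
    for pkg in requirements:
        if pkg not in private.packages:
            continue  # a genuinely public dependency, not a confusion target
        winner = resolve_naive(pkg, [private, public])
        if winner and winner[1] == public.name:
            newest_private = max(private.packages[pkg], key=parse_version)
            findings.append((pkg, newest_private, winner[0], winner[1]))
    return findings


def resolve_pinned(package: str, private: Index, public: Index, private_names: Set[str]) -> Optional[Tuple[str, str]]:
    """Mitigation: names you own are only ever fetched from the index you own;
    everything else goes to the public index. Nothing is merged, so a
    squatted public copy is never even a candidate."""
    idx = private if package in private_names else public
    cands = idx.candidates(package)
    if not cands:
        return None
    _, version, source = max(cands)
    return version, source


# Constructed sample data. An attacker has registered both internal names on
# the public index; for acme-auth they used an inflated version number.
PRIVATE = Index("private", {"acme-auth": ["1.2.0", "1.3.0"], "acme-billing": ["0.9.1"]})
PUBLIC = Index("public", {"acme-auth": ["99.0.0"], "acme-billing": ["0.9.0"], "requests": ["2.31.0"]})
REQUIREMENTS = ["acme-auth", "acme-billing", "requests"]
PRIVATE_NAMES = set(PRIVATE.packages)

if __name__ == "__main__":
    for finding in find_confusable(REQUIREMENTS, PRIVATE, PUBLIC):
        print("CONFUSABLE:", finding)
    for pkg in REQUIREMENTS:
        print(pkg, "naive ->", resolve_naive(pkg, [PRIVATE, PUBLIC]),
              "pinned ->", resolve_pinned(pkg, PRIVATE, PUBLIC, PRIVATE_NAMES))
```

<p>Note that <code>acme-billing</code> is not flagged only because the private release happens to be newer; the moment the attacker bumps the public version it would flip. That is why the fix is a routing rule per name, not a version comparison.</p>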
<p>Brian Fox, Sonatype's CTO, added that the majority of threat actors today are copycats, and that "fad" attacks, or the "attack of the day" conducted by fast-moving threat actors, will increase the number of supply chain intrusions next year. In a world of Internet of Things (IoT) devices, work-from-home requirements, hybrid cloud/on-prem setups, and complicated digital supply chains, old security models are no longer suitable.</p>
<p>According to Sumo Logic's CSO George Gerchow, enterprise players are "still struggling" with the concept of not having a defined defense perimeter. While pressing ahead with digital transformation projects, they are failing to account for the expanded attack surface that new apps and services create. Companies that are increasingly reliant on components, platforms, and services provided at different levels of a supply chain will also have to wake up to this reality; as a result, security will need to be checked and reinforced beyond a business's own networks.</p>
<p>Ransomware is now one of the most lucrative aspects of the cybercriminal world, driven by large illicit payments and by extortion tactics that include permanent encryption and the threat of releasing sensitive information. With a record publicly known payment of $40 million made in 2021, ransomware will likely begin to appear more often in supply chain attacks. These attacks take planning, knowledge, and some skill, so Splunk security strategist Ryan Kovar believes that cyber criminals on the road to becoming "professional" will likely be the ones to combine ransomware and supply chain attack vectors.</p>
<p>"Through attacking the supply chain, attackers can hold an organization's data for ransom, and research indicates that two-thirds of ransomware attacks are enacted by low-level grifters who bought ransomware tools off the Dark Web," Kovar says. "With the ongoing supply chain crisis leaving supply lines more vulnerable than ever, organizations must prepare themselves for the inevitability of ransomware attacks to their supply chains."</p>
<p>As enterprise organizations begin to analyze the digital supply chain for weak spots, they will also have to deal with their "technical debt," described by Stuart Taylor, Senior Director at Forcepoint X-Labs, as the difference between "the 'price' a technical project should cost in order to be future-proofed and secure, and the 'price' an organization is prepared to pay in reality." Forcepoint expects a "significant" rise in copycat attacks against the supply chain next year, so organizations are urged to conduct frequent code reviews and to keep security in mind at every step of the development and deployment process. The lack of transparency surrounding the components, software, and security posture of players within a supply chain also continues to be a problem for today's vendors.</p>
<p>In light of recent, debilitating attacks such as SolarWinds, Gary Robinson, CSO at Uleska, believes that over the next 12 months more companies will require a Software Bill of Materials (SBOM) from their suppliers, potentially as part of due diligence in future supply chain business agreements. An SBOM is an inventory of the software components that make up a product, designed to enforce transparency around software use in the enterprise; it may include supplier lists, licenses, and security auditing assurances. "Organizations will also move to Continual Security Assurance where suppliers will be required to provide up-to-date security reports," Robinson predicts. "No longer will a security report from six months ago satisfy security concerns of an update delivered yesterday. This gap in security directly relates to the company's own security assurance, and suppliers will need to catch up."<a href="#_ftn1">[1]</a></p>
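<p>Robinson's point that a six-month-old report cannot vouch for yesterday's update is easiest to see when SBOMs are treated as data to be compared rather than documents to be filed. The Python below is an added example written for this article, not Uleska's or Red Sky Alliance's code. It constructs two minimal CycloneDX-style JSON documents standing in for a supplier's earlier release and its latest update, diffs the component lists, flags components that arrive with no supplier or license information, and decides whether the old assurance still covers the new build. The component names, versions, and suppliers are invented.</p>

```python
"""SBOM diff and attestation check (added example, not Red Sky Alliance code).

Two constructed, minimal CycloneDX-style documents stand in for a supplier's
release from six months ago and the update delivered yesterday. Component
names, versions, purls and suppliers are invented for the example.
"""
import json
from typing import Dict, List, Tuple


def _component(name: str, version: str, supplier: str = "", license_id: str = "") -> dict:
    """Build one CycloneDX-style component; empty supplier/license are left out
    to mimic an SBOM that simply omits what the supplier did not provide."""
    comp = {"type": "library", "name": name, "version": version,
            "purl": f"pkg:generic/{name}@{version}"}
    if supplier:
        comp["supplier"] = {"name": supplier}
    if license_id:
        comp["licenses"] = [{"license": {"id": license_id}}]
    return comp


def _sbom(components: List[dict]) -> str:
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": components})


# Constructed: the report the supplier handed over six months ago ...
OLD_SBOM = _sbom([
    _component("tls-shim", "3.0.1", "Example Crypto Ltd", "Apache-2.0"),
    _component("log-helper", "1.0.0", "Example Corp", "MIT"),
])
# ... and the update delivered yesterday: one bump, one new component with
# neither supplier nor license recorded.
NEW_SBOM = _sbom([
    _component("tls-shim", "3.0.1", "Example Crypto Ltd", "Apache-2.0"),
    _component("log-helper", "1.1.0", "Example Corp", "MIT"),
    _component("agent-core", "2.4.0"),
])


def load_components(sbom_json: str) -> Dict[str, dict]:
    """Parse a CycloneDX-style document into name -> component. Keyed by name
    for brevity; a production check would key by purl so two copies of the
    same library at different versions are not collapsed."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["name"]: c for c in doc.get("components", [])}


def diff_sboms(old_json: str, new_json: str) -> Dict[str, list]:
    """Report what changed between two SBOMs: added and removed component
    names, and (name, old_version, new_version) for version bumps."""
    old, new = load_components(old_json), load_components(new_json)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted((n, old[n]["version"], new[n]["version"])
                     for n in set(old) & set(new) if old[n]["version"] != new[n]["version"])
    return {"added": added, "removed": removed, "changed": changed}


def unattested(sbom_json: str) -> List[Tuple[str, str]]:
    """Components with no supplier name or no license: exactly the gaps a
    due-diligence reviewer has to chase before accepting the update."""
    gaps = []
    for name, comp in load_components(sbom_json).items():
        missing = []
        if not comp.get("supplier", {}).get("name"):
            missing.append("supplier")
        if not comp.get("licenses"):
            missing.append("license")
        if missing:
            gaps.append((name, ",".join(missing)))
    return sorted(gaps)


def needs_fresh_review(old_json: str, new_json: str) -> bool:
    """The earlier assurance only covers the new build if nothing was added,
    removed or bumped, and every component is attested."""
    d = diff_sboms(old_json, new_json)
    return bool(d["added"] or d["removed"] or d["changed"] or unattested(new_json))


if __name__ == "__main__":
    print("diff:", diff_sboms(OLD_SBOM, NEW_SBOM))
    print("unattested in new build:", unattested(NEW_SBOM))
    print("fresh review needed:", needs_fresh_review(OLD_SBOM, NEW_SBOM))
```

<p>Run against the constructed inputs the diff shows one bump and one new component, and the new component is the one with no supplier or license on record, which is what turns a routine update into a review item.</p>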
<p>How can any company keep up with constant supply chain threats? Jim McKee, CEO of Red Sky Alliance, a 10-year-old cyber threat intelligence firm suggested, “Use a simple service like our RedXray cyber threat notification service <a href="https://www.wapacklabs.com/redxray">https://www.wapacklabs.com/redxray</a> and set-up a dashboard where you can be notified of cyber threats that have not yet breached your network. You can enroll your key suppliers too, so you can see cyber threats against them before they can infect your systems.”</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and offers proactive solutions to protect your networks. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.zdnet.com/article/copycat-and-fad-hackers-will-be-the-bane-of-supply-chain-security-in-2022/">https://www.zdnet.com/article/copycat-and-fad-hackers-will-be-the-bane-of-supply-chain-security-in-2022/</a></p></div>A Look Backhttps://redskyalliance.org/xindustry/a-look-back2022-01-03T19:40:41.000Z2022-01-03T19:40:41.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p>The year 2021 was fraught with numerous cyber attacks, and ransomware led the list. Here is a look back at the biggest cyber incidents of 2021. Over the past couple of years it has become hard to ignore that the digital lives we all lead are thoroughly exposed to cybercriminals. Hackers are happy to take almost any opportunity to make money or have fun, from creating free gym memberships for their entire family to hacking into the energy systems of different countries. Even as the new year gets under way, the storm of cyber incidents never stops. Let's take a look at the biggest cyberattacks of last year.<a href="#_ftn1">[1]</a></p>
<p>Kaseya - Perhaps this attack could be considered the "apocalypse among ransomware," or just a big headache. Whatever we call it, the cyberattack on global IT provider Kaseya affected some 1,500 businesses worldwide, disabled local governments, shut down a popular Swedish supermarket chain, and worsened already strained relations between the US and Russia. The cybercriminals spread the malware through a popular Kaseya software product called VSA. Many of the direct victims were service providers that help small businesses and government agencies outsource IT tasks, so the malware reached companies around the world through them. A Russian-speaking group called REvil was behind the attack and asked for $70 million in exchange for a "universal decryptor" that would unlock every file frozen by the single attack. By mid-July, however, the group had disappeared from the radar. The attack is one of the largest of its kind the world has seen.</p>
<p>SolarWinds - The SolarWinds hack is likely to spark discussions about US cybersecurity for years to come. According to US authorities, Russian state hackers penetrated the networks of major federal agencies and US companies through a trojanized software update; separate reporting also tied Chinese hackers to exploitation of a different SolarWinds flaw. That access let the intruders gather a wealth of intelligence about the US government and private sector. Although the incident first came to light in December 2020, disclosures about the extent of the hack continued for months, leading to numerous congressional hearings, audits, and investigations. The Cybersecurity and Infrastructure Security Agency (CISA) noted that, although the campaign is commonly referred to as "SolarWinds," the intruders also abused products from at least two other vendors, Microsoft and VMware, to gain and keep access. The intruders were confirmed to have reached nine federal agencies, including the Department of Defense, the Department of Homeland Security, the Federal Aviation Administration, the Judiciary, and NASA, and are reported to have infiltrated the networks of major Fortune 500 companies as well.</p>
<p>Microsoft Exchange - As dramatic and sweeping as the SolarWinds campaign was, what came after it was perhaps even larger. In March 2021, a set of security flaws in Microsoft Exchange Server was disclosed. Bloomberg reported that the Exchange vulnerabilities led to at least 60,000 known victims around the globe, about 30,000 of them in the US. That was not all: attackers took advantage of the window between disclosure and patching to plunder data from vulnerable servers and to plant large numbers of web shells and other backdoors.</p>
<p>Colonial Pipeline - The attack on Colonial Pipeline was also a big blow. In May, hackers affiliated with the DarkSide ransomware gang penetrated the network of Colonial Pipeline, operator of one of the largest fuel pipelines in the US. The pipeline temporarily shut down, causing a fuel shortage in the southeastern US that turned into panic buying at gas stations in several states. There was some good news, too: the FBI was able to trace and seize a significant portion of the cryptocurrency ransom that Colonial had paid.</p>
<p>CNA - CNA is one of America's largest insurance companies and a major seller of cyber insurance. Ironically, it was attacked in March by a group calling itself "Phoenix," which stole a large amount of data. CNA paid the criminals $40 million, a record for publicly known ransomware payouts. Cyber experts say the data obtained would enable more targeted attacks on CNA's policyholders. A payout of that size is far more likely to encourage future attacks than to deter them.</p>
<p>JBS - In late May, JBS, America's largest supplier of beef and pork, discovered that the REvil group had compromised its networks. The company reportedly paid the attackers $11 million to decrypt its data. How the attackers gained initial access has not been publicly disclosed.</p>
<p>Washington, DC Metropolitan Police Department - You may wonder why a local cyber attack made this list. It became one of the most dramatic in recent memory and demonstrated the willingness of cybercriminals to use increasingly dangerous tactics against law enforcement. The Babuk group took 250 gigabytes of sensitive internal data, including disciplinary files on past and current police officers, intelligence on local protest activity, and, most disturbingly, information about informants embedded in criminal networks. The hackers demanded a ransom of $4 million. The department offered $100,000 for the files, but the criminals refused and subsequently posted everything online. Stealing money is one thing; attacks like this put people's lives at risk.</p>
<p>Accellion - The hack of a little-known cloud company, Accellion, was the biggest "sleeper" attack of the year. Beginning in December 2020, actors associated with the Clop ransomware group used security flaws in one of Accellion's most widely deployed products, its legacy file transfer appliance, to steal files from dozens of well-known organizations around the world. Victims included Shell, about half a dozen American universities, a Canadian aerospace manufacturer, banks and transportation agencies, a telecommunications conglomerate in Singapore, and Kroger, one of the largest American supermarket chains.</p>
<p>2022 lies ahead of us, and time will tell what cyber attacks are around the corner. Being proactive about your cyber security is the key to proper protection. We can help. Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and offers proactive solutions to protect your networks. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://10guards.com/en/articles/the-biggest-hacks-of-2021/">https://10guards.com/en/articles/the-biggest-hacks-of-2021/</a></p></div>INTELLIGENCE REPORT: ALL SECTOR CYBER THREATS 07 09 2021https://redskyalliance.org/xindustry/intelligence-report-all-sector-cyber-threats-07-09-20212021-07-09T13:44:43.000Z2021-07-09T13:44:43.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><h2>Activity Summary - Week Ending 9 July 2021:</h2>
<ul>
<li>Red Sky Alliance identified 56,261 connections from new unique IP addresses</li>
<li>Analysts identified 2,346 new IP addresses participating in various Botnets</li>
<li>12 unique compromised email accounts were seen with keyloggers</li>
<li>RevengeRAT & Aviation</li>
<li>Kaseya Attack</li>
<li>Babuk Locker</li>
<li>PayLoad Bin</li>
<li>Space ISAC & Microsoft</li>
<li>SideCopy</li>
<li>A change in social media collection?</li>
<li>DuckDuckGo, Good to Go</li>
</ul>
<p>Link to full report: IR-21-190-001_weekly_190.pdf</p></div>REvil Again - Kaseyahttps://redskyalliance.org/xindustry/revil-again-kaseya2021-07-06T12:59:06.000Z2021-07-06T12:59:06.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p>Last weekend did not start out well. The hacking group behind what the media is calling a "colossal ransomware attack" has demanded $70m (£50.5m), paid in Bitcoin, in return for a "universal decryptor" that it says will unlock the files of all victims. The Russia-associated REvil group claims its malware, which initially targeted the US IT firm Kaseya, has hit one million "systems." </p>
<p>That figure has not been verified, and the exact number of victims is unknown. Known victims include 500 Swedish Coop supermarkets and 11 schools in New Zealand, and two Dutch IT firms have also been hit, according to local media reports. On the day of the attack, 2 July, cyber-security firm Huntress Labs estimated that about 200 firms had been affected. The "supply chain" attack initially targeted Kaseya before spreading through the corporate networks that use its software. Kaseya said that fewer than 40 of its own customers had been affected. Because Kaseya provides software to managed service providers, firms which themselves provide outsourced IT services to other companies, the number of victim organizations is likely much greater, and the number of individual computer systems within those organizations greater still.<a href="#_ftn1">[1]</a></p>
<p>Kaseya's chief executive told the media that the number of victims would probably be in the low thousands, made up of small organizations such as dental practices and libraries. For hundreds, perhaps thousands, of IT teams around the world this ransomware attack is a horrendous headache that is still growing. But the way the cyber-security community has pulled together to reduce the impact of the attack has been commendable. Cyber-defenders, in both the private and public sector, have been issuing alerts while experts work out how best to untangle the web of victims.</p>
<p>There could have been far more victims were it not for a busy and stressful weekend of work. The vulnerability in Kaseya's software that let the REvil hackers in was known before the attack. Researchers from the Dutch Institute for Vulnerability Disclosure (DIVD) had found the flaw and were helping Kaseya fix it before the attackers exploited it. It was a case of the good hackers racing to stop the bad hackers from getting in, and, as a DIVD analyst put it, "Unfortunately, we were beaten by REvil in the final sprint."</p>
<p>This attack shows just how skilled, persistent, and determined these criminals are, and that in spite of all the efforts of the cyber-security world, some believe we are losing the race against ransomware.<a href="#_ftn2">[2]</a> "The scale and sophistication of this global crime is rare, if not unprecedented," said the founding chief executive of the UK's National Cyber Security Centre. Most of REvil's members are believed to be based in Russia or in countries that were formerly part of the Soviet Union. The same source criticized Russia for providing a safe haven for ransomware gangs, but said that the West was making it too easy for these gangs to be paid, and "unsurprisingly they are coming back for more." Experts have expressed surprise at the group's demand that the ransom be paid in Bitcoin, as opposed to harder-to-trace cryptocurrencies such as Monero; some researchers called REvil's decision to demand payment in Bitcoin "weird." </p>
<p>In June the US Justice Department announced it had traced and seized millions of dollars' worth of Bitcoin paid to the DarkSide ransomware group, which was responsible for shutting down the Colonial Pipeline. "Following the money remains one of the most basic, yet powerful tools we have," said the Deputy US Attorney General. </p>
<p>The founder and chief scientist of Elliptic, a firm that analyzes Bitcoin payments, said he had observed REvil continuing to negotiate with individual victims for smaller ransoms of about $200,000, despite the $70m demand to unlock everything. He said REvil preferred to use Monero, but that it would be difficult to purchase $70m of the currency for practical and regulatory reasons. "More and more ransomware operators are asking for Monero," he said.</p>
<p>At Red Sky Alliance, we can help INFOSEC teams with services ranging from cyber threat notification and analysis to the complete elimination of cyber threats from both inside and outside their networks. Our analysts will be happy to hold a brief call with your team members to help them better prepare for cyberattacks, malware, and ransomware. And what if this call led to savings in currently duplicated services and in the forecasted need for additional personnel? </p>
<p>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<p>Interested in a RedXray subscription to see what we can do for you? Sign up here: <a href="https://www.wapacklabs.com/RedXray">https://www.wapacklabs.com/RedXray</a> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bbc.com/news/technology-57719820">https://www.bbc.com/news/technology-57719820</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://nypost.com/2021/07/05/russian-hackers-seemingly-behind-latest-ransomware-attack/">https://nypost.com/2021/07/05/russian-hackers-seemingly-behind-latest-ransomware-attack/</a></p></div>