Saturday, July 10, 2021

Biden targets airlines, internet, hearing aids, phone repairs and more in new order

Here are some of the products and services the Biden administration is targeting



By Audrey Conklin FOXBusiness

President Joe Biden on Friday issued a new executive order aimed at boosting competition in various industries, targeting products and services like airline refunds, internet bills, hearing aids and more.

The executive order contains 72 actions and recommendations meant to promote innovation across various sectors of the economy from tech to health care to agriculture, and thereby improve workforce conditions and drive costs down, according to a White House fact sheet.


"The heart of American capitalism is a simple idea: Open and fair competition," Biden said in remarks at the White House, shortly before signing the order. "That means if your companies want to win your business, they have to go out and they have got to up their game. Better prices and services, better ideas and products. The competition keeps the economy moving and it keeps it growing. A competitive economy must mean that companies do everything they can to compete for workers."

Here are some of the products and services the Biden administration is targeting in an effort to boost competition and consumer choices:

Airlines

The White House noted in its fact sheet that reduced competition among airlines has resulted in higher baggage and cancellation fees despite millions of instances of delayed baggage each year.

The administration is directing the DOT to consider issuing rules requiring airlines to refund fees when baggage is delayed or when a service like in-flight WiFi does not work. It is also recommending the DOT implement rules requiring baggage, flight change and cancellation fees to be "clearly disclosed to the customer."

Internet/broadband

The Biden administration believes that cracking down on broadband services will boost competition, especially for Americans living in rural areas, giving consumers more options and driving down internet costs.


It is calling on the FCC to ensure internet service providers are offering fair prices by requiring them to report prices and subscription rates to the commission, and to limit high early cancellation fees.

President Joe Biden signs an executive order aimed at promoting competition in the economy, in the State Dining Room of the White House, Friday, July 9, 2021, in Washington. (AP Photo/Evan Vucci)


The administration also plans to reimplement Obama-era "Net Neutrality" rules, which essentially treated internet service providers and cable companies like public utilities, and subjected them to various rules preventing the prioritization of certain types of content.

Hearing aids

Biden wants hearing aids to be sold over-the-counter to reduce costs for Americans who are hard of hearing.


The administration is asking the Department of Health and Human Services to consider issuing a proposal within 120 days to allow hearing aids to be sold over the counter. It is also calling on HHS to come up with a plan in 45 days to "combat high prescription drug prices and price gouging."

Phone and computer repairs

The president is also taking on Big Tech by establishing "an administration policy" to scrutinize mergers between small tech companies and tech giants that can stamp out competition and consumer options. He is also encouraging the Federal Trade Commission (FTC) to monitor the collection of user data and surveillance of consumers by large tech companies.

Finally, the administration is also calling on the FTC to implement "rules against anti-competitive restrictions on using independent repair shops or doing DIY repairs" of technology devices and equipment, such as smartphones. Independent phone and computer repair shops have called on tech giants like Apple to change their repair provider rules.

Agriculture equipment repairs

Biden is urging the U.S. Department of Agriculture to consider implementing new rules under the Packers and Stockyards Act; clarify rules as to which products can be labeled as "Product of USA"; and limit agriculture equipment manufacturers from restricting farmers' ability to conduct their own repairs, among other initiatives aimed at boosting agricultural competition and small farms' success.

President Joe Biden speaks before signing an executive order aimed at promoting competition in the economy, in the State Dining Room of the White House, Friday, July 9, 2021, in Washington. (AP Photo/Evan Vucci)


The White House mentioned "tractor companies" that "block farmers from repairing their own tractors," which may be a reference to John Deere, which does not allow "unauthorized" independent repairs and which uses unique software locks that make tractors unusable if they are fixed by anyone other than John Deere technicians, according to Vice.

"Let me be very clear: Capitalism without competition isn't capitalism. It's exploitation," Biden said Friday. "Without healthy competition, big players can change and charge whatever they want and treat you however they want. And for too many Americans that means accepting a bad deal for things you can't go without. So, we know we've got a problem, a major problem. But we also have an incredible opportunity."

Progressive lawmakers celebrated the jam-packed executive order, while business groups and Republicans slammed it as harmful to the free market.

Sen. Elizabeth Warren, a fierce consumer advocate, lauded the executive order as a "critical" step to protect working-class Americans and urged Congress to pass legislation codifying the measure into law.

But the U.S. Chamber of Commerce said in a blistering statement that the directive "smacks of a 'government knows best' approach to managing the economy" and vowed to "vigorously oppose calls for government-set prices, onerous and legally questionable rulemakings, efforts to treat innovative industries as public utilities, and the politicization of antitrust enforcement."

Fox Business' Megan Henney, Charlie Gasparino and Lydia Moynihan contributed to this report.

Hackers disrupt Iran’s rail service with fake delay messages

TEHRAN, Iran (AP) — Iran’s railroad system came under cyberattack on Friday, a semi-official news agency reported, with hackers posting fake messages about train delays or cancellations on display boards at stations across the country.

The hackers posted messages such as “long delayed because of cyberattack” or “canceled” on the boards. They also urged passengers to call for information, listing the phone number of the office of the country’s supreme leader, Ayatollah Ali Khamenei.

The semiofficial Fars news agency reported that the hack led to “unprecedented chaos” at rail stations.

No group took responsibility. Earlier in the day, Fars said trains across Iran had lost their electronic tracking system. It wasn’t immediately clear if that was also part of the cyberattack.

Fars later removed its report and instead quoted the spokesman of the state railway company, Sadegh Sekri, as saying “the disruption” did not cause any problem for train services.

In 2019, an error in the railway company’s computer servers caused multiple delays in train services.

In December that year, Iran’s telecommunications ministry said the country had defused a massive cyberattack on unspecified “electronic infrastructure” but provided no specifics on the purported attack.

It was not clear if the reported attack caused any damage or disruptions in Iran’s computer and internet systems, and whether it was the latest chapter in the U.S. and Iran’s cyber operations targeting the other.

Iran disconnected much of its infrastructure from the internet after the Stuxnet computer virus — widely believed to be a joint U.S.-Israeli creation — disrupted thousands of Iranian centrifuges in the country’s nuclear sites in the late 2000s.

Kaseya ransomware attack updates: Your questions answered

Here is everything we know so far. ZDNet will update this primer as we learn more.



By Charlie Osborne | July 9, 2021 | Topic: Security

Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack on July 2, over the American Independence Day weekend.




It appears that attackers have carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya's VSA software against multiple managed service providers (MSPs) -- and their customers.


According to Kaseya CEO Fred Voccola, less than 0.1% of the company's customers were embroiled in the breach -- but as their clientele includes MSPs, this means that smaller businesses have also been caught up in the incident.

Present estimates suggest that 800 to 1,500 small to medium-sized companies may have experienced a ransomware compromise through their MSP.

The attack is reminiscent of the SolarWinds security fiasco, in which attackers managed to compromise the vendor's software to push a malicious update to thousands of customers. However, we are yet to find out just how widespread Kaseya's ransomware incident will prove to be.


What is Kaseya?

Kaseya's international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries.

Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform.

The firm's software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain.


What happened?


On July 2 at 2:00 PM EDT, as previously reported by ZDNet, Kaseya CEO Fred Voccola announced "a potential attack against the VSA that has been limited to a small number of on-premise customers."

At the same time, out of an abundance of caution, Voccola urged clients to immediately shut down their VSA servers.

"It's critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA," the executive said.

Customers were notified of the breach via email, phone, and online notices.

As Kaseya's Incident Response team investigated, the vendor also decided to proactively shut down its SaaS servers and pull its data centers offline.

By July 4, the company had revised its thoughts on the severity of the incident, calling itself the "victim of a sophisticated cyberattack."

Cyber forensics experts from FireEye's Mandiant team, alongside other security companies, have been pulled in to assist.

"Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service," Kaseya said, adding that more time is needed before its data centers are brought back online.

Once the SaaS servers are operational, Kaseya will publish a schedule for distributing a security patch to on-prem clients.

In a July 5 update, Kaseya said that a fix has been developed and would first be deployed to SaaS environments, once testing and validation checks are complete.

"We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration," the company said. "We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers."


The ransomware attack, explained

The FBI described the incident succinctly: a "supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers."

Huntress has tracked 30 MSPs involved in the breach and believes with "high confidence" that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface.

According to the cybersecurity firm, this allowed the attackers to circumvent authentication controls, gain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process.

Kyle Hanslovan, CEO and co-founder of Huntress, told attendees of a webinar discussing the technical aspects of the attack on July 6 that the threat actors responsible were "crazy efficient."

"There is no proof that the threat actors had any idea of how many businesses they targeted through VSA," Hanslovan commented, adding that the incident seemed to have been shaped more by a "race against time."

"Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks," Sophos noted. "As such, it has a high level of trust on customer devices. By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted."

The vendor has also provided an in-depth technical analysis of the attack.

Security expert Kevin Beaumont said that ransomware was pushed via an automated, fake, and malicious software update using Kaseya VSA dubbed "Kaseya VSA Agent Hot-fix".

"This fake update is then deployed across the estate -- including on MSP client customers' systems -- as it [is] a fake management agent update," Beaumont commented. "This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya's customers were still encrypted."

With a tip from RiskIQ, Huntress is also investigating an AWS IP address that may have been used as a launch point for the attack.

On July 5, Kaseya released an overview of the attack, which began on July 2 with reports of ransomware deployment on endpoints.

"In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure," the company says.

According to the firm, zero-day vulnerabilities were exploited by the attackers to bypass authentication and achieve code execution, allowing them to infect endpoints with ransomware. However, Kaseya emphasizes that there is no evidence of the VSA codebase being "maliciously modified".

Wietse Boonstra, a Dutch Institute for Vulnerability Disclosure (DIVD) researcher, previously identified a number of vulnerabilities, tracked as CVE-2021-30116, which were used in the ransomware attacks. They were reported under a Coordinated Vulnerability Disclosure pact.

"Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions," DIVD says. "Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched."

Who has been impacted?


Over the weekend, Kaseya said that SaaS customers were "never at risk" and current estimates suggest that fewer than 40 on-prem clients worldwide have been affected.

However, it should be noted that while only a small number of Kaseya clients may have been directly infected, those clients are MSPs, so the SMB customers further down the chain that rely on their services could be impacted in turn.

According to reports, 800 Coop supermarket chain stores in Sweden had to temporarily close as they were unable to open their cash registers.

Huntress said in a Reddit explainer that an estimated 1,000 companies have had servers and workstations encrypted. The vendor added that it is reasonable to suggest "thousands of small businesses" may have been impacted.

"This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen," commented Ross McKerchar, Sophos VP. "At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what's being reported by any individual security company."

On July 5, Kaseya revised previous estimates to "fewer than 60" customers, adding that "we understand the total impact thus far has been to fewer than 1,500 downstream businesses."

Now, on July 6, the estimate stands at about 50 direct customers and between 800 and 1,500 businesses down the chain.

When it comes to SaaS environments, Kaseya says, "We have not found evidence that any of our SaaS customers were compromised."

In a press release dated July 6, Kaseya has insisted that "while impacting approximately 50 of Kaseya's customers, this attack was never a threat nor had any impact to critical infrastructure."

The number of vulnerable Kaseya servers online, visible, and open to attackers dropped by 96% from roughly 1,500 on July 2 to 60 on July 8, according to Palo Alto Networks.


Kaseya CEO Fred Voccola said that the attack, "for the very small number of people who have been breached, it totally sucks."

"We are two days after this event," Voccola commented. "We have about 150 people that have probably slept a grand total of four hours in the last two days, literally, and that'll continue until everything is as perfect as can be."

Less than 0.1% of the company's customers experienced a breach.

"Unfortunately, this happened, and it happens," the executive added. "Doesn't make it okay. It just means it's the way the world we live in is today."

What is ransomware?

Ransomware is a type of malware that specializes in the encryption of files and drives.

In what has become one of the most severe and serious security problems modern businesses now face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations.

Once a victim's system or network has been encrypted, cyber criminals will place a ransom note on the system, demanding payment in return for a decryption key (which may, or may not, work).

Today's ransomware operators may be part of a Ransomware-as-a-Service (RaaS) scheme, in which they 'subscribe' to access and use a particular type of ransomware. Another emerging trend is double extortion, in which a victim will have their information stolen during a ransomware raid.

If they refuse to pay up, they may then face the prospect of their data being sold or published online.

Common and well-known ransomware families include REvil, Locky, WannaCry, Gandcrab, Cerber, NotPetya, Maze, and Darkside.




Who is responsible?

The cyberattack has been attributed to the REvil/Sodinokibi ransomware group, which has claimed responsibility on its Dark Web leak site, "Happy Blog."

In an update over the weekend, the operators, believed to have ties to Russia, claimed that more than "a million" systems have been infected.

REvil has offered a decryption key, allegedly universal and, therefore, able to unlock all encrypted systems, for the 'bargain' price of $70 million in the bitcoin (BTC) cryptocurrency.

REvil has been previously linked to ransomware attacks against companies, including JBS, Travelex, and Acer.


What are the ransomware payment terms?


The ransomware note claims that files are "encrypted, and currently unavailable." A file extension .csruj has reportedly been used. Operators are demanding payment in return for a decryption key and one 'freebie' file decryption is also on the table to prove the decryption key works.

The operators add (spelling unchanged):


"Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. If you will not cooperate with our service --for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money."

Sophos malware analyst Mark Loman shared a screenshot on Twitter of a ransomware note planted on an infected endpoint demanding $44,999.

John Hammond, senior security researcher at Huntress, told ZDNet that the company has already seen ransom demands of up to $5 million.

Kevin Beaumont says that, unfortunately, he has observed victims "sadly negotiating" with the ransomware's operators.

Fabian Wosar, CTO of Emsisoft, has also explained in a Twitter thread why using a key obtained by a single organization paying up is unlikely to be a viable path for unlocking all victims.

"REvil absolutely has the capability of decrypting only a single victim without these purchased decryption tools being applicable for other victims hit by the same campaign public key," the security expert noted.

CNBC reports that the universal ransom demand has been reduced to $50 million in private conversations. However, as of July 7, the public demand for $70 million on the threat group's leak site remains unchanged.


What are the reactions so far?

At the time of the breach, Kaseya notified law enforcement and cybersecurity agencies, including the Federal Bureau of Investigation (FBI) and US Cybersecurity and Infrastructure Security Agency (CISA).

The FBI and CISA have released a joint statement on the security incident and are urging customers to run a tool provided by Kaseya to determine the risk of exploitation, and to both enable and enforce multi-factor authentication (MFA) on enterprise accounts, wherever possible.

Kaseya has been holding meetings with the FBI and CISA "to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers."

The White House is asking organizations to inform the Internet Crime Complaint Center (IC3) if they suspect they have been compromised.

On Saturday, US President Biden said he has directed federal intelligence agencies to investigate.

"Targeting [an] MSP platform (that is managing many customers at once) was very well thought and planned," Amit Bareket, CEO of Perimeter 81, told ZDNet. "What's unique is that hackers are becoming more strategic and targeting platforms that will filtrate down to many companies with one shot. RMMs [remote monitoring and management] are basically keys to many many companies, which amount to the kingdom for bad actors."

The White House has attempted to strengthen its stance on cybercrime in light of this attack, warning Russian President Vladimir Putin that unless he deals with the problem in his own backyard, "we will take action or reserve the right to take action on our own."


Are there any recovery plans?


As of July 4, Kaseya says the company has now moved on from a root cause analysis of the attack to recovery and patch plans, consisting of:

Communication of our phased recovery plan with SaaS first followed by on-premises customers.
Kaseya will be publishing a summary of the attack and what we have done to mitigate it.
Some lightly-used legacy VSA functionality will be removed as part of this release out of an abundance of caution. A specific list of the functionality and its impact on VSA capabilities will be outlined in the release notes.
There will be new security measures implemented including enhanced security monitoring of our SaaS servers by FireEye and enablement of enhanced WAF capabilities.
We have successfully completed an external Vulnerability Scan, checked our SaaS Databases for Indicators of Compromise, and have had external security experts review our code to ensure a successful service restart.

Data centers starting with the EU will be restored, followed by the UK, APAC, and then North American systems.

By late evening on July 5, Kaseya said a patch has been developed and it is the firm's intention to bring back VSA with "staged functionality" to hasten the process. The company explained:
The first release will prevent access to functionality used by a very small fraction of our user base, including:
Classic Ticketing
Classic Remote Control (not LiveConnect).
User Portal

Kaseya has now published an updated timeline for its restoration efforts, starting with the relaunch of SaaS servers, now set for July 6, between 4:00 PM EDT and 7:00 PM EDT. Configuration changes to improve security will follow, including an on-premises patch, expected to land in 24 hours, or less, from the time SaaS servers come back online.

"We are focused on shrinking this time frame to the minimal possible -- but if there are any issues found during the spin-up of SaaS, we want to fix them before bringing our on-premises customers up," the firm says.

Additional security improvements include the creation of 24/7 SOCs for VSA, as well as a complimentary CDN with a web application firewall (WAF) for every VSA.

Update July 7: The timeline has not been met. Kaseya said that "an issue was discovered that has blocked the release" of the VSA SaaS rollout.

"We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service," Kaseya commented.

In a service update, the vendor said it has been unable to resolve the problem.

"The R&D and operations teams worked through the night and will continue to work until we have unblocked the release," Kaseya added.

July 7, 12 pm EDT:

Kaseya hopes to resolve the SaaS systems rollout no later than the evening of Thursday, July 8. A playbook is currently being written up, due to be published today, which will provide guidelines for impacted businesses to deploy the upcoming on-prem VSA patch.


Current recovery status


As of July 8, Kaseya has published two run books, "VSA SaaS Startup Guide," and "On Premises VSA Startup Readiness Guide," to assist clients in preparing for a return to service and patch deployment.

Recovery, however, is taking longer than initially expected.

"We are in the process of resetting the timelines for VSA SaaS and VSA On-Premises deployment," the company says. "We apologize for the delay and changes to the plans as we work through this fluid situation."

In a second video message recorded by the firm's CEO, Voccola said:


"The fact we had to take down VSA is very disappointing to me, it's very disappointing to me personally. I feel like I've let this community down. I let my company down, our company let you down. [..] This is not BS, this is the reality."

The new release time for VSA is Sunday, in the afternoon, Eastern Time, in order to also harden the software and bolster its security ahead of deployment.


What can customers do?


Kaseya has released a tool, including Indicators of Compromise (IoC), which can be downloaded via Box. There are two PowerShell scripts for use: one on a VSA server, and the other has been designed for endpoint scanning.

The self-assessment scripts should be used in offline mode. They were updated on July 5 to also scan for data encryption and REvil's ransom note.

However, the scripts are only for potential exploit risk detection and are not security fixes. Kaseya will release patches as quickly as it can, but in the meantime, customers simply have to wait until Sunday.
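An offline endpoint check in the spirit of the self-assessment scripts described above, as an added example that is not Kaseya's tool: it walks a directory tree with no network access and flags the two artefacts the article names, files carrying the ".csruj" extension and text files containing a phrase from the REvil ransom note. The sample directory layout, file names and the note-size threshold are constructed assumptions.

```python
"""Offline endpoint triage for the REvil artefacts named in the Kaseya coverage.

Added example, not Kaseya's self-assessment tool. It walks a directory tree
without any network access and reports two indicators: files carrying the
".csruj" extension and small text files containing a phrase from the ransom
note. The sample tree, file names and size threshold are assumptions.
"""
import os
import tempfile
from dataclasses import dataclass, field

# Indicators taken from the article: the appended extension and note phrases.
ENCRYPTED_EXT = ".csruj"
NOTE_PHRASES = ("Its just a business.", "cause just we have the private key")
MAX_NOTE_BYTES = 64 * 1024  # ransom notes are small; skip big files (assumed threshold)


@dataclass
class TriageResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)

    @property
    def compromised(self) -> bool:
        # Either indicator alone is enough to isolate the host and escalate.
        return bool(self.encrypted_files or self.ransom_notes)


def looks_like_ransom_note(path: str) -> bool:
    """Return True if a small, readable file contains one of the note phrases."""
    try:
        if os.path.getsize(path) > MAX_NOTE_BYTES:
            return False
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return False  # unreadable or vanished file: not evidence either way
    text = data.decode("utf-8", errors="ignore")
    return any(phrase in text for phrase in NOTE_PHRASES)


def triage_tree(root: str) -> TriageResult:
    """Walk `root` offline and collect both indicators without touching the network."""
    result = TriageResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
            elif looks_like_ransom_note(path):
                result.ransom_notes.append(path)
    return result


def build_sample_tree() -> str:
    """Constructed sample data: a clean user profile with two planted artefacts."""
    root = tempfile.mkdtemp(prefix="triage-sample-")
    docs = os.path.join(root, "Users", "alice", "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "budget.xlsx"), "wb") as fh:
        fh.write(b"PK\x03\x04 ordinary spreadsheet bytes")  # benign file
    with open(os.path.join(docs, "report.docx.csruj"), "wb") as fh:
        fh.write(os.urandom(256))  # encrypted content is opaque
    with open(os.path.join(docs, "readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("Its just a business. We absolutely do not care about you ...\n")
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("grocery list, nothing to see here\n")  # benign text file
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = triage_tree(sample_root)
    print("encrypted files:", report.encrypted_files)
    print("ransom notes:   ", report.ransom_notes)
    print("compromised:    ", report.compromised)
```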

Kaseya intends to bring customers back online on July 11, at 4 PM EDT.

"All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations," the firm said. "A patch will be required to be installed prior to restarting the VSA."

Cado Security has provided a GitHub repository for responders, including malware samples, IoCs, and Yara Rules.

Truesec CSIRT has also released a script on GitHub to identify and mitigate damage on infected systems.

Kaseya has also warned that scammers are trying to take advantage of the situation.

"Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments.

Do not click on any links or download any attachments claiming to be a Kaseya advisory."







More sharing, less shame: CompTIA ISAO wants to change the standard response to ransomware attacks


by Veronica Combs in Security on July 9, 2021

The information sharing organization helps companies deal with security threats and supports more collaboration overall.

Ransomware attacks are not going to stop any time soon and bad actors refine their attack techniques with every new breach. In addition to following best practices for securing networks and data, industry leaders and businesses of all sizes should prioritize information sharing.

MJ Shoer, senior vice president and executive director of the CompTIA ISAO, said the Kaseya attack was inevitable but it could have been considerably worse. A 2021 CompTIA survey found that 62% of MSPs were very concerned and 30% somewhat concerned about being targeted with cyberattacks.

"This attack underscores the point that we need to come together if we're going to gain the upper hand," he said.

Shoer said the tech industry needs to follow the information sharing example set by bad actors.

"Hackers do a phenomenal job sharing information — they tell each other what works, what doesn't," he said. "They're great at it, we need to be better than great."

Shoer said he wants the industry to erase the stigma associated with cyberattacks.

"That natural reaction to shame companies who get breached isn't helping," he said. "If we get enough organizations sharing what they're seeing, it gives all of us a chance to get the bad guys to back off."

John Collins, a senior analyst at Gartner for SecOps, SIEM, security services, threat intel and incident response, said that he has not seen empirical evidence suggesting increased threat intelligence sharing between security vendors, end user organizations and government. He has noticed more interest in threat intelligence sources and platforms.

"I have observed an increase from historically less security mature organizations who are looking for purpose-built tools for aggregating, curating, managing and operationalizing threat intelligence," he said. "Even TIP vendors are marketing their integration with MISP to allow for a wider range of sharing capability."

The CompTIA ISAO works with public and private cybersecurity agencies and organizations to help its members raise the cybersecurity awareness of the global tech industry. The community of nearly 1,176 member companies shares best practices, cyber threat intelligence and educational content. In addition to cybersecurity intelligence data, CompTIA ISAO members receive full access to all other CompTIA corporate member benefits.

"We all hope that it will prevent an attack but more often than not it helps address an attack or vulnerability or recover and remediate at issue," Shoer said.

Collins said that issues related to the consumption and management of TI are more important than general information sharing.

"I believe the industry needs to have some introspection on the quality of intelligence vs sharing data for the sake of having a feed and claiming #tisharing," he said. "I have regular conversations with security leaders asking for better ways to consume and manage the intel they are getting because they are overwhelmed with data, have lots of false positives and are managing the indicators in a spreadsheet."

Collins said that companies and governments should look for ways to declassify or anonymize information to share important threats without putting national security at risk or revealing sensitive data.

"For example, no one outside of your organization needs or cares about an internal user name or machine name that is part of a file path, and you don't want to violate any privacy laws by exposing it," he said. "The vast majority of attacks are commodity in nature and a very small percentage are associated with sophisticated attacks carried out by a group targeting an organization."

Shoer said that he knows of only one CompTIA ISAO member that was hit by the attack, although a few members shut down their systems, as Kaseya recommended.

In addition to monitoring the threat landscape to warn members of potential problems, the ISAO also documents attacks so that members can learn from them.

As helpful as information sharing can be, exposing indicators or TTPs of an active attack can create more problems for other organizations dealing with the same adversary. Collins said it's a classic catch-22 situation.

"I know SecOps operators who were burned by security companies releasing indicators to the public and the adversary in their environment turned into a ghost," he said. "To get more out of the adversary you sometimes need to let them 'live' in an environment for a bit longer, yet they may be exfiltrating data from another company and their defenders or provider needs the intel to identify it and stop it."

This is where tools like MISP and threat intelligence platforms can present a method for sharing intel and often use a system similar to traffic light protocol, Collins said. This approach allows companies to choose what to share and who to share it with.
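Collins' two points above, stripping internal user and machine names out of shared file paths and letting the sharing organisation decide who receives what with TLP-style markings, as an added Python example that is not part of the article or of MISP; the indicators, partner names and clearances are constructed, and the path patterns assume Windows user profiles, Unix home directories and UNC shares.

```python
import re
from dataclasses import dataclass

# TLP markings, most to least restrictive (the TLP 1.0 colours in use in 2021).
TLP_ORDER = ["RED", "AMBER", "GREEN", "WHITE"]

# Assumed path shapes that leak internal names: Windows user profiles and Unix
# home directories carry a user name, UNC shares carry a host name.
WIN_USER = re.compile(r"(?i)^([a-z]:\\users\\)[^\\]+")
NIX_USER = re.compile(r"^(/home/|/Users/)[^/]+")
UNC_HOST = re.compile(r"^\\\\[^\\]+")

def anonymize_path(path: str) -> str:
    """Mask the user or machine name, keep the tail that describes the malware."""
    path = WIN_USER.sub(r"\g<1><USER>", path)
    path = NIX_USER.sub(r"\g<1><USER>", path)
    return UNC_HOST.sub(r"\\\\<HOST>", path)

@dataclass
class Indicator:
    value: str               # file path, hash, domain ...
    tlp: str                 # marking chosen by the organisation that observed it
    kind: str = "file_path"

@dataclass
class Partner:
    name: str
    clearance: str           # most restrictive marking this recipient may receive

def prepare_share(indicators, partner):
    """Indicators the partner may see, file paths sanitized. A recipient cleared
    for AMBER gets AMBER, GREEN and WHITE items but never RED ones."""
    limit = TLP_ORDER.index(partner.clearance)
    shared = []
    for ind in indicators:
        if TLP_ORDER.index(ind.tlp) < limit:
            continue         # marked more restrictive than the recipient's clearance
        value = anonymize_path(ind.value) if ind.kind == "file_path" else ind.value
        shared.append(Indicator(value, ind.tlp, ind.kind))
    return shared

# Constructed sample indicators; user, host, paths and hash are made up.
SAMPLE = [
    Indicator(r"C:\Users\jdoe\AppData\Local\Temp\agent.exe", "AMBER"),
    Indicator(r"\\FILESRV01\share\payload.dll", "RED"),
    Indicator("0" * 31 + "f", "GREEN", "md5"),
]

if __name__ == "__main__":
    for ind in prepare_share(SAMPLE, Partner("sector-isao", "AMBER")):
        print(f"TLP:{ind.tlp}  {ind.kind}  {ind.value}")
```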
Plan, practice and prepare

Shoer said he sees a need for more table-top exercises so that companies can spot potential weak spots and formulate a response plan.

"Part of the challenge is taking the time to have these plans in place and then testing them regularly," he said.

This planning should include a priority list for restoring services after an attack has been resolved.

"Companies should think about how to prioritize restoration, by company size, industry, or public impact?" he said. "Companies should be playing these scenarios out and validating plans and looking for the gaps."

Shoer also said he sees more interest in keeping certain types of data in an air-gapped storage format to avoid the risk of a ransomware attack taking down backups along with live systems.

"Having those backups away from targeted networks is really important, including things that people may not be thinking of, such as bank statements and cyber liability insurance policies," he said. "Bad actors get into a network, sniff out this stuff and then set the ransomware amount based on your bank balance."

CompTIA's Cybersecurity Advisory Council provides educational materials and tools to help small business owners understand the risk of ransomware.

CompTIA launched the ISAO in August 2020 to "serve as the focal point for dealing with cyber-threats to technology vendors, MSPs, solution providers, integrators, distributors and business technology consultants." The organization's origins are in an ISAO started by tech entrepreneur Arnie Bellini in August 2019 as part of ConnectWise, the business automation software company he co-founded. Bellini transferred management and operations of the organization to CompTIA in early 2020.

Ransomware has surged — Why the attacks are ‘going crazy right now’

Technology Editor

Ransomware cyberattacks have skyrocketed, and no part of the economy is safe. From infrastructure companies like Colonial Pipeline to meat producers like JBS to a huge attack linked to Russia just over the Fourth of July weekend, the attacks have escalated.

According to George Kurtz, CEO of cybersecurity firm CrowdStrike (CRWD), the company is seeing a “massive” increase in ransomware attacks. And they’re targeting everything from private businesses to government entities.

“Ransomware is going crazy right now. What we’ve seen at CrowdStrike, is...almost 50 attacks per week, targeted attacks,” Kurtz told Yahoo Finance. “And it’s only getting worse.”

The most recent high-profile attack saw IT remote management software maker Kaseya hit by a supply chain-style ransomware attack, which impacted as many as 1,500 businesses. The suspected group behind the attack, REvil, is seeking a $70 million ransom to call it off.

What’s turned ransomware from a nuisance crime that impacted everyday people via email scams to a national security-level threat? A new business model for cybercriminals, a lack of accountability on the parts of foreign governments, and plenty of money to go around.

Cybercriminals have created a dangerous business model

Cybercriminal gangs like REvil (which stands for Ransomware Evil) have a business model that allows them to contract out their ransomware to smaller gangs that launch attacks.

“They have an affiliate model where anybody who contributes to the successful ransomware payment gets a profit share in the ransom,” explained Liam O’Murchu, director of Symantec’s (AVGO) Security Response Group.

“They've got a lot of people in the cybercriminal underground, who want to help and want to participate in these attacks, and basically sucked the air out of all of the other economic models that were in the underground,” O’Murchu said. “This is the biggest game in town right now.”

Cybercriminals have also taken their attacks to a new level that forces companies to respond as quickly as possible. In a normal ransomware attack, criminals target victims’ computer systems by encrypting them and keeping them locked down until the victims pay a ransom for the digital keys to regain access to their files.

FILE - In this Oct. 12, 2020 file photo, a worker heads into the JBS meatpacking plant in Greeley, Colo. A weekend ransomware attack on the world’s largest meat company is disrupting production around the world just weeks after a similar incident shut down a U.S. oil pipeline. The White House confirms that Brazil-based meat processor JBS SA notified the U.S. government Sunday, May 30, 2021, of a ransom demand from a criminal organization likely based in Russia. (AP Photo/David Zalubowski, File)
JBS was hit with a massive cyberattack that took its systems offline. (AP Photo/David Zalubowski, File)

More recently, however, cybercriminals have added a new threat. Now in addition to locking down victims’ systems, they’ll exfiltrate sensitive data and threaten to release it online if the victims don’t pay up quickly.

It’s not just sensitive corporate information either, O’Murchu explained.

“Recently...a CEO of one of the companies that [cybercriminals] got into was having an affair with someone...and they leaked photographs of the person he was having the affair with,” he said. “They also get the phone numbers of the executives and they call them on the phone to put pressure on them.”

The ransoms are huge

Beyond a new business model and pressure tactics, cybercriminals are benefiting from huge wins in the amount they charge in ransom. In the instance of the Colonial Pipeline hack, the attackers got away with a $4.6 million ransom, though the U.S. recovered $2.3 million. JBS, meanwhile, paid $11 million, CNA Financial paid $40 million, and in the Kaseya attack, the hackers are seeking $70 million.

Those are massive numbers when you consider hackers were previously targeting individual consumers for hundreds or thousands of dollars. And as more companies pay exorbitant ransoms, more attacks will be launched.

“Attacks have been profitable, because people have been paying ransom,” NYU Tandon School of Engineering professor Justin Cappos explained. “So, effectively, if no one had ever paid ransom for ransomware, there would have been an initial sort of speculative thing where people were trying to do it and then it would have faded away.”

The government says companies should avoid paying ransoms, since it only invites more attacks. But there’s nothing to stop private businesses from paying up.

Legislation that forbids such transactions, however, could help put a stop to the ransomware outbreak.

“Let's say that [legislation] became nationwide and actually was enforced,” Cappos said. “Then that removes a lot of the economic incentive, because the attackers know there's a small, small chance they'll be paid, because an organization will have to find the money to do it, do it off the books, and face legal consequences if they did it.”

Cryptocurrencies have also facilitated anonymous payments, with hackers demanding ransoms in the form of bitcoin or ethereum. The rise in cryptocurrency prices, despite some pullbacks as of late, has made such currencies appealing for cybercriminals who want a big payday without being tracked.

Nations are turning a blind eye to criminal gangs

But cybercriminals can be tracked, and in the instance of gangs like REvil, they turn up in countries that either can’t or refuse to deal with them, such as Russia, China, or North Korea.

On Friday, President Joe Biden spoke with Russian President Vladimir Putin about the country’s inaction on ransomware gangs, and said the U.S. would respond if nothing is done.

“I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden said.

“And secondly, we’ve set up a means of communication now on a regular basis to be able to communicate with one another when each of us thinks something is happening in another country that affects the home country,” he said.

Asked if there would be consequences to further inaction, Biden said yes.

But until countries act to slow the spread of ransomware, the attacks will continue to haunt private companies and governments around the world.

Biden's New Executive Order Looks to Address Data Privacy

White House Asks FTC to Develop New Rules on Consumer Data Collection

In his latest executive order, President Joe Biden is asking the U.S. Federal Trade Commission to establish new rules over how tech firms can collect and use data from their customers, as a way to offer more privacy protections for American consumers.

The focus on how large tech firms such as Facebook, Google and Amazon collect and use consumer data is one part of an executive order that seeks to address a raft of what the White House calls anticompetitive behavior by corporations that have harmed customers and reduced competition, according to a fact sheet published by the administration on Friday.

Besides asking the FTC to expand protections for consumer data and privacy, the order instructs the U.S. Department of Justice, as well as other federal agencies, to step up their antitrust enforcement, especially when it comes to larger tech firms buying small companies in deals that could stifle competition.

"Over the past [10] years, the largest tech platforms have acquired hundreds of companies - including alleged 'killer acquisitions' meant to shut down a potential competitive threat. Too often, federal agencies have not blocked, conditioned, or, in some cases, meaningfully examined these acquisitions," according to the White House.

The executive order also seeks to address a host of other issues by asking agencies such as the FTC and the Federal Communications Commission to take actions such as increasing access to broadband internet services, restoring net neutrality rules that were eliminated in 2017, reducing anticompetitive clauses in employee contracts and allowing banking customers to more easily transfer their data.

"Fair competition is what made America the wealthiest, most innovative nation in history," Biden said during a signing ceremony at the White House on Friday.

The FTC and FCC are independent of the White House, which means the Biden administration can only ask these agencies to examine these issues and write new rules that they could enforce. The executive order does not offer specific rules or guidelines about protecting customers' data.

And while the new executive action does not address specific cybersecurity issues, Biden issued a separate order on May 12 that covers a range of security improvements, from ordering departments to adopt modern security practices to addressing how the federal government evaluates and purchases software (see: Biden's Cybersecurity Executive Order: 4 Key Takeaways).

Consumer Data

While the executive order issued Friday does not contain specifics for the FTC, the Biden administration stresses that the broad collection of personal information and other details has given tech firms too much access to sensitive data for business purposes.

"Big tech platforms gathering too much personal information: Many of the large platforms’ business models have depended on the accumulation of extraordinary amounts of sensitive personal information and related data," according to the White House.

What the FTC could do is create new rules for tech firms based on the Fair Trade Commission Act of 1914, which allows the agency to police unfair practices not covered by other laws, says Justin Antonipillai, who served as acting undersecretary for economic affairs at the U.S. Department of Commerce during the Obama administration.

"The FTC has the ability to go after companies that have unfair trade practices if they treat a consumer unfairly," Antonipillai, now the founder and CEO of security firm WireWheel, says. "I suspect there will be a series of processes and hearings around their unfairness authority to react to the request from the president."

Antonipillai also points out the current leadership at the FTC has expressed interest in issues of how larger tech firms operate and use their market positions. For instance, Lina Khan, the chair of the FTC, previously worked on a House antitrust investigation of Amazon, Apple, Facebook and Google.

Other Actions

Besides Biden's executive order from Friday, other federal and state lawmakers have been attempting to address how companies use and collect consumer data. In April, a group of bipartisan senators sent letters to Google, Twitter, Verizon, AT&T and online advertising firms and networks, raising national security concerns about the selling of citizens' data, which could end up in the hands of foreign governments (see: Senators Raise Security Concerns Over Selling Personal Data).

In March, U.S. Rep. Suzan DelBene, D-Wash., reintroduced a bill that would create a nationwide data privacy standard to be enforced by the FTC. While the Information Transparency and Personal Data Control Act has 19 co-sponsors in the House, the bill hasn't been scheduled for a hearing as of now.

Also, several states have passed or are planning to enact their own consumer data protection and privacy laws along the lines of the California Consumer Privacy Act (see: Privacy Legislation Progresses in 5 More States).

Antonipillai says that any new FTC actions could overlap with state laws and create additional uncertainty for companies, which shows there is a need for an overarching federal law to protect data privacy.

"The time has long passed since we should have a national law in place that enables broad enforcement of privacy rights," Antonipillai says. "I don't think that this executive order is going to make it any more likely that this happens. The fact that the administration is approaching this through executive order shows that they don’t think legislation is likely this year."