Saturday, July 10, 2021

Biden fires Trump-appointed U.S. Social Security chief after he refuses to resign

By Darlene Superville, The Associated Press
Posted July 9, 2021
 
In this Tuesday, Oct. 2, 2018, file photo, the Senate Finance Committee holds a hearing on the nomination of Andrew Saul to be commissioner of the Social Security Administration, on Capitol Hill in Washington. On Friday, July 9, 2021, President Joe Biden fired Social Security Administration Commissioner Saul after Saul refused to resign, and accepted the deputy commissioner's resignation, the White House said. (AP Photo/J. Scott Applewhite, File).

U.S. President Joe Biden on Friday fired the commissioner of Social Security after the official refused to resign, and Biden accepted the deputy commissioner’s resignation, the White House said.


Biden asked commissioner Andrew Saul to resign, and his employment was terminated after he refused the Democratic president’s request, a White House official said.

Deputy Commissioner David Black agreed to resign, said the official, who spoke on condition of anonymity to discuss personnel matters.

Both officials had been put in place under President Donald Trump, a Republican.

Biden named Kilolo Kijakazi as acting commissioner while the administration conducts a search for a permanent commissioner and deputy commissioner.

Kijakazi currently is the deputy commissioner for retirement and disability policy at the Social Security Administration.

Saul’s removal followed a Justice Department legal opinion that found he could be removed, despite a statute that says he could only be fired for neglecting his duties or malfeasance.

The opinion — researched at the request of the White House — concluded that a reevaluation because of a recent Supreme Court ruling meant that Saul could be fired by the president at will.

Biden’s move got immediate support from the Democratic senator who would be in charge of confirming a successor to Saul. Republican lawmakers accused Biden of politicizing the agency and pointed to Saul’s confirmation by a bipartisan Senate vote in 2019.

Senate Finance Committee Chairman Ron Wyden, D-Ore., said in a statement that “every president should choose the personnel that will best carry out their vision for the country.

“To fulfill President Biden’s bold vision for improving and expanding Social Security, he needs his people in charge,” Wyden added, pledging to work to confirm a new commissioner “as swiftly as possible.”

Rep. Bill Pascrell, D-N.J., who several months ago began demanding the ouster of Saul and Black, celebrated their Friday firings.

“Social Security is in deep trouble,” Pascrell said.



Sen. Mike Crapo of Idaho, the top Republican on the finance committee, and Rep. Kevin Brady of Texas, the top Republican on the House Ways and Means Committee, issued a joint statement calling Biden’s decision “disappointing.” The pair claimed “Social Security beneficiaries stand the most to lose from President Biden’s partisan decision to remove Commissioner Andrew Saul.”

Senate Minority Leader Mitch McConnell, R-Ky., called the personnel move an “unprecedented and dangerous politicization of the Social Security Administration.”



The agency, headquartered in Baltimore, pays benefits, funded by a tax on wages paid by employers and employees, to about 64 million people, including retirees, children, widows and widowers, according to its website. The agency has a staff of about 60,000 employees.

Saul was confirmed by a Senate vote of 77-16 in 2019 to a six-year term that would have expired in January 2025, tweeted Sen. Chuck Grassley, R-Iowa.

The labor union that represents Social Security employees also welcomed the firings.

Ralph de Juliis, spokesperson for the American Federation of Government Employees SSA General Committee and Council 220 President, said employee morale and agency operations had suffered under Saul and Black’s leadership.

“President Biden made the right call to send these Trump appointees packing,” de Juliis said.

Associated Press writer Mike Balsamo contributed to this report.

More competition: Biden signs order targeting big business

President Joe Biden signed an executive order on Friday targeting what he labeled anticompetitive practices in tech, health care and other parts of the economy, declaring it would fortify an American ideal “that true capitalism depends on fair and open competition.”

The sweeping order includes 72 actions and recommendations that Biden said would lower prices for families, increase wages for workers and promote innovation and faster economic growth. However, new regulations that agencies may write to translate his policy into rules could trigger major legal battles.

The order includes calls for banning or limiting noncompete agreements to help boost wages, allowing rule changes that would pave the way for hearing aids to be sold over the counter at drugstores and banning excessive early termination fees by internet companies. It also calls on the Transportation Department to consider issuing rules requiring airlines to refund fees when baggage is delayed or in-flight services are not provided as advertised.

At a White House signing ceremony, Biden said of some in big business: “Rather than competing for consumers they are consuming their competitors; rather than competing for workers they are finding ways to gain the upper hand on labor.”

“Let me be clear: Capitalism without competition isn’t capitalism. It’s exploitation,” he said.

The White House said Biden’s order follows in the tradition of past presidents who took action to slow corporate power. Theodore Roosevelt’s administration broke up powerful trusts that had a grip on huge swaths of the economy, including Standard Oil and J.P. Morgan’s railroads. Franklin D. Roosevelt’s administration stepped up antitrust enforcement in the 1930s.

But experts noted that Biden's sprawling presidential initiative is hardly a mandate on competition.

“This is really more of a blueprint or agenda than a traditional executive order,” said Daniel Crane, a law professor at the University of Michigan who focuses on antitrust. “This is a very broad and ambitious policy agenda for the Biden administration that offers lots of insights on the administration’s direction and priorities, but there could be many a slip between the cup and the lip.”

Biden's order includes a flurry of consumer-pointed initiatives that could potentially lead to new federal regulations, but it also includes plenty of aspirational language that simply encourages agencies to take action meant to bolster worker and consumer protections.

Business and trade groups quickly expressed opposition, arguing that the order would stifle economic growth just as the U.S. economy is recovering from the coronavirus pandemic.

“Some of the actions announced today are solutions in search of a problem,” said Jay Timmons, president and CEO of the National Association of Manufacturers. “They threaten to undo our progress by undermining free markets and are premised on the false notion that our workers are not positioned for success.”

The order seeks to address noncompete clauses — an issue affecting some 36 million to 60 million Americans, according to the White House — by encouraging the Federal Trade Commission to ban or limit such agreements, ban unnecessary occupational licensing restrictions and strengthen antitrust guidance to prevent employers from collaborating to suppress wages or reduce benefits by sharing wage and benefit information with one another.

Noncompete agreements often stop workers in a variety of industries from going to other employers for higher pay. Biden noted that in some states even fast food franchises include such clauses for low-wage workers.

“Come on, are there trade secrets about what’s inside the patty?” Biden said.

The order also takes aim at tech giants Facebook, Google, Apple and Amazon by calling for greater scrutiny of mergers, “especially by dominant internet platforms, with particular attention to the acquisition of nascent competitors, serial mergers, the accumulation of data, competition by ‘free’ products, and the effect on user privacy.”

In his executive order, Biden also calls on the Federal Maritime Commission to take action against shippers that it says are “charging American exporters exorbitant charges” and the Surface Transportation Board to require railroad track owners to “strengthen their obligations to treat other freight companies fairly.”

The White House argues that rapid consolidation and sharp hikes in pricing in the shipping industry have made it increasingly expensive for U.S. companies to get goods to market. In 2000, the largest 10 shipping companies controlled 12% of the market. They now control about 82%, according to the Journal of Commerce.

The World Shipping Council, an industry trade group, pushed back in a statement that “normalized demand, not regulation,” is the way to answer rising costs.

“There is no market concentration ‘problem’ to ‘fix,’ and punitive measures levied against carriers based on incorrect economic assumptions will not fix the congestion problems,” said John Butler, president and CEO of the council.

The order also notes that over the past two decades the U.S. has lost 70% of the banks it once had, with around 10,000 bank closures. Communities of color and rural areas have been disproportionately affected.

To begin addressing the trend, the order encourages the Justice Department as well as the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency to update guidelines to provide greater scrutiny of mergers. It also encourages the Consumer Financial Protection Bureau to issue rules allowing customers to download their banking data and take it with them when they switch.

The order includes several provisions that could affect the agricultural industry. It calls on the U.S. Department of Agriculture to consider issuing new rules defining when meat can use “Product of USA” labels. It also encourages the FTC to limit farm equipment manufacturers' ability to restrict the use of independent repair shops or do-it-yourself repairs — such as when tractor companies block farmers from repairing their own tractors.

Democratic lawmakers and union leaders cheered the order.

Sen. Amy Klobuchar, a Minnesota Democrat who chairs the Senate Judiciary Subcommittee on Competition Policy, said that Biden's executive order needs to be buttressed by congressional action.

“Competition policy needs new energy and approaches so that we can address America’s monopoly problem,” Klobuchar said. “That means legislation to update our antitrust laws, but it also means reimagining what the federal government can do to promote competition under our current laws.”

Biden targets airlines, internet, hearing aids, phone repairs and more in new order

Here are some of the products and services the Biden administration is targeting



By Audrey Conklin, FOXBusiness

President Joe Biden on Friday issued a new executive order aimed at boosting competition in various industries, targeting products and services like airline refunds, internet bills, hearing aids and more.

The executive order contains 72 actions and recommendations meant to promote innovation across various sectors of the economy from tech to health care to agriculture, and thereby improve workforce conditions and drive costs down, according to a White House fact sheet.

"The heart of American capitalism is a simple idea: Open and fair competition," Biden said in remarks at the White House, shortly before signing the order. "That means if your companies want to win your business, they have to go out and they have got to up their game. Better prices and services, better ideas and products. The competition keeps the economy moving and it keeps it growing. A competitive economy must mean that companies do everything they can to compete for workers."

Here are some of the products and services the Biden administration is targeting in an effort to boost competition and consumer choices:

Airlines

The White House noted in its fact sheet that reduced competition among airlines has resulted in higher baggage and cancellation fees despite millions of instances of delayed baggage each year.

The administration is directing the DOT to consider issuing rules requiring airlines to refund fees when baggage is delayed or when a service like in-flight WiFi does not work. It is also recommending the DOT implement rules requiring baggage, flight change and cancellation fees to be "clearly disclosed to the customer."

Internet/broadband

The Biden administration believes that cracking down on broadband services will boost competition, especially for Americans living in rural areas, giving consumers more options and driving down internet costs.

It is calling on the FCC to ensure internet service providers are offering fair prices by requiring them to report prices and subscription rates to the commission, and to limit high early cancellation fees.

President Joe Biden signs an executive order aimed at promoting competition in the economy, in the State Dining Room of the White House, Friday, July 9, 2021, in Washington. (AP Photo/Evan Vucci)


The administration also plans to reimplement Obama-era "Net Neutrality" rules, which essentially treated internet service providers and cable companies like public utilities, and subjected them to various rules preventing the prioritization of certain types of content.

Hearing aids

Biden wants hearing aids to be sold over-the-counter to reduce costs for Americans who are hard of hearing.


The administration is asking the Department of Health and Human Services to consider issuing a proposal within 120 days to allow hearing aids to be sold over the counter. It is also calling on HHS to come up with a plan in 45 days to "combat high prescription drug prices and price gouging."

Phone and computer repairs

The president is also taking on Big Tech by establishing "an administration policy" to survey mergers between small tech companies and tech giants that can stamp out competition and consumer options. He is also encouraging the Federal Trade Commission (FTC) to monitor the collection of user data and surveillance of consumers by large tech companies.

Finally, the administration is also calling on the FTC to implement "rules against anti-competitive restrictions on using independent repair shops or doing DIY repairs" of technology devices and equipment, such as smartphones. Independent phone and computer repair shops have called on tech giants like Apple to change their repair provider rules.

Agriculture equipment repairs

Biden is urging the U.S. Department of Agriculture to consider implementing new rules under the Packer and Stockyard Act; clarify rules as to which products can be labeled as "Product of USA"; and limit agriculture equipment manufacturers from restricting farmers' ability to conduct their own repairs, among other initiatives aimed at boosting agricultural competition and small farms' success.

President Joe Biden speaks before signing an executive order aimed at promoting competition in the economy, in the State Dining Room of the White House, Friday, July 9, 2021, in Washington. (AP Photo/Evan Vucci)


The White House mentioned "tractor companies" that "block farmers from repairing their own tractors," which may be a reference to John Deere, which does not allow "unauthorized" independent repairs and which uses unique software locks that make tractors unusable if they are fixed by anyone other than John Deere technicians, according to Vice.

"Let me be very clear: Capitalism without competition isn't capitalism. It's exploitation," Biden said Friday. "Without healthy competition, big players can change and charge whatever they want and treat you however they want. And for too many Americans that means accepting a bad deal for things you can't go without. So, we know we've got a problem, a major problem. But we also have an incredible opportunity."

Progressive lawmakers celebrated the jam-packed executive order, while business groups and Republicans slammed it as harmful to the free market.

Sen. Elizabeth Warren, a fierce consumer advocate, lauded the executive order as a "critical" step to protect working-class Americans and urged Congress to pass legislation codifying the measure into law.

But the U.S. Chamber of Commerce said in a blistering statement that the directive "smacks of a 'government knows best' approach to managing the economy" and vowed to "vigorously oppose calls for government-set prices, onerous and legally questionable rulemakings, efforts to treat innovative industries as public utilities, and the politicization of antitrust enforcement."

Fox Business' Megan Henney, Charlie Gasparino and Lydia Moynihan contributed to this report.

Hackers disrupt Iran’s rail service with fake delay messages

TEHRAN, Iran (AP) — Iran’s railroad system came under cyberattack on Friday, a semi-official news agency reported, with hackers posting fake messages about train delays or cancellations on display boards at stations across the country.

The hackers posted messages such as “long delayed because of cyberattack” or “canceled” on the boards. They also urged passengers to call for information, listing the phone number of the office of the country’s supreme leader, Ayatollah Ali Khamenei.

The semiofficial Fars news agency reported that the hack led to “unprecedented chaos” at rail stations.

No group took responsibility. Earlier in the day, Fars said trains across Iran had lost their electronic tracking system. It wasn’t immediately clear if that was also part of the cyberattack.

Fars later removed its report and instead quoted the spokesman of the state railway company, Sadegh Sekri, as saying “the disruption” did not cause any problem for train services.

In 2019, an error in the railway company’s computer servers caused multiple delays in train services.

In December that year, Iran’s telecommunications ministry said the country had defused a massive cyberattack on unspecified “electronic infrastructure” but provided no specifics on the purported attack.

It was not clear if the reported attack caused any damage or disruptions in Iran’s computer and internet systems, and whether it was the latest chapter in the U.S. and Iran’s cyber operations targeting the other.

Iran disconnected much of its infrastructure from the internet after the Stuxnet computer virus — widely believed to be a joint U.S.-Israeli creation — disrupted thousands of Iranian centrifuges in the country’s nuclear sites in the late 2000s.

Kaseya ransomware attack updates: Your questions answered

Here is everything we know so far. ZDNet will update this primer as we learn more.



By Charlie Osborne | July 9, 2021 | Topic: Security | ZDNet

Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack on July 2, over the American Independence Day weekend.




It appears that attackers have carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya's VSA software against multiple managed service providers (MSP) -- and their customers.

According to Kaseya CEO Fred Voccola, less than 0.1% of the company's customers were embroiled in the breach -- but as their clientele includes MSPs, this means that smaller businesses have also been caught up in the incident.

Present estimates suggest that 800 to 1500 small to medium-sized companies may have experienced a ransomware compromise through their MSP.

The attack is reminiscent of the SolarWinds security fiasco, in which attackers managed to compromise the vendor's software to push a malicious update to thousands of customers. However, we are yet to find out just how widespread Kaseya's ransomware incident will prove to be.

What is Kaseya?

Kaseya's international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries.

Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform.

The firm's software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain.


What happened?


On July 2 at 2:00 PM EDT, as previously reported by ZDNet, Kaseya CEO Fred Voccola announced "a potential attack against the VSA that has been limited to a small number of on-premise customers."

At the same time, out of an abundance of caution, Voccola urged clients to immediately shut down their VSA servers.

"It's critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA," the executive said.

Customers were notified of the breach via email, phone, and online notices.

As Kaseya's Incident Response team investigated, the vendor also decided to proactively shut down its SaaS servers and pull its data centers offline.

By July 4, the company had revised its thoughts on the severity of the incident, calling itself the "victim of a sophisticated cyberattack."

Cyber forensics experts from FireEye's Mandiant team, alongside other security companies, have been pulled in to assist.

"Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service," Kaseya said, adding that more time is needed before its data centers are brought back online.

Once the SaaS servers are operational, Kaseya will publish a schedule for distributing a security patch to on-prem clients.

In a July 5 update, Kaseya said that a fix has been developed and would first be deployed to SaaS environments, once testing and validation checks are complete.

"We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration," the company said. "We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers."


The ransomware attack, explained

The FBI described the incident succinctly: a "supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers."

Huntress has tracked 30 MSPs involved in the breach and believes with "high confidence" that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface.

According to the cybersecurity firm, this allowed the attackers to circumvent authentication controls, gain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process.

Kyle Hanslovan, CEO and co-founder of Huntress, told attendees of a webinar discussing the technical aspects of the attack on July 6 that the threat actors responsible were "crazy efficient."

"There is no proof that the threat actors had any idea of how many businesses they targeted through VSA," Hanslovan commented, adding that the incident seemed to be shaped more due to a "race against time."

"Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks," Sophos noted. "As such, it has a high level of trust on customer devices. By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted."

The vendor has also provided an in-depth technical analysis of the attack.

Security expert Kevin Beaumont said that ransomware was pushed via an automated, fake, and malicious software update using Kaseya VSA dubbed "Kaseya VSA Agent Hot-fix".

"This fake update is then deployed across the estate -- including on MSP client customers' systems -- as it [is] a fake management agent update," Beaumont commented. "This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya's customers were still encrypted."

With a tip from RiskIQ, Huntress is also investigating an AWS IP address that may have been used as a launch point for the attack.

On July 5, Kaseya released an overview of the attack, which began on July 2 with reports of ransomware deployment on endpoints.

"In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure," the company says.

According to the firm, the attackers exploited zero-day vulnerabilities to bypass authentication and achieve code execution, allowing them to infect endpoints with ransomware. However, Kaseya emphasizes that there is no evidence of the VSA codebase being "maliciously modified".

Wietse Boonstra, a Dutch Institute for Vulnerability Disclosure (DIVD) researcher, previously identified a number of vulnerabilities, tracked as CVE-2021-30116, which were used in the ransomware attacks. They were reported under a Coordinated Vulnerability Disclosure pact.

"Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions," DIVD says. "Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched."

Who has been impacted?


Over the weekend, Kaseya said that SaaS customers were "never at risk" and current estimates suggest that fewer than 40 on-prem clients worldwide have been affected.

However, it should be noted that while only a small number of Kaseya clients may have been directly infected, those clients are MSPs, so the SMB customers further down the chain that rely on their services could be impacted in turn.

According to reports, 800 Coop supermarket chain stores in Sweden had to temporarily close as they were unable to open their cash registers.

Huntress said in a Reddit explainer that an estimated 1,000 companies have had servers and workstations encrypted. The vendor added that it is reasonable to suggest "thousands of small businesses" may have been impacted.

"This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen," commented Ross McKerchar, Sophos VP. "At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what's being reported by any individual security company."

On July 5, Kaseya revised previous estimates to "fewer than 60" customers, adding that "we understand the total impact thus far has been to fewer than 1,500 downstream businesses."

Now, on July 6, the estimate stands at roughly 50 direct customers and between 800 and 1,500 businesses down the chain.

When it comes to SaaS environments, Kaseya says, "We have not found evidence that any of our SaaS customers were compromised."

In a press release dated July 6, Kaseya has insisted that "while impacting approximately 50 of Kaseya's customers, this attack was never a threat nor had any impact to critical infrastructure."

The number of vulnerable Kaseya servers online, visible, and open to attackers dropped by 96% from roughly 1,500 on July 2 to 60 on July 8, according to Palo Alto Networks.

Kaseya CEO Fred Voccola said that the attack, "for the very small number of people who have been breached, it totally sucks."

"We are two days after this event," Voccola commented. "We have about 150 people that have probably slept a grand total of four hours in the last two days, literally, and that'll continue until everything is as perfect as can be."

Less than 0.1% of the company's customers experienced a breach.

"Unfortunately, this happened, and it happens," the executive added. "Doesn't make it okay. It just means it's the way the world we live in is today."

What is ransomware?

Ransomware is a type of malware that specializes in the encryption of files and drives.

In what has become one of the most severe and serious security problems modern businesses now face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations.

Once a victim's system or network has been encrypted, cyber criminals will place a ransom note on the system, demanding payment in return for a decryption key (which may, or may not, work).

Today's ransomware operators may be part of a Ransomware-as-a-Service (RaaS) scheme, in which they 'subscribe' to access and use a particular type of ransomware. Another emerging trend is double extortion, in which a victim also has their information stolen during a ransomware raid.

If they refuse to pay up, they may then face the prospect of their data being sold or published online.

Common and well-known ransomware families include REvil, Locky, WannaCry, Gandcrab, Cerber, NotPetya, Maze, and Darkside.

Who is responsible?

The cyberattack has been attributed to the REvil/Sodinokibi ransomware group, which has claimed responsibility on its Dark Web leak site, "Happy Blog."

In an update over the weekend, the operators, believed to have ties to Russia, claimed that more than "a million" systems have been infected.

REvil has offered a decryption key, allegedly universal and, therefore, able to unlock all encrypted systems, for the 'bargain' price of $70 million in the bitcoin (BTC) cryptocurrency.

REvil has been previously linked to ransomware attacks against companies, including JBS, Travelex, and Acer.


What are the ransomware payment terms?


The ransomware note claims that files are "encrypted, and currently unavailable." A file extension .csruj has reportedly been used. Operators are demanding payment in return for a decryption key and one 'freebie' file decryption is also on the table to prove the decryption key works.

The operators add (spelling unchanged):


"Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. If you will not cooperate with our service --for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money."

Sophos malware analyst Mark Loman shared a screenshot on Twitter of a ransomware note planted on an infected endpoint demanding $44,999.

John Hammond, senior security researcher at Huntress, told ZDNet that the company has already seen ransom demands of up to $5 million.

Kevin Beaumont says that, unfortunately, he has observed victims "sadly negotiating" with the ransomware's operators.

Fabian Wosar, CTO of Emsisoft, has also explained in a Twitter thread why using a key obtained by a single organization paying up is unlikely to be a viable path for unlocking all victims.

"REvil absolutely has the capability of decrypting only a single victim without these purchased decryption tools being applicable for other victims hit by the same campaign public key," the security expert noted.

CNBC reports that the universal ransom demand has been reduced to $50 million in private conversations. However, as of July 7, the public demand for $70 million on the threat group's leak site remains unchanged.


What are the reactions so far?

At the time of the breach, Kaseya notified law enforcement and cybersecurity agencies, including the Federal Bureau of Investigation (FBI) and US Cybersecurity and Infrastructure Security Agency (CISA).

The FBI and CISA have released a joint statement on the security incident and are urging customers to run a tool provided by Kaseya to determine the risk of exploit, and to both enable and enforce multi-factor authentication (MFA) on enterprise accounts, wherever possible.

Kaseya has been holding meetings with the FBI and CISA "to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers."

The White House is asking organizations to inform the Internet Crime Complaint Center (IC3) if they suspect they have been compromised.

On Saturday, US President Biden said he has directed federal intelligence agencies to investigate.

"Targeting [an] MSP platform (that is managing many customers at once) was very well thought and planned," Amit Bareket, CEO of Perimeter 81, told ZDNet. "What's unique is that hackers are becoming more strategic and targeting platforms that will filtrate down to many companies with one shot. RMMs [remote monitoring and management] are basically keys to many many companies, which amount to the kingdom for bad actors."

The White House has attempted to strengthen its stance on cybercrime in light of this attack, warning Russian President Vladimir Putin that unless he deals with the problem in his own backyard, "we will take action or reserve the right to take action on our own."


Are there any recovery plans?


As of July 4, Kaseya says the company has now moved on from a root cause analysis of the attack to recovery and patch plans, consisting of:

Communication of our phased recovery plan with SaaS first followed by on-premises customers.
Kaseya will be publishing a summary of the attack and what we have done to mitigate it.
Some lightly-used legacy VSA functionality will be removed as part of this release out of an abundance of caution. A specific list of the functionality and its impact on VSA capabilities will be outlined in the release notes.
There will be new security measures implemented including enhanced security monitoring of our SaaS servers by FireEye and enablement of enhanced WAF capabilities.
We have successfully completed an external Vulnerability Scan, checked our SaaS Databases for Indicators of Compromise, and have had external security experts review our code to ensure a successful service restart.

Data centers starting with the EU will be restored, followed by the UK, APAC, and then North American systems.

By late evening on July 5, Kaseya said a patch has been developed and it is the firm's intention to bring back VSA with "staged functionality" to hasten the process. The company explained:
The first release will prevent access to functionality used by a very small fraction of our user base, including:
Classic Ticketing
Classic Remote Control (not LiveConnect).
User Portal

Kaseya has now published an updated timeline for its restoration efforts, starting with the relaunch of SaaS servers, now set for July 6, between 4:00 PM EDT and 7:00 PM EDT. Configuration changes to improve security will follow, including an on-premise patch, expected to land in 24 hours, or less, from the time SaaS servers come back online.

"We are focused on shrinking this time frame to the minimal possible -- but if there are any issues found during the spin-up of SaaS, we want to fix them before bringing our on-premises customers up," the firm says.

Additional security improvements include the creation of 24/7 SOCs for VSA, as well as a complimentary CDN with a web application firewall (WAF) for every VSA.

Update July 7: The timeline has not been met. Kaseya said that "an issue was discovered that has blocked the release" of the VSA SaaS rollout.

"We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service," Kaseya commented.

In a service update, the vendor said it has been unable to resolve the problem.

"The R&D and operations teams worked through the night and will continue to work until we have unblocked the release," Kaseya added.

July 7, 12 pm EDT:

Kaseya hopes to resolve the SaaS systems rollout no later than the evening of Thursday, July 8. A playbook is currently being written up, due to be published today, which will provide guidelines for impacted businesses to deploy the upcoming on-prem VSA patch.


Current recovery status


As of July 8, Kaseya has published two run books, "VSA SaaS Startup Guide," and "On Premises VSA Startup Readiness Guide," to assist clients in preparing for a return to service and patch deployment.

Recovery, however, is taking longer than initially expected.

"We are in the process of resetting the timelines for VSA SaaS and VSA On-Premises deployment," the company says. "We apologize for the delay and changes to the plans as we work through this fluid situation."

In a second video message recorded by the firm's CEO, Voccola said:


"The fact we had to take down VSA is very disappointing to me, it's very disappointing to me personally. I feel like I've let this community down. I let my company down, our company let you down. [..] This is not BS, this is the reality."

The new release time for VSA is Sunday, in the afternoon, Eastern Time, in order to also harden the software and bolster its security ahead of deployment.


What can customers do?


Kaseya has released a tool, including Indicators of Compromise (IoC), which can be downloaded via Box. There are two PowerShell scripts for use: one on a VSA server, and the other has been designed for endpoint scanning.

The self-assessment scripts should be used in offline mode. They were updated on July 5 to also scan for data encryption and REvil's ransom note.

However, the scripts are only for potential exploit risk detection and are not security fixes. Kaseya will release patches as quickly as it can, but in the meantime, customers simply have to wait until Sunday.

Kaseya intends to bring customers back online on July 11, at 4 PM EDT.

"All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations," the firm said. "A patch will be required to be installed prior to restarting the VSA."

Cado Security has provided a GitHub repository for responders, including malware samples, IoCs, and Yara Rules.

Truesec CSIRT has also released a script on GitHub to identify and mitigate damage on infected systems.

Kaseya has also warned that scammers are trying to take advantage of the situation.

"Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments.

Do not click on any links or download any attachments claiming to be a Kaseya advisory."

More sharing, less shame: CompTIA ISAO wants to change the standard response to ransomware attacks


by Veronica Combs in Security on July 9, 2021

The information sharing organization helps companies deal with security threats and supports more collaboration overall.

Ransomware attacks are not going to stop any time soon and bad actors refine their attack techniques with every new breach. In addition to following best practices for securing networks and data, industry leaders and businesses of all sizes should prioritize information sharing.

MJ Shoer, senior vice president and executive director of the CompTIA ISAO, said the Kaseya attack was inevitable but it could have been considerably worse. A 2021 CompTIA survey found that 62% of MSPs were very concerned and 30% somewhat concerned about being targeted with cyberattacks.

"This attack underscores the point that we need to come together if we're going to gain the upper hand," he said.

Shoer said the tech industry needs to follow the information sharing example set by bad actors.

"Hackers do a phenomenal job sharing information— they tell each other what works, what doesn't," he said. "They're great at it, we need to be better than great."

Shoer said he wants the industry to erase the stigma associated with cyberattacks.

"That natural reaction to shame companies who get breached isn't helping," he said. "If we get enough organizations sharing what they're seeing, it gives all of us a chance to get the bad guys to back off."

John Collins, a senior analyst at Gartner for SecOps, SIEM, security services, threat intel and incident response, said that he has not seen empirical evidence suggesting increased threat intelligence sharing between security vendors, end user organizations and government. He has noticed more interest in threat intelligence sources and platforms.

"I have observed an increase from historically less security mature organizations who are looking for purpose-built tools for aggregating, curating, managing and operationalizing threat intelligence," he said. "Even TIP vendors are marketing their integration with MISP to allow for a wider range of sharing capability."

The CompTIA ISAO works with public and private cybersecurity agencies and organizations to help its members raise the cybersecurity awareness of the global tech industry. The community of nearly 1,176 member companies shares best practices, cyber threat intelligence and educational content. In addition to cybersecurity intelligence data, CompTIA ISAO members receive full access to all other CompTIA corporate member benefits.

"We all hope that it will prevent an attack but more often than not it helps address an attack or vulnerability or recover and remediate an issue," Shoer said.

Collins said that issues related to the consumption and management of TI are more important than general information sharing.

"I believe the industry needs to have some introspection on the quality of intelligence vs sharing data for the sake of having a feed and claiming #tisharing," he said. "I have regular conversations with security leaders asking for better ways to consume and manage the intel they are getting because they are overwhelmed with data, have lots of false positives and are managing the indicators in a spreadsheet."

Collins said that companies and governments should look for ways to declassify or anonymize information to share important threats without putting national security at risk or revealing sensitive data.

"For example, no one outside of your organization needs or cares about an internal user name or machine name that is part of a file path, and you don't want to violate any privacy laws by exposing it," he said. "The vast majority of attacks are commodity in nature and a very small percentage are associated with sophisticated attacks carried out by a group targeting an organization."

Shoer said that he knows of only one CompTIA ISAO member that was hit by the attack, although a few members shut down their systems, as Kaseya recommended.

In addition to monitoring the threat landscape to warn members of potential problems, the ISAO also documents attacks so that members can learn from them.

As helpful as information sharing can be, exposing indicators or TTPs of an active attack can create more problems for other organizations dealing with the same adversary. Collins said it's a classic catch-22 situation.

"I know SecOps operators who were burned by security companies releasing indicators to the public and the adversary in their environment turned into a ghost," he said. "To get more out of the adversary you sometimes need to let them 'live' in an environment for a bit longer, yet they may be exfiltrating data from another company and their defenders or provider needs the intel to identify it and stop it."

This is where tools like MISP and threat intelligence platforms can present a method for sharing intel and often use a system similar to traffic light protocol, Collins said. This approach allows companies to choose what to share and who to share it with.
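As an added example (not code from this article, nor from CompTIA, Gartner or the MISP project), the following Python sketches the two ideas Collins raises above: stripping internal user and machine names out of file-path indicators before they leave the organization, and gating what is released by a Traffic Light Protocol label, the way MISP-style sharing communities do. The indicators, user names and host names are constructed for the example; the redaction patterns are an assumption about where such names usually appear in paths (Windows profile directories, Unix home directories and UNC share hosts). The labels are the TLP v1.0 set in use when the article was written.

```python
import re
from dataclasses import dataclass, field
from typing import List

# TLP v1.0 labels, least to most restrictive, as used in July 2021
# (TLP 2.0 later renamed WHITE to CLEAR). An audience cleared to a given
# label may receive that label and every less restrictive one.
TLP_LABELS = ("TLP:WHITE", "TLP:GREEN", "TLP:AMBER", "TLP:RED")

# Assumed locations of identifying names inside path indicators.
_WIN_USER = re.compile(r"(?i)([A-Z]:\\Users\\)[^\\]+")   # C:\Users\jsmith\...
_NIX_HOME = re.compile(r"(/(?:home|Users)/)[^/]+")       # /home/jsmith/...
_UNC_HOST = re.compile(r"(\\\\)[^\\]+")                  # \\FILESRV01\share\...


def sanitize_path(path: str) -> str:
    """Replace user and machine names embedded in a file-path indicator
    with placeholders, leaving the rest of the path (the useful part) intact."""
    path = _WIN_USER.sub(r"\1<USER>", path)
    path = _NIX_HOME.sub(r"\1<USER>", path)
    path = _UNC_HOST.sub(r"\1<HOST>", path)
    return path


@dataclass
class Indicator:
    ioc_type: str                 # "path", "sha256", "domain", ...
    value: str
    tlp: str = "TLP:AMBER"        # default: own organisation and clients only
    tags: List[str] = field(default_factory=list)


def releasable(indicators: List[Indicator], audience_tlp: str) -> List[Indicator]:
    """Return sanitized copies of the indicators that may be shared with an
    audience cleared to `audience_tlp`. More restrictive items are held back;
    the caller's list is never modified."""
    limit = TLP_LABELS.index(audience_tlp)
    out = []
    for ind in indicators:
        if TLP_LABELS.index(ind.tlp) > limit:
            continue  # labelled above the audience's clearance: do not release
        value = sanitize_path(ind.value) if ind.ioc_type == "path" else ind.value
        out.append(Indicator(ind.ioc_type, value, ind.tlp, list(ind.tags)))
    return out


# Constructed sample indicators; the hash is a dummy value, not a real IoC.
SAMPLE = [
    Indicator("path", r"C:\Users\jsmith\AppData\Local\Temp\sample.bin", "TLP:GREEN",
              ["constructed"]),
    Indicator("path", r"\\FILESRV01\backup\finance.xlsx", "TLP:RED", ["constructed"]),
    Indicator("sha256", "00" * 32, "TLP:WHITE", ["constructed", "dummy-hash"]),
]

if __name__ == "__main__":
    for audience in ("TLP:GREEN", "TLP:RED"):
        print(f"Release set for an audience cleared to {audience}:")
        for ind in releasable(SAMPLE, audience):
            print(f"  [{ind.tlp}] {ind.ioc_type}: {ind.value}")
```

Running the block shows that a GREEN community receives the WHITE hash and the GREEN path with the user name redacted, while the RED-labelled UNC indicator is held back; only a RED-cleared recipient sees it, and even then with the file server's name replaced. Redaction is applied regardless of label, since the sharing decision and the privacy decision are separate.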

Plan, practice and prepare

Shoer said he sees a need for more table-top exercises so that companies can spot potential weak spots and formulate a response plan.

"Part of the challenge is taking the time to have these plans in place and then testing them regularly," he said.

This planning should include a priority list for restoring services after an attack has been resolved.

"Companies should think about how to prioritize restoration, by company size, industry, or public impact?" he said. "Companies should be playing these scenarios out and validating plans and looking for the gaps."

Shoer also said he sees more interest in keeping certain types of data in an air-gapped storage format to avoid the risk of a ransomware attack taking down backups along with live systems.

"Having those backups away from targeted networks is really important, including things that people may not be thinking of, such as bank statements and cyber liability insurance policies," he said. "Bad actors get into a network, sniff out this stuff and then set the ransomware amount based on your bank balance."

CompTIA's Cybersecurity Advisory Council provides educational materials and tools to help small business owners understand the risk of ransomware.

CompTIA launched the ISAO in August 2020 to "serve as the focal point for dealing with cyber-threats to technology vendors, MSPs, solution providers, integrators, distributors and business technology consultants." The organization's origins are in an ISAO started by tech entrepreneur Arnie Bellini in August 2019 as part of ConnectWise, the business automation software company he co-founded. Bellini transferred management and operations of the organization to CompTIA in early 2020.

Ransomware has surged — Why the attacks are ‘going crazy right now’

Technology Editor

Ransomware cyberattacks have skyrocketed, and no part of the economy is safe. From infrastructure companies like Colonial Pipeline to meat producers like JBS to a huge attack linked to Russia just over the Fourth of July weekend, the attacks have escalated.

According to George Kurtz, CEO of cybersecurity firm CrowdStrike (CRWD), the company is seeing a “massive” increase in ransomware attacks. And they’re targeting everything from private businesses to government entities.

“Ransomware is going crazy right now. What we’ve seen at CrowdStrike, is...almost 50 attacks per week, targeted attacks,” Kurtz told Yahoo Finance. “And it’s only getting worse.”

The most recent high-profile attack saw IT remote management software maker Kaseya hit by a supply chain-style ransomware attack, which impacted as many as 1,500 businesses. The suspected group behind the attack, REvil, is seeking a $70 million ransom to call it off.

What’s turned ransomware from a nuisance crime that impacted everyday people via email scams to a national security-level threat? A new business model for cybercriminals, a lack of accountability on the parts of foreign governments, and plenty of money to go around.

Cybercriminals have created a dangerous business model

Cybercriminal gangs like REvil (which stands for Ransomware Evil) have a business model that allows them to contract out their ransomware to smaller gangs that launch attacks.

“They have an affiliate model where anybody who contributes to the successful ransomware payment gets a profit share in the ransom,” explained Liam O’Murchu, director of Symantec’s (AVGO) Security Response Group.

“They've got a lot of people in the cybercriminal underground, who want to help and want to participate in these attacks, and basically sucked the air out of all of the other economic models that were in the underground,” O’Murchu said. “This is the biggest game in town right now.”

Cybercriminals have also taken their attacks to a new level that forces companies to respond as quickly as possible. In a normal ransomware attack, criminals target victims’ computer systems by encrypting them and keeping them locked down until the victims pay a ransom for the digital keys to regain access to their files.

Photo: a worker heads into the JBS meatpacking plant in Greeley, Colo., Oct. 12, 2020. JBS was hit with a massive cyberattack that took its systems offline; the White House confirmed that Brazil-based meat processor JBS SA notified the U.S. government on Sunday, May 30, 2021, of a ransom demand from a criminal organization likely based in Russia. (AP Photo/David Zalubowski, File)

More recently, however, cybercriminals have added a new threat. Now in addition to locking down victims’ systems, they’ll exfiltrate sensitive data and threaten to release it online if the victims don’t pay up quickly.

It’s not just sensitive corporate information either, O’Murchu explained.

“Recently...a CEO of one of the companies that [cybercriminals] got into was having an affair with someone...and they leaked photographs of the person he was having the affair with,” he said. “They also get the phone numbers of the executives and they call them on the phone to put pressure on them.”

The ransoms are huge

Beyond a new business model and pressure tactics, cybercriminals are benefiting from huge wins in the amount they charge in ransom. In the instance of the Colonial Pipeline hack, the attackers got away with a $4.6 million ransom, though the U.S. recovered $2.3 million. JBS, meanwhile, paid $11 million, CNA Financial paid $40 million, and in the Kaseya attack, the hackers are seeking $70 million.

Those are massive numbers when you consider hackers were previously targeting individual consumers for hundreds or thousands of dollars. And as more companies pay exorbitant ransoms, more attacks will be launched.

“Attacks have been profitable, because people have been paying ransom,” NYU Tandon School of Engineering professor Justin Cappos explained. “So, effectively, if no one had ever paid ransom for ransomware, there would have been an initial sort of speculative thing where people were trying to do it and then it would have faded away.”

The government says companies should avoid paying ransoms, since it only invites more attacks. But there’s nothing to stop private businesses from paying up.

Legislation that forbids such transactions, however, could help put a stop to the ransomware outbreak.

“Let's say that [legislation] became nationwide and actually was enforced,” Cappos said. “Then that removes a lot of the economic incentive, because the attackers know there's a small, small chance they'll be paid, because an organization will have to find the money to do it, do it off the books, and face legal consequences if they did it.”

Cryptocurrencies have also facilitated anonymous payments, with hackers demanding ransoms in the form of bitcoin or ethereum. The rise in cryptocurrency prices, despite some pullbacks as of late, has made such currencies appealing for cybercriminals who want a big payday without being tracked.

Nations are turning a blind eye to criminal gangs

But cybercriminals can be tracked, and in the instance of gangs like REvil, they turn up in countries that either can’t or refuse to deal with them, such as Russia, China, or North Korea.

On Friday, President Joe Biden spoke with Russian President Vladimir Putin about the country’s inaction on ransomware gangs, and said the U.S. would respond if nothing is done.

“I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden said.

“And secondly, we’ve set up a means of communication now on a regular basis to be able to communicate with one another when each of us thinks something is happening in another country that affects the home country,” he said.

Asked if there would be consequences to further inaction, Biden said yes.

But until countries act to slow the spread of ransomware, the attacks will continue to haunt private companies and governments around the world.