The Biden administration has told the Russian government to disrupt ransomware groups operating within its borders, per a White House statement.
CISA has released an analysis of its Risk and Vulnerability Assessment program for fiscal year 2020. It looks at the top findings from the assessments it has done and maps them to MITRE's ATT&CK framework.
Palo Alto's Unit 42 has analyzed REvil's tactics and found them to be quite basic: phishing, credential stuffing against exposed RDP servers, and so on. They show that advanced techniques are not needed when the easy ones still work.
Speaking of REvil, Kaseya has released the security update for its VSA product and restored its SaaS offering. That said, a six-year-old flaw has surfaced that is still present, per KrebsOnSecurity. Also of note: Bloomberg is reporting that Kaseya executives were informed of critical issues between 2017 and 2020, and that multiple staff either quit or were fired over the inaction.
And speaking of ransoms, two new trends appear in KELA's threat intelligence study of ransomware-as-a-service. First, one-man-band operations have almost "completely dissolved" because the business is so lucrative. And second, a growing area of recruitment is negotiators, the people who pressure victims into paying the ransom.
And revisiting old topics: SolarWinds itself has a new zero-day, this time in its Serv-U Managed File Transfer and Serv-U Secure FTP products, used by a single threat actor against "a limited, targeted set of customers".
China's cyberspace regulator has announced that any company with more than 1 million users must go through a security review before offering shares overseas. The goal is to prevent foreign listings from becoming an avenue for foreign government influence over the companies, and through them into China.
Jack Cable of the Krebs Stamos Group has launched a new tool that tracks ransomware payments, called Ransomwhere.
Also newly launched: New York City has become the first major city to open a real-time operations center to protect against cybersecurity threats. It brings together 292 members sharing intelligence, including the NYPD, Amazon, IBM, the Federal Reserve Bank, and others. For the previous two years the effort was entirely virtual.
And on people: KnowBe4 says 1 in 3 employees are likely to fall for a phishing scam.
Why do we care?
A growing trend is the elimination of the one-man operation. So ransomware is ahead of IT services, a space that seems a long way from eliminating one-man operations.
I will comment directly on those employee reports. It's my observation that there is almost always a story afterwards about employees having warned executives about what happened. That's not the story. The story SHOULD be how executives are not incentivized to prioritize security. And providers are the ones who should be asking that question of the vendor.
On China, this is important: while Russia is generally thought to host the bulk of threat actors, China is of note too, and it is moving on its own data security regulations. On the surface it's financially driven, but there would be real irony if China has data protection rules far sooner than the US does.