Real-Time Prevention of the Kaseya VSA Supply Chain REvil Ransomware Attack

Attacks like this demonstrate the importance of real-time prevention that leverages zero trust at the endpoint rather than relying on signatures. As shown in the first screenshot, all components of this attack are signed. This attacker is adept at abusing the implicit trust given to signed processes so their attacks can progress in target environments. Furthermore, detection-centric technology, like EDR, cannot be relied on when malicious activity is present on servers. The attacker is simply too close to their final goal for it to make sense to rely on reactive remediation through human intervention.

Morphisec Keep is built to deal with evasive threats like this automatically, in real time, and without prior knowledge of the attack. Through Morphisec Keep, you can extend your zero-trust strategy beyond identity and the network so that attacks like this one, where the supply chain is compromised, can still be prevented when they can land on the endpoint and make their way into the process memory.

Written by Morphisec Labs | July 5, 2021

https://blog-morphisec-com.cdn.ampproject.org/c/s/blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack?hs_amp=true

Why Some Cyber Criminals Are Ditching Bitcoin for a Cryptocurrency Called Monero

While bitcoin still dominates ransomware demands, more threat actors are starting to ask for monero, according to Marc Grens, president of DigitalMint, a company that helps corporate victims pay ransoms. Monero is considered more of a privacy token and allows cyber criminals greater freedom from some of the tracking tools and mechanisms that the bitcoin blockchain offers.

When the FBI successfully breached a crypto wallet held by the Colonial Pipeline hackers by following the money trail on bitcoin’s blockchain, it was a wake-up call for any cyber criminals who thought transacting in cryptocurrency automatically protected them from scrutiny. One of the core tenets of bitcoin is that its public ledger, which stores all token transactions in its history, is visible to everyone. This is why more hackers are turning to coins like dash, zcash, and monero, which have additional anonymity built into them. Monero, in particular, is increasingly the cryptocurrency of choice for the world’s top ransomware criminals.

“The more savvy criminals are using monero,” said Rick Holland, chief information security officer at Digital Shadows, a cyberthreat intelligence company.

Created in 2014

Monero was released in 2014 by a consortium of developers, many of whom chose to remain anonymous. As spelled out in its white paper, “privacy and anonymity” are the most important aspects of this digital currency. The privacy token operates on its own blockchain, which hides virtually all transaction details. The identity of the sender and recipient, as well as the transaction amount itself, are disguised. Because of these anonymity features, monero allows cyber criminals greater freedom from some of the tracking tools and mechanisms that the bitcoin blockchain offers.

“On the bitcoin blockchain, you can see what wallet address transacted, how many bitcoin, where it came from, where it’s going,” explained Fred Thiel, former chairman of Ultimaco, one of the largest cryptography companies in Europe, which has worked with Microsoft, Google and others on post-quantum encryption. “With monero, [the blockchain] obfuscates the wallet address, the amount of the transactions, who the counter-party was, which is pretty much exactly what the bad actors want,” he said.

“We’ve seen REvil…give discounts or request payments in monero, just in the past couple months,” continued Holland. Monero was also a popular choice on AlphaBay, a massive underground marketplace popular up until it was shut down in 2017. “It’s almost like we’re seeing, at least from a cyber criminal perspective, a resurgence…in monero, because it has inherently more privacy than some of the other coins out there,” Holland said of monero’s recent rise in popularity among actors in the ransomware space.

Monero’s limitations

There are, however, a few major barriers when it comes to the mainstreaming of monero. For one, it’s not as liquid as other cryptocurrencies — many regulated exchanges have chosen not to list it due to regulatory concerns, explained Mati Greenspan, portfolio manager and Quantum Economics founder. “It certainly isn’t enjoying as much from the recent wave of institutional investments,” he said.

In practice, that means that it’s harder for cyber criminals to get paid directly in the currency. “If you’re a corporation and you want to acquire a bunch of monero to pay somebody, it’s very hard to do,” Thiel told CNBC.

The digital currency could also be more vulnerable to regulation at its on-and-off-ramps, which is the bridge between fiat cash and crypto tokens. “I would wager to say the U.S. and other regulators are going to shut them [monero] down pretty hard,” said Thiel. One way they could go about that: telling an exchange that if they list monero, they risk losing their license.

But while the U.S. government can indeed keep monero at bay by marginalizing liquidity points, Castle Island Ventures founding partner Nic Carter believes that markets which allow peer-to-peer transfers of monero to fiat will always be hard to regulate. There’s also nothing to keep hackers within U.S. jurisdiction. Criminals could easily choose to carry out all of their transactions overseas, in places that aren’t subject to the kind of controls American regulators might put in place.

Bitcoin still rules ransomware

Cyber insurance is another reason why bitcoin is still the currency of choice for most ransomware attacks. “Insurance is so important in this space, and insurers often refuse to reimburse a ransom payment if it’s been in monero,” said former CIA case officer Peter Marta, who now advises companies about cyber risk management as a partner with law firm Hogan Lovells.

“One of the things that insurers will always ask for is what type of due diligence the victim company conducted, before making the payment…to try to minimize the chance that the payment goes to an entity on the sanctions list,” explained Marta.

Traceability is more easily accomplished with bitcoin, given that its blockchain lays bare transaction amounts and the addresses of both the sender and recipients taking part in the exchange. There is also an established infrastructure already in place for officials to monitor these transactions. Authorities keep lists of bitcoin wallets, which are tied to different sanctions regimes.

While monero does offer a greater degree of privacy over bitcoin, Holland points out that threat actors have mastered certain techniques to anonymize transactions in bitcoin, in order to obscure the chain of custody. He says that cyber criminals often turn to a mixing or tumbling service, where they can combine the illicit funds with clean crypto to essentially make a new type of bitcoin, at which point, they turn to currency swaps.

“Just like you would do dollars to pounds…they may go bitcoin, to monero, then back to bitcoin, and then get a bitcoin ATM card, where they can just cash out dollars with it,” explained Holland. So even though bitcoin’s blockchain is public, there are still ways to make it difficult for investigators to trace transactions to their ultimate destination.


A ‘Colossal’ Ransomware Attack Hits Hundreds Of U.S. Companies, A Security Firm Says

REvil, a Russian-affiliated hacker group, has infected some 200 companies with ransomware. The incident is a supply chain attack that may have started at Kaseya, a supplier of management software. Customers using a product to remotely manage computers and mobile devices are advised to disable the program.


Overview of security incidents from June 26 to July 2, 2021

New attacks by hackers who hacked SolarWinds, data leaks of hundreds of millions of users, attacks with the exploitation of critical vulnerabilities in the Windows print spooler service and Cisco ASA, secret documents of the UK Department of Defense forgotten at a bus stop…


Kaseya VSA Users Hit by Ransomware, (Fri, Jul 2nd)

We are aware that some MSSPs’ customers (Managed Security Services Providers) have been hit by ransomware. It seems that four (4) MSSPs have been affected so far. The ransomware was spread through the remote management solution “VSA” provided by Kaseya[1]. This looks to be a brand new type of supply chain attack. What do we know so far? […]


XKEYSCORE Spy Program Revealed by Snowden Still a Problem

The US Civil Liberties Oversight Board presented to the government the results of an investigation into XKEYSCORE late last year. The Privacy and Civil Liberties Oversight Board (PCLOB) has conducted a classified investigation into the government’s surveillance program XKEYSCORE, but one of the investigators disagrees. Through the XKEYSCORE program, the US National Security Agency analyzed […]


Hackers tried to poison California water supply in major cyberattack

On January 15 this year, a hacker tried to poison the water at a water treatment plant that serves part of the San Francisco Bay Area. According to NBC News, which obtained a report from the Northern California Regional Intelligence Center, the attacker gained access…
