Kaseya patches imminent after zero-day exploits
The worldwide attacks on the Kaseya Virtual System/Server Administrator (VSA) platform by the REvil ransomware gang turn out to be the result of exploits for at least one zero-day security vulnerability, and the company is in full mitigation mode, with patches for the on-premises version expected soon, likely today or Thursday, the company said. “The VSA server is used to manage large fleets of computers and is normally used by MSPs to manage all their clients,” explained researchers at TruSec. Kaseya has stated that while customers wait for patches, all on-premises VSA servers should remain offline until Kaseya gives further instructions on when it is safe to restore operations, as the patch must be installed before the VSA is restarted. They add, “customers who experienced ransomware and receive communication from the attackers should not click on any links as they may be weaponized.”
REvil lowers ransom for universal decryptor
REvil has lowered its asking price for a universal decryptor for victims of the Kaseya attack from $70 million to $50 million. According to researcher Jack Cable, this may be a sign of desperation from the gang, with few victims willing or able to pay. This, he says, would also explain why the gang is now accepting payment in Bitcoin in addition to Monero, since Bitcoin is easier to track and the gang would normally avoid it. According to Threatpost, some impacted companies are already turning to individual negotiations with REvil, with some ransoms being negotiated down from $500,000 to less than $50,000.
Researchers find new ransomware variant “Diavol”
Security researchers from Fortinet discovered a new ransomware dubbed Diavol that has been targeting organizations globally since June 2021. While it appears to be a new ransomware family rather than a variant of an existing one, the researchers identified code fingerprints pointing to Wizard Spider, the Russia-based cybercriminal group that operates the Trickbot botnet. Diavol leverages Asynchronous Procedure Calls (APCs) with a unique encryption procedure, dropping a ransom note in every folder it encrypts. While Diavol does not use any tactics to evade security detections, the researchers found an anti-analysis technique the group uses to disguise its code.
Pentagon cancels $10 billion JEDI cloud contract that Amazon and Microsoft were fighting over
The Department of Defense announced Tuesday that it is calling off the $10 billion Joint Enterprise Defense Infrastructure cloud contract that was the subject of a legal battle involving Amazon and Microsoft. In a press release sent yesterday, the Pentagon said that “due to evolving requirements, increased cloud conversancy, and industry advances, the JEDI Cloud contract no longer meets its needs.” The Pentagon did say, however, that it still needs enterprise-scale cloud capability, and announced a new multi-vendor contract known as the Joint Warfighter Cloud Capability. It plans to solicit proposals from both Amazon and Microsoft for this contract, adding that they are the only cloud service providers that can currently meet its needs, but said it will continue market research to see whether others could also meet its specifications.
Thanks to our episode sponsor, Viakoo
Audacity denies spyware accusation
Microsoft 365 to let SecOps lock hacked Active Directory accounts
Microsoft is updating Microsoft Defender for Identity (previously known as Azure Advanced Threat Protection or Azure ATP) to allow security operations teams to contain attacks by locking a compromised user’s Active Directory account. After adding what the company calls “native ‘response’ actions” to Defender for Identity, “SecOps will have the ability to not only lock the Active Directory account, but also prompt for the password to be reset, meaning more direct action can be taken when a user is compromised.”
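For teams that do not have the new response actions yet, the same containment step can be done by hand with the ActiveDirectory PowerShell module on a domain-joined admin host. The block below is an added example written for this page, not Microsoft's or Defender for Identity's code: it disables the account, resets the password to a random value so any cached credential or captured hash stops working, and flags the account so the user must set a new password when it is re-enabled. The account name `jdoe` and the `Contain-CompromisedADUser` function name are assumptions for illustration.

```powershell
# Added example: manual equivalent of the "lock account + prompt password reset"
# response action. Requires RSAT / the ActiveDirectory module and rights to
# disable and reset the target user. Not code from the original article.
Import-Module ActiveDirectory

function Contain-CompromisedADUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties Enabled, PasswordLastSet, LastLogonDate, PasswordNeverExpires

    # Capture state before acting; useful for the incident timeline.
    $before = [pscustomobject]@{
        Account         = $user.SamAccountName
        Enabled         = $user.Enabled
        PasswordLastSet = $user.PasswordLastSet
        LastLogonDate   = $user.LastLogonDate
    }

    if ($PSCmdlet.ShouldProcess($SamAccountName, "disable account and reset password")) {
        # 1. Stop new interactive and network logons.
        Disable-ADAccount -Identity $user

        # 2. Replace the password with 32 random bytes (base64) so a stolen
        #    password or NTLM hash no longer authenticates. The value is never
        #    shown; the user gets a fresh one from the helpdesk on recovery.
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

        # 3. Force a password change at next logon. AD rejects this flag while
        #    "password never expires" is set, so clear that first if present.
        if ($user.PasswordNeverExpires) {
            Set-ADUser -Identity $user -PasswordNeverExpires $false
        }
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    }

    $after = Get-ADUser -Identity $SamAccountName -Properties Enabled, PasswordLastSet
    [pscustomobject]@{
        Before  = $before
        Enabled = $after.Enabled
        PasswordLastSet = $after.PasswordLastSet
    }
}

# Usage (assumed account name): dry run first, then for real.
Contain-CompromisedADUser -SamAccountName 'jdoe' -WhatIf
Contain-CompromisedADUser -SamAccountName 'jdoe'
```

Disabling the account and resetting the password do not tear down sessions that are already authenticated; existing Kerberos service tickets and open logon sessions stay usable until they expire or the host is logged off, so host isolation or a forced logoff is still needed for a live intrusion.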
Facebook partners with Liquid to extend Africa fiber network
Facebook Inc. and Africa’s largest fiber company, Liquid Intelligent Technologies, are extending their reach on the continent by laying 1,243 miles of fiber in the Democratic Republic of Congo. The move will make Facebook one of the biggest investors in fiber networks in the region. The cable will eventually extend the reach of 2Africa, a major sub-sea line that was also co-developed by Facebook, the two companies said in a statement Monday. Facebook switched to a predominantly fiber strategy following the failed launch of a satellite intended to beam signal around the continent in 2016. The build will put 5,000 people to work on the project, the companies said.
Interpol arrests Moroccan hacker
A two-year investigation has culminated in the arrest of a threat actor, a Moroccan citizen nicknamed Dr HeX, who is allegedly responsible for targeting thousands of victims over several years and staging malware attacks on telecom companies, major banks, and multinational corporations in France as part of a global phishing and credit card fraud scheme. At least three different phishing kits believed to have been developed by the threat actor have been recovered; the kits were also sold to other individuals through online forums, allowing them to run similar malicious campaigns against victims. His arrest ends a crime spree that started in 2009.