Kaseya VSA Exploit POC - Authentication Bypass, Arbitrary File Upload & Command Injection
POC created by Caleb Stewart which reproduces the 2 July 2021 #REvil #ransomware attack against 30+ Managed Service Providers (MSP). In this demo, we demonstrate how a simple command can be run or a Meterpreter payload from MSFVenom can be uploaded and executed.
The Kaseya ransomware case continues #ransomware groups' abuse of trust
https://blog.f-secure.com/the-kaseya-ransomware-case-continues-ransomware-groups-abuse-of-trust/
Cyber attacks suffered by government administrations, local authorities, businesses, individuals and others keep increasing. Faced with this phenomenon, which affects not only #France but every country, the sub-directorate in charge of insurers at the Directorate General of the Treasury (direction générale du Trésor Public) has therefore set up a working group. The aim of this working group will be to build a cyber insurance offering suited to the needs of the #économie and to the resilience challenges at stake. An action plan will be presented in early 2022. #france #assurances #informatique #cyber #threats #ransomware
(fr) The bitcoin.org website was the target of an « absolutely massive » #DDoS attack. Unreachable for hours, bitcoin.org then received a ransom demand of half a #Bitcoin, approximately 14,000 €. (en) bitcoin.org, one of the first bitcoin-related websites, was the target of a major #ransomware assault. It was attacked with a DDoS assault, and the hackers wanted 0.5 Bitcoin as a ransom.
Russian government hackers APT29 breached the computer systems of the Republican National Committee last week, around the time a Russia-linked criminal group unleashed a massive #ransomware attack.
#Ransomware statistics for 2021 : Q2 report
https://blog.emsisoft.com/en/38864/ransomware-statistics-for-2021-q2-report/
What led to « bags of gas ? » #Ransomware puts the #US's failings in #cyber security policy on full display.
https://www.linkedin.com/pulse/what-led-bags-gas-ransomware-puts-uss-failings-policy-alice-albl/
At least five Australian MSPs, 300 customer sites hit in Kaseya #ransomware attack
#Ransomware : June 2021, between dashed hopes and new threats
CYBERCRIME : THIRD REPORT OF THE OBSERVATORY FUNCTION ON ENCRYPTION
People in the EU are becoming increasingly worried about security online, as well as about rising exposure to hate speech, other abusive and criminal behaviour, and use of encryption as a weapon in the form of #ransomware. Law enforcement continues to argue that important parts of the #digital world are « going dark », and that there is a need for reliable and sufficiently rapid and scalable ways to access plaintext (decrypted data and messages).
This 3rd report of the Observatory Function on encryption builds on previous reports and looks at the relevant technical and legislative developments, revisiting some topics that deserved further consideration. In the interim between this and previous reports, there have only been a few developments in European Union (EU) Member States' national legal regimes to incorporate new provisions that tackle the challenge of encryption in criminal investigations. These new approaches can be categorised into two distinct parts: one deals with tools that directly tackle encryption, and the other category provides for tools to gain access to content before it is encrypted or after it is decrypted, bypassing encryption altogether. This is further underpinned by jurisprudence that exemplifies the use of the provisions mentioned. Insights are shared on encryption in the context of cross-border cases. #europe #informatique
World-leading chemical distribution company Brenntag has shared additional info on what data was stolen from its network by #DarkSide #ransomware operators during an attack from late April 2021 that targeted its North America division. The chemical distribution company is headquartered in Germany and has more than 17,000 employees worldwide at over 670 sites. The data exfiltrated by the DarkSide attackers includes « Social Security Number, Date of Birth, driver's license number and select medical information ». The chemical distributor paid a $4.4 million ransom to DarkSide for a decryptor and to prevent the ransomware gang from leaking the stolen data.
After talking to Kaseya we can now give the background story on who found the 0-day and how we collaborated with them to cope with the current Kaseya VSA #ransomware attacks. It's time to be a bit more clear on our role in this incident. First things first, yes, Wietse Boonstra, a DIVD researcher, has previously identified a number of the 0-day vulnerabilities [CVE-2021-30116] which are currently being used in the ransomware attacks. And yes, we have reported these vulnerabilities to Kaseya under responsible disclosure guidelines.
It was probably inevitable that the two dominant #cybersecurity threats of the day - #supply #chain attacks and ransomware - would combine to wreak havoc.
« This is SolarWinds, but with ransomware » (Brett Callow, Threat Analyst at Emsisoft )
Attackers have been able to distribute their #malware bundle to MSPs, which includes the #ransomware itself as well as a copy of #Windows Defender and an expired but legitimately signed certificate that has not yet been revoked. #wormable
https://www.wired.com/story/kaseya-supply-chain-ransomware-attack-msps/
Michigan Public School District's #ransomware attack results in IT and phone systems disruption - FBI assisting Monroe schools in #cyber attack
#Cyber reinsurance rates are skyrocketing due to a spate of devastating #ransomware attacks on major companies
A new #Windows ransomware family : Diavol
https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider
200 businesses have been hit by #ransomware attacks following an incident at #US IT firm Kaseya in Miami #REvil
#supply #chain attack : the #REvil ransomware gang appears to have gained access to the infrastructure of Kaseya, a provider of remote #management #solutions, and is using a malicious #update for the VSA #software to deploy ransomware on #enterprise #networks. The malicious Kaseya update is reaching VSA on-premise servers, from where, using the internal scripting engine, the #ransomware is deployed to all connected client systems. This incident is believed to have impacted thousands of companies across the world.
https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
The city of Villepinte confronted with the #Grief #ransomware
sc(r)apy | full metal packets