World's Single-Biggest Ransomware Attack Hit 'Thousands' in 17 Countries (apnews.com)
It's now being called "the single biggest global ransomware attack on record," with thousands of victims in at least 17 different countries breached with ransomware Friday, reports the Associated Press, citing new details provided by cybersecurity researchers.
An affiliate of the Russia-linked gang REvil deployed the ransomware "largely through firms that remotely manage IT infrastructure for multiple customers." A broad array of businesses and public agencies were hit by the latest attack, apparently on all continents, including in financial services, travel and leisure and the public sector — though few large companies, the cybersecurity firm Sophos reported... The Swedish grocery chain Coop said most of its 800 stores would be closed for a second day Sunday because their cash register software supplier was crippled. A Swedish pharmacy chain, gas station chain, the state railway and public broadcaster SVT were also hit. In Germany, an unnamed IT services company told authorities several thousand of its customers were compromised, the news agency dpa reported...
CEO Fred Voccola of the breached software company, Kaseya, estimated the victim number in the low thousands, mostly small businesses like "dental practices, architecture firms, plastic surgery centers, libraries, things like that." Voccola said in an interview that only between 50-60 of the company's 37,000 customers were compromised. But 70% were managed service providers who use the company's hacked VSA software to manage multiple customers. It automates the installation of software and security updates and manages backups and other vital tasks...
Dutch researchers said they alerted Miami-based Kaseya to the breach and said the criminals used a "zero day," the industry term for a previously unknown security hole in software. Voccola would not confirm that or offer details of the breach — except to say that it was not phishing. "The level of sophistication here was extraordinary," he said. When the cybersecurity firm Mandiant finishes its investigation, Voccola said he is confident it will show that the criminals didn't just violate Kaseya code in breaking into his network but also exploited vulnerabilities in third-party software...
Kaseya, which called on customers Friday to shut down their VSA servers immediately, said Sunday it hoped to have a patch in the next few days.
The attacks may have been timed to exploit America's three-day weekend celebrating the nation's founding, according to experts interviewed by the Associated Press. America's National Security advisor is now urging all who believed they were compromised to alert the FBI.
"The attack comes less than a month after Biden pressed Russian President Vladimir Putin to stop providing safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the U.S. deems a national security threat."
UPDATE: Bleeping Computer notes the exploited vulnerability "had been previously disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure (DIVD), and Kaseya was validating the patch before they rolled it out to customers."
In a statement today, DIVD posted that "During the last 48 hours, the number of Kaseya VSA instances that are reachable from the internet has dropped from over 2,200 to less than 140 in our last scan today... A good demonstration of how a cooperative network of security-minded organizations can be very effective during a nasty crisis."
Software companies that are not competent? (Score:2)
A quote from the Slashdot story:
"The Swedish grocery chain Coop said most of its 800 stores would be closed for a second day Sunday because their cash register software supplier was crippled."
It would certainly be easy to write cash register software so that data could not possibly be corrupted.
The quality of the news reporting is very poor. T
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Yet they maintain cleaners etc. even if cleaning is not their core business.
Re: (Score:3)
Which means they were cost cutting to the 'cloud'....
This is the predictable (and widely predicted) outcome of aggregating a lot of companies' business operations to a large, common provider. The large, common provider becomes a large, common target for attacks just like these.
Cloud Computing is the most dangerous thing to happen to computing since the worldwide infection of computing hardware with the "Windows" virus.
Re: (Score:3)
Indeed. One reason why you have to have your own competent IT experts is because otherwise you are incompetent as a buyer!
Re:Software companies that are not competent? (Score:5, Interesting)
In the biological world, this idea of one company like Kaseya looking after everything would be considered crazy. I'm told by veterinarian friends that Western countries ban a single supplier owning the food chain (farms, slaughterhouses, storage, delivery etc etc) because pathogens will only face one enemy. That is, the single supplier will employ the same sanitation techniques everywhere from farm to kitchen table for reasons of efficiency. This favors the pathogen that happens to be the most resistant to them.
The same natural selection process is true in the digital world.
"The quality of the news reporting is very poor"
People want simple stories simply told. Anybody who works in IT security knows that attribution is incredibly hard and often impossible. This is why you find wording that comes with plausible deniability. From the Slashdot blurb: "An affiliate of the Russia-linked gang..." How freakin' vague can you be? But for the average Jo Schmo who knows nothing about the industry and the people who are trying to sell their services to CEOs, this is all that's needed.
Re: (Score:2)
Really sounds hard to me. Well if you want up to date prices, inventory management, etc you need to talk to a server, if that server goes down you are now stuck. Sure you could keep local copies until it comes back up, but that is extra development, and testing, time to market. Even then what if the server, or cash register sends malicious data, e.g. changes prices of items, how does the cash register know. A simple cash register where the staff enter the price, or the prices are loaded should be quite safe
Make paying ransoms illegal FFS (Score:5, Insightful)
Re:Make paying ransoms COMPULSORY (Score:3, Insightful)
These gangs are doing us all a favour. They are highlighting our sloppy security and focusing CEOs on fixing it.
If there is ever serious trouble with China, these ransoms will be insignificant compared to the damage a well funded malicious state could do.
Re: (Score:2)
This Corona Virus is doing us a favor. It's highlighting our sloppy emergency planning and focusing politicians on fighting about election laws and not fixing anything.
I don't know. I personally find it hard to be a cheerleader for cyberterrorists or argue in favor of cybercrime with the tired "that which does not kill you makes you stronger" theology.
Re: (Score:3)
Depends who you think the biggest suspects are. For me, computer security companies are always going to be the number one suspects. Either companies doing badly, companies set up specifically to do that and operating at a loss to gain customers. Companies attacking the customers of their competitors to get them to change security systems suppliers. Companies looking to spur demand. Companies contracting to business. Companies interested in insider trading, steal data to trade ahead of the market at a profit
Re: (Score:2)
Number one suspects should always be computer security companies, size not an indicator of honesty. Especially going forward. To be one in the USA they should be forced to register with say the DHS and be audited for security fitness and personnel on a regular basis because of the amount of harm they can cause.
Your paranoia is breathtaking - I wish I didn't find it so damned plausible.
Unfortunately, when your mistrust reaches that level, how can you trust even government agencies? I guess none of them has ever been caught fomenting havoc and false-flagging in order to advance their own agendas? Oh, wait...
Re: (Score:2)
Re: Make paying ransoms COMPULSORY (Score:2)
" randomware insurance these days."
Good, I'm tired of programs that crash and act up in random, unpredictable ways.
Guess how fire safety happened (Score:2)
The electrical infrastructure in your building is pretty safe, FAR safer than it was several decades ago. Your house and your office comply with fire codes, which have vastly improved fire safety.
Electrical and fire safety is driven primarily by two organizations. UL, which tests, certifies, and lists electrical products. You don't put anything into the electrical system of a building until it's tested by UL. UL stands for Underwriters Laboratories. Underwriters means insurance companies. The insurance comp
Re: Make paying ransoms illegal FFS (Score:3)
Re: (Score:2)
Erh... that's essentially what the GP suggests. The gubment makes it illegal for you to pay the ransom.
Be afraid, your wish may be granted...
Re: Make paying ransoms illegal FFS (Score:2)
Wait until the ransomware moves to 'autopay'. So you lose your money, your data is likely still locked up, and you get to bunk with Bubba.
The "tough on crime" morons are creaming their pants more than the hackers over the thought of this.
Re: (Score:3)
As long as you keep paying, people will get ransomed.
Going to take quite a bit of effort with international law change when you consider the planet has been outsourced to the planet.
And making this illegal in one country, would tend to make it a different type of target with a spotlight on it; the kind of target you want to permanently destroy.
Changing business behavior with regards to risk mitigation, is about as easy as convincing a CEO that good insourced IT staff, are worth it. Hell, we can't even get people to do backups properly, highlighted by the su
Re: (Score:2)
Someone will always pay. It's a complete fantasy that if people stopped paying that this crime will disappear. In other news 99.999% of people don't send Nigerian princes any money either.
Demonstration (Score:5, Interesting)
In a statement today, DIVD posted that "During the last 48 hours, the number of Kaseya VSA instances that are reachable from the internet has dropped from over 2,200 to less than 140 in our last scan today... A good demonstration of how a cooperative network of security-minded organizations can be very effective during a nasty crisis."
Or more likely a demonstration of what happens when devices are compromised and hit with ransomware - they go offline.
Re: (Score:2)
My thought as well. These installations will have been switched off in an attempt to close the barn door after the horse has bolted. (Still the right thing to do.)
Re: (Score:2)
Most likely not intentionally switched off, just down because the ransomware has broken them.
Re: (Score:2)
Most likely not intentionally switched off, just down because the ransomware has broken them.
Probably a mix of both.
Well, that's what you get (Score:5, Insightful)
Security costs money and doesn't bring in any. Guess what gets skimped on.
The state of IT security in most companies is, in one word, shoddy. In a less nice word, utter crap. And we're not just talking about any companies where you could say "yeah, how should they know?" because security isn't exactly their core business. I do penetration tests for a living. Mostly in the vicinity of finance and banking software. You'd think that software and appliances in this field are built with security in mind, right?
Without breaking NDAs, because I sure as hell am not going to tell a huge secret here: HA!
Security is treated as sunk cost, which is to be avoided. Security is that pesky, useless thing we have to do to appease some laws or regulations, or something we have to pretend to have so we can do business with certain companies like card payment systems. Here it's mostly a game for lawyers to figure out how to do the least amount of work to fulfill that requirement or be compliant, to get that check in the all-important box to be checked off for another year. We have to do pentests for compliance? Ok, but it doesn't say how in-depth they have to be, right? Yeah, well, then you have a week to test an appliance that runs pretty much our complete core system. Anything more would mean you could actually find something which would mean that we'd have to fix it, and that again costs money!
I have to admit, I enjoy this. I really do. I enjoy watching those fuckers soak in their own sweat now because the shit finally did hit the fan. Even though I already know who gets the blame. After all, you did do a pentest of it, why didn't you find it?
And no, "because you gave me 3 days for a 3-week job" isn't the answer they want to hear.
Re: (Score:3)
Yes, and one question. Whilst it isn't practical/possible to prove code is correct, and so everything has holes/zero days, are we as an industry just producing a lot of crap full of bugs which could have been prevented with care and effort? And then companies run their systems with equally bad negligence? I.e. is it that the technology -- writing code -- is inherently imperfect and always will be, or is it that we're just too damned negligent, and systems aren't 90% correct but barely 5% correct?
Re: (Score:2)
Pay peanuts, get monkeys.
If you want bespoke software development but are unwilling to pay more than 4 digits for it, don't expect it to be made by people who can do more than copy/paste from Stackexchange, usually without even having the foggiest idea why the code they just cribbed does what it should. But it compiles, ship it.
Re: (Score:2)
Pay peanuts, get monkeys.
If you want bespoke software development but are unwilling to pay more than 4 digits for it, don't expect it to be made by people who can do more than copy/paste from Stackexchange, usually without even having the foggiest idea why the code they just cribbed does what it should. But it compiles, ship it.
Indeed. Also the state of IT qualifications is to blame as well. If these people were required to be actual engineers (expensive), they would be liable if they screw up too badly. We need that. All other tech fields have it, because anything else is hugely expensive in the long run.
Re: (Score:2)
I don't disagree conceptually with the idea of requiring more actual engineering qualifications for software development.
However, the economist in me wonders how much more expensive *everything* would be if we did require it. One part of the increased expense would be the software itself -- from covering the increased labor cost to just more expensive development cycles, as better engineering takes more time and testing. The other would probably be just less software period, as the increased costs would
Re: (Score:2)
You pay for that one way or another. Either your engineers or your blackmailer.
Re: (Score:2)
Something people here are forgetting: these aren't random failures, they were the result of someone expending considerable effort to cause a failure. How long do you suppose your house will resist a determined attempt at unauthorized entry? How about your car? If you had to define "grand theft auto" for your local police when making a report and they weren't really sure what a car is, how long do you think it would last in the parking lot when you go to work? Would the best solution to that situation really
Re: (Score:2)
Well, the question is valid, but _all_ other engineering fields have gone that way and that is essentially because it is the cheapest version if you have a bit of a strategic view. And there are fields that produce things that are as complex. If you cannot rely on technology to work as expected, that comes with significant cost too. Sure, engineers still screw up occasionally and also get overruled by management occasionally (see, e.g. the Challenger catastrophe for a nice example of that). But non-engineer
Re: (Score:2)
Pay peanuts, get monkeys.
This must explain the issues with code from Microsoft [theverge.com], and Cisco [securityweek.com], and Adobe [securezoo.com], and Broadcom [arstechnica.com], to name just a few. They pay their programmers peanuts.
At least Linux has an excuse [theregister.com]. They don't pay anyone.
Re: (Score:2)
With these companies, the root cause is actually something else. Mostly rooted in ancient code that must not be touched by mortal hands, lest they could break something where the last person who actually had at least heard of the person who originally wrote it left the company about a decade ago and the documentation is curiously lacking.
Also, please add management requests that a certain feature (or antitrust bullcrap) has to be baked into the software, preferably a day before shipping.
Re: (Score:3)
From what I have seen salary has very little to do with it. It is the constant drive to get features out the door, and the fear of making any major change because the terrible code that you previously wrote may break, because it was written with the attitude of getting features out the door. Code quality and invisible features like security are always the first to go because customers don't see them.
I know that you have to balance features with quality but that balance is weighted far too much on the "oh look, sh
Re: (Score:3)
The problem is that code is not produced by engineers. In all other tech-fields, producing any custom design always comes with a requirement of "engineer", unless there is no risk of it doing real damage. Engineers do not only understand their field, they believe deeply in redundancy. And redundancy works for software as well. It is usually called "defense in depth", and it means things like doing privilege-separation with careful input validation and privilege reduction in all components for _any_ internet
Re: (Score:2)
A lot of these bugs won't be found by normal code analysis means. No compiler warnings, static analysis says it's okay, passes all unit tests etc.
It needs someone skilled in finding these flaws, who knows how to fuzz an interface and how to exploit a tiny crack to open the whole thing wide up. Such people are expensive and in very limited supply and most companies don't even know that they need one. Others just set up a paltry bug bounty and hope someone will do the work for free.
All construction workers, no engineers (Score:2)
If you're going to build any kind of physical structure, such as a building or a bridge, a number of different people are involved. The architect and engineer design the building. For a large one, they may consult with specialists in particular fields.
Then the contractors manage the project, making sure things are done in the proper order, the right information and supplies get to the right people at the right time, etc.
Master electricians, master carpenters, etc supervise the laying of wires and all the d
Re: (Score:2)
I honestly don't know how many people there are with my particular skills set. But judging from my paycheck I dare say that the combination of IT security, finance and law seems to be rare.
The thing is, though, that this is not required for most jobs out there, and you don't need to be a master electrician to build a safe and secure electrical setup for a house. There are appliances that you can use and treat as black boxes that pretty much deal with the "dangerous" parts of electricity, all you have to do
Yep, there is no UL-listing for software (Score:2)
With electrical equipment, the manufacturer has the components independently tested, makes the modules according to the safety spec, and marks each one with the appropriate markings to indicate what kind of use is safe. Builders (standard electricians) can replace one certified component with another when it's time for replacement.
They look up in a table which wire gauge to use.
None of that happens for software.
The regular electricians that do maintenance work do NOT design the electrical system of y
Why people hate the cops (Score:3)
Because they think about "civilians" the way you think about your clients?
Re: (Score:2)
I'd like to protect them if they only let me?
Re: (Score:2)
If you think about it, that it is pretty much spot-on about what cops are thinking.
Looking at your sig, you can also put yourself into the frame of mind of what people are thinking about the police.
Well, that's what you get-Flushed cost. (Score:2)
Security costs money and doesn't bring in any. Guess what gets skimped on.
Same could be said for toilet paper. As a "sunk cost" I recommend doing away with it.
Re: (Score:2)
Security costs money and doesn't bring in any. Guess what gets skimped on.
Insurance costs money and doesn't bring any in. Guess what every business pays for anyway?
Re: (Score:2)
You think they would if they didn't have to?
Biden not sure it's the Russians (Score:2)
Why the fuck was this shit internet facing? (Score:2)
There is no good reason I can conceive of to have this shit be internet facing, lots of bad reasons though.
Service providers which went down because they had this shit internet facing should be sued for gross negligence.
Re: (Score:2)
People have no clue how things actually work, because "management" does not hire experts and engineers, but cheap IT "technicians" that cannot hack it.
That is why patches do not get installed or get installed very late, a lot of things are internet-facing that have absolutely no business to be, cloud containers are not secured and everybody can copy the data, and, you know, MS crap is on so many desktops and servers. Actual engineers would tolerate nothing of this, because they face liability if they do not
What is interesting about real engineers (Score:2)
is that they are not "hip" in their use of the Broad Anglo Saxon, especially when making recommendations to clients and customers.
Re: (Score:2)
Ironically, part of the selling point of Kaseya and SolarWinds software was that they would help keep your systems patched. That's like painting a giant red bullseye telling attackers what software to target.
Re: (Score:2)
Ironically, part of the selling point of Kaseya and SolarWinds software was that they would help keep your systems patched. That's like painting a giant red bullseye telling attackers what software to target.
Pretty much. It also shows that belief in a "magic tool" that will fix your problems, like, say, patching, is entirely misplaced.
Re: (Score:2)
I'm not even that sure they knew it was internet facing.
What's likely is that they hired the cheapest hacks as network admins that at least knew that TCP isn't the Chinese secret service who then configured the firewall by tinkering with it 'til it allowed the connection they needed, without any consideration whatever else was possible now.
The dl.asp insecurity was known how long ago? (Score:5, Interesting)
There's a writeup of the apparent exploit that was used, which started with "dl.asp" and then used several others to infect the server.
https://www.scmagazine.com/kas... [scmagazine.com]
I just did a google search for "dl.asp" and the first hit is from Kaseya's community forum site in 2010, discussing the fact that it has no security restrictions. I can't see the original page, as the server's not responding, but google is offering a cached copy of the page, as does the wayback machine.
Here's the links:
http://community.kaseya.com/xs... [kaseya.com]
http://webcache.googleusercont... [googleusercontent.com]
https://web.archive.org/web/20... [archive.org]
Re: (Score:2)
+1 informative if anyone has modpoints
Stupid criminals (Score:2)
They will obviously escalate the scale of their attacks until they get stopped. That makes them greedy and stupid, because eventually they will get stopped and then there will be hell to pay. If they had kept this on a small burner they could have done this forever.
Re: (Score:2)
Maybe it goes that way. But there will be others. The example has been made and just like you cannot unthink a thought you cannot wipe out the lesson that these supply chain hacks have given to countless potential adepts.
Changing laws, G7 passing a strongly worded resolution, closing some holes after they were used - that won't really help against the threat. The whole structure of IT outsourcing has opened numerous vulnerabilities. And it's still Windows everywhere.
Those attacks are possibly pushing for ch
Re: (Score:2)
Well, one thing we will see is more regulation. And real penalties for CEOs and CTOs that skimped on security and then get hit. Whether this will be criminal penalties or just personal liability because of what is obviously gross negligence remains to be seen. But this half-assed way a difficult and still evolving engineering discipline is handled almost everywhere has to stop.
Honestly (Score:3)
Honesty from Honestly (Score:2)
I commend you for admitting that this is blaming and shaming. Generally, blaming and shaming crime victims is yet another thing most people hate about the police "Yes, all of your belongings are ransacked and you lost your grandmother's diamond ring, but you had a weak jamb on your front door and you left a radio playing too loud, tipping off the burglars no one was in the house."
It is also why most people think IT security dudes are dweebs.
Re: (Score:2)
Re:Honestly (Score:4, Insightful)
Most victims were small offices, like dentists or doctors, who hired a company to manage their computer systems. These people know nothing about computer security, they were relying on those service providers to worry about that. How would they even know what questions to ask, when selecting a service provider? "Are you using Kaseya?" Why would that be a red flag to them? Kaseya has been well-respected and used by many, for years. No, the victims are not to blame, this is all on the criminals.
Re: (Score:2)
Some devices really don't belong there even if it's cool and convenient!
Like which devices? No really I'm keen to know which industry you personally want to send back to the 1980s ignoring the fact that putting things on the internet costs actual money and is therefore done for a reason.
Re: Honestly (Score:2)
Re: (Score:2)
But by putting it in the cloud we managed to cut cost by 200%!
Re: (Score:2)
I think in these situations it's pretty OK to do some victim blaming and shaming.
The victims are clients of a Managed Service Provider. Blaming them is like saying it's your fault if you put your money in a bank and the bank gets robbed.
You snooze you lose (Score:3)
UPDATE: Bleeping Computer notes the exploited vulnerability "had been previously disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure (DIVD), and Kaseya was validating the patch before they rolled it out to customers."
Vendors move slowly. Once they find out about the vulnerability, it takes them quite some time to validate the patch and make it available.
Corporates move slowly; by the time a patch is released it takes quite some time before it's deployed.
Hackers move quickly. As soon as they have an exploit, they'll be scanning looking for vulnerable systems. The tiny address space of legacy IPv4 makes it especially easy, and within a few hours anything vulnerable has already been exploited.
Hackers aren't slow, if you want to run at a glacial pace they will run rings around you.
Oh (Score:2)
mostly small businesses like "dental practices, architecture firms, plastic surgery centers, libraries, things like that."
Oh ... so not "off limits [reuters.com]" then. All is well!
tax ransomware (Score:2)
Want to stop this and make companies take security seriously? Put a 400% tax on all payments for ransomware. Then maybe companies will get serious.
Re:Time for Kinetic Response (Score:5, Insightful)
Re: (Score:3, Insightful)
The same level as usual. We choose a country we want to whack about because they have what we want and declare that they are the culprit.
Re: (Score:2)
Re: (Score:2)
So now you want to take Swatting to an international level?
How sure do you have to be of the true source before you declare war?
Kinda depends on if they're anyone we'd miss anyway if we were wrong ... #OnlyHalfJokingAtThisPoint
Re: (Score:2)
Countries have been fighting proxy wars for centuries, funding non-government orgs to do the fighting on their behalf.
Re: (Score:3)
So now you want to take Swatting to an international level? How sure do you have to be of the true source before you declare war?
Indeed. If we knew where these people are, the problem would have been solved a while ago. As they have now escalated from "nuisance" to "threat", I think these morons have a massively reduced life expectancy. All it takes is one goof on their side and they will get identified.
Re:Time for Kinetic Response (Score:5, Interesting)
There are not many opportunities for young men and women in those parts due to multiple reasons including sanctions.
These folks have devices that erase a hard disk with an electromagnetic impulse in a second by pressing a button on a remote. They own legitimate facade businesses like hotels, discotheques, etc. And so on and so forth.
In my opinion, it would be no less hard to stop than stopping, say, drug production in Latin America. It is probably already bigger than any president.
Re: (Score:2)
I'd be participating too if I lived in a country without extradition treaties.
Re: Time for Kinetic Response (Score:2)
I think the kinetic response should involve those in the cyber attack being pillowcased, punched in the stomach, bound up, and spirited away in a windowless van. In other words, a very high precision strike.
Time to secure our shit. (Score:3, Insightful)
Ehh, I'm a gonna take a hard NO on kinetics.
How about we secure our shit instead? Like we should have been doing from the very beginning?
Instead, we've got the Eff Bee Eye and other three letter agencies trying to force manufacturers into purposely including backdoors into computing products. Dumbshit like that makes Putin and Poohbear laugh!
Re:Time to secure our shit. (Score:5, Insightful)
How about we secure our shit instead? Like we should have been doing from the very beginning?
Sure. How about you demonstrate how to do that on day zero.
Not necessarily defending Kaseya here, but they were quite literally in the process of patching a zero day that was made known to them, when this attack happened.
If anything, industry is going to have to shorten the time between being notified of something like that, and deploying the fix. Unfortunately, you're asking vendors to hurry the fuck up with a patch, so might not be as easy as we think. Industry may have to resort to vuln disclosure with customers and let them decide to take services offline first, and patch later as a mitigation. Not a very easy thing to do when we're talking about MSPs that exist to provide this service, but probably easier than the mess they're dealing with now.
Re: (Score:2)
Re: (Score:3)
You can't tell me that any software company couldn't drastically reduce their exploits if they were motivated to put more resources into it.
I had to wait to stop laughing before typing a response here.
Microsoft practically qualifies for a fucking patent on ransomware. If they barely care about securing their shitware with their resources, I fail to see how anyone else would find motivation. Cyber-insurance will boom before cybersecurity will.
Re: (Score:2)
I fail to see how anyone else would find motivation
Really? That's what you're going with? One company doesn't care and is able to weather reputational damage so all companies do the same?
Your posts get dumber by the day.
Re: (Score:3)
I fail to see how anyone else would find motivation
Really? That's what you're going with? One company doesn't care and is able to weather reputational damage so all companies do the same?
Your posts get dumber by the day.
It's hardly one company. Microsoft hasn't learned yet, and I can assure you that insurance will respond faster than industry will. In fact, companies will lean on insurance as the excuse to not spend money on cybersecurity. NIST 800-171 has been in effect for over 3 years now, and the DIB has responded in kind, with hardly 3% of them being fully compliant with that security mandate. It's going to take CMMC and serious enforcement to change that, and I doubt that will even find success.
Prove me wrong, as
Re: (Score:2)
demonstrate how to do that on day zero
The short answer there is... code better.
It won't fix all of them, but I estimate the software industry could reduce the number of zero days by 80% with a modest effort.
Far, far too many zero-days are the result of sloppy, uneducated, and insecure coding practices by companies who should know better - and can afford to do better.
We desperately need to expand liability for commercial software products to encourage more secure development practices.
Re: (Score:2)
demonstrate how to do that on day zero
The short answer there is... code better.
It won't fix all of them, but I estimate the software industry could reduce the number of zero days by 80% with a modest effort.
Far, far too many zero-days are the result of sloppy, uneducated, and insecure coding practices by companies who should know better - and can afford to do better.
We desperately need to expand liability for commercial software products to encourage more secure development practices.
Even when companies can afford to do better, they choose not to. Says a lot about the actual motivation to "secure our shit". Perhaps when ransomware takes down entire governments someone might listen.
And liability will be smothered by cyber-insurance, or simply bought off. As horrific as cybercrime is today, it doesn't even hold a candle to the 2008 financial crisis, and we didn't even punish bankers for that horror brought upon the world.
Learn to Code, should be Learn to Code Securely. But that takes
Re: (Score:2)
Sure. How about you demonstrate how to do that on day zero.
Thank you for bringing this up because this is a vital part of security: third-party code reviews!
In short, corporations should be contracting other companies to review the source code of the software they use. Which software? ALL SOFTWARE. Obviously, this would work best if done as a collaborative effort to avoid duplication of efforts. Yes, it costs money but that's the price of free software. Don't have access to the source? It can still be reviewed but it's slower and costs more money.
Corporation
Re: (Score:2)
Code reviews are dumb, they are just a plaster over the gaping wound that is security in software, and will not help significantly. At best they will make you feel better that you did something. Here is the scenario that I see in real life:
Developers write code, if the reviewer is good will pick up the mistake but usually it is a design flaw in the code, but that is time consuming (not in the long run) to fix so usually a workaround is implemented, because the feature must go out, we have commitments to cus
Re: (Score:2)
Any external reviewer that is too tough will simply not get hired.
Then the fault still lies with the companies for not hiring someone to do an honest assessment or for not following the advice given by the reviewing company. Either way, it's still better than doing jack squat.
Your virtual machine idea is exactly what "containers" are all about and it's terrible.
Re: (Score:2, Insightful)
The major governments need to coordinate and approve kinetic responses & treat these as Act of War
Russia has over 6000 nuclear warheads, so starting a war might not be the best idea.
How about regular backups and some phishing training instead?
Re: (Score:3)
Nah, that sounds complicated. Let's stick to what we know best.
Re:Time for Kinetic Response (Score:4, Insightful)
From: bleeping computer: [bleepingcomputer.com]
Since the attacks on Friday, Kaseya has been working on releasing a patch for the zero-day vulnerability exploited in the REvil attack. This zero-day was discovered by DIVD researchers who disclosed the t (sp) to Kaseya and helping test the patch. Unfortunately, REvil found the vulnerability simultaneously and launched their attack on Friday before the patch was ready, just in time for the US Fourth of July holiday weekend.
Phishing training is always a good idea. However, from what I've read, this particular attack does not appear to be the result of phishing.
Re: (Score:2)
The only defence is to be actively looking for these vulnerabilities and fixing them before others discover them.
Re: Time for Kinetic Response (Score:2)
REvil is almost certainly deep in either the Kaseya or DIVD systems; it's far more likely they intercepted the communication and either used that information to speed up a planned attack or initiated one before the patch came in.
Re: (Score:2)
This was a supply-chain attack, so phishing training won't help.
Re: (Score:2)
An emotional response rarely works out as wished.
Re: (Score:3)
Nah. That won't happen to me.
Shit like that always just happens to everyone else. Besides, security costs tons of money but doesn't make any; that cuts into my bottom line, and how do you explain that to the shareholders? They might even cut my bonus.
It's gonna be fine. Just hope for another year without an incident, then I'm gone with my golden parachute anyway.
Re: (Score:2)
Oh, it'll happen again. My prediction? It'll be some other supplier like SolarWinds or Kaseya (Autotask or ConnectWise come to mind) and it will happen on September 3rd, the Friday before a US long weekend.
Being taken for 7 US dollars (Score:2)
is a personal outrage.
Being taken for 7 billion dollars is a statistic.