LA-SAFE Cyber Digest - July 6, 2021
Fri, 07/09/2021 - 10:07am
LA-SAFE CYBER DIGEST
CYBER POLICY| CYBER INFRASTRUCTURE | CYBERCRIME
Japan to Bolster National Cybersecurity Defense with 800 New Hires: Report - ZDNet - 07.06.2021
Japan’s Ministry of Defense has announced plans to hire 800 more staff by the end of March 2022 to help
defend against increasingly sophisticated cyber-attacks. The cybersecurity unit is currently responsible for
protecting shared systems used by Japan's Self-Defense Forces (SDF), but a new unit will be launched in
2022 to oversee cyber defense for the entire SDF and consolidate the units of each branch. The plans
announced by the Japanese government to enhance its cybersecurity defense follow a cyber-attack in May
in which data from various government entities was compromised. Government officials announced new regulations across 44 sectors to further strengthen national cyber defense. The government plans to amend
the laws governing each sector, requiring each sector to be conscious of national security risks.
Analyst Note:
Japan recognizes the importance of investing in cyber infrastructure. Cybercrime can interrupt many
daily processes within critical infrastructure sectors; sectors that need protection include telecommunications, electricity, finance, railroads, government services, and healthcare. Unfortunately, this
dependence is a main reason why cybercrime can be utilized for warfare. Like many other world powers, Japan is beginning to invest heavily in the protection of its cyber infrastructure. With this expansion of
funding, the Japanese government can increase awareness and allocate more resources to national protection.
MALWARE | SOCIAL ENGINEERING | RANSOMWARE
Kubernetes Clusters Exploited to Perform Brute Force Attacks - CyWare Social - 07.05.2021
An advisory has been released by NSA, CISA, FBI, and NCSC warning about an ongoing global campaign using brute force techniques. The advisory links the campaign to the Russian government, particularly to Russia’s General Staff Main Intelligence Directorate (GRU). According to the security agencies,
these ongoing brute force access attempts have been used against hundreds of organizations around the
world, particularly in the U.S. and Europe. Targeted organizations include government, military, think
tanks, political consultants and parties, law firms, defense contractors, energy, logistics, universities, and
media companies. Once the attackers gain access, they spread laterally throughout the network
while deploying a reGeorg web shell for persistence. As part of their attacks, the threat actors are
using various exploits, including Microsoft Exchange and remote code execution vulnerabilities. They further harvest other credentials and steal files from the targeted systems.
July 6, 2021
Homeland Security Standing Information Needs (HSEC SINs): HSEC-1.1; HSEC-1.3; HSEC-1.3.2; HSEC-1.5; HSEC-1.5.2.
LA-SAFE SINs: LA-21010; LA-21030.
For additional information, please contact LA-SAFE at 1-800-434-8007 or LaFusion.Center@la.gov and reference 21-049116
Analyst Note:
Brute force is an attack method used to obtain private information (usernames, passwords, and passphrases) by repeatedly submitting different combinations of credentials. Given enough attempts, attackers can guess the
credentials correctly and gain access to the data those credentials protect. It is recommended that
administrators use multi-factor authentication, enable lock-out features for password authentication, use captchas, change default credentials, and apply appropriate network segmentation. Layering several of these protections heightens the safety of user data.
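As an added illustration of the lock-out recommendation above (example code, not part of the digest or of the agencies' advisory), the following Python applies a failures-within-window lock-out policy to constructed sshd-style log lines and reports both the lock-out triggers and the later successful logins that the policy would have rejected; the log format, thresholds and IP addresses are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); sshd-style wording is assumed.
SAMPLE_LOG = """\
2021-07-06T08:00:01 sshd: Failed password for alice from 203.0.113.7
2021-07-06T08:00:03 sshd: Failed password for alice from 203.0.113.7
2021-07-06T08:00:05 sshd: Failed password for alice from 203.0.113.7
2021-07-06T08:00:07 sshd: Failed password for alice from 203.0.113.7
2021-07-06T08:00:09 sshd: Failed password for alice from 203.0.113.7
2021-07-06T08:00:11 sshd: Accepted password for alice from 203.0.113.7
2021-07-06T08:30:00 sshd: Failed password for bob from 198.51.100.9
2021-07-06T09:45:00 sshd: Failed password for bob from 198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def evaluate_lockout(log_text, threshold=5, window=timedelta(minutes=10),
                     lockout=timedelta(minutes=15)):
    """Replay an auth log under a lock-out policy.

    Returns (lockouts, blocked): lock-out triggers as (time, user, source), and
    'Accepted' logins that happened while the account would have been locked,
    i.e. the guesses a lock-out feature would have stopped.
    """
    recent = defaultdict(deque)   # user -> timestamps of failures inside the window
    locked_until = {}             # user -> time the lock expires
    lockouts, blocked = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # ignore lines that are not auth events
        ts = datetime.fromisoformat(m.group(1))
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        if user in locked_until and ts < locked_until[user]:
            if outcome == "Accepted":     # policy would have rejected this attempt
                blocked.append((ts, user, src))
            continue
        q = recent[user]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            if len(q) >= threshold:       # burst of failures: lock the account
                locked_until[user] = ts + lockout
                lockouts.append((ts, user, src))
                q.clear()
        else:
            q.clear()                     # a genuine login resets the counter
    return lockouts, blocked
```

Running it on the sample shows one lock-out for alice at the fifth failure and one "Accepted" that the policy would have blocked, while bob's two failures 75 minutes apart never reach the threshold.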
SECURITY BREACH |CYBER DEFENSE
Up to 1,500 Businesses Affected by Ransomware Attack, U.S. Firm’s CEO Says - Reuters - 07.06.2021
Between 800 and 1,500 businesses around the world are estimated to have been affected by a ransomware
attack centered on U.S. information technology firm Kaseya, its chief executive said on Monday. Kaseya
is a company that provides software tools to IT outsourcing shops. One of those tools was subverted on
Friday, allowing the hackers to paralyze hundreds of businesses on all five continents. The hackers who
claimed responsibility for the breach have demanded $70 million to restore all the victims’ data. Kaseya
CEO Voccola said neither he nor the investigators his company had brought in had seen any sign of
threat actors monitoring the network. The firm was in the process of fixing the vulnerability in the software
that the hackers exploited when the ransomware attack was executed.
Kaseya Says It’s Seen No Sign of Supply Chain Attack, Sets SaaS Restoration… - The Register - 07.06.2021
Kaseya has said it has been unable to find signs that its code was maliciously modified, and offered its
users a ray of hope with news that it is testing a patch for its on-prem software and is considering
restoring its SaaS services on Tuesday. The company is fighting a supply chain attack on its
VSA product that it has documented in a rolling advisory, last updated on July 5th. The
company was infected by Russia-linked REvil ransomware, and the impact is substantial. The company has also posted an initial analysis of the attack stating that it has found “no evidence that Kaseya’s VSA codebase had been maliciously modified.” Analysts believe the attackers were able to
exploit zero-day vulnerabilities in the VSA product to bypass authentication and achieve arbitrary
command execution.
Analyst Note:
The overall goal of unified monitoring is to centralize the state of the entire IT infrastructure into a single
view. The unified monitoring system in each of these businesses is managed and monitored by Kaseya.
In this case, there was a vulnerability in Kaseya’s VSA product, and the company did not have a patch in
time to fix it. This resulted in numerous businesses’ IT infrastructure being attacked. Kaseya is the second unified monitoring system company to be compromised within the last 2 years (the SolarWinds attack was the first). These companies should serve as an example of why businesses need to
monitor their systems continuously, without relying solely on the unified monitoring company.