Author's Posts

According to a new report by Flashpoint, high-ranking users and RAMP administrators are now actively attempting to communicate with new forum members in machine-translated Chinese. The forum has reportedly had at least thirty new user registrations that appear to come from China, so this could be the beginning of something notable. The researchers suggest that the most probable cause is that Russian ransomware gangs seek to build alliances with Chinese actors to launch cyber-attacks against U.S. targets, trade vulnerabilities, or even recruit new talent for their Ransomware-as-a-Service (RaaS) operations.”

To read the report posted by Flashpoint – https://www.flashpoint-intel.com/blog/ramp-ransomware-chinese-threat-actors/

Read more

According to a report from NordPass, people haven’t yet stopped relying on done-to-death passwords such as ”123456,” ”12345,” ”password,” and ”qwerty,” while research reveals that these three are the weakest passwords nowadays and can easily make you vulnerable to hacking. The password 123456 appeared over 103 million times in NordPass’s research. The study involved around fifty countries, and researchers conducted gender comparisons to reach a fair conclusion. As many as 222,287 females used ”iloveyou” as their password in the US, while 96,785 men used the same.

Read the rest of the article at: https://www.hackread.com/most-used-worst-passwords-of-2021/

Read more

Hello All. If you haven’t yet heard the news about this, you probably will eventually. This vulnerability made the news over the long weekend. I thought I would provide a bit of an update. This is another supply chain attack, and is similar in its basic methodology to last year’s SolarWinds attack, with malware installed via an update server.

The Virtual System/Server Administrator (VSA), is software used by Kaseya customers to monitor and manage their infrastructure. It is supplied either as a hosted cloud service by Kaseya, or via on-premises VSA servers. These SaaS VSA servers can be deployed by end-users or by MSPs. Kaseya sends out updates to these VSA servers and, on Friday July 2, an update was distributed that contained REvil ransomware code. It affected fewer than 40 Kaseya VSA customers — but around 30 of them were MSPs, and the code was then sent on to their customers. Potentially thousands of MSP client businesses were infected.

Here is VSA:

Kaseya has released a “Compromise Detection Tool” to detect if an installation has been compromised.  All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase security posture.

Here is a listing of various sites that have posted IOCs and/or TTPs:

  • Trend Micro – https://success.trendmicro.com/solution/000286890
  • McAfee – https://kc.mcafee.com/corporate/index?page=content&id=KB94660&locale=en_US
  • Cisco Talos – https://blog.talosintelligence.com/2021/07/revil-ransomware-actors-attack-kaseya.html
  • Huntress – https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
  • Splunk – splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html
Read more