Thursday, July 15, 2021

A Modest Proposal About Ransomware

On the evening of July 2nd the REvil ransomware gang exploited a 0-day vulnerability to launch a supply chain attack on customers of Kaseya's Virtual System Administrator (VSA) product. The timing was perfect, with most system administrators off for the July 4th long weekend. By the 6th Alex Marquardt reported that Kaseya says up to 1,500 businesses compromised in massive ransomware attack. REvil, which had previously extorted $11M from meat giant JBS, announced that for the low, low price of only $70M they would provide everyone with a decryptor.

The US government's pathetic response is to tell the intelligence agencies to investigate and to beg Putin to crack down on the ransomware gangs. Good luck with that! It isn't his problem, because the gangs write their software to avoid encrypting systems that have default languages from the former USSR.

I've written before (here, here, here) about the importance of disrupting the cryptocurrency payment channel that enables ransomware, but it looks like the ransomware crisis has to get a great deal worse before effective action is taken. Below the fold I lay out a modest proposal that could motivate actions that would greatly reduce the risk.

It turns out that the vulnerability that enabled the REvil attack didn't meet the strict definition of a 0-day. Gareth Corfield's White hats reported key Kaseya VSA flaw months ago. Ransomware outran the patch explains:
Rewind to April, and the Dutch Institute for Vulnerability Disclosure (DIVD) had privately reported seven security bugs in VSA to Kaseya. Four were fixed and patches released in April and May. Three were due to be fixed in an upcoming release, version 9.5.7.

Unfortunately, one of those unpatched bugs – CVE-2021-30116, a credential-leaking logic flaw discovered by DIVD's Wietse Boonstra – was exploited by the ransomware slingers before its fix could be emitted.
DIVD praised Kaseya's response:
Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness.

During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.
But if Kaseya's response to DIVD's disclosure was praiseworthy, it turns out it was the exception. In Kaseya was warned about security flaws years ahead of ransomware attack, J. Fingas reports that:
The giant ransomware attack against Kaseya might have been entirely avoidable. Former staff talking to Bloomberg claim they warned executives of "critical" security flaws in Kaseya's products several times between 2017 and 2020, but that the company didn't truly address them. Multiple staff either quit or said they were fired over inaction.

Employees reportedly complained that Kaseya was using old code, implemented poor encryption and even failed to routinely patch software. The company's Virtual System Administrator (VSA), the remote maintenance tool that fell prey to ransomware, was supposedly rife with enough problems that workers wanted the software replaced.

One employee claimed he was fired two weeks after sending executives a 40-page briefing on security problems. Others simply left in frustration with a seeming focus on new features and releases instead of fixing basic issues. Kaseya also laid off some employees in 2018 in favor of outsourcing work to Belarus, which some staff considered a security risk given local leaders' partnerships with the Russian government.
...
The company's software was reportedly used to launch ransomware at least twice between 2018 and 2019, and it didn't significantly rethink its security strategy.
To reiterate:
  • The July 2nd attack was apparently at least the third time Kaseya had infected customers with ransomware!
  • Kaseya outsourced development to Belarus, a country where ransomware gangs have immunity!
  • Kaseya fired security whistleblowers!
The first two incidents didn't seem to make either Kaseya or its customers re-think what they were doing. Clearly, the only reason Kaseya responded to DIVD's warning was the threat of public disclosure.

Without effective action to change this attitude the ransomware crisis will definitely result in what Stephen Diehl calls The Oncoming Ransomware Storm:
Imagine a hundred new Stuxnet-level exploits every day, for every piece of equipment in public works and health care. Where every day you check your phone for the level of ransomware in the wild just like you do the weather. Entire cities randomly have their metro systems, water, power grids and internet shut off and on like a sudden onset of bad cybersecurity “weather”.

Or a time in business in which every company simply just allocates a portion of its earnings upfront every quarter and pre-pays off large ransomware groups in advance. It’s just a universal cost of doing business and one that is fully sanctioned by the government because we’ve all just given up trying to prevent it and it’s more efficient just to pay the protection racket.
To make things worse, companies can insure against the risk of ransomware, essentially paying to avoid the hassle of maintaining security. Insurance companies can't price these policies properly, because they can't do enough underwriting to know, for example, whether the customer's backups actually work and whether they are offline enough so the ransomware doesn't encrypt them too.

In Cyber insurance model is broken, consider banning ransomware payments, says think tank Gareth Corfield reports on the Royal United Services Institute's (RUSI) latest report, Cyber Insurance and the Cyber Security Challenge:
Unfortunately, RUSI's researchers found that insurers tend to sell cyber policies with minimal due diligence – and when the claims start rolling in, insurance company managers start looking at ways to escape an unprofitable line of business.
...
RUSI's position on buying off criminals is unequivocal, with [Jason] Nurse and co-authors Jamie MacColl and James Sullivan saying in their report that the UK's National Security Secretariat "should conduct an urgent policy review into the feasibility and suitability of banning ransom payments."
The fundamental problem is that neither the software vendors nor the insurers nor their customers are taking security seriously enough because it isn't a big enough crisis yet. The solution? Take control of the crisis and make it big enough that security gets taken seriously.

The US always claims to have the best cyber-warfare capability on the planet, so presumably they could do ransomware better and faster than gangs like REvil. The US should use this capability to mount ransomware attacks against US companies as fast as they can. Victims would see, instead of a screen demanding a ransom in Monero to decrypt their data, a screen saying:
US Government CyberSecurity Agency

Patch the following vulnerabilities immediately!

The CyberSecurity Agency (CSA) used some or all of the following vulnerabilities to compromise your systems and display this notice:
  • CVE-2021-XXXXX
  • CVE-2021-YYYYY
  • CVE-2021-ZZZZZ
Three days from now if these vulnerabilities are still present, the CSA will encrypt your data. You will be able to obtain free decryption assistance from the CSA once you can prove that these vulnerabilities are no longer present.
If the victim ignored the notice, three days later they would see:
US Government CyberSecurity Agency

The CyberSecurity Agency (CSA) used some or all of the following vulnerabilities to compromise your systems and encrypt your data:
  • CVE-2021-XXXXX
  • CVE-2021-YYYYY
  • CVE-2021-ZZZZZ
Once you have patched these vulnerabilities, click here to decrypt your data

Three days from now if these vulnerabilities are still present, the CSA will re-encrypt your data. For a fee you will be able to obtain decryption assistance from the CSA once you can prove that these vulnerabilities are no longer present.
The program would start out fairly gentle and ramp up, shortening the grace period to increase the impact.

The program would motivate users to keep their systems up-to-date with patches for disclosed vulnerabilities, which would not merely help with ransomware, but also with botnets, data breaches and other forms of malware. It would also raise the annoyance factor customers face when their supplier fails to provide adequate security in their products. This in turn would provide reputational and sales pressure on suppliers to both secure their supply chain and, unlike Kaseya, prioritize security in their product development.
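As an added illustration of the kind of check the notice above would put in front of an administrator (this is example code, not part of the post): compare an inventory of installed software against a list of advisories with their fixed versions, report which CVEs are still present, and compute the deadline before the grace period runs out. The product names, versions and CVE identifiers are made-up placeholders, and the version comparison is numeric so that 9.10.0 correctly sorts above 9.9.0.

```python
"""Added example: a minimal patch-status check that mirrors the CSA notice.
All products, versions and CVE ids below are constructed placeholders."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    fixed_in: str  # first version that contains the fix


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '9.5.7' into (9, 5, 7) so versions compare numerically,
    not lexically (lexically, '9.10.0' would sort below '9.9.0')."""
    return tuple(int(part) for part in v.split("."))


def unpatched(inventory: dict[str, str], advisories: list[Advisory]) -> list[Advisory]:
    """Return the advisories whose product is installed below the fixed version."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv.product)
        if installed is None:
            continue  # product not installed: the CVE cannot apply
        if parse_version(installed) < parse_version(adv.fixed_in):
            hits.append(adv)
    return hits


def build_notice(inventory: dict[str, str], advisories: list[Advisory],
                 today: date, grace_days: int = 3) -> dict:
    """Produce the data behind a notice like the one in the post:
    the CVEs still present and the date on which escalation happens."""
    hits = unpatched(inventory, advisories)
    return {
        "cves": [h.cve for h in hits],
        "deadline": (today + timedelta(days=grace_days)).isoformat(),
        "clear": not hits,
    }


# Constructed sample data (placeholders, not real products, versions or CVEs).
INVENTORY = {"ExampleRMM": "9.5.6", "ExampleDB": "14.2.0", "ExampleMail": "3.1.0"}
ADVISORIES = [
    Advisory("CVE-2021-XXXXX", "ExampleRMM", "9.5.7"),   # installed 9.5.6 -> unpatched
    Advisory("CVE-2021-YYYYY", "ExampleDB", "14.10.0"),  # installed 14.2.0 -> unpatched
    Advisory("CVE-2021-ZZZZZ", "ExampleMail", "3.0.2"),  # installed 3.1.0 -> fixed
    Advisory("CVE-2021-WWWWW", "ExampleVPN", "1.0.0"),   # not installed -> not applicable
]
SAMPLE_DATE = date(2021, 7, 15)  # constructed "today" for a deterministic deadline

if __name__ == "__main__":
    print(build_notice(INVENTORY, ADVISORIES, SAMPLE_DATE))
```

The same comparison, fed from a real advisory feed and a real software inventory, is what a vulnerability scanner does; the point here is that "still present" is decided by comparing installed versions against fixed versions, not by whether a patch was downloaded.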

Of course, the program above only handles disclosed vulnerabilities, not the 0-days REvil used. There is a flourishing trade in 0-days, of which the NSA is believed to be a major buyer. The supply in these markets is increasing, as Dan Goodin reports in iOS zero-day let SolarWinds hackers compromise fully updated iPhones:
In the first half of this year, Google’s Project Zero vulnerability research group has recorded 33 zero-day exploits used in attacks—11 more than the total number from 2020. The growth has several causes, including better detection by defenders and better software defenses that require multiple exploits to break through.

The other big driver is the increased supply of zero-days from private companies selling exploits.

“0-day capabilities used to be only the tools of select nation-states who had the technical expertise to find 0-day vulnerabilities, develop them into exploits, and then strategically operationalize their use,” the Google researchers wrote. “In the mid-to-late 2010s, more private companies have joined the marketplace selling these 0-day capabilities. No longer do groups need to have the technical expertise; now they just need resources.”

The iOS vulnerability was one of four in-the-wild zero-days Google detailed on Wednesday.
...
Based on their analysis, the researchers assess that three of the exploits were developed by the same commercial surveillance company, which sold them to two different government-backed actors.
As has been true since the Cold-War era and the "Crypto Wars" of the 1980s when cryptography was considered a munition, the US has prioritized attack over defense. The NSA routinely hoards 0-days, preferring to use them to attack foreigners rather than disclose them to protect US citizens (and others). This short-sighted policy has led to several disasters, including the Juniper supply-chain compromise and NotPetya. Senators wrote to the head of the NSA, and the EFF sued the Director of National Intelligence, to obtain the NSA's policy around 0-days:
Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors,
It would be bad enough if the NSA and other nations' security services were the only buyers of 0-days. But the $11M REvil received from JBS buys a lot of them, and if each could net $70M they'd be a wonderful investment. Forcing ransomware gangs to use 0-days by getting systems up-to-date with patches is good, but the gangs will have 0-days to use. So although the program above should indirectly reduce the supply (and thus increase the price) of 0-days by motivating vendors to improve their development and supply chain practices, something needs to be done to reduce the impact of 0-days on ransomware.

The Colonial Pipeline and JBS attacks, not to mention the multiple hospital chains that have been disrupted, show that it is just a matter of time before a ransomware attack has a major impact on US GDP (and incidentally on US citizens). In this light, the idea that NSA should stockpile 0-days for possible future use is counter-productive. At any time 0-days in the hoard might leak, or be independently discovered. In the past the fallout from this was limited, but no longer; they might be used for a major ransomware attack. Is the National Security Agency's mission to secure the United States, or to have fun playing Team America: World Police in cyberspace?

Unless they are immediately required for a specific operation, the NSA should disclose 0-days it discovers or purchases to the software vendor, and once patched, add them to the kit it uses to run its "ransomware" program. To do less is to place the US economy at risk.

PS: David Sanger reported Tuesday that Russia’s most aggressive ransomware group disappeared. It’s unclear who disabled them.:
Just days after President Biden demanded that President Vladimir V. Putin of Russia shut down ransomware groups attacking American targets, the most aggressive of the groups suddenly went off-line early Tuesday.
...
A third theory is that REvil decided that the heat was too intense, and took the sites down itself to avoid becoming caught in the crossfire between the American and Russian presidents. That is what another Russian-based group, DarkSide, did after the ransomware attack on Colonial Pipeline, ...

But many experts think that DarkSide’s going-out-of-business move was nothing but digital theater, and that all of the group’s key ransomware talent will reassemble under a different name.
This is by far the most likely explanation for REvil's disappearance, leaving victims unable to pay. The same day, Bogdan Botezatu and Radu Tudorica reported that Trickbot Activity Increases; new VNC Module On the Radar:
The Trickbot group, which has infected millions of computers worldwide, has recently played an active role in disseminating ransomware.

We have been reporting on notable developments in Trickbot’s lifecycle, with highlights including the analysis in 2020 of one of its modules used to bruteforce RDP connections and an analysis of its new C2 infrastructure in the wake of the massive crackdown in October 2020.

Despite the takedown attempt, Trickbot is more active than ever. In May 2021, our systems started to pick up an updated version of the vncDll module that Trickbot uses against select high-profile targets.
As regards the "massive crackdown", Ravie Lakshmanan notes:
The botnet has since survived two takedown attempts by Microsoft and the U.S. Cyber Command,
Update:

Via Barry Ritholtz we find this evidence of Willie Sutton's law in action. When asked "Why do you rob banks?", Sutton replied "Because that's where the money is."


And, thanks to Jack Cable, there's now ransomwhe.re, which tracks ransomware payments in real time. It suffers a bit from incomplete data. Because it depends upon tracking Bitcoin addresses, it will miss the increasing proportion of demands that insist on Monero.
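To make the coverage gap concrete, here is an added example (not code from the post or from ransomwhe.re) that scans a ransom note for payment addresses and classifies them by format. A tracker keyed on Bitcoin addresses can follow the Bitcoin ones on the public ledger; the Monero one has nothing a ledger tracker can key on. The note text and every address in it are constructed to match the public address formats and are not real wallets; the patterns check format only, not checksums.

```python
"""Added example: extract and classify cryptocurrency payment addresses in a
ransom note. Sample note and addresses are constructed, not real."""
from __future__ import annotations
import re

# Address-format patterns (format only; no checksum validation is performed).
PATTERNS = {
    # Bitcoin legacy P2PKH/P2SH: base58, starts with 1 or 3, 26-35 characters
    "bitcoin": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    # Bitcoin bech32 (segwit): 'bc1' followed by lower-case bech32 characters
    "bitcoin_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{39,59}\b"),
    # Monero standard address (starts with 4) or subaddress (starts with 8):
    # base58, 95 characters in total
    "monero": re.compile(r"\b[48][a-km-zA-HJ-NP-Z1-9]{94}\b"),
}

# Constructed addresses: correct length and alphabet, but not real wallets.
BTC_LEGACY = "1" + ("AbCd" * 9)[:33]                 # 34 chars
BTC_BECH32 = "bc1q" + ("qpzry9x8gf" * 4)[:38]        # 42 chars
XMR_STANDARD = "4" + ("AbCdEfGhJkMnPq" * 7)[:94]     # 95 chars

# Constructed note text standing in for a captured ransom note.
SAMPLE_NOTE = f"""
Your files have been encrypted.
Send 0.5 BTC to {BTC_LEGACY} or {BTC_BECH32}
Payment in XMR is accepted at {XMR_STANDARD}
You have 72 hours.
"""


def extract_addresses(note: str) -> dict[str, list[str]]:
    """Return every address found in the note, grouped by format name.
    Formats with no hits are omitted."""
    found = {name: pattern.findall(note) for name, pattern in PATTERNS.items()}
    return {name: hits for name, hits in found.items() if hits}


def tracker_coverage(note: str) -> dict[str, list[str]]:
    """Split addresses into those a Bitcoin-ledger tracker can follow and
    those it cannot (Monero conceals amounts and parties on-chain)."""
    addrs = extract_addresses(note)
    trackable = addrs.get("bitcoin", []) + addrs.get("bitcoin_bech32", [])
    missed = addrs.get("monero", [])
    return {"trackable": trackable, "missed": missed}


if __name__ == "__main__":
    for kind, hits in extract_addresses(SAMPLE_NOTE).items():
        print(kind, hits)
    print(tracker_coverage(SAMPLE_NOTE))
```

Run against a corpus of notes, the ratio of "missed" to "trackable" gives a rough lower bound on how much payment volume a Bitcoin-only tracker cannot see; the classification itself says nothing about whether any payment was made.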

14 comments:

Unknown said...

Companies could also stop creating monoculture networks that are easy to manage and also easy to compromise. When every device is a domain joined Windows 10 machine running some low level centralized remote management system, it's just a matter of time before you are completely owned.

This is the "Encryption Backdoor" problem in Computer Science (aka "Exceptional Access Systems"). It is impossible to build an exceptional access system and then ensure it is only used by good people to do good things.

David. said...

Lorenzo Franceschi-Bicchierai reports on today's 0-day news in Mysterious Israeli Spyware Vendor’s Windows Zero-Days Caught in the Wild:

"Citizen Lab concluded that the malware and the zero-days were developed by Candiru, a mysterious Israel-based spyware vendor that offers “high-end cyber intelligence platform dedicated to infiltrate PC computers, networks, mobile handsets," according to a document seen by Haaretz. Candiru was first outed by the Israeli newspaper in 2019, and has since gotten some attention from cybersecurity companies such as Kaspersky Lab."

Alwyn Schoeman said...

How could we exploit the Russian Locale exception?

Unknown said...

The correct response is to copy the law that the EU passed that can fine companies up to 10% of revenue for lax cyber security.

Equifax, SolarWinds and Kaseya all had lax security that caused untold damage to businesses and the public. I do not support letting cyber criminals get away without punishment, but I do support holding companies liable for gross negligence in cyber security.

David. said...

Brian Krebs originally suggested to Try This One Weird Trick Russian Hackers Hate by installing Russian keyboard support, but the bad guys figured out quickly that what they needed to test was not the keyboard support but the default language. So unless you want your machine to talk to you in Cyrillic, forget it. Hat tip to Bruce Schneier.

David. said...

I can't find anything that says the EU can impose 10% of revenue. When the UK implemented the EU regulations in 2018 (my emphasis):

"some of these organisations could be liable for fines of up to £17 million - or four per cent of global turnover - if lax cyber security standards result in loss of service under the Government’s proposals to implement the EU's Network and Information Systems (NIS) directive from May 2018."

£17M is chickenfeed compared to the damage, this only applies to critical infrastructure, and I don't see any evidence that the EU has levied any such fines.

David. said...

All I could find for the US was this from 2018:

"The U.S Department of Health and Human Services has fined Fresenius Medical Care Holdings Inc., a major supplier of medical equipment, $3.5 million for five separate data breaches that occurred in 2012."

A derisory fine, 6 years late, for losing control of physical devices containing health information. Not exactly impressive.

HMTKSteve said...

How about keeping an air gap between critical systems and the internet? When companies used dedicated data circuits this kind of thing did not happen. Too many accountants have veto powers over IT and it shows.

Static said...

The government has no business patronizing anyone to keep their IT secure anymore than it has business telling them to lock their front door.

David. said...

Static, tell that to the FBI. Alex Hern reported April 14 that FBI hacks vulnerable US computers to fix malicious malware:

"The FBI has been hacking into the computers of US companies running insecure versions of Microsoft software in order to fix them, the US Department of Justice has announced.

The operation, approved by a federal court, involved the FBI hacking into “hundreds” of vulnerable computers to remove malware placed there by an earlier malicious hacking campaign, which Microsoft blamed on a Chinese hacking group known as Hafnium."

David. said...

The Washington Post's Gerrit De Vynck, Rachel Lerman, Ellen Nakashima and Chris Alcantara have an excellent explainer from 10 days ago entitled The anatomy of a ransomware attack.

David. said...

And the class action lawyers get in on the ransomware act. In First came the ransomware attacks, now come the lawsuits, Gerrit De Vynck reports on Eddie Darwich, a pioneering plaintiff:

"Now he’s suing Colonial Pipeline over those lost sales, accusing it of lax security. He and his lawyers are hoping to also represent the hundreds of other small gas stations that were hurt by the hack. It’s just one of several class-action lawsuits that are popping up in the wake of high-profile ransomware attacks.

Another lawsuit filed against Colonial in Georgia in May seeks damages for consumers who had to pay higher gas prices. A third is in the works, with law firm Chimicles Schwartz Kriner & Donaldson-Smith LLP pursuing a similar effort.

And Colonial isn’t the only company being sued. San Diego-based hospital system Scripps Health is facing class-action lawsuits stemming from a ransomware attack in April."

David. said...

Charlie Osborne's Updated Kaseya ransomware attack FAQ: What we know now is a useful overview.

David. said...

In the wake of major attacks, ransomware groups Avaddon, DarkSide and REvil went dark. Now Dan Goodin reports that they may be re-branding themselves in Haron and BlackMatter are the latest groups to crash the ransomware party:

"Both groups say they are aiming for big-game targets, meaning corporations or other large businesses with the pockets to pay ransoms in the millions of dollars.
...
As S2W Lab pointed out, the layout, organization, and appearance of [Haron's] site are almost identical to those for Avaddon, the ransomware group that went dark in June after sending a master decryption key to BleepingComputer that victims could use to recover their data.
...
Recorded Future, The Record, and security firm Flashpoint, which also covered the emergence of BlackMatter, have questioned if the group has connections to either DarkSide or REvil."