Risky Business #632 -- The Kaseya incident wasn't nearly as big as we thought

PLUS: Adam talks through the latest Active Directory disaster, PetitPotam...
28 Jul 2021 » Risky Business

On this week’s show Patrick Gray and Adam Boileau discuss recent security news, including:

  • Analysis suggests the Kaseya REvil incident was actually a bit of a fizzer
  • They also obtained a decrypt key and no one knows how
  • EU to follow US Treasury on Bitcoin controls
  • Israeli Government has eyes on NSO fallout
  • PetitPotam Active Directory technique is very bad news
  • Much, much more…

This week’s show is brought to you by Remediant. Remediant makes a PAM solution that’s, well, quite different from the traditional password-vault style solutions. That’s put them in an interesting situation lately with Gartner. Remediant scored an honourable mention as a PAM to take note of, alongside Microsoft, but the thing is they don’t even qualify as a PAM vendor under Gartner’s own criteria. This might mean the analyst firms need to re-jig the way they evaluate and rank tech given there are so many more ways to skin cats these days. Remediant co-founder Paul Lanzi will join me in this week’s sponsor slot to talk through all of that.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Security Researchers’ Hunt to Discover Origins of the Kaseya VSA Mass Ransomware Incident
Kaseya says it didn't pay ransomware gang for decryption key after hacks affected hundreds
Kaseya obtains universal decryptor for REvil ransomware victims
Joe Tidy on Twitter: "The impact of the South African port cyber attack is getting worse. The Road Freight Association (RFA) said it was “dismayed and gravely concerned” about the cyber-attack on Durban Port. https://t.co/iT1WAP165Z https://t.co/ipssCVfSIo" / Twitter
Port cyber attack: Now Road freighters concerned about goods
Chat logs show how Egregor, an $80 million ransomware gang, handled negotiations with little mercy
FBI tracking more than 100 active ransomware groups
New Haron ransomware gang emerges, borrows from Avaddon and Thanos - The Record by Recorded Future
BlackMatter ransomware targets companies with revenue of $100 million and more - The Record by Recorded Future
Spammer floods the Babuk ransomware gang's forum with gay porn GIFs - The Record by Recorded Future
No More Ransom celebrates success in helping 600k people recover from ransomware attacks | The Daily Swig
Justice Department officials urge Congress to pass ransomware notification law
New EU legislation to ban anonymous cryptocurrency wallets, transfers - The Record by Recorded Future
Government said to form team to deal with fallout of NSO spyware revelations | The Times of Israel
‘If You’re Not A Criminal, Don’t Be Afraid’—NSO CEO On ‘Insane’ Hacking Allegations Facing $1 Billion Spyware Business
NSO Group CEO Claims BDS Is Probably Behind Damning Investigation
New PetitPotam attack forces Windows servers to authenticate with an attacker - The Record by Recorded Future
HD Moore on Twitter: "It is wild to see *unauthenticated* RCE via NTLM relay attacks, again, in 2021: https://t.co/CiS4bKH8oV (decades since smbrelay / karma / karmetasploit PoCs)" / Twitter
KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
A Controversial Tool Calls Out Thousands of Hackable Websites | WIRED
IDEMIA fixes vulnerability that can allow threat actors to open doors remotely - The Record by Recorded Future
PlugwalkJoe Does the Perp Walk – Krebs on Security
UK man arrested in Spain for role in Twitter 2020 hack - The Record by Recorded Future
Praying Mantis APT targets IIS servers with ASP.NET exploits - The Record by Recorded Future
Botnet operator who proxied traffic for other cybercrime groups pleads guilty - The Record by Recorded Future
Chinese hacking group APT31 uses mesh of home routers to disguise attacks - The Record by Recorded Future
VPN servers seized by Ukrainian authorities weren’t encrypted | Ars Technica
Accused CIA leaker Joshua Schulte allowed to represent himself at next Vault 7 trial
Seriously Risky Business