THREAT INTELLIGENCE REPORTS

KASEYA REVIL SUPPLY-CHAIN RANSOMWARE ATTACK

By Fortress Information Security, July 7, 2021

The July 2, 2021, ransomware attack on managed service provider (MSP) Kaseya is still ongoing. Kaseya has stated that it is deploying an update for its Virtual System Administrator (VSA) that patches the flaw used by the attackers, allowing the company to bring its Software as a Service (SaaS) back online. The attacker, REvil, has asked for $70 million for a universal decryption key. There are rumors that REvil has reduced the asking price and may go even lower. However, it is unlikely at this point that Kaseya will pay the ransom, which may cause REvil to shift focus onto the individual clients affected by the attack.

SOL ORIENS DATA BREACH

By Fortress Information Security, June 15, 2021

In May 2021, Sol Oriens, a subcontractor for the Department of Energy (DOE) that works with the National Nuclear Security Administration (NNSA), was the subject of a cyberattack that originated from the known ransomware group REvil. Specific details of how the attack was executed, including the initial intrusion vector, are unknown at this time. The attackers were able to steal employee names, social security numbers, pay rates, a contracts ledger, and information related to employee training programs, all of which were posted on the dark web. While more sensitive information does not appear to have been exfiltrated, this incident highlights the threat posed by breaches affecting critical suppliers of U.S. government entities.

THE REGULATORY ENVIRONMENT

Supply chain risk management is critical for industry and government alike. Policymakers have long been concerned with supply chain threats posed by secondary and tertiary suppliers. This has spurred a new wave of expansive regulatory action in the United States that is likely to continue for the foreseeable future.


Here are two regulations that federal government contractors cannot ignore:

PROHIBITED TELECOMMUNICATIONS

NDAA Sec. 889 requires government contractors to certify that the products they sell to the government are not supplied by certain Chinese companies:


Part A prohibits the government from obtaining (through a contract or other instrument) certain telecommunications equipment (including video surveillance equipment) or services produced by covered entities and their subsidiaries and affiliates.


Part B prohibits the government from contracting with any entity that uses certain telecommunications equipment or services produced by the entities listed in the statute.

CMMC CYBERSECURITY

The CMMC is intended to serve as a verification mechanism confirming that appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene and to protect controlled unclassified information (CUI) that resides on the networks of the Department of Defense's industry partners.