Hello, welcome to the Tuesday, July 6, 2021 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Kasea and Brent Nightmare are still dominating the news and should be where your attention is focused on today. So I did two special podcasts

this weekend, but do want to do a quick recap of what's kind of new about these two events.

So first let's start with Kasea, the MSP platform that apparently was breached.

Well, it looks now like the entry point was actually a vulnerability in Kasea VSA directly.

So it wasn't something where someone first breached Kesea in order to distribute the Malware,

but it looks like they did hit Kasea

VSA directly, and that's sort of how the malware was deployed. Still, if you are running

Kasea, there appear to be a number of vulnerabilities that Kasea was in the process of

patching. They promised a patch soon.

So keep the system offline until further notice or until you hear differently from Kasea

if you are running their product on premise.

Detection tools have been made available by Sisa and the FBI as well as by Kasea directly and by other third parties.

Wherever you get your detection tool from, get it from a trusted source and of course

verify the integrity of the binary before you run it.

And there is now a ransom demand of $70 million that was directed at

Kasea, and if Kasea pays the ransom, they should receive a key that will work for all affected

victims. The way the are evil or Suna Keebis, as it's sometimes also called Ransomware Works, there is one sort

of master key that's specific to the software itself. That key has never been leaked, and that

key is then used to generate campaign keys, and in this case, the Kasea campaign would use one of these campaign keys.

But then there are additional keys being generated from this campaign key that are unique

to each system and also unique to each file. So there is a chance that down the line maybe

...