Kaseya hit by ransomware
Last Friday, the infamous REvil Ransomware hacking group performed a massive supply-chain cyber-attack that compromised a large number of businesses all over the globe.
Since the attack, additional details about how it was performed have become known. Yesterday, it was revealed that the Dutch Institute for Vulnerability Disclosure (DIVD) had already alerted Kaseya – the company that was first attacked and from where the supply-chain infection started – that there were several zero-day flaws in the company’s VSA software and that those flaws were being exploited for Ransomware deployment. DIVD stated that Kaseya was already in the process of fixing the discovered bugs when the attack happened.
After the flaws’ discovery, no additional specifics about the vulnerabilities were disclosed, but according to DIVD, the flaws aren’t difficult to find and exploit even if such details aren’t publicly available.
Currently, it is estimated that no less than 1,000 businesses spread across at least 17 countries have been compromised by the REvil attack. The countries where there are victims of the attack include Canada, the U.K., Mexico, Argentina, New Zealand, Indonesia, South Africa, Kenya, and more.
The Kaseya company where it all started develops network-managing and remote-monitoring solutions for MSPs (Managed Service Providers). Its products offer centralized consoles for monitoring the endpoints connected to a network and managing them by deploying security patches, controlling the authentication and access to them, and more.
$70 million demanded for a decryptor
REvil (also known as Sodinokibi) is a Russian hacking group that operates as a ransomware-as-a-service operation and that has, on multiple occasions, pulled off massive ransomware attacks with large ransom requests. Last month, REvil attacked the JBS food processing company and extorted $11 million from it. In the first quarter of 2021, REvil accounted for 4.6% of the attacks on both public and private-sector organizations and businesses.
As for the current attack, the REvil hackers request a whopping $70 million as a ransom payment in exchange for a universal decryptor that can free the locked files on all systems that the current attack has compromised.
REvil posted on its dark web leak site a brief statement in which the requested sum was declared. According to the statement by the REvil group, over one million systems have been infected by the Ransomware attack. The group also claims that the universal decryptor can restore the locked data within less than an hour.
Currently, Kaseya is working with FireEye to investigate the incident and start the process of restoring its SaaS (Software as a Service) data centers. According to a statement made by the company, the recovery process will start with the U.K., E.U., and Asia-Pacific affected data centers, followed by the ones based in North America. Kaseya also noted that a patch would need to be installed on on-premises VSA servers. According to the company, such a patch is due to be released today (July the 5th).
Recommended Security Precautions
In an advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), customers have been advised to download a detection tool developed by Kaseya that can scan a system for indicators of compromise. The advisory also urges customers to use two-factor authentication in their systems, to limit communication that has RMM (remote monitoring and management) capabilities, and to enable their firewalls.
Secureworks’ Chief Threat Intelligence Officer, Barry Hensley, has stated that less than ten organizations/businesses from the company’s customer base have been compromised by the attack and that all of them are ones that have been using Kaseya software. He notes that there hasn’t been any evidence of the hackers trying to spread their Ransomware laterally through the attacked network, which means that organizations that use Kaseya software more widely are likely to be affected more severely by the attack compared to those that only run such software on a couple of their servers.
Considering the mechanism of the attack, which targets a software vendor for MSPs who, in turn, provide their services to small and medium businesses and organizations, the importance of having a secure supply chain becomes especially apparent. Such attacks also show how the goals and tactics of threat actors are evolving and shifting, and serve as an indication of what’s to be expected in the near future of the cybercrime world as a whole.
The chief information security officer of Acronis, Kevin Reed, notes that MSPs are getting targeted due to the large attack surface that they provide to the threat actor if the initial hacking attempt is successful. A single MSP can be responsible for managing a hundred organizations and companies that would all become vulnerable if the MSP gets compromised.