
A New Ransomware Tsunami Hits Hundreds of Companies

IT WAS PROBABLY inevitable that the two dominant cybersecurity threats of the day, supply chain attacks and ransomware, would combine to wreak havoc. That's precisely what happened Friday afternoon, as the notorious REvil criminal group successfully encrypted the files of hundreds of businesses in one swoop, apparently thanks to compromised IT management software. And that's only the very beginning.

The situation is still developing and certain details, most importantly how the attackers infiltrated the software in the first place, remain unknown. But the impact has already been severe and will only get worse given the nature of the targets. The software in question, Kaseya VSA, is popular among so-called managed service providers, which provide IT infrastructure for companies that would rather outsource that sort of thing than run it themselves. This means that if you successfully hack an MSP, you suddenly have access to all of its customers. It's the difference between cracking safe deposit boxes one at a time and stealing the bank manager's skeleton key.

So far, according to security company Huntress, REvil has hacked eight MSPs. The three that Huntress works with directly account for 200 businesses that found their data encrypted Friday. It doesn't take much extrapolation to see how much worse it gets from there, especially given Kaseya's ubiquity.


"Kaseya is the Coca-Cola of remote management," says Jake Williams, chief technology officer of the incident response firm BreachQuest. "Because we're going into a holiday weekend, we won't even know how many victims are out there until Tuesday or Wednesday of next week. But it's monumental."

Worst of Both Worlds

MSPs have long been a popular target, particularly of nation-state hackers. Hitting them is a terrifically efficient way to spy, if you can manage it. As a Justice Department indictment showed in 2018, China's elite APT10 spies used MSP compromises to steal hundreds of gigabytes of data from dozens of companies. REvil has targeted MSPs before, too, using a foothold in a third-party IT company to hijack 22 Texas municipalities at once in 2019.


Supply chain attacks have become increasingly common as well, most notably in the devastating SolarWinds campaign last year that gave Russia access to multiple US agencies and countless other victims. Like MSP attacks, supply chain hacks also have a multiplicative effect; tainting one software update can yield hundreds of victims.

You can start to see, then, why a supply chain attack that targets MSPs has potentially exponential consequences. Throw system-crippling ransomware into the mix, and the situation becomes even more untenable. It brings to mind the devastating NotPetya attack, which also used a supply chain compromise to spread what at first seemed like ransomware but was really a nation-state attack perpetrated by Russia. A more recent Russian campaign comes to mind as well.

"This is SolarWinds, but with ransomware," says Brett Callow, a threat analyst at antivirus company Emsisoft. "When a single MSP is compromised, it can impact hundreds of end users. And in this case it seems that multiple MSPs have been compromised, so ..."

BreachQuest's Williams says that REvil appears to be asking victim companies for the equivalent of roughly $45,000 in the cryptocurrency Monero. If they fail to pay within a week, the demand doubles. Security news site BleepingComputer reports that REvil has asked some victims for $5 million for a decryption key that unlocks "all PCs of your encrypted network," a demand that may be aimed at the MSPs themselves rather than their clients.

Bad Times

It's still unclear how the initial compromise happened, although it appears so far to affect only those companies that run Kaseya VSA on-premises rather than as software-as-a-service from the cloud. "We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only," says Dana Liedholm, senior vice president of corporate communications for Kaseya. "We have proactively shut down our SaaS servers out of an abundance of caution."

That lines up with a notice that Kaseya posted this afternoon for its customers: "We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us," the company wrote. "It's critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA."


As of this writing, Kaseya's own VSA servers are still offline as well. In an emailed statement sent Friday night, Kaseya CEO Fred Voccola said that the company's SaaS customers were "never at risk," and that he expects service to be restored within 24 hours. The company says it has found the source of the vulnerability and is already working on a patch for on-premises customers who could be potential targets. He also put the estimated number of victims at "fewer than 40" worldwide, although again, hackers can use even a handful of MSP victims as a springboard to reach an order of magnitude more targets.

Regardless of how that initial compromise happened, the attackers have been able to distribute their malware bundle to MSPs. It includes the ransomware itself, a legitimate copy of a Windows Defender executable, and a malicious component signed with an expired but otherwise legitimate certificate that has not yet been revoked. The package is designed to circumvent Windows' malware checks with a technique called DLL side-loading: the trusted, signed executable loads the attacker's library from its own directory, which lets the ransomware run under the cover of a process that looks like Windows Defender.
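The detection logic a responder would want against the bundle described above, as an added example that is not part of the original article and not Kaseya's or any vendor's code. It runs over constructed image-load telemetry (process path and signer, DLL path and signer, signing-certificate expiry) and flags the three signals the paragraph implies: a signed vendor executable running from a directory where it does not normally live, a DLL sitting beside that executable that was not signed by the same publisher, and a DLL whose signing certificate had already expired when it was loaded. The expected-directory allow-list, the sample file names (`payload.dll`, `helper.dll`) and the publisher `Example Vendor Ltd` are assumptions made for the example, not indicators from the incident.

```python
"""Flag DLL side-loading candidates in image-load telemetry.

Added example (not from the article or from Kaseya). All sample paths,
signers and timestamps below are constructed for illustration; none are
indicators of compromise from the incident.
"""
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ImageLoad:
    """One 'process loaded a DLL' record, as an EDR or Sysmon-style source would emit it."""
    ts: datetime                       # time of the load event
    process: str                       # full path of the loading executable
    process_signer: Optional[str]      # Authenticode publisher of the executable, None if unsigned
    dll: str                           # full path of the loaded DLL
    dll_signer: Optional[str]          # Authenticode publisher of the DLL, None if unsigned
    dll_cert_not_after: Optional[datetime]  # expiry of the DLL's signing cert, None if unsigned


# Hypothetical allow-list: where binaries from a given publisher are expected to run from.
# In practice this comes from a golden image or software inventory, not a hard-coded table.
EXPECTED_DIRS: Dict[str, Set[str]] = {
    "Microsoft Windows": {
        r"C:\Program Files\Windows Defender",
        r"C:\Windows\System32",
    },
}


def _parent_dir(path: str) -> str:
    """Case-folded parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def side_loading_findings(ev: ImageLoad) -> List[str]:
    """Return the reasons an image-load event looks like DLL side-loading (empty if benign)."""
    reasons: List[str] = []

    # Signal 1: a signed, trusted executable running outside its expected install directory.
    expected = EXPECTED_DIRS.get(ev.process_signer or "")
    if expected is not None and _parent_dir(ev.process) not in {d.lower() for d in expected}:
        reasons.append("signed binary running outside its expected directory")

    # Signal 2: a DLL next to the executable (the classic side-load placement) whose
    # publisher differs from the executable's publisher.
    if _parent_dir(ev.dll) == _parent_dir(ev.process) and ev.dll_signer != ev.process_signer:
        reasons.append("DLL beside the executable is not signed by the same publisher")

    # Signal 3: the DLL's signing certificate had already expired at load time.
    if ev.dll_cert_not_after is not None and ev.dll_cert_not_after < ev.ts:
        reasons.append("DLL signing certificate was already expired at load time")

    # Signal 4: no signature at all on the DLL.
    if ev.dll_signer is None:
        reasons.append("DLL is unsigned")

    return reasons


def scan(events: List[ImageLoad]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every event with at least one finding."""
    results = []
    for i, ev in enumerate(events):
        reasons = side_loading_findings(ev)
        if reasons:
            results.append((i, reasons))
    return results


# Constructed sample telemetry (hypothetical paths, signers and dates).
T = datetime(2021, 7, 2, 18, 0)
SAMPLE_EVENTS: List[ImageLoad] = [
    # Benign: Defender engine in its normal directory loading a Microsoft DLL with a valid cert.
    ImageLoad(T, r"C:\Program Files\Windows Defender\MsMpEng.exe", "Microsoft Windows",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows", datetime(2023, 1, 1)),
    # Suspicious: a copied Defender engine in C:\Windows loading a third-party DLL from the
    # same directory, signed with a certificate that expired six months earlier.
    ImageLoad(T, r"C:\Windows\MsMpEng.exe", "Microsoft Windows",
              r"C:\Windows\payload.dll", "Example Vendor Ltd", datetime(2021, 1, 1)),
    # Lower-confidence: a system process loading an unsigned DLL from a user-writable path.
    ImageLoad(T, r"C:\Windows\System32\svchost.exe", "Microsoft Windows",
              r"C:\Users\Public\helper.dll", None, None),
]


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx].process} -> {SAMPLE_EVENTS[idx].dll}")
        for r in reasons:
            print(f"    - {r}")
```

The second sample event trips all three of the signals the article's description points at; on real telemetry the directory check is the one that pays off first, because the executable really is a legitimately signed vendor binary and signature checks alone will pass it. Expired certificates are not rejected by Windows when the signature carries a valid timestamp countersignature, so the expiry signal is a hunting lead rather than a block condition.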

A late Friday notice from the US Cybersecurity and Infrastructure Security Agency also failed to shed light on the root cause. "CISA is taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software," the agency wrote. "CISA encourages organizations to review the Kaseya advisory and immediately follow their guidance to shut down VSA servers."

Among the mysteries, and one likely never to be satisfactorily solved, is why REvil would take this route. It stands to make an enormous profit if enough victims pay up. But by hitting hundreds of companies at once, it has also drawn inordinate attention to itself, akin to Darkside's ransomware attack on Colonial Pipeline last month. It also remains to be seen what ripple effects the encryption of these hundreds of companies might have, especially since the attack was likely timed to land while most of them were short-staffed ahead of the July 4 holiday weekend in the US. In short, it's unbelievably reckless, even for a group not known for its restraint.

"I'm positive that these folks knew they were hitting lots and lots of customers and that they couldn't predict the entire impact," says Williams. "They knew that they were rolling heavy dice, and with this number of victims there's no way that this won't backfire."

What form that takes remains to be seen. But the next phase of ransomware's evolution is officially here, and the consequences are going to be extreme. They already are.
