.@CISAgov is taking action to understand and address the supply-chain #ransomware attack against Kaseya VSA and the multiple #MSPs that employ VSA software. Review the Kaseya advisory and immediately follow their guidance to shut down VSA servers: helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
We are monitoring a REvil 'supply chain' attack outbreak, which seems to stem from a malicious Kaseya update. REvil binary C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process.
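The side-loading pattern described in the tweet above is straightforward to hunt for with endpoint telemetry that records process creation and DLL loads with full paths. The Python below is an added example, not code from the tweet's author, from Kaseya or from any vendor. It runs two checks over constructed Sysmon-style records (a pipe-separated stand-in for EventID 1 process-create and EventID 7 image-load events): MsMpEng.exe started from outside the Defender install directories, and MsMpEng.exe loading mpsvc.dll from outside those directories. The trusted-directory list is an assumption about a typical Defender install, and the log format and sample events are constructed for the example.

```python
"""Hunt for the MsMpEng.exe / mpsvc.dll DLL side-loading pattern in endpoint telemetry.

Added example. The event format below is a constructed, pipe-separated stand-in
for Sysmon process-create (EventID 1) and image-load (EventID 7) records:
    <timestamp>|<EventID>|<Image>|<ImageLoaded or empty>
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Where a genuine Defender engine normally lives. Assumption about a typical
# install; add your fleet's Platform directories if they differ.
TRUSTED_DEFENDER_DIRS = (
    "c:/program files/windows defender/",
    "c:/programdata/microsoft/windows defender/platform/",
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    rule: str
    path: str


def _norm(path: str) -> str:
    """Case-fold and use forward slashes so prefix checks are robust."""
    return path.strip().lower().replace("\\", "/")


def _basename(path: str) -> str:
    return _norm(path).rsplit("/", 1)[-1]


def _in_trusted_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d) for d in TRUSTED_DEFENDER_DIRS)


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Parse one constructed record; return None for malformed lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) < 3 or not parts[1].isdigit() or not parts[2]:
        return None
    ev: Dict[str, object] = {"ts": parts[0], "eid": int(parts[1]), "image": parts[2]}
    if len(parts) > 3 and parts[3]:
        ev["loaded"] = parts[3]
    return ev


def check_event(ev: Dict[str, object]) -> List[Finding]:
    """Apply both rules to one event; only the Defender engine binary is of interest."""
    findings: List[Finding] = []
    image = str(ev["image"])
    if _basename(image) != "msmpeng.exe":
        return findings

    # Rule 1 (EID 1): the engine launched from somewhere other than its install dirs.
    # A signature check will not help here; the binary is a genuine Microsoft file.
    if ev["eid"] == 1 and not _in_trusted_dir(image):
        findings.append(Finding(str(ev["ts"]), "msmpeng_outside_defender_dir", image))

    # Rule 2 (EID 7): mpsvc.dll resolved from the application directory instead of
    # the Defender install, i.e. a side-load. Defender loading its own mpsvc.dll
    # from a trusted directory does not fire.
    loaded = str(ev.get("loaded", ""))
    if ev["eid"] == 7 and _basename(loaded) == "mpsvc.dll" and not _in_trusted_dir(loaded):
        findings.append(Finding(str(ev["ts"]), "mpsvc_dll_sideload", loaded))
    return findings


def scan(lines: List[str]) -> List[Finding]:
    out: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            out.extend(check_event(ev))
    return out


# Constructed sample telemetry: two benign Defender events, the side-load pair, noise.
SAMPLE_EVENTS = [
    r"2021-07-02T16:05:11Z|1|C:\Program Files\Windows Defender\MsMpEng.exe|",
    r"2021-07-02T16:05:12Z|7|C:\Program Files\Windows Defender\MsMpEng.exe|C:\Program Files\Windows Defender\mpsvc.dll",
    r"2021-07-02T16:07:40Z|1|C:\Windows\MsMpEng.exe|",
    r"2021-07-02T16:07:41Z|7|C:\Windows\MsMpEng.exe|C:\Windows\mpsvc.dll",
    r"2021-07-02T16:07:42Z|7|C:\Windows\MsMpEng.exe|C:\Windows\System32\kernel32.dll",
    "garbage line without fields",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.rule} {f.path}")
```

Both rules key on location rather than on the binary itself, because the MsMpEng.exe involved is a real, Microsoft-signed file and mpsvc.dll is a real Defender component; what is abnormal is the engine running from C:\Windows and resolving its DLL from the same directory. On a live estate, feed the same two rules from Sysmon EID 1 and EID 7 (or the equivalent EDR process and module events) and expect a legitimate Defender update to load mpsvc.dll only from its Platform directory.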
.@ATT Launches new managed comprehensive endpoint security solution with @SentinelOne. Endpoint protection against #cyberattacks and ransomware for advanced detection & response for greater network visibility. @ATTBusiness #ATTInfluencer #Cybersecurity s.bulk.ly/11Lf pic.twitter.com/QPRu93sLWW
The recent rise in ransomware attacks has made it clear -- now is the time to make historic investments in cybersecurity. Thank you, Chair @RepRoybalAllard, for your commitment to funding @CISAgov in line with @CyberSolarium’s recommendation! thehill.com/policy/cybersecurity/560806-house-lawmakers-propose-major-budget-increase-for-key-cyber-agency?rl=1
Huntress, a security company, said on Friday it believed the Russia-linked REvil ransomware gang was to blame. Last month, the FBI blamed the same group for paralyzing the meat packer JBS.
Active since April 2019, REvil develops network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion’s share of ransoms. JBS, a Brazil-based meat company, said it had paid the equivalent of an $11m ransom, escalating calls by US law enforcement to bring such groups to justice.
On a visit to Michigan, Biden was asked about the hack while shopping for pies at a cherry orchard. The president said “we’re not certain” who is behind the attack.
“The initial thinking was it was not the Russian government but we’re not sure yet,” he said.
Biden said he had directed US intelligence agencies to investigate, and the US would respond if it determined Russia was to blame. At a summit in Geneva on 16 June, Biden urged Vladimir Putin to crack down on hackers from Russia and warned of consequences if ransomware attacks continued.
The hackers who struck on Friday hijacked widely used technology management software from a supplier, Kaseya, that has headquarters in Dublin and Miami. They changed a tool called VSA, used by companies that manage technology at smaller businesses, then encrypted the files of those providers’ customers.
Kaseya said it was investigating a “potential attack” on VSA, which is used by IT professionals to manage servers, desktops, network devices and printers. Huntress said it was tracking eight managed service providers that had been used to infect about 200 clients.
The effects were felt internationally. In Sweden, most of the grocery chain Coop’s 800 stores were unable to open because cash registers weren’t working, according to the public broadcaster. State railways and a major pharmacy chain were also affected.
“This is a colossal and devastating supply chain attack,” said John Hammond, Huntress senior security researcher, referring to an increasingly high-profile technique of hijacking one piece of software to compromise hundreds or thousands of users.
Kaseya’s chief executive, Fred Voccola, said the company believed it had identified the source of the vulnerability and would “release that patch as quickly as possible to get our customers back up and running”.
Voccola said fewer than 40 Kaseya customers were known to be affected, but the ransomware could be affecting hundreds of companies that rely on Kaseya clients.
Voccola said the problem was only affecting “on-premise” customers, organizations running their own data centers. It was not affecting cloud-based services running software for customers, though Kaseya had shut down those servers as a precaution, he said.
The company said “customers who experienced ransomware and receive a communication from the attackers should not click on any links – they may be weaponised”.
A Gartner analyst, Katell Thielemann, said it was clear Kaseya “reacted with an abundance of caution. But the reality of this event is it was architected for maximum impact, combining a supply chain attack with a ransomware attack.”
Complicating the response was that the attack happened at the start of a major holiday in the US, when most corporate IT teams are not fully staffed. That could leave organizations unable to address other security vulnerabilities such as a dangerous Microsoft bug affecting software for print jobs, said James Shank, a threat intelligence analyst.
“Customers of Kaseya are in the worst possible situation,” Shank said. “They’re racing against time to get the updates out on other critical bugs.”
Shank said “it’s reasonable to think that the timing was planned” for the holiday.
The US Cybersecurity and Infrastructure Security Agency (Cisa) said it was “taking action to understand and address the recent supply-chain ransomware attack”. Such attacks have crept to the top of the cybersecurity agenda after the US accused hackers of operating at the Russian government’s direction and tampering with a network monitoring tool built by a Texas software company, SolarWinds.
On Thursday, US and British authorities said Russian spies accused of interfering in the 2016 US election had spent much of the past two years abusing virtual private networks (VPNs) to target organizations worldwide. Russia’s embassy in Washington denied the charge.
Read full article at The Guardian
03 July, 2021 - 05:02pm
WASHINGTON (AP) — A ransomware attack paralyzed the networks of at least 200 U.S. companies on Friday, according to a cybersecurity researcher whose company was responding to the incident.
The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, said John Hammond of the security firm Huntress Labs. He said the criminals targeted a software supplier called Kaseya, using its network-management package as a conduit to spread the ransomware through cloud-service providers. Other researchers agreed with Hammond’s assessment.
“Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business,” Hammond said in a direct message on Twitter. “This is a colossal and devastating supply chain attack.”
Such cyberattacks typically infiltrate widely used software and spread malware as it updates automatically.
Brett Callow, a ransomware expert at the cybersecurity firm Emsisoft, said he was unaware of any previous ransomware supply-chain attack on this scale. There have been others, but they were fairly minor, he said.
“This is SolarWinds with ransomware,” he said. He was referring to a Russian cyberespionage hacking campaign discovered in December that spread by infecting network management software to infiltrate U.S. federal agencies and scores of corporations.
Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he was already working with six companies hit by the ransomware. It’s no accident that this happened before the Fourth of July weekend, when IT staffing is generally thin, he added.
“There’s zero doubt in my mind that the timing here was intentional,” he said.
Hammond of Huntress said he was aware of four managed-services providers — companies that host IT infrastructure for multiple customers — being hit by the ransomware, which encrypts networks until the victims pay off attackers. He said thousands of computers were hit.
“We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted,” Hammond said.
The federal Cybersecurity and Infrastructure Security Agency said in a statement late Friday that it is closely monitoring the situation and working with the FBI to collect more information about its impact.
CISA urged anyone who might be affected to “follow Kaseya’s guidance to shut down VSA servers immediately.” Kaseya runs what’s called a virtual system administrator, or VSA, that’s used to remotely manage and monitor a customer’s network.
The privately held Kaseya says it is based in Dublin, Ireland, with a U.S. headquarters in Miami. The Miami Herald recently described it as “one of Miami’s oldest tech companies” in a report about its plans to hire as many as 500 workers by 2022 to staff a recently acquired cybersecurity platform.
Brian Honan, an Irish cybersecurity consultant, said by email Friday that “this is a classic supply chain attack where the criminals have compromised a trusted supplier of companies and have abused that trust to attack their customers.”
He said it can be difficult for smaller businesses to defend against this type of attack because they “rely on the security of their suppliers and the software those suppliers are using.”
The only good news, said Williams, of Rendition Infosec, is that “a lot of our customers don’t have Kaseya on every machine in their network,” making it harder for attackers to move across an organization’s computer systems.
That makes for an easier recovery, he said.
Active since April 2019, the group known as REvil provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion’s share of ransoms.
REvil is among ransomware gangs that steal data from targets before activating the ransomware, strengthening their extortion efforts. The average ransom payment to the group was about half a million dollars last year, said the Palo Alto Networks cybersecurity firm in a recent report.
Some cybersecurity experts predicted that it might be hard for the gang to handle the ransom negotiations, given the large number of victims — though the long U.S. holiday weekend might give it more time to start working through the list.
Bajak reported from Boston; O’Brien contributed from Providence, Rhode Island.
03 July, 2021 - 05:02pm
On Saturday morning, the information technology company Kaseya confirmed that it had suffered a “sophisticated cyberattack” on its VSA software — a set of tools used by IT departments to manage and monitor computers remotely. The company said that only about 40 customers had been affected.
“I wouldn’t be surprised if it was thousands of companies,” said Fabian Wosar, the chief technology officer of Emsisoft, a company that provides software and advice to help organizations defend against ransomware attacks. “We just don’t know yet because of the long weekend in the U.S.”
A major grocery chain in Sweden said Saturday that its IT provider had been hit by an attack and that its cash registers were locked up. It had to shut down hundreds of stores, the company, Coop Sweden, said on its Facebook page.
Because of the vast number of companies potentially affected, the attack could prove to be one of the biggest in history. Researchers said REvil, the hacker group that attacked the meat processor JBS this spring, was behind this attack.
The assault could increase tensions between the United States and Russia, as it comes just weeks after President Biden met with Russian President Vladimir Putin in Geneva, warning him that the United States would hold Moscow accountable for cyberattacks that originate in Russia. Many cybersecurity threat analysts think that REvil operates largely from Russia. The recent spate underscores the challenge the Biden administration faces in deterring ransomware attacks conducted by criminals given safe harbor in countries like Russia.
Instead of a careful, targeted attack on a single large company, this hack seems to have used managed-service providers to spread its harm indiscriminately through a huge network of smaller companies. Unlike most ransomware attacks, it doesn’t appear that REvil tried to steal sensitive data before locking its victims out of their systems, Wosar said.
“At this point, at least it seems it was more a spray-and-pray attack. They didn’t try to exfiltrate data from all the victims,” he said. “It was more like carpet bombing.”
“We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it,” Kaseya CEO Fred Voccola wrote in a statement Friday night.
Researchers said cybercriminals were sending two different ransom notes on Friday — demanding $50,000 from smaller companies and $5 million from larger ones.
The U.S. Cybersecurity and Infrastructure Security Agency urged companies in a statement to follow Kaseya’s advice and said it is “taking action to understand and address the recent supply-chain ransomware attack.”
“It is absolutely the biggest non-nation-state supply-chain cyberattack that we’ve ever seen,” Allan Liska, a researcher with the cybersecurity firm Recorded Future, said Friday. “And it’s probably the biggest ransomware attack we’ve seen, at least the biggest since WannaCry.”
He noted that it could be the largest number of companies hit in one ransomware attack. The companies affected could include a wide range of small to large firms, and many are likely to be small to midsize businesses that use managed IT services. Kaseya also counts a number of state and local governments as customers, Liska said.
The WannaCry computer worm affected hundreds of thousands of people in 2017. The National Security Agency eventually linked the North Korean government to the creation of the worm.
Ransomware attacks increased significantly in frequency and severity during 2020. A report from a task force of more than 60 experts said nearly 2,400 governments, health-care systems and schools in the country were hit by ransomware in 2020. Organizations paid attackers more than $412 million in ransoms last year, according to the analysis firm Chainalysis.
After a May attack on Colonial Pipeline — which led to panicked lines at gas pumps and empty fuel stations — the U.S. government increased its emphasis on addressing cybersecurity issues and urged corporate America to strengthen its computer security.
Ransomware attacks have been on the rise as hackers band together and form cybercriminal gangs to extort companies for payment. The attacks are often carried out by attackers in Russia and Eastern Europe.
Hackers gain access to a company’s computer system using tactics such as sending “phishing” emails, which are designed to trick employees into inadvertently installing malware on their computers.
Once inside, cybercriminals will lock down parts of a company’s networks and demand payment to release them back to the owner. Additionally, hackers often steal private company information and threaten to leak it online if they are not paid.
It is still unclear how attackers gained access to Kaseya’s system. The company has been a popular target of REvil, Liska said, probably because it serves so many other organizations as customers.
The attackers included a ransom note directing victims to a website to make a payment, although Liska said the site had been down all of Friday afternoon and evening.
03 July, 2021 - 05:02pm
According to Coop, one of Sweden’s biggest grocery chains, a tool used to remotely update its checkout tills was affected by the attack, meaning payments could not be taken.
“We have been troubleshooting and restoring all night, but have communicated that we will need to keep the stores closed today,” Coop spokesperson Therese Knapp told Swedish Television.
The Swedish news agency TT said Kaseya technology was used by the Swedish company Visma Esscom, which manages servers and devices for a number of Swedish businesses.
State railways services and a pharmacy chain also suffered disruption.
“They have been hit in various degrees,” Visma Esscom chief executive Fabian Mogren told TT.
Defence Minister Peter Hultqvist told Swedish Television the attack was “very dangerous” and showed how business and state agencies needed to improve their preparedness.
“In a different geopolitical situation, it may be government actors who attack us in this way in order to shut down society and create chaos,” he said.
In Friday’s attack, the hackers changed a Kaseya tool called VSA, used by companies that manage digital services for smaller businesses. They then simultaneously encrypted the files of those providers’ customers, promising to decrypt them in return for payment.
Reporting by Johan Ahlander; Editing by Kevin Liffey
02 July, 2021 - 09:41pm
In Sweden, a grocery chain temporarily closed its doors after the attack. Some companies have been asked for $5 million in ransom.
Hundreds of businesses around the world, including one of Sweden’s largest grocery chains, grappled on Saturday with potential cybersecurity vulnerabilities after a software provider that provides services to more than 40,000 organizations, Kaseya, said it had been the victim of a “sophisticated cyberattack.”
Security researchers said the attack may have been carried out by REvil, a Russian cybercriminal group that the F.B.I. has said was behind the hacking of the world’s largest meat processor, JBS, in May.
In Sweden, the grocery retailer Coop was forced to close at least 800 stores on Saturday, according to Sebastian Elfors, a cybersecurity researcher for the security company Yubico. Outside Coop stores, signs turned customers away: “We have been hit by a large IT disturbance and our systems do not work.”
Mr. Elfors said a Swedish railway and a major pharmacy chain had also been affected by the Kaseya attack. “It’s totally devastating,” he said.
Asked about the cyberattack after he landed in Michigan on Saturday on a trip to celebrate Covid-19’s retreat in the United States, President Biden said he had been delayed in getting off the plane because he was being briefed about the attack. He said he had directed the “full resources of the federal government” to investigate. “The initial thinking was it was not the Russian government, but we’re not sure yet,” he said.
The attack became public on Friday, when Kaseya said that it was investigating the possibility that it had been the victim of a cyberattack. The company urged customers that use its systems management platform, called VSA, to immediately shut down their servers to avoid the possibility of being compromised by attackers.
“We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only,” Kaseya posted on its website, referring to organizations that keep their software at their own sites rather than housing it with a cloud provider. “We are in the process of investigating the root cause of the incident with the utmost vigilance.”
Fred Voccola, Kaseya’s chief executive, said in a statement on Saturday that fewer than 40 customers had been affected by the attack, but those customers include so-called managed service providers, which can each provide security and tech tools to dozens or even hundreds of companies.
That has magnified the attack’s severity, said John Hammond, a researcher at the cybersecurity company Huntress Labs.
“What makes this attack stand out is the trickle-down effect, from the managed service provider to the small business,” Mr. Hammond said. “Kaseya handles large enterprise all the way to small businesses globally, so ultimately, it has the potential to spread to any size or scale business.”
Some of the affected companies were being asked for $5 million in ransom, Mr. Hammond said. Thousands of companies were at risk, he said.
The United States Cybersecurity and Infrastructure Security Agency described the incident in a statement on its website on Friday as a “supply-chain ransomware attack.” It urged Kaseya’s customers to shut down their servers and said it was investigating.
Hackers have carried out a slate of prominent cyberattacks against U.S. companies in recent months, including JBS and Colonial Pipeline, which moves fuel along the East Coast. Both were ransomware attacks, in which hackers try to shut down systems until a ransom is paid. The video game company Electronic Arts was also recently hacked, but its data was not held for ransom.
02 July, 2021 - 06:25pm
A Russia-based hacking group known as REvil has compromised the computer systems of at least 1,000 businesses by targeting managed service providers, according to the cybersecurity firm Huntress Labs Inc.
Why it matters: It's a large-scale ransomware campaign — the full scope of which is not yet known — and comes on the heels of several other high-profile ransomware attacks this year.
Of note via Bloomberg: "Such attacks can have a multiplying effect, since the hackers may then gain access and infiltrate the MSPs’ customers too."
The latest: President Biden said Saturday that the U.S. government is still not certain who is behind the hack, according to Reuters.
What they're saying: John Hammond, a cybersecurity researcher at Huntress Labs, said more than 20 MSPs have been impacted. He noted the criminals targeted software supplier Kaseya, using its network-management package to spread the ransomware.
Cybersecurity researcher Jake Williams, president of Rendition Infosec, told AP it's no accident that this happened before a holiday weekend, when IT staffing is generally thin.
The privately held Kaseya is based in Dublin, with a U.S. headquarters in Miami. The Miami Herald reported Kaseya's plans to hire as many as 500 workers by 2022 to staff a recently acquired cybersecurity platform.
The big picture: The breach comes after a summit between President Biden and Russian President Vladimir Putin, during which Biden threatened to use the U.S.' "significant" cyber capabilities to respond if critical infrastructure entities are targeted by Russian hackers.