.@CISAgov is taking action to understand and address the supply-chain #ransomware attack against Kaseya VSA and the multiple #MSPs that employ VSA software. Review the Kaseya advisory and immediately follow their guidance to shutdown VSA servers: helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
We are monitoring a REvil 'supply chain' attack outbreak, which seems to stem from a malicious Kaseya update. REvil binary C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process.
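The tweet above names two file-system artefacts: a copy of Microsoft Defender's engine placed at C:\Windows\MsMpEng.exe and a payload named mpsvc.dll side-loaded from the same directory. As an added defender-side example (not code from the tweet's author, Kaseya, or any vendor), the following Python flags both patterns in simplified, constructed Sysmon-style events; the list of directories the genuine Defender engine runs from is a baseline I supply here, not something stated in the tweet.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Baseline of directories the genuine Microsoft Defender engine runs from.
# Assumption: this allow-list is supplied here as the comparison baseline;
# it is not taken from the tweet above.
LEGIT_DEFENDER_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)


def _under(path: str, parent: str) -> bool:
    """Case-insensitive check that a Windows path lies beneath a parent directory."""
    p = [s.lower() for s in PureWindowsPath(path).parts]
    q = [s.lower() for s in PureWindowsPath(parent).parts]
    return p[: len(q)] == q


def _in_defender_dir(path: str) -> bool:
    return any(_under(path, d) for d in LEGIT_DEFENDER_DIRS)


def classify(event: dict) -> Optional[str]:
    """Return a finding for one event, or None if it looks benign.

    Event shape (constructed, simplified Sysmon-style records):
      EventID 1 = process create, carries 'Image'
      EventID 7 = image load, carries 'Image' and 'ImageLoaded'
    """
    image = event.get("Image", "")
    if event.get("EventID") == 1:
        # Pattern from the tweet: a copy of MsMpEng.exe dropped into C:\Windows
        # and started from there, so the encryptor runs under a trusted name.
        if PureWindowsPath(image).name.lower() == "msmpeng.exe" and not _in_defender_dir(image):
            return "MsMpEng.exe running outside the Defender install directories"
    elif event.get("EventID") == 7:
        loaded = event.get("ImageLoaded", "")
        # Pattern from the tweet: the payload named mpsvc.dll side-loaded
        # from C:\Windows next to the copied binary.
        if PureWindowsPath(loaded).name.lower() == "mpsvc.dll" and not _in_defender_dir(loaded):
            return "mpsvc.dll loaded from outside the Defender install directories"
    return None


def findings(events) -> list:
    """Run classify() over a batch and return (image, finding) pairs."""
    out = []
    for e in events:
        f = classify(e)
        if f:
            out.append((e.get("Image", ""), f))
    return out


# Constructed sample telemetry: one genuine Defender start, one genuine
# module load, and the two artefacts described in the tweet.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\mpsvc.dll"},
    {"EventID": 1, "Image": r"C:\Windows\MsMpEng.exe"},
    {"EventID": 7, "Image": r"C:\Windows\MsMpEng.exe",
     "ImageLoaded": r"C:\Windows\mpsvc.dll"},
]

if __name__ == "__main__":
    for image, finding in findings(SAMPLE_EVENTS):
        print(f"{finding}: {image}")
```

Running the block against the constructed events reports only the two C:\Windows entries; the genuine Defender start and module load pass silently.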
04 July, 2021 - 04:09pm
Russia-based hackers have launched a cyberattack on at least 200 information technology management firms in the United States and demanded up to $5 million in ransom, it has been revealed.
The REvil gang, a major Russian-speaking ransomware syndicate that was linked to the JBS meat processor hacking incident, appears to be behind the attack despite President Joe Biden's threat earlier this month of 'retaliation' to Russian President Vladimir Putin if the hacks continued.
The massive scale of the attack, which paralyzed the networks of at least 200 U.S. companies on Friday, was revealed by a cybersecurity researcher whose company was responding to the incident.
John Hammond of the security firm Huntress Labs said the criminals targeted a software supplier called Kaseya, which earlier in the day had said in a press release that the 'potential attack' had been 'limited to a small number of on-premise customers only.'
'We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us,' the company wrote.
'It's critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.'
The hackers used Kaseya's network-management package as a conduit to spread the ransomware through cloud-service providers, Hammond said. Other researchers agreed with Hammond's assessment.
'Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business,' Hammond told the Associated Press in a direct message on Twitter.
'This is a colossal and devastating supply chain attack.'
Such cyberattacks typically infiltrate widely used software and spread malware as it updates automatically.
It was not immediately clear how many Kaseya customers might be affected or who they might be.
Kyle Hanslovan, CEO of Huntress Labs, told CNN that the attackers demanded a ransom of $5 million from at least one of the companies.
Cyber security expert Kevin Beaumont tweeted that the REvil ransom sought about $45,000 per victim, but added that 'there’s no way to pay it.'
'The payload has Donald Trump references (makes a change to references to Biden being a pedo etc),' Beaumont tweeted. 'It’s all one affiliate a la Darkside, so it’s possible they did too wide targeting (ie made a boo boo).'
He said that REvil also made references to Black Lives Matter in the registry key set of their ransomware attack.
Beaumont said that Kaseya 'have shut down Kaseya Cloud entirely.'
Brett Callow, a ransomware expert at the cybersecurity firm Emsisoft, said he was unaware of any previous ransomware supply-chain attack on this scale. There have been others, but they were fairly minor, he said.
'This is SolarWinds with ransomware,' he said.
Callow's comment referred to a Russian cyberespionage hacking campaign discovered in December that spread by infecting network management software to infiltrate U.S. federal agencies and scores of corporations.
Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he was already working with six companies hit by the ransomware. It's no accident that this happened before the Fourth of July weekend, when IT staffing is generally thin, he added.
'There's zero doubt in my mind that the timing here was intentional,' he said.
Hammond of Huntress said he was aware of four managed-services providers — companies that host IT infrastructure for multiple customers — being hit by the ransomware, which encrypts networks until the victims pay off attackers.
He said thousands of computers were hit.
'We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted,' Hammond said.
Hammond wrote on Twitter: 'Based on everything we are seeing right now, we strongly believe this (is) REvil/Sodinokibi.' The FBI linked the same ransomware provider to a May attack on JBS SA, a major global meat processor.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency said in a statement late Friday that it is closely monitoring the situation and working with the FBI to collect more information about its impact.
CISA urged anyone who might be affected to 'follow Kaseya's guidance to shut down VSA servers immediately.' Kaseya runs what's called a virtual system administrator, or VSA, that's used to remotely manage and monitor a customer's network.
Christopher Krebs, former CISA director, said on Twitter that: 'News Flash: cybercriminals are a$holes.'
'Keep all the Incident Response teams in mind this holiday weekend as they're in the thick of it...again,' Krebs wrote.
'If you use Kaseya VSA, shut it down *now* until told to reactivate and initiate IR.'
The privately held Kaseya says it is based in Dublin, Ireland, with a U.S. headquarters in Miami. The Miami Herald recently described it as 'one of Miami's oldest tech companies' in a report about its plans to hire as many as 500 workers by 2022 to staff a recently acquired cybersecurity platform.
Brian Honan, an Irish cybersecurity consultant, said by email Friday that 'this is a classic supply chain attack where the criminals have compromised a trusted supplier of companies and have abused that trust to attack their customers.'
He said it can be difficult for smaller businesses to defend against this type of attack because they 'rely on the security of their suppliers and the software those suppliers are using.'
The only good news, said Williams, of Rendition Infosec, is that 'a lot of our customers don't have Kaseya on every machine in their network,' making it harder for attackers to move across an organization's computer systems.
That makes for an easier recovery, he said.
Active since April 2019, the group known as REvil provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion's share of ransoms.
REvil is among ransomware gangs that steal data from targets before activating the ransomware, strengthening their extortion efforts.
The average ransom payment to the group was about half a million dollars last year, said the Palo Alto Networks cybersecurity firm in a recent report.
Some cybersecurity experts predicted that it might be hard for the gang to handle the ransom negotiations, given the large number of victims — though the long U.S. holiday weekend might give it more time to start working through the list.
Earlier this month, Biden did not rule out retaliation against Russian President Vladimir Putin for cyber attacks on American companies, saying: 'We're looking closely at that issue.'
However, when asked if he believed he was being tested by his Russian counterpart, Biden said: 'No.'
White House Press Secretary Jen Psaki has said that Biden 'certainly thinks that President Putin and the Russian government has a role to play in stopping and preventing' cyber attacks on U.S. companies.
Earlier this month, it was also revealed that the U.S. Department of Justice is elevating investigations of ransomware attacks to a similar priority as terrorism in the wake of the Colonial Pipeline hack and mounting damage caused by cyber criminals, a senior department official told Reuters.
Internal guidance sent to U.S. attorney's offices across the country said information about ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington.
The letter was sent to Deputy Attorney General Lisa Monaco and was titled 'Guidance Regarding Investigations and Cases Related to Ransomware and Digital Extortion,' according to Cyber Scoop News which obtained a copy of the letter.
‘Recent ransomware attacks – including the attack last month on Colonial Pipeline – underscore the growing threat that ransomware and digital extortion pose to the Nation, and the destructive and devastating consequences ransomware attacks can have on critical infrastructure,' Monaco wrote in the letter.
'A central goal of the recently launched Ransomware and Digital Extortion Task Force is to ensure that we bring to bear the full authorities and resources of the Department in confronting the many dimensions and root causes of this threat.'
The guidance added: 'To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking.'
04 July, 2021 - 04:09pm
REvil, the group blamed for the May 30 ransomware attack of meatpacking giant JBS SA, is believed to be behind hacks on at least 20 managed-service providers, which provide IT services to small- and medium-sized businesses. More than 1,000 businesses have already been impacted, a figure that’s expected to grow, according to the cybersecurity firm Huntress Labs Inc.
“Based on a combination of the service providers reaching out to us for assistance along with the comments we’re seeing in the thread we are tracking on our Reddit, it’s reasonable to think this could potentially be impacting thousands of small businesses,” according to John Hammond, a cybersecurity researcher at Huntress Labs.
Biden said he had ordered a “deep dive” by U.S. intelligence officials on what happened in the attacks. At this point, he said “we’re not sure” that Russia is behind them.
“I directed the intelligence community to give me a deep dive on what’s happened and I’ll know better tomorrow,” Biden said, recalling that he told Putin during their meeting in June that the U.S. would respond to cyber transgressions. He added that he hasn’t called the Russian president about the latest case.
“We’re not sure it’s the Russians,” he said. “The initial thinking was, it was not Russian government, but we’re not sure yet.”
Attacking MSPs is a particularly devious method of hacking, since it may allow the attackers to then infiltrate their customers as well. Hammond said more than 20 MSPs have been affected so far.
In Sweden, most of grocery chain Coop’s more than 800 stores couldn’t open on Saturday after the attack led to a malfunction of their cash registers, spokesperson Therese Knapp told Bloomberg News.
There are victims in 17 countries so far, including the U.K., South Africa, Canada, Argentina, Mexico and Spain, according to Aryeh Goretsky, a distinguished researcher at cybersecurity firm ESET.
The ransomware attack is the latest in a string of devastating hacks in recent months, making cybersecurity an increasingly pressing national security issue for the Biden administration. At a summit on June 16, Biden warned Russian President Putin that 16 types of critical infrastructure -- including food and agriculture, emergency services and health care -- were off limits to future attacks. It’s not yet known if the U.S. victims of the latest ransomware attack fell within those sectors.
A software supply chain attack revealed in December included nine U.S. agencies and about 100 businesses as victims. Russian-state sponsored hackers were accused of the attack, where hackers implanted malicious code in updates for popular software for SolarWinds Corp. Customers who downloaded the updates inadvertently created a backdoor that the hackers could then exploit. It was particularly sophisticated and highlighted the terrifying potential of supply-chain hacks.
More recently, ransomware attacks on Colonial Pipeline Co., the operator of the nation’s largest fuel pipeline, and JBS have revealed gaping security vulnerabilities in crucial U.S. businesses. Both Colonial and JBS paid the hackers millions of dollars. The hackers behind the Colonial attack, a group called DarkSide, have also been tied to Russia.
Friday’s attack appears to combine a supply-chain attack with ransomware, vastly increasing the number of potential victims and presumably, the payout. Ransomware is a type of attack in which hackers encrypt computer files and then demand payment to unlock them.
Among the companies targeted was Kaseya Ltd., a Miami-based developer of software for managed service providers, as a way to attack its customers, according to cybersecurity experts.
“What makes this attack stand out is the trickle-down effect, from the managed service provider to the small business,” Hammond said. “Kaseya handles large enterprise all the way to small businesses globally, so ultimately, it has the potential to spread to any size or scale business.”
In a statement, Kaseya said it has notified the FBI. The company said it had so far identified less than 40 customers that were impacted by the attack.
Allan Liska, a senior threat analyst at cybersecurity firm Recorded Future Inc., said REvil was behind the attacks.
Eric Goldstein, the executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency said the group is closely monitoring this situation.
“We are working with Kaseya and coordinating with the FBI to conduct outreach to possibly impacted victims,” he said in a statement. “We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately. As always, we stand ready to assist any impacted entities.”
Two of the affected MSPs include Synnex Corp. and Avtex LLC, according to two people familiar with the breaches. Avtex President George Demou told Bloomberg News in a text message on Friday night, “Hundreds of MSPs have been impacted by what appears to be a Global Supply Chain hack.”
“We are working with those customers who have been impacted to help them to recover,” he added.
A Synnex spokesperson didn’t immediately respond to requests for comment. The Republican National Committee said it was alerted that its vendor Synnex may have been affected.
“Today, Microsoft informed us that one of our vendors, Synnex, systems may have been exposed,” said Mike Reed, a spokesman for the RNC. “There is no indication the RNC was hacked or any RNC information was stolen. We are investigating the matter and have informed DHS and the FBI.”
WASHINGTON (Reuters) -Hundreds of American businesses were hit Friday by an unusually sophisticated ransomware attack that hijacked widely used technology management software from a Miami-based supplier called Kaseya. The attackers changed a Kaseya tool called VSA, used by companies that manage technology at smaller businesses. Security firm Huntress said it was tracking eight managed service providers that had been used to infect some 200 clients.
Kaseya is warning of one of the largest supply chain ransomware attacks to date, with over 200 companies affected.
04 July, 2021 - 04:09pm
The ransomware group that collected an $11 million payment from meat producer JBS SA about a month ago has begun a widespread attack that has likely infected hundreds of organizations world-wide and tens of thousands of computers, according to cybersecurity experts.
The group, known as REvil, has focused its attack on Kaseya VSA, software used by large companies and technology-service providers to manage and distribute software updates to systems on computer networks, according to security researchers and VSA’s maker, Kaseya Ltd.
REvil is a well-known purveyor of ransomware—malicious software that locks up a victim’s computer until a digital ransom is paid, typically in the form of bitcoin. This latest attack appears to be its largest ever. The incident may have infected as many as 40,000 computers world-wide, according to cybersecurity experts.
The use of trusted partners like software makers or service providers to identify and compromise new victims, often called a supply-chain attack, is unusual in cases of ransomware, in which hackers shut down the systems of institutions and demand payment to allow them to regain control. The Kaseya incident appears to be the largest and most significant such attack to date, said Brett Callow, a threat analyst for cybersecurity company Emsisoft.
Among those affected was a supermarket chain in Sweden. The company said that in some cases its cash registers were hit in the attack, prompting many of its stores to remain shut Saturday.
Upon learning of the attack Friday, Kaseya immediately shut down its servers and began warning customers, the company said. Friday evening it said only customers running the software on their own servers, rather than users of Kaseya’s online service, appeared to have been affected. In an update Saturday morning, the company recommended that users of its software keep those products offline until further notice. The company also is keeping its own cloud-based services offline until it determines that it can safely restart them, Kaseya said.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency advised Kaseya users to shut down their VSA servers immediately. “CISA is closely monitoring this situation and we are working with the FBI to gather information about its impact,” said Eric Goldstein, the agency’s executive assistant director for cybersecurity.
Kaseya says that fewer than 40 of its more than 36,000 customers were affected by the incident. However, more than 30 of these customers were service providers, a company spokeswoman said Saturday. Those providers, in turn, have many more customers that could have potentially been hit.
Most of the customers of these providers are small and midsize organizations, said Kyle Hanslovan, chief executive of the security firm Huntress.
While the cause of the attack is still being investigated, it is “very likely there is some vulnerability or a flaw that is being mass-exploited in VSA,” Mr. Hanslovan said.
Ransomware groups, including REvil, have targeted service providers in the past, including with a 2019 attack that hit at least 22 municipalities in Texas, said Emsisoft’s Mr. Callow.
“I’ve never seen a ransomware attack impact so many companies at one time,” said Al Saikali, a partner at law firm Shook, Hardy & Bacon LLP, which was brought in to consult on six ransomware attacks related to the VSA incident Friday. On his busiest previous day, he said, he had signed up two clients. Ransom demands in the six attacks ranged from $25,000 to $150,000, he said.
For service providers themselves, the demands are higher—in one case, $5 million, Mr. Hanslovan said.
Ransomware has emerged as one of the country’s most serious security problems in recent years, as hackers have targeted businesses, hospitals, schools and other institutions. Attackers have grown bolder as millions of people began using less-secure home internet connections for work and school during pandemic lockdowns.
The ransomware phenomenon shot into the spotlight in May when an attack forced Colonial Pipeline Co., a major shipper of gasoline to the U.S. East Coast, to shut down a pipeline, drying up supplies at gas stations across the Southeast. Intelligence officials have linked this attack and others to Russia, a charge officials there denied.
President Biden, traveling in Michigan, told reporters he had been briefed on the attack and that U.S. officials were trying to determine the extent of the Russian government’s involvement.
“First of all we’re not sure who it is for certain,” Mr. Biden said when asked about the attack. “The initial thinking was it was not the Russian government. But we’re not sure yet.”
He added that he has warned Russian President Vladimir Putin that the U.S. would respond to Russian government-sponsored cyberattacks. At a recent summit with Mr. Putin, the president addressed cybersecurity and said critical infrastructure should be off-limits to attacks.
About a month ago, a REvil attack temporarily knocked out plants that process one-fifth of the U.S. meat supply. JBS’s U.S. unit paid $11 million in ransom to the attackers, according to a company executive.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
CEO Fred Voccola tells CRN how Kaseya is assisting MSPs compromised in the ransomware attack, what the company must do before restoring access to its VSA tool, and why cryptocurrency poses such an immense danger to society.
The REvil gang has pulled off one of the biggest ransomware heists in years, exploiting a vulnerability in Kaseya’s on-premise VSA remote monitoring and management tool to compromise roughly 50 MSPs and encrypt the data and demand ransom payments from more than 1,000 of their end user customers.
Kaseya CEO Fred Voccola spoke with CRN Saturday afternoon to discuss how Kaseya is assisting impacted MSPs, what the company must do before restoring access to its VSA tool, and why the company decided to terminate access to the SaaS version of its VSA software even though only on-premise customers were compromised.
“We spend tens of millions of dollars in our security organization on R&D, best practices, external pen tests. You name it, we do it,” Voccola told CRN. “The question then becomes, ‘How good are you at preventing it?’ Well, no one is. The bad guys are highly motivated. It’s ’How quickly and effectively can you respond to make sure that you minimize the impact?’”
Here are Voccola’s major takeaways on what the ransomware attack means for Kaseya, its MSPs, and the cybersecurity industry at large.
04 July, 2021 - 02:37pm
In what is shaping up to be one of the largest ransomware attacks in history, the hackers hijacked a widely used management software from the international IT firm Kaseya to push out a “malicious update” to deploy its malware “to companies across the world,” the Record reports.
The culprit is suspected to be REvil, a notorious cybercriminal syndicate believed to have ties to Russia that’s previously gone after high-profile targets such as Apple and Acer, according to the security firm Huntress Labs. The group is also believed to be behind last month’s successful attack on the world’s largest meat processing company, JBS, that extorted $11 million in ransom.
On Friday, Kaseya warned customers to shut down their VSA servers immediately after discovering a security incident involving the software. Kaseya uses its VSA cloud platform to manage and send software updates to network devices of its clientele, i.e. managed service providers or MSPs that then supply remote IT services to hundreds of smaller businesses that aren’t able to conduct those processes in-house.
However, considering how many of those customers are likely to be MSPs, that could translate to hundreds of smaller businesses that rely on their services being at risk. Huntress, which has been publicly tracking the attack, said via Reddit that it has identified more than 1,000 businesses whose servers and workstations were encrypted as a result of the attack. One suspected victim of the breach, the Sweden-based retailer Coop, closed down at least 800 stores over the weekend after its systems were taken offline, the New York Times reports. Huntress senior security researcher John Hammond told the outlet that the hackers were demanding $5 million in ransom from some of the affected companies.
“This is a colossal and devastating supply chain attack,” Hammond later said in a statement to Reuters. Supply chain attacks, in which hackers exploit a single piece of software to target hundreds or even thousands of users simultaneously, are quickly becoming the technique du jour for high-profile cybercriminals. The SolarWinds hackers used a similar scheme to infect network management software used by several major U.S. federal agencies and corporations.
In an update posted to Kaseya’s blog Sunday morning, the company said it is working with the FBI and the Cybersecurity and Infrastructure Security Agency to address the situation and affected customers.
“We are in the process of formulating a staged return to service of our [software as a service] server farms with restricted functionality and a higher security posture (estimated in the next 24-48 hours but that is subject to change) on a geographic basis,” the company wrote. “More details on both the limitations, security posture changes, and time frame will be in the next communique later today.”
Kaseya added that it has rolled out a new “compromise detection tool” to almost 900 customers who requested it, and is in the process of developing a private download site to provide access to more customers.