We are monitoring a REvil 'supply chain' attack outbreak, which seems to stem from a malicious Kaseya update. REvil binary C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process.
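The side-loading pattern described above (a relocated MsMpEng.exe loading an mpsvc.dll from the same non-Defender directory) is something a SOC can hunt for in image-load telemetry. The following is an added detection example, not code from the original report; the event records are constructed, and the list of legitimate Defender directories is an assumption about a typical install.

```python
"""Detection logic for the MsMpEng.exe / mpsvc.dll side-loading pattern.
Added example; the sample records below are constructed, not real telemetry."""
from dataclasses import dataclass
import ntpath

# Directories where a genuine Defender engine binary is expected (assumption).
LEGIT_DEFENDER_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)


@dataclass
class ImageLoad:
    process_image: str   # full path of the process executable
    loaded_module: str   # full path of a DLL mapped into that process


def is_under(path: str, prefix: str) -> bool:
    """Case-insensitive 'path is prefix or lives below prefix' for Windows paths."""
    p = ntpath.normcase(ntpath.normpath(path))
    q = ntpath.normcase(ntpath.normpath(prefix))
    return p == q or p.startswith(q + "\\")


def is_suspicious(event: ImageLoad) -> bool:
    """True when MsMpEng.exe runs outside its legitimate directories and maps an
    mpsvc.dll that sits next to it, i.e. the side-loading pattern in the report."""
    exe = ntpath.basename(event.process_image).lower()
    dll = ntpath.basename(event.loaded_module).lower()
    if exe != "msmpeng.exe" or dll != "mpsvc.dll":
        return False
    exe_dir = ntpath.dirname(event.process_image)
    if any(is_under(exe_dir, d) for d in LEGIT_DEFENDER_DIRS):
        return False  # engine running from where Defender normally lives
    # Side-loading: the DLL is picked up from the relocated executable's own directory.
    return ntpath.normcase(ntpath.dirname(event.loaded_module)) == ntpath.normcase(exe_dir)


# Constructed sample events: one legitimate load, one relocated engine loading an
# unrelated system DLL, and one matching the reported side-loading pattern.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe",
              r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\mpsvc.dll"),
    ImageLoad(r"C:\Windows\MsMpEng.exe", r"C:\Windows\System32\kernel32.dll"),
    ImageLoad(r"C:\Windows\MsMpEng.exe", r"C:\Windows\mpsvc.dll"),
]


def flag_events(events):
    """Return the process image paths of all events matching the pattern."""
    return [e.process_image for e in events if is_suspicious(e)]
```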
“The REvil ransomware gang is asking for $70 million for a universal decryptor that can unlock all computers locked. In a message the REvil gang took credit for the attack and claimed they locked more than one million systems during the Kaseya incident.” therecord.media/revil-gang-asks-70-million-to-decrypt-systems-locked-in-kaseya-attack/
Hello! Wake up - this is a problem of global scale… The ransomware group REvil has focused its attack on Kaseya VSA, software used by large companies and technology-service providers to manage and distribute software updates www.wsj.com/articles/ransomware-group-behind-meat-supply-attack-threatens-hundreds-of-new-targets-11625285071
New stmt from WH on latest ransomware attacks says @POTUS yesterday "directed the full resources of the government to investigate this incident." FBI & CISA "have been working with Kaseya and coordinating to conduct outreach to impacted victims."
The supply chain attack has reached over a thousand organizations.
Kaseya’s software is used by Managed Service Providers to perform IT tasks remotely, but on July 2nd, the Russia-linked REvil ransomware group deployed a malicious software update exposing providers who use the platform, and their clients.
The Dutch Institute for Vulnerability Disclosure (DIVD) revealed that it appears the exploit used for the breach was same one they discovered and were in the process of addressing when the attackers struck. “We were already running a broad investigation into backup and system administration tooling and their vulnerabilities,” DIVD wrote. “One of the products we have been investigating is Kaseya VSA. We discovered severe vulnerabilities in Kaseya VSA and reported them to Kaseya, with whom we have been in regular contact since then.”
On Friday, Kaseya CEO Fred Voccola said that “Only a very small percentage of our customers were affected – currently estimated at fewer than 40 worldwide.” Sophos VP Ross McKerchar said in a statement Sunday that “This is one of the farthest reaching criminal ransomware attacks that Sophos has ever seen. At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”
Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger followed up on earlier comments by President Biden, saying “The FBI and CISA will reach out to identified victims to provide assistance based upon an assessment of national risk.”
Huntress Labs is participating in the response to the attack and has cataloged most of the available information, saying the attack compromised over 1,000 businesses that it’s tracking.
So far, one of the companies most noticeably impacted by the attack is Coop, a chain of over 800 grocery stores in Sweden that closed Saturday as the attack shut down its cash registers. According to a note on its website, stores where customers can shop using Coop’s Scan & Pay mobile app have reopened, while other locations remain closed. Experts have predicted that on Tuesday, when workers return to offices in the US, more victims may be discovered.
Three days after the attack, Kaseya’s SaaS cloud servers remain offline. The company says it will provide an updated timeline for server restoration this evening, as well as more technical details of the attack to help recovery efforts by customers and security researchers.
Read full article at The Verge
05 July, 2021 - 05:02pm
New Zealand and other nations must also more strongly confront the need to hold nation states accountable for their roles in conniving at, or commissioning, the assaults that have become ever-more commonplace.
Lately the extortionists have reached further into New Zealand than the previously targeted Reserve Bank and stock exchange, to instead grasp the throats of health services and some of our schools.
There’s nothing very special about that, sad to say. Government operations, the corporate world, and harassed households worldwide have felt the clammy grip of cyber criminals in ways which too often have been undisclosed.
Prime Minister Jacinda Ardern recently called for heightened global effort to combat the rise in cyber attacks. Her warning was bracketed by the attacks on Waikato DHB and the more recent international ransomware assault via Miami-based firm Kaseya.
That global response cannot simply be a renewed effort to fend off these attacks at an IT level. Concerted commitment for technical protections must, indeed, be treated as massive priorities requiring co-ordinated and well-resourced effort from governments and private firms alike. Which is itself a terribly complex task.
But more than that, to honestly confront the scale of the problem also requires the sort of political stare-downs that we’re also starting to see through the Biden administration in the US.
American and British authorities have concluded that Russian spies accused of interfering in the 2016 US presidential elections have in more recent times been turning their bony-fingered endeavours to abusing virtual private networks, hitting hundreds of organisations.
Biden has directed US intelligence agencies to investigate who was behind the Kaseya attacks and security firm Huntress believes it’s the Russia-linked REvil gang, recently blamed for paralysing US meat packer JBS.
It’s a tad disconcerting to learn that Biden has, in his stern message to Russia, identified 16 areas of US infrastructure that apparently should be off-limits, including telecommunications, healthcare, food and energy sectors.
The implicit message is that even if agreement is reached on that score it will presumably leave potential targets that are off the list – and these will be legion – in some sort of regrettable-but-tolerable realm.
For his part, Russian President Vladimir Putin reciprocates Biden’s reproach, citing attacks “co-ordinated from US cyberspace’’. And it’s true the US isn’t above a measure of retaliation-in-kind. It lined up responses following the SolarWinds hack that infiltrated US government agencies and corporations and was traced back to the Kremlin.
This time, Biden has told Putin to expect responses if intelligence pins culpability for the latest attacks on Russia. The trigger would include the attacks being made simply with the knowledge of, rather than at the behest of, Putin’s administration.
It’s highly debatable whether the best way to confront cyber villainy is to directly mirror its very tactics. Quite apart from the moral issues – there’s no parental figure here to intrude and insist “I don’t care who started it’’ – there’s the risk of escalation into the realms of the Cold War’s perilously balanced stakes of mutually assured destruction.
But the dangers and damages of cyberattacks worldwide from within not only the likes of Russia but China or North Korea and even private enterprise terrorists who have acquired ransomware, require a combination of measured political retaliation, alongside real efforts to achieve mutually beneficial political co-operation as an alternative to escalation.
And how hard could that be? Until countries can collectively answer that, we have a massively dangerous and destabilising situation on our hands.
05 July, 2021 - 04:09am
The latest in a string of severe cyberattacks has affected more than 1,000 businesses worldwide. Here’s what we know so far.
On Friday (2 July), a major ransomware attack in the US hit multiple managed service providers, affecting more than 1,000 businesses and organisations.
This includes schools, small public sector bodies, travel companies, credit unions and accountants.
The White House deputy national security adviser for cyber and emerging technology, Anne Neuberger, said in a statement that the FBI and the Department of Homeland Security’s cyber arm “will reach out to identified victims to provide assistance based upon an assessment of national risk”.
While the attack started in the US, it has impacted companies around the world, including Swedish grocery store chain Coop, which closed hundreds of its stores over the weekend. This is because a tool used to update its checkout tills remotely was affected by the attack.
It is the latest in a string of major ransomware attacks receiving global attention, including incidents impacting a major gas pipeline, the world’s largest meat producer and Ireland’s Health Service Executive (HSE).
The attack began at Kaseya, a Miami-based software supplier. On Friday, the company reported a “sophisticated attack” on its VSA software, a set of tools used by IT departments to manage and monitor computers remotely.
The cybercriminals responsible for the attack found a vulnerability in Kaseya’s supply chain and used a malware protection program to deliver ransomware code to businesses that use the software.
While Kaseya initially estimated that only about 40 customers had been directly affected, the impact of the attack spread further because its customers include managed service providers (MSPs) that use the software to service hundreds of businesses.
Cybersecurity firm Huntress Labs, which is investigating the incident, said as many as 30 MSPs across the US, Australia, the EU and Latin America had been hit and more than 1,000 of those MSPs’ clients could be affected.
According to security company ESET, the majority of reports are coming from the UK, South Africa, Canada, Germany, the US and Colombia.
Kaseya has advised its customers that all on-premises VSA servers should remain offline and said a patch will need to be installed prior to restarting the VSA.
In its latest security update, the company also said it had been advised by outside experts that customers who experience ransomware and receive communication from the attackers should not click on any links as they may be weaponised.
The attack is believed to come from REvil, a ransomware-as-a-service cybergang thought to be based in Russia. On its dark web blog, REvil claimed responsibility and said the attack infected more than a million systems.
The gang has an affiliate structure and previous attacks attributed to REvil or its affiliates include a ransomware outbreak in 2019 that affected more than 20 local governments in Texas and the recent attack on meat producer JBS Foods.
REvil has demanded $70m in ransom for a universal decryption tool promising to decrypt files of all victims in less than an hour. If paid, it could become the highest ransomware payment ever made.
However, paying ransoms is generally not advised by security experts. This is because it allows cybercriminals to profit, encouraging further attacks and putting a target on companies that agree to the demands.
According to a study from infosec company Cybereason, 80pc of organisations that opted to pay a ransom demand suffered a second ransomware attack, often from the same threat actor group.
Furthermore, there is no guarantee that cybercriminals will make good on their promises even if a ransom is paid. According to a recent report from security software company Sophos, 92pc of companies that opt to pay a ransom don’t get their data back.
Even when decryption tools are provided, the cost and time it takes to restore systems with a large attack such as this one could be huge.
Speaking at an Oireachtas Joint Committee on Health on 23 June, HSE CEO Paul Reid said it will take months before systems are fully restored and immediate costs are “well over €100m”.
“Decryption takes much longer than the original encryption, and eradication involves additional tasks to ensure that the perpetrators have no access route back into our systems,” he added.
In its latest security update, Kaseya said its teams are working “around the clock in all geographies” to restore its customers to service.
“We have successfully completed an external vulnerability scan, checked our SaaS databases for indicators of compromise, and have had external security experts review our code to ensure a successful service restart.”
It does not currently have a timeline for when its data centres can go back online but it plans to start the restoration process by the end of today (5 July).
“Once we have begun the SaaS data centre restoration process, we will publish the schedule for distributing the patch for on-premises customers,” the company added.
It also announced that it hired cybersecurity company FireEye to help deal with the fallout.
Kaseya said some lightly used legacy VSA functionality will be removed out of an “abundance of caution”.
It also said there will be new security measures implemented including enhanced security monitoring of its SaaS servers by FireEye.
Jenny Darmody is the deputy editor of Silicon Republic