It was likely inevitable that the two dominant cybersecurity threats of the day – supply chain attacks and ransomware – would combine to wreak havoc. That is exactly what happened on Friday afternoon, when the notorious criminal group REvil successfully encrypted the files of hundreds of companies in one fell swoop, apparently thanks to compromised IT management software. And that is just the beginning.
The situation continues to evolve, and certain details – most importantly, how the attackers infiltrated the software in the first place – remain unknown. However, the effects have already been severe and will only get worse given the nature of the targets. The software in question, Kaseya VSA, is popular with so-called managed service providers, which provide IT infrastructure for companies that would rather outsource it than operate it themselves. This means that if you successfully hack an MSP, you suddenly have access to its customers. That’s the difference between cracking lockers one by one and stealing the bank manager’s key.
According to the security company Huntress, REvil has hacked eight MSPs so far. The three Huntress works with are directly responsible for 200 companies whose data was encrypted on Friday. It doesn’t take much extrapolation to see how much worse it gets from there, especially given the ubiquity of Kaseya.
“Kaseya is the Coca-Cola of remote management,” said Jake Williams, chief technology officer for incident response company BreachQuest. “Because we’re going on a vacation weekend, we won’t know how many victims are out there until Tuesday or Wednesday next week. But it’s monumental.”
The worst of both worlds
MSPs have long been a popular target, particularly among nation-state hackers. Compromising them is an extremely efficient way to spy, if you can pull it off. As a 2018 Justice Department indictment showed, China’s elite APT10 spies exploited MSP compromises to steal hundreds of gigabytes of data from dozens of companies. REvil has previously targeted MSPs as well, using its position in an external IT company to hold 22 Texas municipalities hostage simultaneously in 2019.
Supply chain attacks are also becoming more common, most notably the devastating SolarWinds campaign last year that gave Russia access to multiple US government agencies and countless other victims. Like MSP attacks, supply chain hacks have a multiplicative effect: the contamination of a single software update can claim hundreds of victims.
So you can start to see why a supply chain attack targeting MSPs has potentially exponential consequences. Throw in crippling ransomware and the situation becomes even more untenable. It is reminiscent of the devastating NotPetya attack, which also used a supply chain compromise to spread what initially appeared to be ransomware but was in fact a nation-state attack by Russia. A recent campaign in Russia also comes to mind.
“It’s SolarWinds, but with ransomware,” says Brett Callow, threat analyst at the antivirus company Emsisoft. “If a single MSP is compromised, it can affect hundreds of end users. And in this case it appears that several MSPs have been compromised, so …”
BreachQuest’s Williams says REvil appears to be asking victim companies for the equivalent of about $45,000 in the Monero cryptocurrency. If they don’t pay within a week, the demand doubles. The security news site BleepingComputer reports that REvil asked some victims for $5 million for a decryption key that unlocks “all PCs on your encrypted network,” a demand that may be aimed specifically at MSPs rather than their customers.
“We often talk about MSPs being the mother ship of many small to medium-sized businesses and organizations,” said John Hammond, senior security researcher at Huntress. “But when Kaseya gets hit, bad actors have just compromised all of their mother ships.”