Amid the massive Kaseya supply-chain ransomware attack that triggered a chain of infections putting thousands of businesses at risk on Friday, new details have emerged on how the infamous Russia-linked REvil cybercrime gang may have pulled off the unprecedented hack.
The Dutch Institute for Vulnerability Disclosure (DIVD) revealed on Sunday that it had alerted Kaseya to a number of zero-day vulnerabilities in its VSA software (CVE-2021-30116) that were allegedly abused as a vector to deliver ransomware. The nonprofit said the company was in the process of resolving the issues under coordinated vulnerability disclosure when the July 2 attacks took place.
Further details about the flaws were not given, but DIVD chairman Victor Gevers hinted that the zero-days are trivial to exploit. At least 1,000 companies are said to have been affected by the attacks, according to ESET, with victims identified in at least 17 countries including the UK, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.
Kaseya VSA is a cloud-based IT management and remote monitoring solution for managed service providers (MSPs) that provides a central console for monitoring and managing endpoints, automating IT processes, deploying security patches and controlling access via two-factor authentication.
REvil demands $70 million ransom
Active since April 2019, REvil (aka Sodinokibi) is best known for extorting $11 million from meat processor JBS last month, with the ransomware-as-a-service operation accounting for about 4.6% of attacks on the public and private sectors in the first quarter of 2021.
The group is now demanding a $ 70 million ransom to release a universal decryptor that can unlock any system that has been paralyzed by file-encrypting ransomware.
“On Friday (July 2nd, 2021) we launched an attack on MSP providers. More than a million systems have been infected. If anyone wants to negotiate a universal decryptor – our price is $70,000,000 in BTC and we’re going to publicly release a decryptor that will decrypt files of all victims so everyone can recover from an attack in less than an hour,” the REvil group posted on its dark web data leak site.
Kaseya, which has enlisted FireEye to help investigate the incident, said it intends to “bring our SaaS data centers back online one at a time, starting with our data centers in the EU, UK and Asia Pacific, followed by our North American data centers.”
On-premises VSA servers will require a patch to be installed before they are restarted, the company noted, adding that the fix was being prepared for release on July 5th.
CISA issues advisory
The development has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory urging customers to download the Compromise Detection Tool provided by Kaseya to identify any indicators of compromise (IoCs), enable multi-factor authentication, limit communication with remote monitoring and management (RMM) tools to known IP address pairs, and place RMM administrative interfaces behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
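One way a defender can act on the "known IP address pairs" recommendation is to audit firewall flow records against an allowlist of which sources may reach each RMM administrative interface. The following is an added example written for this article, not a CISA or Kaseya tool; the addresses, the allowlist pairs and the flow-log format are all constructed for illustration.

```python
import ipaddress
from typing import Iterable

# Constructed allowlist of known RMM peer pairs (hypothetical addresses):
# (administrative interface, permitted source network). Any other source
# that successfully reaches the interface is flagged for review.
KNOWN_RMM_PAIRS = [
    ("10.0.5.10", "10.0.5.0/24"),      # internal admin VLAN
    ("10.0.5.10", "198.51.100.7/32"),  # VPN egress address used by the MSP
]


def build_allowlist(pairs):
    """Map each management interface address to its permitted source networks."""
    allow = {}
    for mgmt_ip, src_net in pairs:
        allow.setdefault(ipaddress.ip_address(mgmt_ip), []).append(
            ipaddress.ip_network(src_net))
    return allow


def parse_flow(line: str):
    """Parse the constructed format '<ts> <src_ip> -> <dst_ip>:<dst_port> <action>'."""
    ts, src, _, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst_ip), int(dst_port), action


def audit(lines: Iterable[str], pairs=KNOWN_RMM_PAIRS):
    """Return (ts, src, dst, port) for allowed flows that reached an RMM
    administrative interface from a source outside its known pairs."""
    allow = build_allowlist(pairs)
    findings = []
    for line in lines:
        ts, src, dst, port, action = parse_flow(line)
        if dst not in allow or action != "ALLOW":
            continue  # not a tracked interface, or already blocked at the perimeter
        if not any(src in net for net in allow[dst]):
            findings.append((ts, str(src), str(dst), port))
    return findings


# Constructed sample flow records; only the third one violates the allowlist.
SAMPLE_FLOWS = [
    "2021-07-02T14:01:03Z 10.0.5.22 -> 10.0.5.10:443 ALLOW",
    "2021-07-02T14:01:09Z 198.51.100.7 -> 10.0.5.10:443 ALLOW",
    "2021-07-02T14:02:41Z 203.0.113.45 -> 10.0.5.10:443 ALLOW",
    "2021-07-02T14:03:00Z 203.0.113.45 -> 10.0.5.10:443 DENY",
    "2021-07-02T14:03:10Z 203.0.113.9 -> 10.0.1.4:443 ALLOW",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("unexpected source reached RMM administrative interface:", finding)
```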
“Less than ten organizations [across our customer base] appear to have been affected, and the impact appears to have been limited to systems running Kaseya software,” Secureworks chief threat intelligence officer Barry Hensley told The Hacker News via email.
“We saw no evidence that the threat actors were trying to sidestep or spread the ransomware through compromised networks. That means organizations with large Kaseya VSA deployments are likely to be much more affected than those running them on just one or two servers.”
By compromising a software vendor to target MSPs, who in turn maintain and support other small and medium-sized businesses in an infrastructure- or device-centric manner, the development once again underscores the importance of securing the software supply chain. It also shows how hostile actors pursue their financial motives by combining the dual threats of supply chain attacks and ransomware to hit hundreds of victims simultaneously.
“MSPs are high quality targets – they have large attack surfaces, which makes them interesting targets for cyber criminals,” said Kevin Reed, Acronis chief information security officer. “One MSP can manage the IT for tens to hundreds of companies: instead of putting 100 different companies at risk, criminals only have to hack one MSP to get access to all of them.”