A ransomware gang successfully encrypted the files of more than 200 companies after using a remote IT monitoring and management tool as the delivery vehicle for a supply-chain attack. It is not yet known how the attackers compromised the tool or how widespread the attack is.
Companies using Kaseya VSA remote monitoring and management tools should immediately shut down the servers running the service, Fred Voccola, CEO of the IT company Kaseya, said in a warning posted on Friday. The attackers disable administrative access to VSA as soon as they are inside a victim’s network, which makes efforts to contain and remove the ransomware more difficult.
The company has shut down the servers for the software-as-a-service version of its tool as a precaution, although there have been no reports of SaaS and hosted customers being compromised. The company said SaaS and VSA hosted servers “will be operational once Kaseya determines that we can safely restore operations.”
Ransomware has been around for years but has surged recently: it hit nearly 2,400 governments, health systems, and schools in the United States in 2020, according to the Ransomware Task Force report covering that year. Data is the lifeblood of a modern business; when ransomware encrypts files and makes them inaccessible, it brings the business to a standstill.
The attack on Kaseya’s systems is the latest in a series of recent attacks on critical infrastructure and manufacturing companies in the United States, following Colonial Pipeline, Molson Coors and JBS Foods. The gang behind this attack, REvil, is the same gang that the Federal Bureau of Investigation said attacked JBS a few weeks ago.
Below is a breakdown of the supply chain ransomware attack against Kaseya VSA and its impact on businesses.
What should security teams do now?
Organizations running Kaseya VSA on their networks should shut down these servers immediately. “All local VSA servers should remain inactive pending further instructions from Kaseya as to when it is safe to restore operations,” the company said in its latest update.
A patch must be installed prior to restarting VSA, Kaseya said. The company said in an earlier update that it believes it has identified the source of the vulnerability and is developing and testing a security patch to mitigate the problem.
Sophos has also published a detailed guide that potential victims can use to determine whether they have been hit.
Isn’t shutting down the servers a little excessive?
The Cybersecurity and Infrastructure Security Agency doesn’t think so. “CISA encourages organizations to review the Kaseya advice and immediately follow their instructions on shutting down VSA servers,” the agency said in an alert from the National Cyber Awareness System.
Separately, the independent security firm Huntress Labs told Reuters the attack has “the potential to spread to companies of any size and scale.”
What does the attack look like?
No one currently knows how the attackers compromised Kaseya’s VSA, but the REvil ransomware appears to have reached customer networks through a malicious Kaseya update and then spread to all connected client systems through VSA’s internal scripting engine. Because the VSA agent runs with administrator rights on the systems it manages, a procedure pushed through it can infect every client. It is also unclear at this point whether the attackers exfiltrated data before encrypting it.
The malware disables local antivirus protection and side-loads a malicious DLL into a legitimate copy of the Windows Defender engine executable; that DLL then encrypts the files on the compromised computer, Mark Loman, a Sophos malware analyst, wrote on Twitter.
We are witnessing an outbreak of a REvil “supply chain” attack that appears to be from a malicious Kaseya update. The REvil binary, C:\Windows\mpsvc.dll, is side-loaded into a legitimate Microsoft Defender copy and copied to C:\Windows\MsMpEng.exe to perform the encryption from a legitimate process.
– Mark Loman @ 🏡 (@markloman) July 2, 2021
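The side-loading pattern Loman describes is something a responder can hunt for in endpoint telemetry, which is also the kind of check the Sophos guide mentioned above is meant to support. The following is an added example, not code from the article, Sophos or Kaseya. It encodes only what the tweet states: a copied MsMpEng.exe in C:\Windows loading mpsvc.dll from the same directory. The record layout (simplified Sysmon-style process-create and image-load events), the field names, the list of legitimate Defender directories and the sample records are all assumptions constructed for the demo.

```python
"""Spot the Defender side-loading pattern from simplified endpoint telemetry.

Added example for this article; not code from Sophos, Kaseya, or the page.
Assumptions (not from the article):
  * Records are Sysmon-like dicts: event 1 = process create, event 7 = image
    load. The field names are simplified, not the real Sysmon schema.
  * A genuine Defender engine binary lives under one of LEGIT_DEFENDER_DIRS.
  * SAMPLE_RECORDS are constructed for the demo.
"""
from __future__ import annotations

import ntpath
from typing import Iterable

# Where a genuine MsMpEng.exe / mpsvc.dll is expected on a default install
# (assumption: extend for your environment, e.g. third-party EDR folders).
LEGIT_DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons ignore case and slash style."""
    return path.replace("/", "\\").lower()


def is_legit_defender_path(image: str) -> bool:
    """True if the image sits under an expected Defender directory."""
    img = _norm(image)
    return any(img.startswith(d) for d in LEGIT_DEFENDER_DIRS)


def detect(records: Iterable[dict]) -> list[dict]:
    """Return one finding per suspicious record.

    Rule 1 (event 1): MsMpEng.exe started from outside a Defender directory.
    Rule 2 (event 7): a process named MsMpEng.exe loads mpsvc.dll from a
                      non-Defender directory, i.e. the DLL was planted next
                      to the copied engine binary (the tweet's C:\\Windows case).
    """
    findings = []
    for rec in records:
        if rec["event"] == 1:
            image = rec["image"]
            if (ntpath.basename(_norm(image)) == "msmpeng.exe"
                    and not is_legit_defender_path(image)):
                findings.append({"rule": "defender_engine_outside_install_dir",
                                 "host": rec["host"], "pid": rec["pid"],
                                 "image": image})
        elif rec["event"] == 7:
            proc, dll = rec["image"], rec["image_loaded"]
            if (ntpath.basename(_norm(proc)) == "msmpeng.exe"
                    and ntpath.basename(_norm(dll)) == "mpsvc.dll"
                    and not is_legit_defender_path(dll)):
                findings.append({"rule": "mpsvc_dll_sideload",
                                 "host": rec["host"], "pid": rec["pid"],
                                 "image": proc, "dll": dll})
    return findings


# Constructed sample telemetry (not real captures).
SAMPLE_RECORDS = [
    # Benign: the real engine loading its own DLL from the install directory.
    {"event": 1, "host": "ws01", "pid": 3120,
     "image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"event": 7, "host": "ws01", "pid": 3120,
     "image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "image_loaded": "C:\\Program Files\\Windows Defender\\mpsvc.dll"},
    # Unrelated process, should be ignored.
    {"event": 1, "host": "ws01", "pid": 4410,
     "image": "C:\\Windows\\System32\\notepad.exe"},
    # Pattern from the Sophos tweet: engine copied to C:\Windows, DLL beside it.
    {"event": 1, "host": "ws02", "pid": 5872, "image": "C:\\Windows\\MsMpEng.exe"},
    {"event": 7, "host": "ws02", "pid": 5872,
     "image": "C:\\Windows\\MsMpEng.exe",
     "image_loaded": "C:\\Windows\\mpsvc.dll"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(finding)
```

Running the script prints two findings, both for host ws02. The check is deliberately path- and name-based because that is all the tweet gives; an attacker who renames the copied engine or drops it elsewhere will not match, so in a real hunt pair it with Authenticode signer checks on the loaded DLL and with the hashes published by the vendors tracking the incident.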
Kaseya’s warning stated that as soon as the ransomware infiltrated the network, the first thing the attacker would do was “block administrative access to the VSA”.
How widespread is the attack?
That is hard to say at this point. More than 40,000 companies use Kaseya products, but that number includes customers of Kaseya IT tools other than VSA. Kaseya said “only a very small number of on-premises customers” are affected, which appears to be fewer than 40 direct customers. However, researchers pointed to a likely cascading effect, because VSA is popular with managed service providers that deliver IT services such as network management, system updates, and backups for other companies.
The security company Huntress Labs is monitoring the situation and regularly publishes updates on a Reddit thread. Huntress said it is tracking eight managed service providers that have been used to infect more than 200 clients.
What if we are already infected?
If the organization has already been infected by the ransomware, security teams should work through their incident response plan. That could mean paying the ransom (strongly discouraged, although there have been high-profile payments such as the $11 million JBS paid to the REvil gang) or taking all systems offline and restoring data from backups. Cisco Talos warned in its threat advisory that ransomware can also attack backup servers, so IT teams may need to verify whether the backup servers were compromised and restore from offline backups, if any exist.
Reported ransom demands range from $44,999 (posted on Twitter by Mark Loman, a malware analyst at Sophos) to $5 million (as reported by Reuters).
What about the fact that it was a supply chain attack?
This is not the first time attackers have targeted the supply chain to amplify the impact of their attacks, and it will not be the last. Organizations increasingly rely on a network of providers for a wide variety of business operations, including computing and storage, network infrastructure, and application delivery, and this trend is not going away. A security incident at a supplier will inevitably become an incident for the company as well.
The Ransomware Task Force identified this type of supply chain attack as a critical vulnerability in its work on “worst case scenarios,” said James Shank, Ransomware Task Force Committee Lead for Worst Case Scenarios and Chief Architect, Community Services at Team Cymru. Organizations need to vet suppliers and carefully consider how they integrate with third-party providers. Many organizations talk about zero trust.
The hard part is finding the balance between keeping exposure to the bare minimum and having enough connections to keep the business running.
Does the time of the attack matter?
Probably. Such attacks require planning and preparation, and the timing is unlikely to be random or left to chance. Attackers could have timed this attack to have the greatest impact, knowing that many digital companies saw an increase in service usage over the weekend of U.S. Independence Day, said Curtis Simpson, CISO at Armis.
News Flash: Cyber criminals are A$$holes.
Think of all the Incident Response teams on this holiday weekend as they are in the thick of it … again.
– Chris Krebs (@C_C_Krebs) July 2, 2021
Delaying detection and making remediation harder could also have been a practical decision. Many companies give their employees Friday afternoons off and may have fewer staff over the holiday weekend. Handling a ransomware attack is generally an all-hands-on-deck situation and a stressful time, and many companies are fighting this one with a smaller team than usual. In some cases, victims may not know they are affected until they return to work on Tuesday.