Cyberattacks continue to escalate. As expected, the 4th of July celebrations in the US saw one of the largest attacks in recent years.
According to Check Point Software, “they (REvil) chose this weekend and this method for a reason. They looked for a back door to over a thousand companies - one target through which they infect numerous others in a pandemic-like chain, and they picked the weekend as they know that company IT staff go offline and that companies are often on a skeleton crew, where eyes aren’t watching.”
According to Adam Meyers, senior vice president of CrowdStrike Intelligence, the Kaseya attack had all the hallmarks of the threat actor PINCHY SPIDER, operator of REvil ransomware and suspected culprit of the recent attack on JBS.
“It illustrates what we define as a Big Game Hunting attack, launched against a target to maximise impact and profit through a supply chain during a holiday weekend when business defences are down. What we are seeing now in terms of victims is likely just the tip of the iceberg,” added Meyers.
Didn’t we learn anything from SolarWinds?
Almost reminiscent of the SolarWinds supply-chain attack, cybercriminals this time targeted multiple managed service provider (MSP) environments.
The attack strategy, almost a mirror of the SolarWinds version, used a two-step malware delivery process to successfully enter through the back door of tech environments. Unlike the SolarWinds attack, the goal here is monetary with the attackers planting ransomware demands on more than 70 managed service providers and more than 350 organisations, according to Ross McKerchar, Sophos vice president and chief information security officer.
Cybersecurity firm Huntress pegs the latest count at over 1,000 businesses using the Kaseya virtual system administrator (VSA). In its dark web post, REvil claims responsibility and is demanding US$70 million in BTC before it will “publish publicly the decryptor.”
“A day after the attack, it became more evident that an affiliate of the REvil Ransomware-as-a-Service (RaaS) leveraged a zero-day exploit that allowed it to distribute the ransomware via Kaseya’s Virtual Systems Administrator (VSA) software. Usually, this software offers a highly trusted communication channel that allows MSPs unlimited privileged access to help many businesses with their IT environments,” said Mark Loman, director of engineering at Sophos.
According to ESET, once the server is infected, the malware shuts down administrative access and begins encrypting data, the precursor to the full ransomware attack cycle. Once the encryption process is complete, a ransom note is published on the system’s desktop wallpaper, should a victim look for and open it.
At least the cybercriminals are using lessons from past exploits to move on to the next.
At some point, you have to ask: are companies spending too much money on solutions marketed to them as “the best at solving their problems” without a proper safety net?
Should it not be the responsibility of these software vendors to make their products free from vulnerabilities?
What to do now?
If you are one of the 1,000 (maybe growing) businesses affected by the attack, Check Point suggests the following course of action:
- Unplug the Kaseya VSA from the network NOW.
- Use EDR, NDR and other security monitoring tools to verify the legitimacy of any new files in the environment since 02 July
- Check with security product vendors to verify protections are in place for REvil ransomware
- If help is needed, call in a team of experts to help verify the situation within the environment
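The second step above, verifying the legitimacy of anything new in the environment since 2 July, starts with an inventory of what actually changed. The script below is an added example, not code from the article, Check Point, Kaseya or any vendor tool: it walks a directory tree, lists regular files whose modification time is on or after the cutoff, and hashes them so the list can be reconciled with EDR/NDR telemetry or sent to a security vendor for checking. The function names, the constructed sample tree and the cutoff constant are all assumptions of this example. File timestamps can be altered by an intruder, so the output is a first pass to be compared against endpoint telemetry, not proof that nothing else was dropped.

```python
"""Hypothetical triage helper (added example, not part of the article or any
vendor tooling): list files written to a directory tree on or after a cutoff
date, with SHA-256 hashes, for cross-checking against EDR/NDR telemetry."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Cutoff taken from the Check Point guidance quoted above: anything new since 2 July 2021.
CUTOFF = datetime(2021, 7, 2, tzinfo=timezone.utc)


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_new_files(root, cutoff=CUTOFF):
    """Return [(relative_posix_path, mtime_iso, sha256), ...] for regular files
    whose modification time is at or after `cutoff`, sorted by path.

    Caveat: mtime is attacker-controllable (timestomping), so treat this as a
    starting inventory to reconcile with EDR records, not as proof of absence."""
    root = Path(root)
    cutoff_ts = cutoff.timestamp()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue  # file vanished or is unreadable; skip rather than abort the sweep
            if st.st_mtime >= cutoff_ts:
                mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
                hits.append((p.relative_to(root).as_posix(), mtime.isoformat(), sha256_of(p)))
    return sorted(hits)


def build_sample_tree(base) -> Path:
    """Constructed sample data (not real artefacts): two files dated before the
    cutoff and two dated after it, with timestamps set explicitly via os.utime."""
    base = Path(base)
    old = datetime(2021, 6, 1, tzinfo=timezone.utc).timestamp()
    new = datetime(2021, 7, 3, 12, 0, tzinfo=timezone.utc).timestamp()
    layout = {
        "app/config.ini": (b"existing=1\n", old),
        "app/lib/helper.dll": (b"MZ old binary stub (constructed)", old),
        "app/agent.exe": (b"MZ new binary stub (constructed)", new),
        "tmp/note.txt": (b"constructed text dropped after the cutoff\n", new),
    }
    for rel, (content, ts) in layout.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (ts, ts))  # (atime, mtime)
    return base


def run_demo():
    """Build the constructed tree in a temp directory and return the post-cutoff files."""
    tmp = tempfile.mkdtemp(prefix="kaseya-triage-")
    build_sample_tree(tmp)
    return find_new_files(tmp)


if __name__ == "__main__":
    for rel, when, digest in run_demo():
        print(f"{when}  {digest}  {rel}")
```

Run against a real host you would point `find_new_files` at the VSA install directory and the usual drop locations instead of the temp tree, then compare each hash with what the EDR recorded at write time; a file the EDR never saw being written, but which carries a post-cutoff timestamp, is exactly the kind of discrepancy worth escalating.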
The Kaseya Helpdesk is publishing daily updates offering guidance on where the company is with regards to efforts to counter the vulnerability. This includes an earlier posting on July 5, 2021 offering guidance on the next steps for users.
This attack should be a reminder that vigilance against cyberattacks is not about waiting for the next exploit. It is about being ahead of any attack. If you know how to do that, you are destined to become the next superstar.
Just don’t let the spectacle blind you to the next attack.
* Kaseya acknowledges awareness of “fewer than” 1,500 downstream businesses affected by this incident. But as with all developing occurrences, this number will likely change over time.
** According to a Chainalysis blog post, ransomware victims paid over $406 million in cryptocurrency in 2020. Excluding the Kaseya attack, year-to-date ransomware payments have already reached $81 million.