A hot potato: A ransomware attack has hit hundreds of companies in the US through a supply chain attack targeting Kaseya’s VSA system management platform (used for remote monitoring and IT management). While Kaseya says fewer than 40 of its more than 36,000 customers were affected, the targeting of large managed service providers (MSPs) means that large numbers of their downstream customers have been compromised as a result.
Kaseya says it learned of the security incident around noon on Friday. In response, it put its cloud services into maintenance mode and issued a security advisory urging all customers with an on-premises VSA server to shut it down until further notice, because “one of the first things the attacker does is shut down administrative access to the VSA.” Kaseya also notified the FBI and CISA and began its own internal investigation.
The company’s second update stated that the cloud VSA shutdown was purely a precautionary measure and that customers using its SaaS servers were “never at risk.” However, Kaseya also said those services would remain suspended until it determines that it is safe to resume operations; at the time of writing, the cloud VSA suspension had been extended until 9 a.m. ET.
What the infected systems look like. Image: Kevin Beaumont, via DoublePulsar
The REvil ransomware gang appears to deliver its payload through what looks like a standard automatic software update. It then uses PowerShell to decode and extract the payload while disabling numerous Windows Defender protections, including real-time monitoring, cloud-based lookups, and controlled folder access (Microsoft’s built-in anti-ransomware feature). The payload also includes an older (but legitimate) version of Windows Defender, which is used as a trusted executable to load a DLL containing the encryptor.
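The two behaviours described above are both visible in ordinary process-creation telemetry: a PowerShell command line that switches off Defender protections, and a Defender engine binary executing from a directory where Defender is never installed. The following is an added detection example written for this article, not code from Kaseya, Huntress or any vendor. It runs over a few constructed log lines in a simple "EventID|Image|CommandLine" layout; the specific Set-MpPreference switches, the expected Defender install directories and the choice of MsMpEng.exe as the reused engine binary are assumptions based on general Windows knowledge, since the article names none of them.

```python
"""Flag Windows Defender tampering and out-of-place Defender binaries in sample process logs."""
import ntpath
import re

# Constructed sample log lines (not real telemetry). Format: "EventID|Image|CommandLine",
# loosely modelled on process-creation events such as Sysmon event ID 1.
SAMPLE_LOGS = [
    "1|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Set-MpPreference "
    "-DisableRealtimeMonitoring $true -DisableIOAVProtection $true -MAPSReporting Disabled "
    "-EnableControlledFolderAccess Disabled",
    "1|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-MpComputerStatus",
    "1|C:\\Windows\\Temp\\MsMpEng.exe|C:\\Windows\\Temp\\MsMpEng.exe",
    "1|C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0.0-0\\MsMpEng.exe|"
    "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0.0-0\\MsMpEng.exe\"",
    "1|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
]

# Set-MpPreference switches that weaken the protections the article names (plus two related ones).
# Assumption: this switch set comes from the Set-MpPreference cmdlet, not from the article.
TAMPER_PATTERNS = [
    (re.compile(r"-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I), "real-time monitoring disabled"),
    (re.compile(r"-MAPSReporting\s+(Disabled|0)\b", re.I), "cloud-delivered protection (MAPS) disabled"),
    (re.compile(r"-EnableControlledFolderAccess\s+(Disabled|0)\b", re.I), "controlled folder access disabled"),
    (re.compile(r"-DisableIOAVProtection\s+(\$true|1)\b", re.I), "download/attachment scanning disabled"),
    (re.compile(r"-DisableBehaviorMonitoring\s+(\$true|1)\b", re.I), "behaviour monitoring disabled"),
]

# Directories a genuine Defender engine binary is expected to run from (assumption: standard install paths).
EXPECTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
# Assumption: the engine executable reused as the trusted host; the article does not name the binary.
DEFENDER_BINARIES = {"msmpeng.exe"}


def parse_line(line):
    """Split one sample log line into (event_id, image, command_line)."""
    event_id, image, cmdline = line.split("|", 2)
    return event_id, image, cmdline


def check_defender_tampering(cmdline):
    """Return a description for every protection-weakening switch found in a Set-MpPreference call."""
    if "set-mppreference" not in cmdline.lower():
        return []
    return [desc for pat, desc in TAMPER_PATTERNS if pat.search(cmdline)]


def check_defender_binary_path(image):
    """Flag a Defender engine binary that is executing outside its expected install directories."""
    name = ntpath.basename(image).lower()
    if name not in DEFENDER_BINARIES:
        return []
    directory = ntpath.dirname(image)
    if any(directory.lower().startswith(d) for d in EXPECTED_DEFENDER_DIRS):
        return []
    return [f"{name} running from unexpected location {directory}"]


def scan(lines):
    """Map line index -> list of findings for every line that trips at least one check."""
    findings = {}
    for idx, line in enumerate(lines):
        _, image, cmdline = parse_line(line)
        hits = check_defender_tampering(cmdline) + check_defender_binary_path(image)
        if hits:
            findings[idx] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: " + "; ".join(hits))
```

Run against the constructed sample, the script flags line 0 (four protections switched off in one command) and line 2 (the engine binary running from a temp directory), while the benign status query, the correctly located Defender binary and the unrelated process pass. In a real deployment the same two checks would be written as SIEM or EDR rules over PowerShell script-block and process-creation events rather than over a text file.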
It is not yet known whether REvil is stealing data from victims before activating its ransomware and encryption, but the group is known to have done so in previous attacks.
The scale of the attack is still unfolding. Supply chain attacks like this one, which compromise a weak link higher up the chain rather than hitting targets directly, can wreak havoc on a large scale when that link is widely used, as Kaseya’s VSA is in this case. Furthermore, its timing over the July 4 holiday weekend appears designed to minimize the number of staff available to deal with the threat and to slow the response to it.
BleepingComputer initially reported that eight MSPs had been hit and that cybersecurity firm Huntress Labs knew of 200 companies compromised through the three MSPs it was working with. However, later updates from Huntress’s John Hammond show that the number of affected MSPs and downstream customers is much higher than first reported and still growing.
<40. Kaseya claims that fewer than 40 customers affected. pic.twitter.com/PyENI96A5E
– John Hammond (@_johnhammond) July 3, 2021
The ransom demands, to be paid in Monero cryptocurrency, have varied enormously: most appear to start at $44,999, but some go as high as $5 million. Similarly, the payment deadline, after which the ransom doubles, also appears to vary between victims.
Of course, both figures likely depend on the size and scale of the affected target. REvil, which US authorities believe has ties to Russia, extracted $11 million from meat processor JBS last month and demanded $50 million from Acer in March.
Header image: Computer ringing