Experts Weigh In On Kaseya Ransomware Attack

BACKGROUND:

A successful ransomware attack on a single company has spread to at least 200 organizations, and likely far more, making it one of the single largest criminal ransomware sprees in history. The attack is believed to have been carried out by the prolific ransomware gang REvil against Kaseya, an international company whose software remotely controls programs for companies managing internet services businesses.

8 Expert Comments
Jeff Costlow, CISO
InfoSec Expert
July 8, 2021 9:21 am

Kaseya is a terrifying example of how quickly cybercriminals are adopting Advanced Persistent Threat (APT) tactics. In the Kaseya attack, the threat actors deliberately targeted a well-established but little-known software management firm that would allow them access to hundreds of other environments. They meticulously researched their target and found a zero-day flaw in their software. They then exploited it and waited for a long holiday weekend to detonate their ransomware.

This technique parallels almost exactly the techniques used by nation-state adversaries in the NotPetya attack four years ago – which used an exploit in Ukrainian tax software MeDoc – and more recently, in the SolarWinds SUNBURST attack. Both NotPetya and SUNBURST used exploits in software that was widely used but little known to the public to disseminate malware on a massive scale. Both waited for national holidays (the former in Ukraine, the latter in the US) when many were out of the office to detonate their attacks.

The fact that techniques that were once the dominion of the most advanced nation states are now being used to extract multi-million dollar ransoms should serve as a stark warning for every organization and every software vendor. The threat of sanctions or other diplomatic repercussions is of no concern to cybercriminals that operate outside the bounds of any government. Ransomware is now an advanced persistent extortionate threat – one that’s far more calculated than opportunistic.

Last edited 1 year ago by Jeff Costlow
Romain Lecoeuvre
InfoSec Expert
July 8, 2021 9:15 am

The Kaseya cyberattack demonstrates the ability of one attack to target a very large number of users, servers and workstations at once, using a "trusted" distribution vector within the information systems of its partners or customers to mass distribute malicious code. To combat this type of threat, businesses have to put rules in place to protect their customers, employees and reputation now, before it’s too late.

To do so, they must:

- Deploy a strong integrity control strategy
- Require strong authentication (MFA) for administration or development actions
- Check, or have checked, regularly the different components of your IS
- Reduce as much as possible the permissions and the scope of code coming from third parties
- Have a BCP/BRP (Business Continuity Plan/Business Recovery Plan) to be able to react quickly and efficiently in case of an incident

By implementing these rules, businesses can ensure that, regardless of the threat surface, their data, customers and employees remain protected.

Last edited 1 year ago by Romain Lecoeuvre
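The first and fourth rules in the comment above (integrity control, and limiting the scope of third-party code) can be made concrete as an install-time gate for vendor-delivered packages. The following is an added illustration, not code from the comment, from Kaseya or from any vendor: the organisation pins, out of band, an allowlist manifest mapping each approved package name to its expected SHA-256 digest, authenticates that manifest with an HMAC under a key only the security team holds (an assumed simplification; a production setup would use a detached signature), and hands a package to the installer only if the manifest verifies, the name is on the allowlist and the digest matches. All package bytes, names and the key are constructed sample values.

```python
"""Integrity gate for third-party update packages (added example, not the
page's own code). A package reaches the installer only when (1) the pinned
allowlist manifest authenticates, (2) the package name is on the allowlist,
and (3) the package's SHA-256 digest matches the pinned value."""
import hashlib
import hmac
import json

# Constructed sample key; in a real deployment it lives in a secret store.
MANIFEST_KEY = b"example-manifest-key-constructed-sample"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> tuple:
    """Serialise the manifest canonically and return (body, HMAC-SHA256 tag)."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def manifest_is_authentic(body: bytes, tag: str, key: bytes) -> bool:
    """Constant-time check of the manifest tag; any byte change fails."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def load_manifest(body: bytes, tag: str, key: bytes) -> dict:
    """Parse the manifest only after it has been authenticated."""
    if not manifest_is_authentic(body, tag, key):
        raise ValueError("manifest authentication failed")
    return json.loads(body)


def check_package(name: str, data: bytes, manifest: dict) -> tuple:
    """Return (allowed, reason) for a package about to be installed."""
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: not on allowlist"
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: digest mismatch (got {actual[:12]}..., want {expected[:12]}...)"
    return True, f"{name}: ok"


# Constructed sample packages: one approved, one with bytes appended after approval.
GOOD_PKG = b"example-agent update payload (constructed sample bytes)"
TAMPERED_PKG = GOOD_PKG + b"\x00appended"

APPROVED = {"example-agent": sha256_hex(GOOD_PKG)}
MANIFEST_BODY, MANIFEST_TAG = sign_manifest(APPROVED, MANIFEST_KEY)


def demo() -> list:
    """Run the gate over the three cases: approved, modified, and unlisted."""
    manifest = load_manifest(MANIFEST_BODY, MANIFEST_TAG, MANIFEST_KEY)
    return [
        check_package("example-agent", GOOD_PKG, manifest),
        check_package("example-agent", TAMPERED_PKG, manifest),
        check_package("unlisted-tool", GOOD_PKG, manifest),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "BLOCK", reason)
```

The two comparisons use hmac.compare_digest rather than `==` so that the gate does not leak how many leading bytes of a digest were right; the unlisted-name case is rejected before any hashing, which is the scope-limiting half of the rule: code the organisation never approved is not run, regardless of whether it is intact.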
Saumitra Das, CTO and Co-founder
InfoSec Expert
July 8, 2021 9:08 am

This is another reminder that supply chain attacks remain an issue after the SolarWinds breach brought this topic to the forefront. Organizations are thinking harder about the supply chain security of their vendors and partners. But ultimately, they will need to limit the blast radius inside their networks assuming their vendors and partners do get compromised. The speed at which this Kaseya attack evolved was notable given these tools were used for remote IT management and had the privilege to do operations inside the organizations’ networks on behalf of their MSP.

This is one among a host of supply chain issues this year and specifically issues caused by security vendors themselves. Security itself needs to be agentless and deployed isolated or with the least privilege so it does not contribute to increasing attack surface. VPNs, firewalls, email gateways have all been misused recently to gain a foothold with privilege inside an organization’s network without having to phish a user or hope for open RDP to compromise.

Attackers are not just targeting governments and infrastructure company supply chains but anyone who gives them a foothold into multiple organizations’ networks. While this may not cause disruptions to our infrastructure like the Colonial Pipeline attack, it is nevertheless a huge burden for lots of SMB and mid-market organizations that are already struggling with budget and skill shortage issues.

Organizations need to focus on detection and response because clearly current technology, configurations and the endless stream of security supply chain vulnerabilities together make it hard to prevent initial access into networks.

Last edited 1 year ago by Saumitra Das
Casey Ellis, CTO and Founder
InfoSec Expert
July 7, 2021 3:05 pm

The thing I find most concerning about this attack is the coupling of supply-chain techniques to gain access with the incentives and devastating impacts of ransomware, including the encryption of and denial of service to systems and data.

Something that is immediately interesting about this attack is the fact that only 8 months after SolarWinds – a relatively non-destructive nation-state supply chain attack – it looks as though cybercriminals, or smaller financially motivated nation-states, are deploying these techniques.

This means they have the resources to create or procure the necessary tooling, possibly out of the proceeds of other ransomware operations. The REvil operators set their ransom between 45k and 5M USD per organization, and have since released an offer of 50M USD to decrypt all systems affected by this attack. Aside from being the largest ransomware payment in history, this would provide ample capital for REvil to reinvest in progressively better and more invasive tooling for future attacks.

It also raises the topic of whether you’d prefer to get hacked by Russia, or the REvil gang. Nation state attacks have national security and economic implications, while cybercriminals tend to be more destructive and impactful to the affected businesses themselves.

Last edited 1 year ago by Casey Ellis
Charles Carmakal, SVP and CTO
InfoSec Expert
July 7, 2021 3:02 pm

On July 2, 2021, an affiliate of REvil/Sodinokibi exploited multiple vulnerabilities in the Kaseya VSA product to distribute a ransomware encryptor to connected endpoints. Kaseya VSA is a remote monitoring and management solution used by managed service providers (MSPs) and organizations to remotely manage computer systems. The number of impacted organizations is not currently known, but Kaseya estimates that the number of organizations impacted by the REvil ransomware disruption is under 1,500 organizations. Many of the impacted organizations are very small family businesses who are only now discovering the impacts because of the holiday weekend.

REvil ransomware-as-a-service (RaaS) has been marketed in Russian-language underground forums since May 2019. In the RaaS business model, a central group develops ransomware, communicates with victims and runs back end infrastructure, while partners, or affiliates, carry out intrusions and deploy the ransomware. The RaaS is operated by the actor "UNKN" (aka "Unknown") who does not accept English-speaking partners and does not allow partners to target CIS countries, including Ukraine. While the known affiliates are Russian speaking, it is probable that some of the operators may not physically reside in Russia. Notably, following the Colonial Pipeline incident, UNKN made an effort to restrict targeting of REvil affiliates, insisting on vetting targets prior to ransomware deployment.

REvil took credit for the operation on the evening of July 4th, claiming to have impacted over a million systems. They are asking $70 million for a universal decryptor which could be used to unlock any system affected by this incident. This exorbitant demand is the largest on record. In private conversations, REvil has proactively decreased their demands, and they have been known to exaggerate the scope and impact of their intrusions. Furthermore, at this time, REvil has not leaked data from their intrusions, a scheme they often use to pressure victims into paying ransoms. As long as criminals can demand ransoms in the tens of millions of dollars, and are unlikely to face jail, this problem will continue to grow from bad to worse. These actors are well-funded and highly motivated and only dramatic, collaborative action is going to turn back the tide.

Last edited 1 year ago by Charles Carmakal
Information Security Buzz