Massive ransomware hack used computer software flaws, researchers say

Hackers behind a massive ransomware attack exploited several previously unknown vulnerabilities in Kaseya Ltd.’s IT management software, the latest sign of the competence and aggression of the Russian-linked group believed to be responsible for the incidents, cybersecurity researchers said on Sunday.

Marcus Murray, founder of Stockholm-based TrueSec Inc., said his company’s investigations involving multiple victims in Sweden revealed that the hackers were targeting them opportunistically. In these cases, the hackers used a previously unknown flaw in the code of Miami-based Kaseya to push the ransomware to servers that ran the software and were connected to the Internet, he said.

The Dutch Vulnerability Disclosure Institute said it had alerted Kaseya to several vulnerabilities in its software that were later used in the attacks, and that it was working with the company on fixes when the ransomware was deployed.

Kaseya “has shown a real commitment to doing the right thing,” the Dutch organization wrote. “Unfortunately, we were beaten by REvil in the final sprint because they could exploit the vulnerabilities even before customers could patch,” it added, referring to the Russia-based hacking group. REvil has been accused of being behind the May 30 ransomware attack on meat packaging giant JBS SA.

The findings differentiate the latest incident – which cybersecurity firm Huntress Labs Inc. said affected more than 1,000 companies – from other recent attacks on the software supply chain. For example, an attack the United States blamed on Russia’s foreign intelligence service, disclosed in December, involved modified software updates from another IT management software vendor, Austin, Texas-based SolarWinds Corp. In the end, nine federal agencies and at least 100 companies were infiltrated via SolarWinds and other methods.

Regarding the most recent attack, Frank Breedijk, head of the Dutch institute’s IT security incident response team, highlighted the hackers’ high level of proficiency with the Kaseya software.

“The big point behind this is that someone was willing, determined and had the resources to build this chain of attack, and it’s not a trivial chain to build,” he said in an interview. “You have to know what you are doing for an attack like this to work.”

Kaseya spokeswoman Dana Liedholm confirmed in an email that the incident involved multiple vulnerabilities in the company’s products and called it a “sophisticated armed attack with ransomware.”

“It wasn’t as easy as a single 0-day exploit,” Liedholm said, using an industry term for software vulnerabilities that hackers are aware of but the code’s creators are not.

Kaseya said its VSA product was the victim of a “sophisticated cyber attack” and that it had informed the FBI. Kaseya said it had identified fewer than 40 customers affected by the attack, adding that its cloud-based services were not affected. In a later statement on Sunday, the company said it was working with FireEye Inc. and other security companies to help manage the fallout.

The US Cybersecurity and Infrastructure Security Agency also said it continued to respond to the recent attack, which it said exploited a “vulnerability in Kaseya VSA software against multiple Managed Service Providers (MSPs) and their customers.”

Kaseya’s customers include companies that provide remote IT support and cybersecurity services to small and medium businesses.

In the latest attack, the hackers had to target the machines individually. That is not complicated: hackers and security researchers have access to many of the same basic tools for scanning the Internet for computers vulnerable to attack. But by infecting IT support organizations, the malware was also passed on to their customers, multiplying the impact.

One of the known victims – Swedish grocery chain Coop – said on Saturday that most of its more than 800 stores could not open because the attack had shut down their payment terminals. Other victims include managed service providers, which provide IT services to other businesses, meaning their infections may have spread to their customers.

Murray, of Swedish firm TrueSec, declined to identify any of his company’s clients. He said that because of Kaseya’s central role in security and IT management, victims might face longer recovery times than in typical ransomware incidents.

“The tool that these organizations normally use for patching, IT support, and recovery is Kaseya,” he said. “It’s a big deal when someone takes away your ability to do the maintenance.”

“From a criminal standpoint, this is a brilliant target in the supply chain to pull out the tool needed to recover from the threat,” Murray added. “They don’t just encrypt systems, they also take the recovery tool out of the equation.”

Ross McKerchar, vice president and chief information officer of cybersecurity firm Sophos, said the hack was “one of the most extensive criminal ransomware attacks Sophos has ever seen.”

“Right now, our evidence shows that over 70 managed service providers have been affected, resulting in over 350 other organizations affected,” he said in a statement. “We expect the aggregate of victim organizations to be higher than what is reported by any individual security company.”

There are so far victims in 17 countries, including the UK, South Africa, Canada, Argentina, Mexico and Spain, according to Aryeh Goretsky, a researcher at cybersecurity firm ESET.

US President Joe Biden said on Saturday he had ordered a “deep dive” by the intelligence community into the incident, which came just weeks after Biden implored Russian President Vladimir Putin at a summit on June 16 to curb cyber attacks against the United States. Biden said “we’re not sure” Russia was behind the attack. The president said he expected to know more about the attacks on Sunday.

“The original idea was that it was not the Russian government, but we are not sure yet,” he said.
