While millions of Americans were celebrating the long Fourth of July holiday weekend, the notorious REvil cybercriminal gang was busy proving that cyber threats never rest. Businesses around the globe are still reeling from what may turn out to be the biggest and most destructive ransomware attack ever perpetrated. This new strike hit Dublin, Ireland-based software provider Kaseya and had already impacted around 1,500 companies as of Monday.
One victim of the Kaseya ransomware attack was Swedish grocery chain Coop, which closed 800 stores on Saturday as its information technology (IT) systems went down, posting signs on the doors that read, “We have been hit by a large IT disturbance and our systems do not work.” The attack was widespread enough that President Joe Biden was briefed on it during a holiday trip to Michigan. Kaseya is currently working with U.S. government agencies, including the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to mitigate the effects of the strike. CISA is encouraging organizations that might be impacted to review the Kaseya advisory and immediately follow their guidance to shut down VSA servers.
“This extremely serious attack highlights the supply chain’s vulnerability to ransomware attacks,” said David Bicknell, principal analyst, Thematic Research at GlobalData, a data and analytics company. “2020 was a challenging year for cybersecurity, and things have got worse in 2021. Last year’s SolarWinds attack showed that hackers breaching one provider magnifies the cyber threat and provides an opportunity to launch a bigger attack at scale.”
Following the attack, the White House urged companies who believe their systems were compromised to immediately report it to the Internet Crime Complaint Center.
“Since Friday, the United States Government has been working across the interagency to assess the Kaseya ransomware incident and assist in the response,” said Anne Neuberger, deputy national security advisor for cyber and emerging technology, according to the New York Times. “The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have been working with Kaseya and coordinating to conduct outreach to impacted victims.”
Though the Kaseya ransomware attack is larger in scale, it’s reminiscent of several recent breaches. The REvil criminal gang, the same group that extorted $11 million from the world’s largest meat processing company, JBS, has taken credit for the attack and is asking for $70 million in bitcoin to publish a universal decryptor to unlock affected computers. In a message on its dark web blog, REvil, believed to operate out of Russia, claimed more than 1 million systems have already been infected.
The Kaseya ransomware attack also has echoes of the SolarWinds incident that infiltrated several major U.S. government agencies and corporations earlier this year. One of the reasons attacks like these can be so damaging is that they exploit a company’s supply chain, meaning hackers use a vendor’s network to distribute malicious code to its customer base. As of now, it looks like the Kaseya attack might not have been a supply chain attack, unlike SolarWinds.
“I think the first thing you have to recognize is that [hackers] are unethical as a lot because they’re seeking to accomplish a mission, their own mission, often with profit as the motivation,” said Rick Peters, chief information security officer (CISO) of operational technology (OT) North America at Fortinet, who spent 33 years working for the National Security Agency (NSA). “They’re looking for what they can take away, whether they’re selling intellectual property — your tradecraft, your secrets, your crown jewels — or whether they’re giving away data, if it’s records privacy data. Whatever form that takes, it’s gaining access, and access is the key. I know in my former life, access was always that first step.
“We start to look at what the kill chain looks like, and there’s lots of models out there from the point of access. I think SolarWinds was a great example of that. You had a lot of discretion on the part of an adversary gaining access using a party that was delivering a service. So the service was the payload. What a wonderful way to get on a wide variety of targets. Whether you were the primary target or collateral, it’s a widespread attack that gained lots of access. And once I’m on target, then I’m going to use higher-grade tools to gain access, or further access or penetration. So it’s getting on target and then using exploits that will allow me to achieve and move within the environment. I would say my natural instinct once I’m on point is to move quickly. If you’re not containing me, I’m gone. I’ve moved on to where my ultimate destination is to achieve probably a comprehensive or a multithread campaign.”
Timing the Kaseya ransomware attack during a U.S. holiday weekend was also a savvy maneuver, allowing REvil to take advantage of lower staffing levels throughout the country to slow the response time and increase the spread of the malware through the company’s network.
Kaseya has a presence in more than 10 countries and serves customers worldwide in industries such as finance, health care, manufacturing, managed services, government and retail, according to its website. Its products are often used by managed service providers (MSPs) that offer remote IT services to smaller companies. This domino effect — breaching Kaseya to reach its MSPs to reach the MSPs’ customers — has magnified the attack’s impact around the globe.
The company said it learned of the “sophisticated cyberattack” involving its vector signal analysis (VSA) software around midday on Friday, July 2. Kaseya immediately shut down its software as a service (SaaS) server as a precautionary measure and notified its on-premises customers to disable their VSA servers to prevent them from being compromised.
“While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability,” said Kaseya CEO Fred Voccola in a statement.
Infecting the supply chain means it’s not just large companies that will be impacted. Many of the businesses that use Kaseya’s software are smaller and don’t have the resources to manage their own IT functions. Each MSP can serve hundreds of smaller organizations.
“Small and medium-sized companies will suffer the most,” Bicknell said. “They trust their managed service providers for support and now face potentially devastating ransomware attacks delivered through IT management software used by those very managed service providers.”
Researchers believe REvil infiltrated Kaseya’s networks through a previously unknown zero-day vulnerability. When Kaseya customers tried to run a software update, they instead got REvil’s malware.
“We have been advised by our outside experts that customers who experienced ransomware and receive communication from the attackers should not click on any links — they may be weaponized,” the company warned in a statement.
Ransomware dominated the news in 2020 and seems to be gaining momentum this year. According to the annual Bitdefender Consumer Threat Report, there was a 485% increase in year-over-year ransomware attacks throughout 2020. The increase in people working from home and the COVID-19 pandemic have both increased vulnerabilities, but it also comes down to ease of use.
“All you’re really doing is encrypting somebody’s server or data, and then you’re just holding it hostage,” said Wayne Dorris, a certified information systems security professional (CISSP) and business development manager for cybersecurity with Axis Communications. “Now you have a victim that is probably more than willing to pay for that. Compare that to a traditional attack, where the attacker will spend months in your system trying to figure out what is the personal data that I can go and get or intellectual property or what credentials I can get. I then exfiltrate that, I put that on the dark web, dark net, and then I have to find another buyer. That becomes a lengthy process.”
The Kaseya ransomware attack comes on the heels of a spate of high-profile breaches that have hit critical components of the U.S. and global economies. Major companies like Electronic Arts (gaming), Colonial Pipeline (energy/oil and gas) and JBS (food and beverage) have all suffered recent attacks that have caused delays and shutdowns.
“When you take a look at what’s going on activity-wise, you obviously see a huge increase,” Peters said. “At least, it seems to be making a lot more headlines, and the reality is the numbers bear out that way. We saw a 400% increase in attacks on OT just in the last year. That probably doesn’t surprise many because, in these times of uncertainty, and certainly a global pandemic, it creates lots of confusion and innovation.”