The hackers behind a mass ransomware attack exploited multiple previously unknown vulnerabilities in IT management software made by Kaseya, the latest sign of the skill and aggressiveness of the Russia-linked group believed to be responsible for the incidents, cybersecurity researchers said Sunday.
Marcus Murray, founder of Stockholm-based TrueSec, said his firm’s investigations, involving multiple victims in Sweden, found the hackers targeted them opportunistically. In those cases, they used a previously unknown flaw in Miami-based Kaseya’s code to push ransomware to servers that used the software and were connected to the internet, he said.
The Dutch Institute for Vulnerability Disclosure said it had alerted Kaseya to multiple vulnerabilities in its software that were then used in the attacks, and that it was working with the company on fixes when the ransomware was deployed.
Kaseya “showed a genuine commitment to do the right thing”, the Dutch organisation wrote. “Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch,” it added, referring to the Russian-based hacking group. REvil was accused of being behind the May 30 ransomware attack of Brazilian meatpacking giant JBS.
The findings differentiate the latest incident, which US cybersecurity firm Huntress Labs said affected more than 1,000 businesses, from other recent assaults on the software supply chain. For instance, an attack the US blamed on Russia’s foreign intelligence service, disclosed in December, involved altered software updates from another provider of IT management software, Texas-based SolarWinds. Ultimately, nine federal agencies and at least 100 companies were infiltrated via SolarWinds and other methods.
Regarding the most recent attack, Frank Breedijk, head of the Dutch institute’s computer security incident response team, emphasised the hackers’ high skill level in exploiting the Kaseya software.
“The big point behind this is someone was willing, determined and had the resources to build this attack chain, and it’s not a trivial chain to build,” he said. “You have to know what you’re doing to make an attack like this work.”
Kaseya spokesperson Dana Liedholm confirmed the incident involved multiple vulnerabilities in the company’s products and called it a “sophisticated weaponised attack with ransomware”. “This was not as simple as a single 0-day exploit,” Liedholm said, using an industry term for vulnerabilities in software that hackers are aware of, but the makers of that code are not.
REvil has demanded $70m (about R996m) in bitcoin for a universal decryptor, said two cybersecurity experts who reviewed an announcement on the group’s website.
REvil has demanded $70m (about R996m) in bitcoin for a universal decryptor, said two cybersecurity experts who reviewed an announcement on the group’s website. Daniel Smith, the head of research at cybersecurity firm Radware, said he has observed REvil asking for $45,000 (about R640,000) per infected system in the past.
The $70m is “considerably less than the $45bn (about R640bn) they would ask to unlock the one million systems they claim to have encrypted,” said Brett Callow, a threat analyst at New Zealand cybersecurity firm Emsisoft, who confirmed the ransom demand.
Kaseya said its VSA product was the victim of a “sophisticated cyberattack” and that it had notified the FBI. Kaseya has identified fewer than 40 customers impacted by the attack, adding that its cloud-based services weren’t impacted. In a later statement on Sunday, the firm said it was working with US-based FireEye and other security companies to help manage the fallout.
The US Cybersecurity and Infrastructure Security Agency also said it was continuing to respond to the recent attack, which it said leveraged a “vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers”.
Kaseya’s clients include companies that provide remote IT support and cybersecurity services for small- and medium-sized businesses.
In the latest attack, the hackers had to target machines individually. That’s not complicated. Hackers and security researchers have access to many of the same basic tools for scanning the internet looking for computers that are vulnerable to attack. But by infecting IT support organisations, the malicious software was passed to their customers as well, multiplying the impact.
One of the known victims, Swedish grocery chain Coop, said on Saturday that most of its more than 800 stores couldn’t open because the attack led to a shutdown of its payment terminals. Others include managed service providers, which provide IT services to other businesses, meaning their infections may have spread to their customers.
One of the MSPs affected was the US’s Avtex, which said it detected a ransomware attack on Friday morning that appeared to have originated through Kaseya. “Avtex’s security engineers immediately alerted Kaseya to the severity of the issue and proceeded to activate proactive and precautionary measures to safeguard its clients and its infrastructure,” Avtex said, adding that its systems were all fully operational and it had seen no evidence of any data breach.
From a criminal standpoint it’s a brilliant supply-chain target to take away the tool that’s needed to recover from the threat.
— Marcus Murray, TrueSec Inc founder
Murray declined to identify any of his firm’s clients. He said because of Kaseya’s central role in managing security and IT that victims could have longer recovery times than in typical ransomware incidents.
“The tool these organisations are using normally for patching and IT support and recovery is Kaseya,” he said. “It’s a big undertaking when someone takes away all your ability to do the maintenance.
“From a criminal standpoint it’s a brilliant supply-chain target to take away the tool that’s needed to recover from the threat,” he added. “They’re not only encrypting the systems, but they’re also taking the recovery tool out of the equation.”
Ross McKerchar, vice-president and chief information security officer at UK cybersecurity firm Sophos, said the hack was “one of the farthest-reaching criminal ransomware attacks Sophos has ever seen”.
“At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organisations,” he said. “We expect the full scope of victim organisations to be higher than what’s being reported by any individual security company.”
There are victims in 17 countries so far, including the UK, SA, Canada, Argentina, Mexico and Spain, according to Aryeh Goretsky, a researcher at cybersecurity firm ESET in Slovakia.
US President Joe Biden said on Saturday he had ordered a “deep dive” from the intelligence community about the incident, which came just weeks after he implored Russian President Vladimir Putin at a summit on June 16 to curb cyberattacks against the US. Biden said “we’re not sure” that Russia is behind the attack, adding that he expected to know more about the attacks on Sunday.
“The initial thinking was it was not the Russia government, but we’re not sure yet,” he said.
— Bloomberg News. More stories like this are available on bloomberg.com
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.