
US Spy Agencies to Investigate Kaseya Supply Chain Attack

President Biden has ordered his intelligence agencies to investigate a major ransomware supply chain attack over the weekend that targeted a vendor of IT software used by managed service providers (MSPs).

Suspected to be the work of a REvil affiliate, the attack on Miami-headquartered Kaseya was spotted by its incident response team at around midday on Friday.

The firm’s latest update, dated Sunday, claimed that the incident had affected around 40 on-premises customers worldwide, who will need a patch to mitigate the targeted vulnerability before they can restart systems.

In the meantime, both they and the firm’s SaaS customers have been told to keep systems offline. A decision on when to restart the SaaS servers will be taken on Monday.

Customers whom the ransomware actors have contacted have also been warned not to click on any links in these communications, as they may be weaponized with additional malware.

The attackers found and exploited a zero-day bug in the Kaseya VSA product to compromise the organization, according to researcher Kevin Beaumont.

The zero-day bug enabled them to remotely execute commands on the VSA appliance and deliver ransomware to the firm’s MSP customers via a fake software update.

“The attacker immediately stops administrator access to the VSA, and then adds a task called ‘Kaseya VSA Agent Hot-fix.’ This fake update is then deployed across the estate — including on MSP client customers’ systems — as a fake management agent update. This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya’s customers were still encrypted,” explained Beaumont.

“By design Kaseya is designed to allow administration of systems with high level privileges. So ransomware can push itself to systems. The attackers pushed a management agent update, which is automatically installed on all managed systems — which means very wide impact.”

According to Huntress Security, the original vector is likely to have been an SQL injection vulnerability.

“We have high confidence that the threat actor used an authentication bypass in the web interface of Kaseya VSA to gain an authenticated session, upload the original payload, and then execute commands via SQL injection,” it said. “We can confirm that SQL injection is how the actors began code execution.”
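The sequence Beaumont describes (administrator access cut off, then an estate-wide procedure named ‘Kaseya VSA Agent Hot-fix’ pushed to every managed agent) is the kind of pattern a defender can hunt for in RMM audit trails. The following is an added example written for this article, not code from Kaseya or the researchers quoted; it runs over a constructed log sample in a hypothetical `timestamp | user | event | detail` layout (not the real VSA audit-log format) and flags both the reported task name and any estate-wide deployment that follows an admin-disable event within a short window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in a hypothetical layout; NOT Kaseya VSA's real audit-log format.
SAMPLE_LOG = """\
2021-07-02 12:01:10 | svc_admin | PROCEDURE_CREATE | name=Weekly Patch Scan
2021-07-02 13:55:02 | kadmin | ADMIN_DISABLE | account=kadmin
2021-07-02 13:55:40 | kadmin | PROCEDURE_CREATE | name=Kaseya VSA Agent Hot-fix
2021-07-02 13:56:05 | kadmin | PROCEDURE_DEPLOY | name=Kaseya VSA Agent Hot-fix scope=all_agents
2021-07-02 14:10:00 | svc_admin | PROCEDURE_DEPLOY | name=Weekly Patch Scan scope=group:finance
"""

LINE_RE = re.compile(r"^(\S+ \S+) \| (\S+) \| (\S+) \| (.*)$")
# Task name reported in the incident (case-insensitive match).
SUSPICIOUS_NAMES = {"kaseya vsa agent hot-fix"}
# Hypothetical correlation window between admin lock-out and mass deployment.
WINDOW = timedelta(minutes=15)


def parse(log_text):
    """Parse log lines into (timestamp, user, event, detail) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, event, detail = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, event, detail))
    return events


def detect(log_text):
    """Return (rule, timestamp, procedure_name) findings for the two hunting rules."""
    findings = []
    last_admin_disable = None
    for ts, user, event, detail in parse(log_text):
        m = re.search(r"name=(.+?)(?: scope=|$)", detail)
        name = m.group(1).strip().lower() if m else ""
        if event == "ADMIN_DISABLE":
            last_admin_disable = ts
        # Rule 1: procedure created or deployed under the known fake hot-fix name.
        if event in ("PROCEDURE_CREATE", "PROCEDURE_DEPLOY") and name in SUSPICIOUS_NAMES:
            findings.append(("known_fake_hotfix_name", ts, name))
        # Rule 2: estate-wide deployment shortly after administrator access was disabled.
        if (event == "PROCEDURE_DEPLOY" and "scope=all_agents" in detail
                and last_admin_disable is not None and ts - last_admin_disable <= WINDOW):
            findings.append(("estate_wide_deploy_after_admin_disable", ts, name))
    return findings
```

Rule 2 is the more durable of the two, since a task name is trivial for an attacker to change while the lock-out-then-mass-push ordering is inherent to the technique.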

Although only 40 of Kaseya’s estimated 40,000 customers are thought to have been affected, these are MSPs that themselves have many customers. Huntress said it had tracked “well over 1,000” businesses whose systems have been encrypted as a result.

The attack is the latest in a string of high-profile compromises of the digital supply chain, following SolarWinds and Codecov. According to John Shank, Team Cymru chief architect and Ransomware Task Force committee lead, organizations should take note.

“This is not the first and it won’t be the last,” he warned. “It is time to add another item for already overwhelmed corporate security teams: audit suppliers and integrations with your supply chain providers. Limit exposure to the absolute minimum while still enabling business operations.”
