A massive ransomware attack has affected hundreds of businesses. This is what we know

Hackers have hit various IT management companies and compromised their business customers by targeting a key software vendor called Kaseya. On Monday, the attackers demanded a payment of $70 million in bitcoin in exchange for a decryption tool that could help victims recover from the attack.

Given that the attack took place just before a public holiday weekend, the full extent of the damage may not be known until this week. Here’s what we know so far.

On Friday afternoon, Kaseya was alerted to a potential attack involving its remote management software, called VSA, the company said in a statement. In less than an hour, it shut down access to the software in an attempt to stem the spread of the attack. US officials said on Saturday that they were monitoring the attack.

Kaseya provides technology that helps other businesses manage their information technology – essentially, the digital backbone of their operations. In many cases, Kaseya sells its technology to third-party service providers, who manage IT for other businesses, often small and medium-sized businesses. In short, by targeting Kaseya’s software, attackers gained easier access to a range of different corporate networks.

Over the weekend, experts said the attack had already taken down at least a dozen IT support companies that rely on Kaseya’s remote management tool. The incident affects not only Kaseya’s IT management customers, but also the corporate clients of companies that have outsourced their IT management to them.

Kaseya said Tuesday that about 50 of its customers who use the on-premises version of VSA were directly compromised by the attack, but that as many as 1,500 downstream companies around the world were compromised. These include dental offices, small accounting firms and local restaurants, the company said.

Kaseya chief executive Fred Voccola added in an interview with Reuters on Monday that it is difficult to assess the full impact of the attack, but that he was not aware of any organizations of national importance being compromised in the attack.

“We are not envisioning massive critical infrastructure,” he told Reuters. “It’s none of our business. We don’t operate the AT&T network or the Verizon 911 system. No such thing.”

Who was behind it?

REvil is the criminal hacking gang whose malware was behind the Kaseya attack, cyber researchers have said.

The group, which is said to operate in Eastern Europe or Russia, is one of the most infamous ‘ransomware-as-a-service’ providers, meaning it supplies tools for others to carry out ransomware attacks and takes a share of the profits. It also carries out some attacks of its own.

Experts have been following REvil since its inception in 2019, and the group has quickly become something of a “thought leader” in the hacking field, said Jon DiMaggio, chief security strategist at Analyst1, a cybersecurity firm that tracks the ransomware. Several hacking groups, including the DarkSide gang that led the Colonial Pipeline attack in May, were said to have been created by people who originally worked for REvil, DiMaggio said.

REvil is believed to operate from Eastern Europe or Russia because its representatives communicate online in Russian and its attacks are generally designed to avoid Russian targets, experts say. U.S. officials have urged Russia to take action to prosecute cybercriminal groups operating in the country.

REvil was also behind several other recent, high-profile ransomware attacks – it hit JBS Foods last month, the Apple (AAPL) supplier Quanta Computer in April and the electronics manufacturer Acer in March.

About the timing …

It’s no surprise that the attack took place just before a major holiday weekend. Experts say holidays and long weekends are the best times for hackers to execute ransomware attacks, as they give the attackers more time to encrypt files and devices before anyone has a chance to notice and respond.

Carrying out the attack on the July 4 weekend, in particular, could also have been intentional, according to DiMaggio.


After U.S. officials took down DarkSide in the aftermath of the Colonial Pipeline attack and recovered some of the ransom it had received, REvil took to online hacking forums to claim that ransomware groups would not be deterred by the United States, DiMaggio said.

“They’ve always seemed anti-American, but especially since DarkSide pulled out, and now we’re seeing this massive attack on our infrastructure over Independence Day weekend,” he said. “I think that sends a very strong message.”

How did the White House react?

The White House has urged companies who believe their systems have been compromised by the attack to immediately report it to the Internet Crime Complaint Center.

“As of Friday, the United States government has been working across the agency to assess the Kaseya ransomware incident and help with the response,” Anne Neuberger, deputy national security adviser for cyber and emerging technologies, said on Sunday. “The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have worked with Kaseya and coordinated to conduct outreach to affected victims.”

President Joe Biden also told a press briefing this weekend that, while officials are still investigating the source of the attack, the United States could retaliate if the Russian government is involved.

“If it’s knowingly and/or as a consequence of Russia, then I told Putin that we will respond,” Biden said on Saturday, referring to his meeting with the Russian leader last month. “We are not sure. The initial thought was not the Russian government but we are not sure yet.”

What do we need to learn?

The attack on Kaseya points to a popular target for ransomware attackers: managed service providers. MSPs such as Kaseya’s clients allow companies to outsource certain software and services, such as IT management, to third parties, which can help avoid the cost of having to employ such experts in-house.

SolarWinds, the company that was hit by a devastating security breach last year, also supplies IT management software to many Fortune 500 companies and government agencies.

While attacks against these types of vendors are not new, MSPs represent a great opportunity for hackers because of the way they interact with other companies’ networks, DiMaggio said. In many cases, there are no technical controls on software updates from these vendors, as they are considered “trusted” partners, potentially leaving customers vulnerable to bad actors who could embed ransomware payloads in those updates.

“There are going to have to be more checks and balances for any third-party vendor,” he said.
