Kaseya hack floods hundreds of companies with ransomware

Kaseya hack floods hundreds of companies with ransomware

On Friday, a flood of ransomware hit hundreds of companies around the world. A grocery store chain, a public broadcaster, schools, and a national railway system were all hit by the file-encrypting malware, causing disruption and forcing hundreds of businesses to close.

The victims had something in common: a key piece of network management and remote control software developed by U.S. technology firm Kaseya. The Miami-headquartered company makes software used to remotely manage a company’s IT networks and devices. That software is sold to managed service providers — effectively outsourced IT departments — which they then use to manage the networks of their customers, often smaller companies.

But hackers associated with the Russia-linked REvil ransomware-as-a-service group are believed to have used a never-before-seen security vulnerability in the software’s update mechanism to push ransomware to Kaseya’s customers, which in turn spread downstream to their customers. Many of the companies who were ultimately victims of the attack may not have known that their networks were monitored by Kaseya’s software.

Kaseya warned customers on Friday to “IMMEDIATELY” shut down their on-premise servers, and its cloud service — though not believed to be affected — was pulled offline as a precaution.

“[Kaseya] showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint.” Security researcher Victor Gevers

John Hammond, senior security researcher at Huntress Labs, a threat detection firm that was one of the first to reveal the attack, said about 30 managed service providers were hit, allowing the ransomware to spread to “well over” 1,000 businesses.” Security firm ESET said it knows of victims in 17 countries, including the U.K., South Africa, Canada, New Zealand, Kenya, and Indonesia.

On Monday night, Kaseya said in an update that about 60 Kaseya customers were affected and put the downstream number of victims at fewer than 1,500 companies.

Now it’s becoming clearer just how the hackers pulled off one of the biggest ransomware attacks in recent history.

Dutch researchers said they found several zero-day vulnerabilities in Kaseya’s software as part of an investigation into the security of web-based administrator tools. (Zero-days are named as such since it gives companies zero days to fix the problem.) The bugs were reported to Kaseya and were in the process of being fixed when the hackers struck, said Victor Gevers, who heads the group of researchers, in a blog post.

Kaseya’s chief executive Fred Voccola told The Wall Street Journal that its corporate systems were not compromised, lending greater credence to the working theory by security researchers that servers run by Kaseya’s customers were compromised individually using a common vulnerability.

The company said that all servers running the affected software should stay offline until the patch is ready. Voccola told the paper that it expects patches to be released by late Monday.

The attack began late Friday afternoon, just as millions of Americans were logging off into the long July 4 weekend. Adam Meyers, CrowdStrike’s senior vice president of intelligence, said the attack was carefully timed.

“Make no mistake, the timing and target of this attack are no coincidence. It illustrates what we define as a Big Game Hunting attack, launched against a target to maximize impact and profit through a supply chain during a holiday weekend when business defenses are down,” said Meyers.

A notice posted over the weekend on a dark web site known to be run by REvil claimed responsibility for the attack, and that the ransomware group would publicly release a decryption tool if it is paid $70 million in bitcoin.

“More than a million systems were infected,” the group claims in the post.

Related Articles

Passwordstate users warned to ‘reset all passwords’ after attackers plant malicious update

Click Studios, the Australian software house that develops the enterprise password manager Passwordstate, has warned customers to reset passwords across their organizations after a cyberattack on the password manager. An email sent by Click Studios to customers said the company had confirmed that attackers had “compromised” the password manager’s software update feature in order to…

FBI launches operation to remove backdoors from hacked Microsoft Exchange servers

A court in Houston has authorized an FBI operation to “copy and remove” backdoors from hundreds of Microsoft Exchange email servers in the United States, months after hackers used four previously undiscovered vulnerabilities to attack thousands of networks. The Justice Department announced the operation on Tuesday, which it described as “successful.” In March, Microsoft discovered…

How Jamaica failed to handle its JamCOVID scandal

As governments scrambled to lock down their populations after the COVID-19 pandemic was declared last March, some countries had plans underway to reopen. By June, Jamaica became one of the first countries to open its borders. Tourism represents about one-fifth of Jamaica’s economy. In 2019 alone, four million travelers visited Jamaica, bringing thousands of jobs…

0 0 votes
Reitingas
Subscribe
Notify of
guest
0 Komentarai
Inline Feedbacks
View all comments