Perhaps inevitably, today's two major cybersecurity threats, supply chain attacks and ransomware, have combined to cause serious damage. That is exactly what happened on Friday afternoon. The notorious REvil criminal group encrypted the files of hundreds of companies in one fell swoop, apparently thanks to a compromise of IT management software. And this is just the beginning.
The situation is still evolving, and certain details, most importantly how the attackers initially penetrated the software, remain unknown. But given the nature of the target, the impact is already serious and will only get worse. The software in question, Kaseya VSA, is popular among so-called managed service providers, which run IT infrastructure for companies that would rather outsource such things than handle them in-house. This means that if you successfully compromise an MSP, you suddenly have a path into its customers. It is the difference between cracking one safe at a time and stealing the bank manager's master key.
So far, according to the security company Huntress, REvil has compromised 8 MSPs. Three of those MSPs work directly with Huntress, and 200 businesses served by them discovered that their data had been encrypted on Friday. It doesn't take much inference to see that it gets worse from there, especially considering how widespread Kaseya is.
“Kaseya is the Coca-Cola of remote management,” said Jake Williams, CTO of incident response company BreachQuest. “Because we're heading into the end of a holiday week, we won't even know how many victims there are until Tuesday or Wednesday next week. But it is monumental.”
Best of both worlds
MSPs have long been a popular target, especially for nation-state hackers. If you can compromise one, attacking its customers is a very efficient way of spying. As a 2018 Department of Justice indictment showed, China's elite APT10 spies used compromised MSPs to steal hundreds of gigabytes of data from dozens of companies. REvil has also targeted MSPs before: in 2019 it used its foothold in a third-party IT company to hijack 22 Texas municipalities at the same time.
Supply chain attacks are becoming more and more common, most notably in last year's devastating SolarWinds incident, which gave Russia access to multiple U.S. agencies and countless other victims. Like MSP attacks, supply chain hacks have a multiplier effect; poisoning a single software update can yield hundreds of victims.
So you can begin to see why a supply chain attack against MSPs can have exponential consequences. Adding ransomware that cripples systems makes the situation even harder to contain. It is reminiscent of the devastating NotPetya attack, which also used a supply chain compromise to spread a nation-state attack that at first appeared to be ransomware but was actually carried out by Russia. The more recent Russian election campaign also comes to mind.
“This is SolarWinds, but with ransomware,” said Brett Callow, a threat analyst at antivirus company Emsisoft. “When a single MSP is compromised, hundreds of end users may be affected. In this case, multiple MSPs seem to have been compromised, so…”
Williams of BreachQuest said that REvil appears to be asking victim companies for approximately $45,000 in the cryptocurrency Monero; if they cannot pay within a week, the demand doubles. Security news site BleepingComputer reported that REvil has asked some victims for $5 million for a decryption key to unlock “all PCs on the encrypted network,” which may be aimed at the MSPs themselves rather than their customers.
“We often talk about MSPs as the mother ship of many small and medium enterprises and organizations,” said John Hammond, a senior security researcher at Huntress. “But if Kaseya is hit, the bad actors just hit all of their motherships at once.”