Looks like there’s no Party in the USA!
On July 3rd, 2021, it was reported that ransomware had resurfaced once again, this time in an attack affecting thousands of organisations following a software supply chain compromise at a supplier of software to Managed Service Providers (MSPs).
The incident is thought to have begun with the compromise of ‘Kaseya’, a US-based software developer that supplies MSPs, and it is understood that the attack centred on exploiting an initial vulnerability in the automated update system of Kaseya’s remote monitoring and management product, known as VSA.
The attack was apparently carried out by the notorious Russia-based hunter group REvil, representing a catastrophic combination of 2021’s most notorious cyber attack trends: supply chain attacks and ransomware. REvil is also the name used for the ransomware strain itself. In fact, REvil is one of the most prominent ransomware families on the planet, responsible for dozens of major breaches since 2019.
After learning about the attack, Kaseya deactivated their Software-as-a-Service (SaaS) servers as a safety measure and began warning their customers to shut down any on-prem VSA server.
Post-compromise, it is understood that the threat group shifted their attention to users of the VSA system. It was also reported that they took advantage of the product’s patch management functionality to deliver the REvil ransomware and to reset administrative access, ensuring that they would retain control of any compromised host.
The group chose the perfect time and method for a reason. It was Independence Day weekend in the US, which falls on the 4th of July: the likeliest period for a company’s IT staff to be offline and for companies to be running on a skeleton crew, with few eyes watching. This helps the threat actors in a few ways:
It allows the ransomware to be fully deployed before anyone notices.
It induces more panic during response operations if key players within the victim’s environment are unavailable to respond, possibly increasing the chances that a ransom demand will be paid.
They also looked for a back door into over a thousand companies – one target through which they could infect numerous others in a pandemic-like chain. In that sense, MSPs may well be the perfect target, given that their business is managing customers’ IT infrastructure and/or end-user systems.
REvil has been very active recently, and the cybersecurity company Sophos is among those actively investigating the attack on Kaseya, which it sees as a supply chain distribution attack. When CSA reached out to Mark Loman, Sophos Director of Engineering, he commented that the adversaries are using MSPs as their distribution method to hit as many businesses as possible, regardless of size or industry type.
“This is a pattern we’re starting to see as attackers are constantly changing their methods for maximum impact, whether for financial reward, stealing data credentials and other proprietary information that they could later leverage, and more. In other widescale attacks we’ve seen in the industry, such as WannaCry, the ransomware itself was the distributor – in this case, MSPs using a widely-used IT management are the conduit,” he added.
Meanwhile, according to Adam Meyers, Senior Vice President of CrowdStrike Intelligence, the timing and target of this attack are no coincidence. “It illustrates what we define as a ‘Big Game Hunting’ attack, launched against a target to maximise impact and profit through a supply chain during a holiday weekend when business defences are down. What we are seeing now in terms of victims is likely just the tip of the iceberg,” he said, before adding that, based on CrowdStrike’s telemetry, the recent ransomware attack on Kaseya has all the hallmarks of the threat actor PINCHY SPIDER, operator of REvil ransomware and suspected culprit of the recent attack on JBS.
Given the continued success of large software supply chain attacks impacting organisations of all sizes, there is no reason for the threat actors to stop, now that they have found how profitable and wide-ranging such attacks can be. Organisations that have not established a mature cybersecurity strategy must therefore understand how severe their exposure is.
According to Ross McKerchar, Sophos Vice President and Chief Information Security Officer, this is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen. He commented further, “At this time, our evidence shows that more than 70 Managed Service Providers were impacted, resulting in more than 350 further impacted organisations. We expect the full scope of victim organisations to be higher than what’s being reported by any individual security company. Victims span a range of worldwide locations with most in the United States, Germany and Canada, and others in Australia, the U.K. and other regions.”