On Friday, a flood of ransomware hit hundreds of businesses around the world. A grocery chain, a public broadcaster, schools and a national rail system have all been hit by the file-encrypting malware, causing disruption and forcing many of the affected businesses to shut down.
The victims had something in common: a key piece of network management and remote control software developed by American technology company Kaseya. The Miami-based company makes software used to remotely manage a company’s networks and computing devices. The software is sold to managed service providers – effectively outsourced IT departments – which use it to manage the networks of their own customers, often small businesses.
But hackers associated with the Russia-linked ransomware-as-a-service group REvil reportedly used a previously unknown security vulnerability in the software’s update mechanism to push the ransomware to Kaseya customers, which in turn spread it downstream to their own customers. Many of the companies that ultimately fell victim to the attack may not have known that their networks were being managed with Kaseya’s software.
Kaseya on Friday warned customers to shut down their on-premises servers “IMMEDIATELY”, and its cloud service – although it does not appear to be affected – has been taken offline as a precaution.
“[Kaseya] shows a real commitment to doing the right thing. Unfortunately, we were beaten by REvil in the final sprint.” – Security researcher Victor Gevers
John Hammond, senior security researcher at Huntress Labs, a threat detection company that was one of the first to reveal the attack, said around 30 managed service providers have been affected, allowing the ransomware to propagate to “well over” 1,000 companies. Security firm ESET said it knows of victims in 17 countries, including the UK, South Africa, Canada, New Zealand, Kenya and Indonesia.
On Monday night, Kaseya said in an update that approximately 60 of its customers had been affected and that the downstream victim count was fewer than 1,500 companies.
Now it’s becoming clearer how hackers pulled off one of the biggest ransomware attacks in recent history.
Dutch researchers said they discovered several zero-day vulnerabilities in Kaseya’s software as part of an investigation into the security of web-based administration tools. (Zero-days are named as such because the vendor has had zero days to fix the flaw before it is disclosed or exploited.) The bugs were reported to Kaseya and were being fixed when the hackers struck, said Victor Gevers, who heads the group of researchers, in a blog post.
Kaseya chief executive Fred Voccola told The Wall Street Journal that the company’s own business systems were not compromised, lending credence to security researchers’ working theory that servers run by Kaseya customers were individually compromised using a common vulnerability.
The company said all servers running the affected software should remain offline until the patch is ready. Voccola told the newspaper that he expects the fixes to be released on Monday evening.
The attack began late Friday afternoon, as millions of Americans logged off for the July 4 long weekend. Adam Meyers, senior vice president of intelligence at CrowdStrike, said the attack was carefully timed.
“Make no mistake, the timing and target of this attack are no coincidence. It illustrates what we define as a big game hunting attack, launched against a target to maximize impact and profit across a supply chain during a holiday weekend when business defenses are down,” Meyers said.
A notice posted over the weekend on a dark web site known to be run by REvil claimed responsibility for the attack and said the ransomware group would publicly release a decryption tool if paid $70 million in bitcoin.
“Over a million systems have been infected,” the group said in the post.