REvil ransomware attackers demand $70m following Kaseya VSA supply chain attack 


Cybercrime gang exploited zero-day flaws


The REvil ransomware gang has demanded a $70 million payment after compromising IT management platform Kaseya VSA and reportedly encrypting the data of more than 1,000 downstream organizations.

A screenshot of the demand from the Russia-linked cybercrime group was posted by Huntress security researcher John Hammond yesterday (July 4, 2021). Hammond also said that more than 1,000 organizations managed through compromised VSA servers were affected, based on analysis of around 30 MSPs worldwide.

The cybercriminals exploited a zero-day flaw, initially reported as a SQL injection (SQLi) vulnerability, that was in the process of being patched, according to the Dutch Institute for Vulnerability Disclosure (DIVD). DIVD had been coordinating remediation of the vulnerabilities with Kaseya when the attackers struck, before a fix was available to customers.


The vulnerabilities, tracked under CVE-2021-30116, were found by DIVD security researcher Wietse Boonstra.

After exploiting the flaws, the attackers used the compromised VSA servers to push the ransomware as a fake auto-update, which deploys “across the estate – including on MSP client customers’ systems”, according to a blog post published on July 2 by British security expert Kevin Beaumont.

Server shutdown

In an ongoing series of rolling updates, Kaseya said its “fast response” to the “sophisticated cyber-attack” had localized the impact “to a very small number of on-premises customers only”. 

It said it believed “there is zero related risk right now” for SaaS and NOC (network operations centers) customers, as well as on-premises customers whose servers are offline.

After detecting the attacks, which began on July 2, Kaseya urged customers to immediately shut down their on-premises VSA servers, since one of the first things the attacker did after gaining access was shut off administrative access to the VSA.

DIVD said yesterday that the number of internet-facing Kaseya VSA instances had since dropped from more than 2,200 to fewer than 140.

Patch schedule

Affected customers have been advised to only restore their VSA servers once a security patch is applied.

Kaseya said it would publish the schedule for distributing the patch for on-premises customers once the process of restarting SaaS data centers – provisionally set for today (July 5), after a day’s delay – was up and running.

“We will bring our SaaS data centers back online on a one-by-one basis starting with our EU, UK, and APAC data centers, followed by our North American data centers,” said Kaseya.


“We will be adding an additional layer of security to our SaaS infrastructure which will change the underlying IP addresses of our VSA servers.”

A compromise detection tool initially rolled out to almost 900 customers who requested it on July 2 is now available for download.

The vendor also promised to make enhancements to its web application firewall (WAF) capabilities and SaaS server monitoring.

CISA and the FBI have also issued additional mitigation advice aimed at MSPs and their customers.

‘Maximum effort’

Speaking on ABC TV show Good Morning America, Kaseya CEO Fred Voccola said: “We’re actually 100% confident that we know how it happened and we’ve remediated it.”

DIVD said Kaseya has been willing to put in the “maximum effort and initiative” to get the issue fixed and customers patched. “They showed a genuine commitment to do the right thing.”

Kaseya declined to comment further in response to a query from The Daily Swig.

Kaseya VSA

Kaseya VSA is used by managed service providers to manage, monitor, and secure endpoints and corporate networks on behalf of their clients.

Miami-based Kaseya says its IT management products are used by more than 40,000 customers.

Supply chain attacks, which can compromise hundreds or thousands of downstream organizations by infiltrating a single software platform, have arguably become the gravest cybersecurity threat, with the Kaseya attack coming in the wake of the SolarWinds compromise disclosed in December 2020.

John Hammond also recalled how Huntress released an advice video in 2019 in response to a previous supply chain attack that compromised more than 100 MSPs.

