Breaking Down the Kaseya Ransomware Attack [Weekly Cybersecurity Brief]

Just as we begin to move past large-scale cybersecurity events such as the Colonial Pipeline and JBS attacks, we are faced with yet another detrimental hacking. The recent ransomware attack carried out against software maker Kaseya is being considered one of the worst cybersecurity attacks to date. We break down some of the details surrounding the news.

According to an article from Ars Technica, a malware attack targeting customers of Kaseya struck 1,500 businesses around the world. Among the organizations affected were Swedish supermarket chain Coop, which had to shut about half of its 800 stores because of operational disruptions, a number of schools in New Zealand and public administration offices in Romania. It is reported that the attack was executed by hackers affiliated with REvil, a notorious group for ransomware campaigns including the ransomware attack on the JBS meatpacking company. They were able to compromise a vulnerability in Kaseya’s VSA remote management service and distribute a malicious software update. In order to obtain a universal decryptor, the group is demanding $70 million.

In addition to the scale of the attack, the Washington Post is also highlighting the uniqueness of the attack’s method. The Washington Post’s “Cybersecurity 202” explained that REvil, the group responsible for the attack, “exploited a computer bug that had never been used and was unknown to top cybersecurity experts.” This style of attack is considered highly sophisticated and is known as a zero-day attack. While it is still unknown how REvil was able to gain such access, it is suspected that they may have been spying on communications between Kaseya and a Dutch security research group that was in contact with the company to warn of the potential security risk. 

As a report from The Hill shared, the Miami-based technology firm was warned in April of a cybersecurity vulnerability by the Dutch Institute for Vulnerability Disclosure (DIVD). The DIVD wrote that after uncovering the vulnerability in Kaseya’s system it let the company know. In their statement DIVD explained that “After some deliberation, we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do.”  As of right now, the DIVD still has not released details of what they uncovered. In the meantime, White House press secretary Jen Psaki assured that the administration will “will convene key leaders across the interagency, including the State Department, Department of Justice, DHS [Department of Homeland Security] and members of the intelligence community to discuss ransomware and our overall strategic efforts to counter it.”

Key Takeaways:

“Up to 1,500 businesses infected in one of the worst ransomware attacks ever” – Dan Goodin, Ars Technica

https://arstechnica.com/gadgets/2021/07/up-to-1500-businesses-infected-in-one-of-the-worst-ransomware-attacks-ever/

  • A malware attack targeting customers of Kaseya struck 1,500 businesses around the world.
  • Among the organizations affected were Swedish supermarket chain Coop, which had to shut about half of its 800 stores because of operational disruptions, a number of schools in New Zealand and public administration offices in Romania.
  • REvil, the group responsible for the attack, took advantage of a vulnerability in the VSA remote management service and are now demanding a $70 million ransom in return for a universal decrytor.

“The Cybersecurity 202: The Kaseya attack is a revolution in sophistication for ransomware hackers” – Joseph Marks & Aaron Schaffer, The Washington Post

https://www.washingtonpost.com/politics/2021/07/08/cybersecurity-202-kaseya-attack-is-revolution-sophistication-ransomware-hackers/

  • As the Washington Post explained, REvil “exploited a computer bug that had never been used and was unknown to top cybersecurity experts.”
  • This style of attack is considered highly sophisticated and is known as a zero-day attack.
  • While it is still unknown how REvil was able to gain such access, it is suspected that they may have been spying on communications between Kaseya and a Dutch security research group.

“Cybersecurity researchers say they warned Kaseya of flaw in April” – Joseph Choi, The Hill

https://thehill.com/policy/cybersecurity/561927-cybersecurity-researchers-warned-kaseya-of-flaw-in-april-report

  • The Dutch Institute for Vulnerability Disclosure (DIVD) reportedly warned Kaseya in early April that it had detected a cybersecurity vulnerability in the system.
  • In their statement DIVD explained that “After some deliberation, we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do.”
  • As of right now, the DIVD still has not released details of what they uncovered.
Share
Share on facebook
Share on twitter
Share on linkedin
Share on email