2021-07-03



This time, the REvil malware has attacked various IT management companies, endangering hundreds of corporate clients.

According to cybersecurity experts, cybercriminal organizations believed to be active in Eastern Europe and Russia have targeted a major software vendor, Kaseya, which is widely used by IT management companies.

Kyle Hanslovan, CEO of cybersecurity firm Huntress Labs, said the latest ransomware attack has already knocked out at least 12 IT support companies that rely on Kaseya’s remote management tool, called VSA. In at least one case, the attacker demanded a $5 million ransom, according to Hanslovan.

According to Hanslovan, the incident affects not only IT management companies but also the customers of companies that outsource their IT management. He estimated that as many as 1,000 small businesses could be affected by the hack.

“It’s only three and a half hours ago, so it’s very new and we don’t know the scale yet,” Hanslovan said.

In recent months, cybercriminals have increasingly targeted organizations that play an important role in a wide range of the US economy. A high-profile attack on the Colonial Pipeline in May disrupted fuel transport to gas stations across the East Coast, causing widespread hoarding. A JBS cyberattack temporarily shut down all nine US beef processing plants.

The latest, rapidly evolving attacks have alarmed cybersecurity experts.

“If you are using Kaseya VSA, *shut down* now until you are instructed to reactivate and start,” one incident responder tweeted. Christopher Krebs, a former director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said in his own advisory that he is working to understand and address the issue.

Kaseya said in a blog post that it had shut down its cloud servers while it investigated a VSA incident.

“We are investigating a potential attack on VSA, which appears to be limited to a small number of on-premises customers,” Kaseya said. “As a precaution, we have proactively shut down the SaaS servers.”

Analysis of the malicious software by cybersecurity firm Emsisoft shows that it was created by REvil, the ransomware gang that US officials say was behind the attack on JBS Foods.

Meanwhile, three of the compromised IT service providers are among Huntress Labs’ own cybersecurity clients, Hanslovan said.

“We now know it directly and have confirmed that it is REvil,” Hanslovan said.

According to Hanslovan, 200 customers of the three affected IT service providers are infected with the malware.

The ransomware appears to have been secretly embedded in Kaseya VSA, which helped spread the malicious software because IT management companies use VSA to distribute software updates to their customers, Hanslovan said. It is unknown how Kaseya’s software was first compromised.

This supply chain-style attack is similar to the tactics used by Russian hackers in the SolarWinds breach, but in this case the malicious software was used to hijack the victims’ networks rather than to spy on them.

