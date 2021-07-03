



Ransomware gangs have successfully encrypted files at more than 200 enterprises after compromising a remote IT monitoring and management tool as part of a supply chain attack. It is not yet known how the attacker compromised the tool or how widespread the attack is.

Companies running Kaseya VSA’s remote monitoring and management tool need to shut down the server running the service immediately, Fred Voccola, CEO of IT company Kaseya, said in a warning posted Friday. Once the attacker behind the ransomware has access to a victim’s network, it disables administrative access to VSA, complicating the task of containing and removing the ransomware.

As a precautionary measure, the company also shut down the servers for the software-as-a-service version of the tool, even though it has not received reports of compromises affecting SaaS and hosted customers. According to the company, the SaaS and hosted VSA servers will be brought back online when Kaseya determines that it can safely resume operations.

According to the Ransomware Task Force report, ransomware has existed for many years but has surged recently, with approximately 2,400 governments, healthcare systems and schools in the country hit by ransomware in 2020. Ransomware encrypts files to make them inaccessible, and because data is the lifeline of modern enterprises, that shuts them down.

The attack on Kaseya’s systems is the latest in a series of recent attacks on critical infrastructure and manufacturing companies across the United States (Colonial Pipeline, Molson Coors, and JBS). The gang behind the attack, REvil, is the same one the Federal Bureau of Investigation said a few weeks ago was behind the JBS attack.

Here’s a breakdown of the supply chain ransomware attack against Kaseya VSA and what it means for businesses.

What should the security team do now?

Organizations running Kaseya VSA on their network should shut down those servers immediately. The company says in its latest update that all on-premises VSA servers need to remain down until Kaseya says it is safe to restore operations.

Kaseya says a patch must be installed before VSA is restarted. In an earlier update, the company said it believed it had identified the root cause of the vulnerability and was developing and testing a security patch to mitigate the issue.

Sophos has also released a detailed guide for checking whether a potential victim is under attack.

Isn’t shutting down the server a bit of an overkill?

The Cybersecurity and Infrastructure Security Agency doesn’t think so. CISA recommends that organizations review Kaseya’s advisory and follow its guidance to shut down VSA servers immediately, the agency said in an alert on its National Cyber Awareness System.

Huntress Labs, an independent security company, told Reuters that the attack could spread to companies of all sizes.

What does the attack look like?

At this time, no one knows how the attacker compromised Kaseya’s VSA, but the REvil ransomware entered customer networks via a Kaseya update and appears to be spreading through VSA’s internal script engine to every client system connected to it. VSA runs with administrator privileges and can therefore infect clients. It is also unknown at this time whether the attacker stole data before encrypting it.

The malware disables local antivirus software, uses Windows Defender to sideload a malicious DLL, and then the malicious file encrypts files on the compromised machine, Sophos malware analyst Mark Loman wrote on Twitter.

We are monitoring the occurrence of REvil’s “supply chain” attacks that may be due to malicious Kaseya updates. The REvil binary C:\Windows\mpsvc.dll is sideloaded into a legitimate Microsoft Defender copy, copied to C:\Windows\MsMpEng.exe, to perform the encryption from the legitimate process.

Mark Loman (@markloman) July 2, 2021
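As an added detection example (not code from the article, Sophos or Kaseya), the pattern in the tweet above, MsMpEng.exe and mpsvc.dll sitting in C:\Windows instead of a Defender install directory, can be checked against process-creation telemetry; the records below are constructed, and the legitimate Defender directories and the Platform version string are assumptions.

```python
"""Hunt for the Defender DLL-sideloading pattern in process-creation records."""
import ntpath

# Assumed legitimate install locations of the Defender engine (MsMpEng.exe / mpsvc.dll).
LEGIT_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Constructed sample records shaped like process-creation events: the image that
# started and the DLLs it loaded. ws02 reproduces the pattern from the tweet.
SAMPLE_EVENTS = [
    {"host": "ws01",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe",
     "loaded": [r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\mpsvc.dll"]},
    {"host": "ws02",
     "image": r"C:\Windows\MsMpEng.exe",
     "loaded": [r"C:\Windows\mpsvc.dll"]},
    {"host": "ws03",
     "image": r"C:\Windows\System32\notepad.exe",
     "loaded": []},
]


def is_legit_defender_dir(directory: str) -> bool:
    """True if the directory is one of the assumed Defender install paths or below it."""
    d = directory.lower().rstrip("\\")
    return any(d == base or d.startswith(base + "\\") for base in LEGIT_DEFENDER_DIRS)


def assess(event: dict) -> list:
    """Return the findings for one event (empty list means nothing suspicious)."""
    findings = []
    image_dir, image_name = ntpath.split(event["image"])
    if image_name.lower() == "msmpeng.exe" and not is_legit_defender_dir(image_dir):
        findings.append(f"MsMpEng.exe running from {image_dir}, not a Defender install path")
    for dll in event["loaded"]:
        dll_dir, dll_name = ntpath.split(dll)
        if dll_name.lower() == "mpsvc.dll" and not is_legit_defender_dir(dll_dir):
            findings.append(f"mpsvc.dll loaded from {dll_dir} (possible sideload)")
    return findings


def hunt(events: list) -> dict:
    """Map each host with findings to its list of findings."""
    hits = {}
    for event in events:
        findings = assess(event)
        if findings:
            hits[event["host"]] = findings
    return hits


if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_EVENTS).items():
        print(host, *findings, sep="\n  ")
```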

According to Kaseya’s warning, one of the first things the attacker does after the ransomware breaks into a network is to block administrative access to VSA.

How widespread is the attack?

It’s a little hard to say. Over 40,000 organizations use Kaseya products, including customers who use other Kaseya IT tools rather than VSA. Only a small number of on-premises customers have been affected, fewer than 40 direct customers. However, researchers pointed out that VSA in particular may have a cascading effect because it is popular among managed service providers, which provide IT services such as network management, system updates, and backups for other companies.

Security company Huntress Labs is monitoring the situation and posting regular updates to a Reddit thread. Huntress said it is tracking eight managed service providers that were used to infect more than 200 clients.

What if I’m already infected with ransomware?

If your organization is already infected with ransomware, your security team must execute its incident response plan. That may mean paying the ransom (strongly discouraged, though there have been some notable payments, such as the $11 million JBS paid to the REvil gang), or taking all systems offline and restoring data from backups. Cisco Talos warns in a threat advisory that ransomware can target backup servers, so IT must check whether the backup server is also infected and restore from an offline backup if one exists.

Ransom demands range from $44,999 (a demand posted by Sophos malware analyst Mark Loman on Twitter) to $5 million (reported by Reuters).

What about the fact that this was a supply chain attack?

This is not the first time, nor will it be the last, that an attacker has targeted the supply chain to amplify the impact of an attack. Enterprises rely increasingly on their providers’ networks for a wide and ever-changing range of business operations, such as data processing and storage, networking infrastructure, and application delivery. A security incident at a supplier is inevitably an incident for the business as well.

The Ransomware Task Force considered worst-case scenarios and identified this type of supply chain attack as a serious weakness, said James Shank, who led the task force’s worst-case scenario committee and is Chief Architect of Community Services at Team Cymru. Companies should audit their suppliers and carefully consider how they integrate with third-party vendors. Many organizations are discussing Zero Trust.

The difficult part is finding the balance between minimizing exposure and keeping enough connections to enable business operations.

Is the timing of the attack important?

Perhaps. This type of attack requires planning and preparation and is rarely chosen at random or timed by accident. Armis CISO Curtis Simpson said that if the attackers knew many digital companies were experiencing increased service usage over the US Independence Day weekend, they would have planned the timing of this attack for the greatest impact.

Breaking News: Cyber criminals are a$$holes.

Keep in mind that this holiday weekend, all incident response teams will be busy again.

If you are using Kaseya VSA, *shut down* *now* until you are instructed to reactivate, and start the IR. The binaries are: https://t.co/NIuGJZW84p https://t.co/GSXPlOPjFt

Chris Krebs (@C_C_Krebs) July 2, 2021

It may also have been a practical decision to delay detection and make remediation more difficult. Many companies give employees Friday afternoons off before a holiday weekend, which means fewer staff are working. Handling a ransomware attack is generally an all-hands, stressful situation, and many companies will be fighting it with smaller teams than usual. In some cases, victims may not know they were affected until they return to work on Tuesday.

