Catch Of The Week: Supply Chain Attacks


Aren’t long weekends awesome? You can chill out, relax, maybe have some brews with your friends … use a previously unknown vulnerability in a remote monitoring and management software package to distribute REvil ransomware to over 1,000 businesses across 17 countries, and demand a $70 million ransom. Wait, what?

What exactly is a “remote monitoring and management software package?” It is software used to remotely manage a company’s IT networks and devices. This software is then sold to managed service providers (MSP) — basically outsourced IT departments — where it is used to manage their customers’ networks, often smaller companies.

In this case, the victim was Kaseya, a Miami-headquartered software company. The software affected was their “VSA Software”, virtual systems/server administrator (VSA) software used by large companies and technology service providers to manage and send out software updates to systems on computer networks.

About 60 customers were affected directly, but since about half of these were MSPs, the number of affected organizations grew dramatically as the attack flowed down to the MSPs' own customers.

What happened here? The cybercriminals targeted Kaseya’s VSA software, and they were able to distribute ransomware by exploiting several zero-day vulnerabilities in the software. What is a “zero-day” vulnerability? Basically, it’s a previously unknown vulnerability in software that attackers can immediately exploit, so you have “zero days” to fix it.

The fix for these vulnerabilities is usually a software patch. Kaseya is currently working on a patch to resolve the issue. Kaseya was alerted to the attack on Friday and was able to notify customers to shut down all on-site servers. Cloud services were not believed to be affected but were also shut down as a precaution. 

Supply chain attacks are especially scary because the attackers don’t even have to breach your network; they breach someone else’s and use that access to pivot the attack into yours. While this may draw comparisons to the SolarWinds attack, it’s important to remember that the REvil gang is likely motivated by financial reasons, not espionage. The advanced nature of the attack is worrying on so many levels.

The fact that the gang acquired the zero-days means either they paid someone for them or have access to elite network infiltration tools. According to Brett Callow, an analyst at the cybersecurity company Emsisoft, “The Kaseya incident really is a landmark event. It shows that cybercriminals are able to acquire and use zero-day vulnerabilities and use them to cause disruption on an absolutely massive scale”.

With an attack on this scale, it’s easy to see why the gang was able to ask for such a high ransom – $70 million. Most large companies now carry cyber insurance, which makes it much more likely the ransom will be paid, and in turn, gives cybercriminals motivation to keep up the ransomware attacks.

The attack didn’t cause much chaos here in the States, but it shut down Coop, a major Swedish grocery chain, for over a day, along with dentists’ offices, small accounting offices, and local restaurants. Over a dozen schools in New Zealand were shut down by the attack as well.

Ransomware is here to stay, and we can likely expect the attacks to keep getting bolder and the ransom demands to creep even higher.

Editor’s note: Becky Rutherford works in information technology at Los Alamos National Laboratory.
