lefttp.blogg.se

Cable krebs ransomwhere

Networking and IT infrastructure software provider Kaseya was recently hit by a ransomware attack from the REvil ransomware gang. According to the Dutch Institute for Vulnerability Disclosure (DIVD), the attack took place just as the United States was heading into the 4th of July weekend celebrations. The REvil ransomware gang, also known as Sodinokibi, exploited a zero-day vulnerability to gain entry into the target network and encrypt systems. The company issued a security advisory and notified its more than 36,000 customers as soon as the infection was discovered, and took the precaution of shutting down its SaaS servers even though the attack chain affected only on-premise implementations.

But it appears threat actors from REvil inflicted enough damage through the attack to demand $70 million, the highest ransom ever, to decrypt systems. The REvil gang posted the following note on its leak site:

REvil’s Note for Kaseya | Source: Mark Loman, Director of Engineering at Sophos

The next biggest ransom demands also came in 2021, when Acer and Apple’s Taiwanese vendor Quanta were each asked for $50 million in two separate ransomware attacks.


Kaseya’s VSA endpoint management and network monitoring tool enables Managed Service Providers (MSPs) to carry out software deployment, patch management, antivirus and antimalware deployment, routine maintenance, etc.


Background of the Kaseya Ransomware Attack

This makes the attack a software supply chain attack, not only against Kaseya but also against thousands of organizations that use VSA. Unlike the SolarWinds incident from 2020, which was also a software supply chain attack, the Kaseya incident looks, based on what’s known so far, like a conventional ransomware operation for money. In contrast, SolarWinds was a huge cyber-espionage campaign originating from the US’s all-weather adversary Russia, carried out by the well-known advanced persistent threat (APT) group APT29 (Cozy Bear). APT29 carefully laid low for the duration of the attack, stealthily conducting reconnaissance and active operations. REvil, on the other hand, exploited a zero-day vulnerability existing in Kaseya VSA.


What’s peculiar is that this particular vulnerability, tracked as CVE-2021-30116, had already been reported by DIVD to Kaseya and was being fixed. Kaseya had developed partial patches and was collaborating with DIVD to fix the security gap.

CVE-2021-30116 is one of several vulnerabilities that DIVD reported to Kaseya and for which the company was validating a patch. Details of CVE-2021-30116, along with the other flaws, remain under wraps as of now for obvious reasons.

“It is time to be a bit more clear on our role in this incident. First things first, yes, Wietse Boonstra, a DIVD researcher, has previously identified a number of zero-day vulnerabilities which are currently being used in ransomware attacks,” DIVD said. “And yes, we have reported these vulnerabilities to Kaseya under responsible disclosure guidelines (aka coordinated vulnerability disclosure).”

The Netherlands-based institute added, “Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Threat detection and response company Huntress Labs believes one of the vulnerabilities bypasses security authentication.






