• Advertise
  • Contact Us
  • About Us
  • Supplier Directory
  • SCB YouTube
  • Login
  • Subscribe
  • Logout
  • My Profile
  • LOGISTICS
    • Air Cargo
    • All Logistics
    • Express/Small Shipments
    • Facility Location Planning
    • Freight Forwarding/Customs Brokerage
    • Global Gateways
    • Global Logistics
    • Last Mile Delivery
    • Logistics Outsourcing
    • LTL/Truckload Services
    • Ocean Transportation
    • Rail & Intermodal
    • Reverse Logistics
    • Service Parts Management
    • Transportation & Distribution
  • TECHNOLOGY
    • All Technology
    • Artificial Intelligence
    • Cloud & On-Demand Systems
    • Data Management (Big Data/IoT/Blockchain)
    • ERP & Enterprise Systems
    • Forecasting & Demand Planning
    • Global Trade Management
    • Inventory Planning/ Optimization
    • Product Lifecycle Management
    • Sales & Operations Planning
    • SC Finance & Revenue Management
    • SC Planning & Optimization
    • Sourcing/Procurement/SRM
    • Supply Chain Visibility
    • Transportation Management
  • GENERAL SCM
    • Business Strategy Alignment
    • Education & Professional Development
    • Global Supply Chain Management
    • Global Trade & Economics
    • HR & Labor Management
    • Quality & Metrics
    • Regulation & Compliance
    • SC Security & Risk Mgmt
    • Supply Chains in Crisis
    • Sustainability & Corporate Social Responsibility
  • WAREHOUSING
    • All Warehouse Services
    • Conveyors & Sortation
    • Lift Trucks & AGVs
    • Order Fulfillment
    • Packaging
    • RFID, Barcode, Mobility & Voice
    • Robotics
    • Warehouse Management Systems
  • INDUSTRIES
    • Aerospace & Defense
    • Apparel
    • Automotive
    • Chemicals & Energy
    • Consumer Packaged Goods
    • E-Commerce/Omni-Channel
    • Food & Beverage
    • Healthcare
    • High-Tech/Electronics
    • Industrial Manufacturing
    • Pharmaceutical/Biotech
    • Retail
  • THINK TANK
  • WEBINARS
    • On-Demand Webinars
    • Upcoming Webinars
    • Webinar Library
  • PODCASTS
  • VIDEOS
  • WHITEPAPERS
Home » Mass Ransomware Hack Used IT Software Flaws, Researchers Say

Mass Ransomware Hack Used IT Software Flaws, Researchers Say

Ransomware
Photo: Bloomberg
July 5, 2021
Bloomberg

The hackers behind a mass ransomware attack exploited multiple previously unknown vulnerabilities in IT management software made by Kaseya Ltd., the latest sign of the skill and aggressiveness of the Russia-linked group believed responsible for the incidents, cybersecurity researchers said Sunday.

Marcus Murray, founder of Stockholm-based TrueSec Inc., said his firm’s investigations involving multiple victims in Sweden found that the hackers targeted them opportunistically. In those cases, the hackers used a previously unknown flaw in Miami-based Kaseya’s code to push ransomware to servers that used the software and were connected to the internet, he said.

The Dutch Institute for Vulnerability Disclosure said it had alerted Kaseya to multiple vulnerabilities in its software that were then used in the attacks, and that it was working with the company on fixes when the ransomware was deployed.

Kaseya “showed a genuine commitment to do the right thing,” the Dutch organization wrote. “Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch,” it added, referring to the Russia-based hacking group. REvil was accused of being behind the May 30 ransomware attack of meatpacking giant JBS SA.

The findings differentiate the latest incident — which cybersecurity firm Huntress Labs Inc. said affected more than 1,000 businesses — from other recent assaults on the software supply chain. For instance, an attack the U.S. blamed on Russia’s foreign intelligence service, disclosed in December, involved altered software updates from another provider of IT management software, Austin, Texas-based SolarWinds Corp. Ultimately, nine federal agencies and at least 100 companies were infiltrated via SolarWinds and other methods.

‘Attack Chain’

Regarding the most recent attack, Frank Breedijk, head of the Dutch institute’s computer security incident response team, emphasized the hackers’ high skill level in exploiting the Kaseya software.

“The big point behind this is someone was willing, determined and had the resources to build this attack chain, and it’s not a trivial chain to build,” he said in an interview. “You have to know what you’re doing to make an attack like this work.”

Kaseya spokesperson Dana Liedholm confirmed in an email that the incident involved multiple vulnerabilities in the company’s products and called it a “sophisticated weaponized attack with ransomware.” “This was not as simple as a single 0-day exploit,” Liedholm said, using an industry term for vulnerabilities in software that hackers are aware of but that the makers of that code are not.

REvil has demanded $70 million in Bitcoin for a universal decryptor, said two cybersecurity experts who reviewed an announcement on the group’s website. Daniel Smith, the head of research at cybersecurity firm Radware, said he has observed REvil asking for $45,000 per infected system in the past.

The $70 million is “considerably less than the $45 billion they would ask to unlock the 1 million systems they claim to have encrypted,” said Brett Callow, a threat analyst at cybersecurity firm Emsisoft who confirmed the ransom demand.

Kaseya said its VSA product was the victim of a “sophisticated cyberattack” and that it had notified the FBI. Kaseya has identified fewer than 40 customers impacted by the attack, adding that its cloud-based services weren’t impacted. In a later statement Sunday, the firm said it’s working with FireEye Inc. and other security companies to help manage the fallout.

Not Difficult

The U.S. Cybersecurity and Infrastructure Security Agency also said it was continuing to respond to the recent attack, which it said leveraged a “vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers.”

Kaseya’s customers include companies that provide remote IT support and cybersecurity services for small- and medium-sized businesses.

In the latest attack, the hackers had to target machines individually. That’s not complicated. Hackers and security researchers have access to many of the same basic tools for scanning the internet looking for computers that are vulnerable to attack. But by infecting IT support organizations, the malicious software was passed to their customers as well, multiplying the impact.

One of the known victims — Swedish grocery chain Coop — said Saturday that most of its more than 800 stores couldn’t open because the attack led to a shutdown of their payment terminals. Others include managed service providers, which provide IT services to other businesses, meaning their infections may have spread to their customers.

One of the MSPs affected was Avtex LLC, which said it detected the ransomware attack on Friday morning that appeared to have originated through Kaseya. “Avtex’s security engineers immediately alerted Kaseya to the severity of the issue and proceeded to activate proactive and precautionary measures to safeguard its clients and its infrastructure,” Avtex said in a statement, adding that its systems are all fully operational and it has seen no evidence of any data breach.

Clever Targeting

Murray, of Sweden’s TrueSec, declined to identify any of his firm’s clients. He said because of Kaseya’s central role in managing security and IT that victims could have longer recovery times than in typical ransomware incidents.

“The tool these organizations are using normally for patching and IT support and recovery is Kaseya,” he said. “It’s a big undertaking when someone takes away all your ability to do the maintenance.”

“From a criminal standpoint it’s a brilliant supply-chain target to take away the tool that’s needed to recover from the threat,” Murray added. “They’re not only encrypting the systems but they’re also taking the recovery tool out of the equation.”

Ross McKerchar, vice president and chief information security officer at the cybersecurity firm Sophos, said the hack was “one of the farthest reaching criminal ransomware attacks Sophos has ever seen.”

“At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations,” he said in a statement. “We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”

There are victims in 17 countries so far, including the U.K., South Africa, Canada, Argentina, Mexico and Spain, according to Aryeh Goretsky, a researcher at cybersecurity firm ESET.

President Joe Biden said Saturday that he had ordered ordered a “deep dive” from the intelligence community about the incident, which came just weeks after Biden implored Russian President Vladimir Putin at a summit on June 16 to curb cyberattacks against the U.S. Biden said “we’re not sure” that Russia is behind the attack. The president said he expects to know more about the attacks on Sunday.

“The initial thinking was, it was not the Russia government, but we’re not sure yet,” he said.

RELATED CONTENT

RELATED VIDEOS

Data Management (Big Data/IoT/Blockchain) Technology Supply Chain Security & Risk Mgmt
  • Related Articles

    Researchers Discover Two Major Flaws in the World’s Computers

    Hack Turns LG Smart Home Machines Into Spies, Researchers Show

    Implantable Medical Devices Can Be Hacked to Harm Patients, Researchers Say

Bloomberg

FedEx to Cut Management Jobs by More Than 10%, CEO Says

More from this author

Subscribe to our Daily Newsletter!

Timely, incisive articles delivered directly to your inbox.

Popular Stories

  • DOCUMENTS BEARING THE INSIGNIA OF US CUSTOMS AND BORDER PROTECTION LIE ON A TABLE

    New CBP Regs Call for Greater Diligence by Brokers in Reporting Security Breaches

    Freight Forwarding/Customs Brokerage
  • A WORKER IN A WAREHOUSE, SUPERIMPOSED WITH GRAPHICS SHOWING SUPPLY NETWORK

    Enabling Intelligent Visibility With Supply Chain Analytics

    Data Management (Big Data/IoT/Blockchain)
  • A GROUP OF WORKERS RANGED IN AN OFFICE, OF DIVERSE RACE, GENDER, AGE AND PHYSICAL ABILITY

    Podcast | The Supply Chain Workforce of the Future Is Already Here

    HR & Labor Management
  • A HAND TURNS A LARGE, LIGHTED DIAL WITH THE WORD RISK ON IT iStock-NicoElNino-1364371014.jpg

    Measuring KPIs and KRIs for Comprehensive Supplier Performance Management

    Technology
  • INSIDE A WAREHOUSE, TWO HANDS HOLD A TABLET COMPUTER SHOWING A MAP OF THE WORLD

    Five Ways to Increase Supply Chain Visibility

    Data Management (Big Data/IoT/Blockchain)

Digital Edition

Scb nov 2022 sm

2022 Supply Chain Innovator of the Year

VIEW THE LATEST ISSUE

Case Studies

  • New Revenue for Cloud-Based TMS that Embeds Orderful’s Modern EDI Platform

  • Convenience Store Client Maximizes Profit and Improves Customer Service

  • A Digitally Native Footwear Brand Finds Rapid Fulfillment

  • Expanding Apparel Brand Scales Seamlessly with E-Commerce Technology

  • How a Global LSP Scaled its Security Program and Won More Business

Visit Our Sponsors

Orderful Yang Ming Alithya
Barcoding Blue Yonder BNSF Logistics
CoEnterprise Data Capture Deposco
E2open GAINSystems Generix
Geodis GEP GreyOrange
Here Honeywell Intelligrated IFM
Infor Inmar Keelvar
Kinaxis Korber Lean Solutions Group 2H
Liberty SBF Locus Robotics Logility
LogistiVIEW Lucas Systems MCA Connect
MPO Nvidia Old Dominion
OpenText ORTEC Overhaul
Parsyl PMMI QIMA
Redwood Logistics Ryder E-commerce by Whiplash Saddle Creek Logistics
Schneider Dedicated Setlog Holding AG Ship4WD
Shipwell Tecsys TGW Systems
Thomson Reuters Tive Trailer Bridge
Vecna Robotics Verity
Verusen
  • More From SCB
    • Featured Content
    • Video Library
    • Think Tank Blog
    • SupplyChainBrain Podcast
    • Whitepapers
    • On-Demand Webinars
    • Upcoming Webinars
  • Digital Offerings
    • Digital Issue
    • Subscribe
    • Manage Your Subscription
    • Newsletters
  • Resources
    • Events Calendar
    • SCB's Great Supply Chain Partners
    • Supplier Directory
    • Case Study Showcase
    • Supply Chain Innovation Awards
    • 100 Great Partners Form
  • SCB Corporate
    • Advertise on SCB.COM
    • About Us
    • Privacy Policy
    • Contact Us
    • Data Sharing Opt-Out

All content copyright ©2023 Keller International Publishing Corp All rights reserved. No reproduction, transmission or display is permitted without the written permissions of Keller International Publishing Corp

Design, CMS, Hosting & Web Development :: ePublishing