REvil ransomware group targets MSPs on the eve of Independence Day
At 11am ET on Friday, 2 July, a major ransomware attack was launched against MSPs running RMM vendor Kaseya’s on-premises VSA servers. The incident is still evolving, and figures for the numbers of affected MSPs, customers and data records are incomplete. Initially, Kaseya and Huntress Labs (which has worked with MSPs to research and remediate other attacks in recent years, including the SolarWinds Orion and ConnectWise Automate attacks) saw more than eight partners affected. As of 10pm ET on 4 July, Huntress was tracking around 30 MSPs across the US, Australia, Europe and Latin America, where Kaseya VSA had been used to infect well over 1,000 businesses. Overall, victims in more than 17 countries have been identified. Kaseya has told companies running VSA to shut down their SaaS and on-premises servers and wait for a patch, though it believes its cloud servers have not been infected.
The latest information suggests these MSPs were targeted by the Russia-based REvil ransomware group, which has posted a demand for US$70 million for access to a universal decryptor on its own dark web site. The group claims to have targeted MSPs specifically and to have infected a million systems. This figure has not been independently verified, but the incident is being tracked by Kaseya, FireEye, Huntress, the FBI and others.
The speed at which Kaseya has responded and worked with companies such as FireEye and Huntress to support affected MSPs around the world is encouraging. Kaseya is working on releasing patches and started trying to bring its data centers in APAC, the EU, the UK and North America back online at the end of 5 July.
Kaseya has already released a Compromise Detection Tool for download, which helps users analyze their systems and determine whether they have been affected. Additional layers of security can be expected soon for both SaaS and on-premises customers, though it is reasonable to assume the on-premises servers will take longer to update.
The REvil group was also behind a recent attack on the world’s largest meat company, JBS, which was forced to close plants for several days and ended up paying the equivalent of US$11 million in bitcoin to the ransomware group. One affected customer in the latest incident was the Swedish Coop retail chain, which first noticed its point-of-sale systems had stopped working toward the end of the day on Friday. In the end, only five of its more than 800 stores remained open over the weekend. The Swedish MSP Visma, which has over a million customers, was reported to have been the threat vector. Visma had already been attacked in 2017 and 2018 by a group linked to China’s Ministry of State Security. Given the size of that company and its security spend, it is easy to see the scale of the task facing much smaller MSPs in the face of these global threats.
The security landscape has been in major turmoil, worsened by the pandemic and the move to remote working. Since 2005, at least 55 billion data records have been compromised in 900 known breaches. 77% of these data records were compromised in the last two years alone, with 2020 being the worst year on record. Ransomware attacks have surged, with reported cases up nearly 60%. Groups have evolved their tactics during the year, first exfiltrating data from targets and then encrypting their assets, so that victims are pressured not only by the encryption itself but also by the threat of having the stolen data published or auctioned online via leak sites if they refuse to pay. Maze, Conti, REvil, DoppelPaymer and Netwalker have been the most prevalent ransomware groups. So far, 2021 has seen this trend accelerate.
US President Joe Biden has ordered a Secret Service investigation into the latest incident, though his statement on Saturday, 3 July said the Russian government was not initially believed to be involved. This latest incident comes just a few weeks after a meeting between the US and Russian presidents in Geneva, where cyberattacks by Russian actors were one of the key talking points.
This is only the latest in a long line of targeted attacks on software supply chains that have hit the MSP landscape for several years. As MSPs have access to millions of customers’ data records, they will always be a target, and the increasing digitalization of global business will only make their jobs harder. In many ways, they face an impossible task: no matter how good their security processes are, there will always be a way to exploit systems and compromise data through vulnerabilities in the underlying infrastructure and software.
As negative headlines mount, MSPs will face further scrutiny from customers to show they are doing everything in their power to improve the safety of their customers’ data and operations. It is important for MSPs to do all they can to make sure their businesses are built on a security-first model. Following the SolarWinds attack at the end of 2020, Canalys released a free report that gives MSPs a checklist of actions and approaches to achieve this.
Software and security vendors, too, will be looking to distinguish themselves through their credentials. The increasing security focus of RMM vendors such as Kaseya, ConnectWise, Datto and SolarWinds is a direct reaction to the issues they have all faced (and will continue to face) in their businesses. Firmware and patch management security that provides continuous vulnerability assessment will be critical to addressing the rise in software supply chain attacks. For example, Microsoft, which is itself often a target of threat actors, recently acquired ReFirm Labs, a specialist in firmware security and analytics for devices such as servers and IoT hardware.
Cybersecurity vendors such as Huntress often find themselves working with MSPs to help them manage issues in the software supply chain, as has happened in this latest case. Many have focused on providing software that can protect MSPs and their customers before issues arise, through detection and exfiltration analysis tools, though the success of these tools depends on proper deployment and configuration. It is also of strategic importance for these vendors to build communities of MSPs with greater security awareness, training and services.
Whether or not the threat actors responsible for this and other attacks are directly linked to governments, the growing tension between global powers is stoking the fires, and it is vital that leaders come together to manage a situation that is harming businesses not just in Europe and the US but worldwide. Whatever the case, while many in the US celebrated Independence Day at the weekend, it is clear none of us will be celebrating the end of cybersecurity attacks any time soon.