John Anthony Smith: Russian Speaking REvil Group Is Actively Causing Widespread Cyber Terror

  • Saturday, July 3, 2021
  • John Anthony Smith

(John Anthony Smith, president of the fast-growing Conversant Group on the Southside, advises on Internet security).

Similar in some ways to the global SolarWinds breach that occurred last year, threat actors have once again breached a system used for monitoring, patching, and remote administration.[1] On Friday, it became publicly known that Kaseya, a well-known player in Remote Monitoring and Management (RMM) tools, had succumbed to a supply chain compromise. Kaseya's RMM product, known as VSA, is commonly used by Managed Service Providers to manage, monitor, and patch their customers' infrastructures.

REvil Group was able to breach Kaseya's VSA system and use that system to destroy backups and subsequently encrypt over 200 organizations' data. Kaseya VSA, by the nature of how it works, has highly privileged access to the infrastructures in which it is deployed, since it is used to monitor, manage, and patch systems. Thus, REvil was able to orchestrate this malicious attack nearly unthwarted by security controls. On Friday, Kaseya sent out a warning of a potential attack and urged customers to shut down their servers running the service. According to Kaseya's web site, more than 40,000 organizations use their products.

REvil is demanding $50,000 in ransom from smaller companies and $5 million from larger ones.[2] REvil is a Russian-speaking hacking group that is highly active, and they are the same group of threat actors that successfully collected an $11 million ransom from JBS Meats. It is widely believed that REvil operates from Russia, and this recent compromise comes on the heels of President Joe Biden's meeting with Russian President Vladimir Putin in Geneva. It is obvious that Biden's conversation has prompted little action, at least thus far, in reining in REvil's continued attacks.

Ransomware attacks have spiked in the past 1.5 years, with $412 million in ransom payments paid last year alone, and this estimate is likely understated since many ransomware events go unreported.

We know, from our own experiences at Conversant Group, that REvil prefers to strike when IT coverage and monitoring may be at its weakest, such as on weekends and holidays. It is no coincidence that this happened on the Friday before July 4th.

There are ways to mitigate these types of attacks, and organizations must be ever vigilant in vetting all of their vendors and ensuring that controls are in place to thwart (or at least recover from) these types of threat actor activities.



[1] https://www.wsj.com/articles/technology-provider-kaseya-warns-of-cyberattack-11625266350

[2] https://www.washingtonpost.com/technology/2021/07/02/kaseya-ransomware-attack/


* * *
John Anthony Smith can be reached at:

423-305-7890
John.Smith@conversantgroup.com

1513 Cowart Street

Chattanooga, TN 37408