It was probably inevitable that the two dominant cybersecurity threats of the day, supply chain attacks and ransomware, would combine to wreak havoc. This is precisely what happened on Friday afternoon, when the notorious criminal group REvil managed to encrypt the files of hundreds of companies in one fell swoop, apparently thanks to compromised IT management software. And that's just the very beginning.
The situation is still evolving and some details remain unknown, most importantly how the attackers infiltrated the software in the first place. But the impact has already been severe and will only get worse given the nature of the targets. The software in question, Kaseya VSA, is popular among managed service providers, which run IT infrastructure for businesses that prefer to outsource these kinds of things rather than handle them themselves. Which means that if you successfully hack into an MSP, you suddenly have access to its clients. It's the difference between breaking safes one by one and stealing the bank manager's master key.
So far, according to security firm Huntress, REvil has hacked eight MSPs. The three Huntress works with directly represent 200 companies that found their data encrypted on Friday. It doesn’t take much extrapolation to see how much worse it gets from there, especially given how ubiquitous Kaseya is.
"Kaseya is the Coca-Cola of remote management," says Jake Williams, chief technology officer for incident response company BreachQuest. "Because we're entering a holiday weekend, we won't even know how many casualties there are until Tuesday or Wednesday of next week. But it's monumental."
The worst of both worlds
MSPs have long been a popular target, especially among nation-state hackers. Hitting them is a terribly effective way to spy, if you can pull it off. As a 2018 Justice Department indictment showed, China's elite APT10 spies used MSP compromises to steal hundreds of gigabytes of data from dozens of companies. REvil has also targeted MSPs before, using its foothold at a third-party IT company to hijack 22 Texas municipalities at once in 2019.
Supply chain attacks have also become increasingly common, most notably in last year's devastating SolarWinds campaign, which gave Russia access to several US agencies and countless other victims. Like MSP attacks, supply chain hacks have a multiplier effect; tainting a single software update can claim hundreds of victims.
You can then begin to understand why a supply chain attack that targets MSPs has potentially exponential consequences. Add crippling ransomware to the mix and the situation becomes even more untenable. It is reminiscent of the devastating NotPetya attack, which also used a supply chain compromise to spread what initially appeared to be ransomware but was actually a nation-state attack carried out by Russia. A more recent Russian campaign also comes to mind.
"It's SolarWinds, but with ransomware," said Brett Callow, threat analyst at antivirus company Emsisoft. "When a single MSP is compromised, it can impact hundreds of end users. And in this case, it looks like several MSPs have been compromised, so…"
Williams of BreachQuest says REvil appears to be asking victimized businesses for the equivalent of about $45,000 in the cryptocurrency Monero. If they fail to pay within a week, the demand doubles. Security news site BleepingComputer reports that REvil demanded $5 million from some victims for a decryption key that unlocks "all PCs on your encrypted network," a demand that may be aimed specifically at MSPs rather than their customers.
"We often say that MSPs are the mothership of many small and medium-sized businesses and organizations," says John Hammond, senior security researcher at Huntress. "But if Kaseya is what gets hit, the bad actors just compromised all of their motherships."