In the previous installation, we delved into the history of the primary victim, Kaseya and the bad actors, REvil. From previous exploits to the final and most devastating one, REvil is and will continue to be a force to reckon with due to their advanced ransomware tactics designed to completely encrypt their victims’ data. This installation will be a deep dive into how the attack took place and the steps forward for both the US government and the individual victims.
How REvil utilised a potent malware
The malware which is known by the name Sodinokibi is not a new form of ransomware. In fact, it was used by a separate group of attackers to extort money from Apple back in April 2021. The malware was found in several laptops manufactured by one of Apple’s business partners.
Sodinokini uses different delivery methods to carry out the attack. The most common form is through phishing emails that house malicious and downloadable links containing an obfuscated Javascript file. Once downloaded, the malware then carried out its attack infecting the server and hence, other systems as well.
The reason why the attack spread so easily, in this case, is because of two reasons. Firstly, the Kaseya VSA software is quite common and is bought by many organizations. All the systems that have the software are connected to a network. This brings us to the next reason. The vulnerabilities of the network management software.
In the eyes of a hacker, network management software is a very inconspicuous place to hide a back door or an entry point. This is because the system usually has broad access and is used to perform many tasks simultaneously. Thus, monitoring each task becomes hard making it easy for suspicious activity to go unchecked. In addition to this, the servers belonging to the client companies usually ran upstream contrary to that of the malware which flowed downstream.
In addition to this, the malware also allowed hackers to receive access to millions of files with every single device that was compromised. Systems that belonged to administrators proved to be an even bigger gold mine as the servers connected to these systems are extensive, creating a larger “blast radius”.
The Kaseya VSA servers were hacked because of a SQL injection attack. This kind of attack allows an attacker to interfere with the queries that an application makes to a database. The attacker can do so by using a malicious SQL code to manipulate the backend database. In fact, this vulnerability was even reported to the Kaseya who were working alongside a team at DIVD.nl to develop a patch and eradicate it. However, the hackers were much too quick with their attack.
The aftermath of the attack
In the wake of the attack, US President Joe Biden addressed the press stating that the number of companies that fell victim to the attack is not yet confirmed. However, several small businesses like dentists’ offices and accountants would have felt the effects of cyberattacks. The US clients were not affected as much as Kaseya’s European clients.
One company that was dealt the worst blow during this attack was a Swedish supermarket chain known as Coop. The attack caused all the chains to temporarily close their doors as the cash registers were no longer operative. For the aforementioned schools in New Zealand, online classes were disrupted as the attack forced the software, they were using at the time to go offline.
Other high-profile victims included towns like North Beach and Leonardtown in Maryland. According to reports the ransomware had reached Leonardtown on the 2nd of July through an MSP. As a result, the entire town’s network was encrypted by the malware which could only be removed by the decryptor. However, the town officials stood their ground and restored their system with the help of backups.
At present, the price of the decryptor is said to be lowered to $50 million from the previous $70 million. The government continues to collect information regarding the victims of the hack through an open-source report. However, the victim count will continue to rise in the coming months as was the case with Accellion’s File Transfer Appliance cyberattack in December 2020.
Mitigating the attack
In an effort to stop the attack, the CISA and the Federal Bureau of Investigation released a statement for all MSPs. According to this statement, the customers and MSPs associated with Kaseya had to follow the guidelines given below:
- Get a hold of the Kaseya VSA Detection Tool. This tool can analyze the VSA server or a managed endpoint and determining if they have been compromised.
- The customers should then implement multi-factor authentication on every account that is present on the server. Therefore, there are no more entry points that are accessible to the malware.
- Introduce measures like allow listing to limit the communication between systems and remote monitoring and management or RMM capabilities
- Finally, a company will have to cover the administrative interfaces of RMM with the use of a virtual private network also known as a VPN. Companies can also opt to place a firewall to conceal an administrative network.
However, these guidelines will not do much for the customers who have already been compromised. For this reason, the guidelines also address the clients and MSPs who are unable to access the RMM service. The guidelines state that:
- Companies should ensure that there are backups which are up to date and placed in a location from where it can be retrieved easily. It should be “air-gapped” or disconnected from the network of the organization.
- The clients must utilize manual patch management processes and work towards installing new patches as soon as they come out.
- Implement data security safe practices like multi-factor authentication and create an effective identity and access management framework.
The prevalence of ransomware will continue to be a looming threat to both the private sector and the government. The Kaseya Ransomware Attack was just another reminder of how much devastation can occur when the attacks are successful. Therefore, the only way companies and individuals can protect themselves from such attacks is to follow the safe practices of data security to the best of their abilities.
So, the million-dollar question here is, do you have a dedicated team for I.T. security and support? Have you tested your systems recently by a cybersecurity firm? If not, there are chances that your security stance is absent. For the right network security, you need to conduct security audits on your systems by cyber security experts.
You can depend on Cybernetic Global Intelligence for all your technology and security requirements. We provide technology solutions that eliminate risks while reducing costs. So don’t leave your business or organization vulnerable anymore. Contact us today and boost your company’s security and success.
We are a leading Aussie cybersecurity firm with years of experience in providing outstanding cybersecurity services. You can call 1300 292 376 or email contact@cybernetic-gi.com for assistance.