On the 3rd of July, US president Joe Biden directed American intelligence agencies to investigate a “sophisticated ransomware attack” that hit hundreds of American businesses. The target of this latest attack was Kaseya, a Miami-based IT firm that provides software tools for IT outsourcing and back-office work to companies too small or modestly resourced to have their own IT departments. The hackers struck on Friday by hijacking a widely used remote management product developed by Kaseya.
This attack follows a string of other high-profile ransomware attacks, such as the Colonial Pipeline attack, which prompted a temporary shutdown and a shortage of gas across the entire East Coast. During a public appearance in Michigan, President Biden was quoted as saying that the authorities were still not sure of the original source of the attack; the initial thinking was that it was not the Russian government, but that had not been confirmed. Biden later stated that if the ransomware attack was determined to originate from Russia, the US would respond accordingly.
The Kaseya ransomware attack
On the eve of the 4th of July holiday weekend, hundreds of American businesses were hit by a major ransomware attack. This attack was first detected by a US-based cybersecurity firm, Huntress Labs. On Friday, Huntress stated, via their website, that 200 American businesses were hit after an incident at Kaseya. One of the products that Kaseya offers is Virtual Storage Architecture (VSA) which is a system used by IT professionals to manage servers, desktops, printers, and most importantly, network devices.
In a statement, Kaseya said it was investigating a “potential attack” against the VSA that had been limited to a “small number” of on-premise customers. It also said that, while the incident was being investigated, all companies using the VSA should shut it down immediately. This should be the immediate course of action, the company explained, because the attackers shut off administrative access as soon as they gained a foothold. The CEO of Kaseya, Fred Voccola, also posted an update stating that the company’s response team had taken swift action to put all the precautions in place.
“We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly. We will release that patch as quickly as possible to get our customers back up and running… Today’s actions are a testament to Kaseya’s unwavering commitment to put our customers first and provide the highest level of support for our products.” (via the statement issued by Fred Voccola)
Huntress Labs’ report
John Hammond, a senior security researcher from Huntress, reported that VSA servers were compromised by hackers “exploiting an arbitrary file upload and code injection vulnerability”. He said that Huntress was tracking over 30 managed service providers (MSPs) across the United States, Australia, Europe, and Latin America.
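The report above names the flaw class but not its mechanics, so the following is an added, constructed example rather than Kaseya’s code or a reconstruction of the VSA bug. It shows the two generic controls a defender would check for in any upload handler of this kind: an unsafe pattern that trusts the client-supplied name and bytes, beside a hardened validator that strips path components, allow-lists extensions, checks magic bytes and confirms the destination stays inside the upload directory. The upload root, size cap and permitted types are assumptions chosen for the illustration.

```python
"""Upload-handler hardening: constructed illustration, not Kaseya's or
Huntress's code. Shows the controls that close the 'arbitrary file upload
leading to code injection' class of flaw named in the Huntress report."""
import os
import re
from pathlib import Path

# Hypothetical upload directory, assumed to sit outside the web server's
# document root so nothing stored here is ever served or executed.
UPLOAD_ROOT = Path("/var/app/uploads")

# Only the types the application actually needs; script-like extensions
# (.php, .asp, .jsp, .exe, ...) are deliberately absent.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf", ".txt"}
MAX_BYTES = 5 * 1024 * 1024  # assumed cap for this illustration

# Leading bytes expected for each binary type, so a renamed script cannot
# pass as an image or document.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}

SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the caller logs it and drops the file."""


def vulnerable_save(filename: str, content: bytes, root: Path = UPLOAD_ROOT) -> Path:
    """The unsafe pattern: the client-supplied name and bytes are trusted.
    A name containing '../' escapes the root, and any extension is accepted."""
    return root / filename


def validate_upload(filename: str, content: bytes, root: Path = UPLOAD_ROOT) -> Path:
    """Return the path the file may be written to, or raise UploadRejected."""
    # 1. Drop any directory component the client sent and reject odd names.
    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.match(base) or base.startswith("."):
        raise UploadRejected(f"unsafe filename: {filename!r}")

    # 2. Allow-list the extension, using the last suffix so 'x.png.php' fails.
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not permitted: {ext!r}")

    # 3. Enforce the size cap before inspecting content.
    if len(content) > MAX_BYTES:
        raise UploadRejected("file too large")

    # 4. Content must match the declared type; a script renamed to .png fails here.
    expected = MAGIC.get(ext)
    if expected is not None and not content.startswith(expected):
        raise UploadRejected(f"content does not look like {ext}")
    if ext == ".txt" and b"<?" in content:
        raise UploadRejected("text upload contains script markers")

    # 5. Resolve the final path and confirm it is still inside the upload root.
    dest = (root / base).resolve()
    if root.resolve() not in dest.parents:
        raise UploadRejected("path escapes upload directory")
    return dest


def is_accepted(filename: str, content: bytes) -> bool:
    """True if the upload passes validation; handy for logging and tests."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate document and one renamed script.
    print(validate_upload("report.pdf", b"%PDF-1.4 constructed sample"))
    print(is_accepted("image.png", b"<?php echo 1; ?>"))
```

The validator never writes anything itself; it only decides whether a write may happen and where. Keeping the upload root out of the document root is the control that matters most, since an accepted file that the server would never execute cannot become the injection point the report describes.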
Huntress Labs has also created a subreddit where all the details about the attack have been documented. The cybersecurity firm believes that the Russia-linked REvil ransomware group is behind this “colossal and devastating supply chain attack”. REvil is the same ransomware group that the FBI suspects in the JBS and Colonial Pipeline attacks.
Ransomware incidents have exploded in number over the past year, driven by more work-from-home conditions and by the rise of cryptocurrency, which makes ransom payments easy. Major corporations such as Fujifilm are also being targeted with such attacks.
At the recent G7 summit, President Biden already made it clear that US authorities are taking a more serious stance on ransomware attacks. With ransomware at the top of the cybersecurity agenda, it remains to be seen how things will unfold next.