Saturday, July 24, 2021

Kaseya supply chain hack 2 July 2021

What is Kaseya?

Kaseya is a Miami, Florida-based Managed Service Provider (MSP). They offer a cloud-based platform that allows customers to manage patches and monitor their clients. According to Kaseya’s website, the company provides its customers “with best-in-breed technologies that allow them to efficiently manage, secure and backup IT under a single pane of glass.”

What is the Kaseya supply chain hack?

Similar to this year’s hack of SolarWinds, criminals breached Kaseya’s system using a variety of vulnerabilities in its IT management product. They then used that access to begin attacking as many of the company’s customers as possible in a fox-in-the-henhouse scenario.

As is often the case, the hackers acted on the Friday before the July 4th weekend. Cybercriminals will often make their moves when they anticipate understaffed or otherwise distracted workforces. Holidays are favored opportunities.

The result is that Kaseya’s clients, across roughly a dozen countries, have been infected with ransomware. This number is subject to change as the story develops. Some sources, such as CNET, claim that at least 36,000 companies have been affected, owing to the downstream effects of the hack and Kaseya telling all users of its product to shut down. Kaseya itself released a statement last Friday claiming that “only 40” of its customers had been directly affected worldwide.

Kaseya was also quick to paint a picture of a very “sophisticated, weaponized attack.” According to Kaseya spokesperson Dana Liedholm, “this was not as simple as a single 0-day exploit.”

It is currently unknown whether the hackers have only encrypted the affected information or have also stolen data, possibly to sell at a later date.

Who is responsible for the Kaseya supply chain hack?

Russia-based cybercriminal group REvil, which also previously attacked JBS Foods, has taken credit for the Kaseya supply chain hack. In a post online, the group has demanded $70 million in exchange for a universal key that will decrypt the information.

What is REvil?

According to Wikipedia, “REvil (Ransomware Evil; also known as Sodinokibi) is a private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page ‘Happy Blog’ unless the ransom is received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products.”

REvil has grabbed headlines a few times in recent years, both for claiming to have stolen information related to President Donald Trump in 2020 and for having connections to the exploitation of Microsoft Exchange Server.

How could the hack of Kaseya have been prevented?

According to the Dutch Institute for Vulnerability Disclosure, Kaseya had been prompted to fix the vulnerabilities that were used in the attack. The Institute also says that it was working with Kaseya to address the security weaknesses, but they were not able to act quickly enough.

The Dutch organization said that Kaseya “showed a genuine commitment to do the right thing.”

“Unfortunately, we were beaten by REvil in the final sprint, as they could exploit vulnerabilities before customers could even patch.”

What is being done as a result of the Kaseya hack?

Kaseya is in the process of creating a patch that will fix the vulnerabilities in its product, but the reality is that the damage in that arena has been done. The incident is one of many attacks over the past year that have targeted third-party vendors in order to gain unauthorized access to their clients’ information.

Kaseya has also said that it has teamed up with cybersecurity company FireEye to help navigate and mitigate the fallout of the attack. FireEye has gained notoriety recently due to its investigation into the SolarWinds hack.

President Joe Biden has also issued a statement in which he said that he has directed U.S. intelligence agencies to investigate the attack.

While REvil is not believed to be directly affiliated with Moscow, the attack comes almost directly on the heels of Biden’s recent meeting with Russian President Vladimir Putin. In that meeting they discussed the critical nature of cybersecurity and the tenuous, to say the least, relationship between the two superpowers with regard to intelligence gathering, espionage, and cyber warfare.

Derek Walborn
Derek Walborn is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
