SAN FRANCISCO, Aug. 3 (Reuters) – A ransomware attack in July that crippled up to 1,500 organizations by compromising the engineering management software of a company called Kaseya sparked a race among criminals to find similar vulnerabilities cybersecurity experts said.
An affiliate of a Russian-speaking ransomware gang known as REvil used two gaping flaws in Florida-based Kaseya’s software to penetrate around 50 managed service providers (MSPs) that were using its products, said investigators.
Now that criminals see how powerful MSP attacks can be, “they’re already busy, they’ve already moved on and we don’t know where,” said Victor Gevers, director of the Dutch Institute for Disclosure of the nonprofit vulnerabilities, which warned Kaseya of the weaknesses before the attack.
“It will happen again and again.”
Gevers said its researchers have found similar vulnerabilities in more MSPs. He declined to name the companies because they still haven’t addressed all of the issues.
Managed service providers include companies such as IBM (IBM.N) and Accenture (ACN.N) offering cloud versions of popular software and specialist companies dedicated to specific industries. They typically serve small and medium-sized businesses that lack in-house technology capabilities and often increase security.
But MSPs are also an effective vehicle for ransomware as they have wide access inside many of their customers’ networks. Kaseya’s software serves many MSPs, so attacks escalated before Kaseya could notify everyone, quickly encrypting data and demanding ransoms of up to $ 5 million per victim. Read more
MSP activity has exploded during the coronavirus pandemic alongside the rapid increase in remote working.
“This is where you will find reliable access to customer systems,” said Chris Krebs, chief executive officer of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which has made ransomware a priority. absolute. “It’s a much more economical approach to launch a breakout attack. And it is difficult for the client to defend himself. “
Bugcrowd Inc, one of many platforms where researchers can report vulnerabilities, also found security vulnerabilities as severe as Kaseya’s, said Ashish Gupta, CEO of Bugcrowd, possibly because MSPs have grown so quickly.
“Time to market is such a high requirement, and sometimes speed becomes the enemy of safety,” Gupta said.
Service providers have already been targeted – most dramatically by suspected Chinese government hackers who preyed on big tech companies in a series of breaches known as Cloud Hopper.
REvil hit more than 20 Texas municipalities through a shared provider two years ago, but only demanded a total ransom of $ 2.5 million, said Andy Bennett, then state official responsible for the answer.
As the REvil extortionists demand a record $ 70 million to repair all the damage Kaseya has done, he said, “their aspirations are clearly greater now and their approach is more measured.” It is not known how much ransom was ultimately paid or how many businesses were affected.
An increase in ransomware attacks has led US President Joe Biden to warn Russian President Vladimir Putin that the US will act alone against the worst pirate gangs operating on Russian soil unless the authorities stop them.
On July 22, Kaseya said that a security company had developed a universal decryption key without paying the criminals, which sparked speculation that Putin helped or that US agencies hacked REvil.
CISA is trying to get the word out to MSPs and their clients about the risks and what to do about them, said Eric Goldstein, executive deputy director for cybersecurity.
Less than two weeks after the attack on Kaseya on July 2, the CISA released best practice guidelines on both sides of the equation. CISA also offers free risk assessments, penetration tests and network architecture analyzes.
“Organizations need to review the security of their MSPs,” Goldstein said. “The broader consideration here is the importance for organizations large and small to understand the relationships of trust they have with entities that have connections to their environment. “
Reporting by Joseph Menn; edited by Grant McCool
Our Standards: Thomson Reuters Trust Principles.