While most of us were barbecuing and watching fireworks this past 4th of July weekend, cybercriminals were busy carrying out a ransomware attack that has affected thousands of users. One report claims that over 1 million computers have been affected. When the dust finally settles, we will get a better idea of just how widespread the attack was, but one thing we know is that the fallout will be far-reaching.
What Happened
Criminals connected to the REvil cybergang claimed to have unleashed a massive cyber attack against software developer Kaseya. Kaseya’s RMM (Remote Monitoring and Management) software is used by Managed Service Providers. The attack, considered to be one of the largest ransomware attacks on record, if not the largest, has affected banks, financial services providers, travel and leisure companies, and even public sector companies.
We have confirmed that cybercriminals have exploited an arbitrary file upload and code injection vulnerability and have high confidence that an authentication bypass was used to gain access to these servers. The brazen attack has drawn the attention of the FBI and CISA, who have reached out to the identified victims and offered support.
The attack came as researchers from the Dutch Institute for Vulnerability Disclosure (DIVD) revealed that they had also discovered the vulnerability in Kaseya’s software and were in the process of addressing it. The cybercriminals beat them to the punch and in a post on REvil’s “Happy Blog” made the claim that they have infected over a million devices and demanded $70 million in Bitcoin to publish the “decryptor” that would allow the affected parties to recover their files.
Who Was Affected by The Ransomware Attack?
One of the largest grocery store chains in Sweden was forced to close most of its 800 locations as the ransomware attack affected its cash registers, preventing them from opening and grinding operations to a halt. It is predicted that as most US businesses reopen today after the holiday weekend, more victims will be discovered.
Kaseya’s servers remain offline as of the time this article was written, and the company says it will issue a timeline for restoration, but this is of little comfort to the businesses that have been affected by this latest in a stream of ransomware attacks.
An Analysis of The Attack
Based on initial analysis, it is believed that the ransomware attackers deployed a malicious dropper via a PowerShell script that was executed via Kaseya’s software.
The script then disabled Microsoft Defender for Endpoint protection and utilized the certutil.exe utility to decode a malicious executable (agent.exe) that drops a legitimate Microsoft binary (MsMpEng.exe, an older version of Microsoft Defender) and a malicious library (mpsvc.dll), which is the REvil ransomware. This library is then loaded by the legitimate MsMpEng.exe using the DLL side-loading technique (T1574.002).
Huntress has been hard at work to discern the source and method of this latest ransomware attack. Huntress has high confidence that the attackers utilized an authentication bypass in Kaseya VSA to obtain access to an authentication session. They then uploaded the original payload and executed commands via SQL injection. Huntress is actively analyzing the situation as it is believed that the attackers may have compromised a legitimate web server and utilized it as a launchpad for their attacks.
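As an added illustration (not code from the original post, from Huntress or from Kaseya), the small Python detector below applies the three observable steps of the chain described above to constructed process-creation events: PowerShell turning Defender features off via Set-MpPreference, certutil.exe being used as a decoder, and MsMpEng.exe running from a directory Defender does not install to, which is the tell for the side-load. The Set-MpPreference flag names, the file paths and the event format are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (image path + command line), not real telemetry.
# Paths such as C:\Temp\drop are placeholders chosen for this example.
EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ep bypass -c Set-MpPreference "
                "-DisableRealtimeMonitoring $true -DisableIOAVProtection $true"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\Temp\drop\agent.crt C:\Temp\drop\agent.exe"},
    {"image": r"C:\Temp\drop\MsMpEng.exe",
     "cmdline": r"C:\Temp\drop\MsMpEng.exe"},
    # Benign counterparts: a read-only Defender query and the real service binary.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Get-MpComputerStatus"},
    {"image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "cmdline": r'"C:\Program Files\Windows Defender\MsMpEng.exe"'},
]

# Directories Defender legitimately runs its engine from (assumed, lower-cased).
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


def check_event(ev):
    """Return the names of the rules that fire on one process-creation event."""
    hits = []
    image = ev["image"].lower()
    cmd = ev["cmdline"].lower()
    exe = PureWindowsPath(image).name
    # 1. Defender tampering: Set-MpPreference with any -Disable* switch set to $true.
    if exe == "powershell.exe" and "set-mppreference" in cmd \
            and re.search(r"-disable\w+\s+\$?true", cmd):
        hits.append("defender_tamper")
    # 2. certutil used as a decoder to reconstitute a binary on disk.
    if exe == "certutil.exe" and re.search(r"-decode(hex)?\b", cmd):
        hits.append("certutil_decode")
    # 3. Defender's engine binary started outside its install directories.
    if exe == "msmpeng.exe" and not image.startswith(DEFENDER_DIRS):
        hits.append("msmpeng_sideload")
    return hits


def scan(events):
    """Map event index -> fired rules, for events that triggered at least one rule."""
    return {i: check_event(ev) for i, ev in enumerate(events) if check_event(ev)}


if __name__ == "__main__":
    for idx, rules in scan(EVENTS).items():
        print(idx, EVENTS[idx]["cmdline"], "->", rules)
```

In a real deployment the same three rules would run over Sysmon Event ID 1 or EDR process telemetry, and rule 3 is best paired with a check that mpsvc.dll loaded from the same non-standard directory.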
How CPT of Florida Utilizes Huntress to Protect you Against Similar Ransomware Attacks
CPT of Florida has partnered with Huntress to provide a best-in-class security platform.
Huntress finds and stops hidden threats that sneak past preventive security tools, so you can protect your customers from today’s determined cybercriminals. Huntress provides the hands-on support and expertise needed to identify and stop advanced cyber attacks. The cyber-safety net deployed by Huntress is an essential tool in managed detection and will guard against ransomware.
You can trust that CPT of Florida will protect your customers’ valuable data, increase your operational efficiency, guard against ransomware attacks and provide industry-leading cybersecurity expertise.
Contact CPT of Florida for Best-in-Class Managed IT Services
At CPT of Florida, we are the premier managed service provider in Florida. Our clients depend on us to keep them secure online, so we take the fight to the attackers. When a threat is identified, we jump into action, preparing a detailed plan of action that, with one click, can deploy automated actions that allow you to respond to ransomware attacks as quickly as possible. Contact us today to speak to one of our cybersecurity specialists. Visit our contact us page or call us at 9549632775 today.