Massive Ransomware Attack May Impact Thousands of Victims
Just weeks after President Joe Biden implored Vladimir Putin to curb cyber crime, a notorious, Russia-linked ransomware gang has been accused of pulling off an audacious attack on the global software supply chain.
REvil, the group blamed for the May 30 ransomware attack of meatpacking giant JBS SA, is believed to be behind hacks on at least 20 managed-service providers, which provide IT services to small- and medium-sized businesses. More than 1,000 businesses have already been impacted, a figure that’s expected to grow, according to the cybersecurity firm Huntress Labs Inc.
“Based on a combination of the service providers reaching out to us for assistance along with the comments we’re seeing in the thread we are tracking on our Reddit, it’s reasonable to think this could potentially be impacting thousands of small businesses,” according to John Hammond, a cybersecurity researcher at Huntress Labs.
Biden said he had ordered a “deep dive” by U.S. intelligence officials on what happened in the attacks. At this point, he said “we’re not sure” that Russia is behind them.
“I directed the intelligence community to give me a deep dive on what’s happened and I’ll know better tomorrow,” Biden said, recalling that he told Putin during their meeting in June that the U.S. would respond to cyber transgressions. He added that he hasn’t called the Russian president about the latest case.
“We’re not sure it’s the Russians,” he said. “The initial thinking was, it was not Russian government, but we’re not sure yet.”
Attacking MSPs is a particularly devious method of hacking, since it may allow the attackers to then infiltrate their customers as well. Hammond said more than 20 MSPs have been affected so far.
In Sweden, most of grocery chain Coop’s more than 800 stores couldn’t open on Saturday after the attack led to a malfunction of their cash registers, spokesperson Therese Knapp told Bloomberg News.
There are victims in 17 countries so far, including the U.K., South Africa, Canada, Argentina, Mexico and Spain, according to Aryeh Goretsky, a distinguished researcher at cybersecurity firm ESET.
The ransomware attack is the latest in a string of devastating hacks in recent months, making cybersecurity an increasingly pressing national security issue for the Biden administration. At a summit on June 16, Biden warned Russian President Putin that 16 types of critical infrastructure, including food and agriculture, emergency services and health care, were off limits to future attacks. It’s not yet known if the U.S. victims of the latest ransomware attack fell within those sectors.
A software supply chain attack revealed in December included nine U.S. agencies and about 100 businesses as victims. Russian state-sponsored hackers were accused of the attack, in which the hackers implanted malicious code in updates for popular software from SolarWinds Corp. Customers who downloaded the updates inadvertently created a backdoor that the hackers could then exploit. It was particularly sophisticated and highlighted the terrifying potential of supply-chain hacks.
More recently, ransomware attacks on Colonial Pipeline Co., the operator of the nation’s largest fuel pipeline, and JBS have revealed gaping security vulnerabilities in crucial U.S. businesses. Both Colonial and JBS paid the hackers millions of dollars. The hackers behind the Colonial attack, a group called DarkSide, have also been tied to Russia.
Friday’s attack appears to combine a supply-chain attack with ransomware, vastly increasing the number of potential victims and, presumably, the payout. Ransomware is a type of attack in which hackers encrypt computer files and then demand payment to unlock them.
Among the companies targeted was Kaseya Ltd., a Miami-based developer of software for managed service providers, as a way to attack its customers, according to cybersecurity experts.
“What makes this attack stand out is the trickle-down effect, from the managed service provider to the small business,” Hammond said. “Kaseya handles large enterprise all the way to small businesses globally, so ultimately, it has the potential to spread to any size or scale business.”
In a statement, Kaseya said it has notified the FBI. The company said it had so far identified fewer than 40 customers that were impacted by the attack.
Allan Liska, a senior threat analyst at cybersecurity firm Recorded Future Inc., said REvil was behind the attacks.
Eric Goldstein, the executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency, said the group is closely monitoring this situation.
“We are working with Kaseya and coordinating with the FBI to conduct outreach to possibly impacted victims,” he said in a statement. “We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately. As always, we stand ready to assist any impacted entities.”
Two of the affected MSPs are Synnex Corp. and Avtex LLC, according to two people familiar with the breaches. Avtex President George Demou told Bloomberg News in a text message on Friday night, “Hundreds of MSPs have been impacted by what appears to be a Global Supply Chain hack.”
“We are working with those customers who have been impacted to help them to recover,” he added.
A Synnex spokesperson didn’t immediately respond to requests for comment. The Republican National Committee said it was alerted that its vendor Synnex may have been affected.
“Today, Microsoft informed us that one of our vendors, Synnex, systems may have been exposed,” said Mike Reed, a spokesman for the RNC. “There is no indication the RNC was hacked or any RNC information was stolen. We are investigating the matter and have informed DHS and the FBI.”