REvil Used 0-Day in Kaseya Ransomware Attack, Demands $70 Million Ransom
Ravie Lakshmanan, July 04, 2021

Amidst the massive supply-chain ransomware attack that triggered an infection chain compromising thousands of businesses on Friday, new details have emerged about how the notorious Russia-linked REvil cybercrime gang may have pulled off the unprecedented hack.

The Dutch Institute for Vulnerability Disclosure (DIVD) on Sunday revealed it had alerted Kaseya to a number of zero-day vulnerabilities in its VSA software (CVE-2021-30116) that it said were being exploited as a conduit to deploy ransomware. The non-profit entity said the company was in the process of resolving the issues as part of a coordinated vulnerability disclosure when the July 2 attacks took place.

More specifics about the flaws were not shared, but DIVD chair Victor Gevers hinted that the zero-days are trivial to exploit. At least 1,000 businesses are said to have been affected by the attacks, with victims identified in no less than 17 countries, including the U.K., South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand, and Kenya, according to ESET.

Kaseya VSA is a cloud-based IT management and remote monitoring solution for managed service providers (MSPs), offering a centralized console to monitor and manage endpoints, automate IT processes, deploy security patches, and control access via two-factor authentication.
REvil Demands $70 Million Ransom

Active since April 2019, REvil (aka Sodinokibi) is best known for extorting $11 million from the meat-processor JBS early last month, with the ransomware-as-a-service business accounting for about 4.6% of attacks on the public and private sectors in the first quarter of 2021. The group is now asking for a record $70 million ransom payment to publish a universal decryptor that can unlock all systems that have been crippled by the file-encrypting ransomware.

"On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour," the REvil group posted on their dark web data leak site.

Kaseya, which has enlisted the help of FireEye to help with its investigation into the incident, said it intends to "bring our SaaS data centers back online on a one-by-one basis starting with our E.U., U.K., and Asia-Pacific data centers followed by our North American data centers." On-premises VSA servers will require the installation of a patch prior to a restart, the company noted, adding that it is in the process of readying the fix for release on July 5.

CISA Issues Advisory

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory, urging customers to download the Compromise Detection Tool that Kaseya has made available to identify any indicators of compromise (IoCs), enable multi-factor authentication, limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
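Two of the CISA recommendations above (restricting RMM traffic to known IP address pairs and keeping the RMM administrative interface reachable only from a dedicated administrative network) can be audited against firewall or flow logs. The following is an added example, not code from CISA, Kaseya or the article: it reads constructed connection-log lines, and every address, network, port number and log format in it is an assumption chosen for illustration rather than a real VSA value.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy (assumptions, not real VSA values): the RMM server,
# the dedicated admin/VPN network, and placeholder ports for the admin UI
# and the agent check-in channel.
RMM_SERVER = ipaddress.ip_address("10.0.5.10")
ADMIN_NET = ipaddress.ip_network("10.0.100.0/24")   # dedicated admin network
ADMIN_PORT = 8443                                    # placeholder admin UI port
AGENT_PORT = 5000                                    # placeholder agent port

# Known (source, destination) IP pairs that may use the agent channel.
ALLOWED_AGENT_PAIRS = {
    ("10.0.20.15", "10.0.5.10"),
    ("10.0.20.16", "10.0.5.10"),
}


@dataclass
class Finding:
    line: str
    reason: str


def parse_line(line: str):
    # Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"]), fields["action"]


def audit(lines):
    """Return one Finding per allowed connection to the RMM server that
    violates the admin-network or known-pair policy."""
    findings = []
    for line in lines:
        src, dst, dport, action = parse_line(line)
        # Only permitted traffic that actually reached the RMM server matters here.
        if action != "allow" or ipaddress.ip_address(dst) != RMM_SERVER:
            continue
        src_ip = ipaddress.ip_address(src)
        if dport == ADMIN_PORT and src_ip not in ADMIN_NET:
            findings.append(Finding(line, "admin interface reached from outside the admin network"))
        elif dport == AGENT_PORT and (src, dst) not in ALLOWED_AGENT_PAIRS:
            findings.append(Finding(line, "agent channel used by an unknown source/destination pair"))
    return findings


# Constructed sample log: two lines violate the policy, the rest are fine
# (one is a denied attempt, one targets a different host).
SAMPLE_LOG = [
    "2021-07-02T10:00:01Z src=10.0.100.7 dst=10.0.5.10 dport=8443 action=allow",
    "2021-07-02T10:00:05Z src=203.0.113.44 dst=10.0.5.10 dport=8443 action=allow",
    "2021-07-02T10:00:09Z src=10.0.20.15 dst=10.0.5.10 dport=5000 action=allow",
    "2021-07-02T10:00:12Z src=10.0.20.99 dst=10.0.5.10 dport=5000 action=allow",
    "2021-07-02T10:00:15Z src=198.51.100.9 dst=10.0.5.10 dport=8443 action=deny",
    "2021-07-02T10:00:20Z src=10.0.20.15 dst=10.0.7.7 dport=5000 action=allow",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```

Each finding is a permitted connection that the firewall should not have allowed under the advisory's guidance, so the list doubles as a to-do for tightening rules: admin-port hits from outside `ADMIN_NET` point at an interface that is not yet behind the VPN or admin-network firewall, and agent-port hits from unlisted pairs point at RMM traffic that has not been pinned to known IP address pairs.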
"Less than ten organizations [across our customer base] appear to have been affected, and the impact appears to have been restricted to systems running the Kaseya software," Barry Hensley, Chief Threat Intelligence Officer at Secureworks, told The Hacker News via email. "We have not seen evidence of the threat actors attempting to move laterally or propagate the ransomware through compromised networks. That means that organizations with wide Kaseya VSA deployments are likely to be significantly more affected than those that only run it on one or two servers."

By compromising a software supplier to target MSPs, who, in turn, provide infrastructure or device-centric maintenance and support to other small and medium businesses, the development once again underscores the importance of securing the software supply chain, while also highlighting how hostile agents continue to advance their financial motives by combining the twin threats of supply chain attacks and ransomware to strike hundreds of victims at once.

"MSPs are high-value targets — they have large attack surfaces, making them juicy targets to cybercriminals," said Kevin Reed, chief information security officer at Acronis. "One MSP can manage IT for dozens to a hundred companies: instead of compromising 100 different companies, the criminals only need to hack one MSP to get access to them all."