
How REvil Ransomware Took Out Thousands of Businesses at Once


A massive chain-reaction ransomware attack on Friday infected at least hundreds, and probably thousands, of businesses worldwide, including a railroad, a pharmacy chain and hundreds of Swedish Coop grocery stores. Carried out by the notorious Russia-based criminal group REvil, the attack combines ransomware with a so-called supply chain attack. Now it is becoming clearer exactly how they pulled it off.

Some details were already known on Friday evening. To spread their ransomware to a large number of targets, the attackers found a vulnerability in the update mechanism used by the IT services company Kaseya. The company develops software used to manage business networks and devices, and sells those tools to other companies known as “managed service providers”. MSPs in turn contract with small and medium-sized enterprises, or any organization that does not want to manage its own IT infrastructure. By seeding their ransomware through Kaseya’s trusted distribution mechanism, the attackers could infect an MSP’s Kaseya infrastructure and then watch the dominoes fall as those MSPs inadvertently distributed the malware to their customers.

By Sunday, security researchers had gathered critical details on how the attackers gained and exploited that initial foothold.

“Interestingly, REvil used trusted instances in all instances to access targets. Typically, ransomware actors need multiple vulnerabilities to do this on different networks over time, or time to find administrator passwords,” says Sophos threat researcher Sean Gallagher. Sophos published new findings about the attack on Sunday. “This is a step above what ransomware attacks usually are.”

Trust Exercise

The attack relied on exploiting an initial vulnerability in Kaseya’s automatic update system for its remote monitoring and management product, called VSA. It is not yet clear whether the attackers exploited the vulnerability in Kaseya’s central systems; it seems more likely that individual VSA servers managed by MSPs were exploited and that malicious “updates” were pushed from there to the MSPs’ clients. REvil appears to have tailored its ransom demands, as well as some of its attack techniques, to each target, rather than taking a scattershot approach.

The timing of the attack was particularly unfortunate, because security researchers had already identified the underlying vulnerability in the Kaseya update system. Wietse Boonstra, a researcher at the Dutch Institute for Vulnerability Disclosure, was working with Kaseya to develop and test patches for the flaw. The fixes were close to release, but they had not yet been rolled out by the time REvil struck.

“We did the best we could and Kaseya did the best they could,” says Victor Gevers, a researcher at the Dutch Institute for Vulnerability Disclosure. “It’s a vulnerability that’s easy to find, I think. That’s probably the reason the attackers won the last sprint.”

The attackers exploited the vulnerability to distribute a malicious payload to vulnerable VSA servers. From there it hit the VSA agent applications running on the Windows devices those MSPs manage. VSA “working folders” typically function as a trusted walled garden on these machines: malware scanners and other security tools are instructed to ignore whatever runs inside them, which gave the attackers valuable cover once they had planted themselves there.

Once the payload was delivered, the malware executed several commands to hide its activity from Microsoft Defender, the malware scanner built into Windows. It then had the Kaseya update process run Microsoft’s “Antimalware Service,” a legitimate but outdated version of a Windows Defender component. Attackers can abuse this outdated version to “side-load” malicious code, sneaking it past Windows Defender the way Luke Skywalker sneaks weapons past Stormtroopers. From there, the malware began encrypting the files on the victim’s machine. It also took steps to make recovery from data backups difficult.
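The chain described in the last two paragraphs (execution out of a folder that security tools are told to ignore, commands that tamper with Defender, and a legitimate but relocated Defender engine binary loading a DLL from its own directory) is something a defender can look for in endpoint process telemetry. The following is an added detection example written for this article; it is not code from Wired, Sophos, Kaseya or REvil. It assumes a simple process-event record shape (a hypothetical `ProcessEvent` with image path, command line, parent and loaded modules), a constructed AV-excluded folder `C:\agentwork` standing in for the real working folder (not the name used by VSA), and constructed sample events. `MsMpEng.exe` is the real file name of Windows Defender's Antimalware Service Executable; the expected install directories are the usual ones but are stated here as assumptions.

```python
from __future__ import annotations

import ntpath  # Windows path semantics regardless of the analysis host
import re
from dataclasses import dataclass, field

# Directories where the Defender engine binary is expected to live (assumed layout).
EXPECTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
DEFENDER_ENGINE = "msmpeng.exe"  # Windows Defender "Antimalware Service Executable"

# Command lines that switch off Defender features; only used for detection here.
DEFENDER_TAMPER = re.compile(r"set-mppreference.*-disable", re.IGNORECASE)


@dataclass
class ProcessEvent:          # hypothetical telemetry record
    pid: int
    image: str               # full path of the executable
    cmdline: str
    parent_image: str
    loaded_modules: list[str] = field(default_factory=list)


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def is_relocated_defender_binary(ev: ProcessEvent) -> bool:
    """Defender engine running from somewhere other than its install directories."""
    image = _norm(ev.image)
    if ntpath.basename(image) != DEFENDER_ENGINE:
        return False
    return not any(image.startswith(d + "\\") for d in EXPECTED_DEFENDER_DIRS)


def sideloaded_modules(ev: ProcessEvent) -> list[str]:
    """DLLs a relocated engine binary loads from its own (non-standard) directory."""
    if not is_relocated_defender_binary(ev):
        return []
    image_dir = ntpath.dirname(_norm(ev.image))
    return [m for m in ev.loaded_modules
            if _norm(m).endswith(".dll") and ntpath.dirname(_norm(m)) == image_dir]


def is_defender_tampering(ev: ProcessEvent) -> bool:
    return bool(DEFENDER_TAMPER.search(ev.cmdline))


def analyze(events: list[ProcessEvent], excluded_dirs: list[str]) -> list[tuple[int, str]]:
    """Return (pid, finding) pairs for the behaviours described in the article."""
    excluded = [_norm(d).rstrip("\\") + "\\" for d in excluded_dirs]
    findings: list[tuple[int, str]] = []
    for ev in events:
        image = _norm(ev.image)
        if is_defender_tampering(ev):
            findings.append((ev.pid, "defender-tampering"))
        if any(image.startswith(d) for d in excluded):
            findings.append((ev.pid, "execution-from-av-excluded-folder"))
        if is_relocated_defender_binary(ev):
            findings.append((ev.pid, "relocated-defender-binary"))
        if sideloaded_modules(ev):
            findings.append((ev.pid, "possible-dll-sideload"))
    return findings


# Constructed sample data: folder and file names are placeholders, not VSA's real ones.
SAMPLE_EXCLUDED_DIRS = [r"C:\agentwork"]
SAMPLE_EVENTS = [
    ProcessEvent(1001, r"C:\agentwork\agent.exe", "agent.exe",
                 r"C:\Program Files\Agent\AgentMon.exe"),
    ProcessEvent(1002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
                 r"C:\agentwork\agent.exe"),
    ProcessEvent(1003, r"C:\agentwork\MsMpEng.exe", "MsMpEng.exe",
                 r"C:\agentwork\agent.exe",
                 [r"C:\Windows\System32\kernel32.dll", r"C:\agentwork\payload.dll"]),
    # Benign control: the real engine in its install directory, loading its own DLL.
    ProcessEvent(1004, r"C:\Program Files\Windows Defender\MsMpEng.exe", "MsMpEng.exe",
                 r"C:\Windows\System32\services.exe",
                 [r"C:\Program Files\Windows Defender\mpclient.dll"]),
]

if __name__ == "__main__":
    for pid, finding in analyze(SAMPLE_EVENTS, SAMPLE_EXCLUDED_DIRS):
        print(pid, finding)
```

The benign control event (pid 1004) produces no finding, while the constructed chain yields one finding for the agent running from the excluded folder, one for the Defender-tampering command line, and three for the relocated engine binary that loads a DLL from its own directory. In practice the excluded-directory list would be read from the endpoint's actual Defender exclusions rather than hard-coded, and the side-load check is the highest-signal of the three: a Defender engine binary loading DLLs from anywhere but its install directory is rarely legitimate.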
