SAN FRANCISCO, Aug 3 - A ransomware attack in July that paralyzed as many as 1,500 organizations by compromising technology management software from a company called Kaseya has set off a race among criminals looking for similar vulnerabilities, cyber security experts said.
An affiliate of a Russian-speaking ransomware gang called REvil used two gaping flaws in software from Florida-based Kaseya to break into about 50 managed services providers (MSPs) that were using its products, investigators said.
"Now that criminals know how powerful MSP attacks can be, they are already busy, they've moved on and we don't know where," said Victor Gevers, director of the non-profit Dutch Institute for Vulnerability Disclosure, which warned Kaseya of the weaknesses before the attack.
Gevers said his researchers had discovered similar vulnerabilities in more MSPs. He declined to name the firms because they have not yet fixed all the problems.
Managed service providers include large firms like IBM and Accenture, which offer cloud versions of popular software, as well as specialist companies devoted to specific industries. They generally serve small and medium-sized firms that lack in-house technology capabilities, and they often improve those customers' security.
But MSPs also make an efficient vehicle for spreading ransomware, because they have broad access inside many of their customers' networks. Kaseya's software serves many MSPs, so the attacks multiplied before Kaseya could warn everyone, rapidly encrypting data and demanding ransoms of as much as $5 million per victim.
The business of MSPs has boomed during the coronavirus pandemic along with the rapid increase in remote work.
"That's where you find the trusted access to your customers' systems," said Chris Krebs, the first leader of the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), which has made ransomware a top priority. "It's a much more economical method to launch a breakout attack. And it's difficult for the customer to defend."
Bugcrowd, one of several platforms where researchers can report vulnerabilities, has also seen security flaws in MSPs as bad as Kaseya's, said Chief Executive Ashish Gupta, perhaps because MSPs have grown so fast.
"The time to market is such a high requirement and sometimes speed becomes the enemy of security," Gupta said.
Service providers have been targeted before, notably by suspected Chinese government hackers who went after big tech companies in a series of breaches known as Cloud Hopper. REvil hit more than 20 Texas municipalities through a shared provider two years ago, but only demanded $2.5 million in total ransom, said Andy Bennett, then a state official who managed the response.
With REvil extortionists asking for $70 million to reverse all the Kaseya damage, he said their ambitions are clearly bigger now and their approach is more measured. It is unclear how much ransom was eventually paid or how many businesses were affected.
An increase in ransomware attacks led President Joe Biden to warn Russian President Vladimir Putin that the United States would act on its own against the worst hacking gangs operating on Russian soil unless Russian authorities reined them in.
On July 22, Kaseya said a security firm had developed a universal key for decryption without paying the criminals, prompting speculation that Putin had helped or that U.S. agencies had hacked REvil.
CISA is trying to get the word out both to MSPs and their customers of the risks and what to do about them, said Eric Goldstein, executive assistant director for cybersecurity.
A mere two weeks after the July 2 attack, CISA issued guidelines (https://www.cisa.gov/sites/default/files/publications/CISA%20Insights_Guidance_for_MSPs_and_Small_and_Mid-sized_Businesses_S508C.pdf) on best practices for both sides of the equation. CISA also offers free risk assessments, penetration testing and analyses of network architectures.
"NGOs need to look at their MSPs," Goldstein said. "The broader consideration here is the importance for organizations big and small to understand the trust relationships that they have with those entities that have connections into their environment."