A cyberattack on the US tech provider Kaseya has been named one of the most significant ransomware attacks. Cybersecurity expert Stel Valavanis regards that Kaseya has dealt with the attack much better than SolarWinds did, but there’s still a lot to learn.
Friday’s ransomware attack scrambled the data of hundreds of small businesses worldwide, including many in the United States. REvil, a prolific, Russia-linked cybercrime syndicate, took credit for the breach.
“It was a long long 5 days for us. I want to express my sincere apologies that VSA is not accessible for you to serve your customers, to serve internal IT folks, and to make your lives easier. We recognize as I said before, this sucks. We take this very seriously,” Kaseya CEO Fred Voccola said in a video message to customers.
Stel Valavanis, CEO of Chicago-based onShore Security, believes Kaseya dealt with the cyberattack better than SolarWinds did.
“Kudos to Kaseya for having discovered the vulnerability prior to the attack and reporting quickly. Many targets were spared as a result, and their disclosure and quick work should raise confidence, unlike SolarWinds, who seemed to be in denial for much of the time. We still need to change how we think about cybercrime and work together more than we have,” he told CyberNews.
Hackers are suspected of having stolen companies’ desktop management tool VSA, which allowed them to infect the tech management provider serving thousands of businesses worldwide.
Among the first to feel the fallout of the attack was the Swedish Coop grocery store chain, forced to close all 800 of its stores since the attack prevented the company from using its cash registers.
Valavanis, like many other cybersecurity experts, draws a parallel between the Kaseya and SolarWinds cyberattacks.
“Even though it seems like the Kaseya attack was not a yearlong dwelling of source code compromise, I still want to draw a direct comparison to the SolarWinds attack. Yes, it’s a juicy target because Kaseya is used to manage many networks centrally. Then there are other similarities to the SolarWinds attack, such as exploiting an update mechanism and utilizing “living off the land” existing trusted software,” he said.
“As with the SolarWinds incident, this latest attack uses a two-step malware delivery process sliding through the back door of tech environments,” ESET researchers claim.
What was so special about this recent attack?
“But, think about this. The software had to be trusted to be exploited. This is true about the update mechanism, the executables, and Microsoft’s defense tools too. Apparently, the attackers ran an old version of MS Defender to run payloads undetected. Then, of course, the Kaseya folders are tagged not to be scanned. This is the similarity with SolarWinds that I want to point out because we need to get past it,” he said.
He highlighted that no code can be trusted and that machines “are dumb” and criminals can find a way to trick them.
“To me, this is man versus machine. Maybe it’s too complicated to cooperate with anti-malware companies to permit zero-trust scanning. Where are all those lovely behavioral analytics tools we employ, and how did they allow old versions of software to run? How is it that we allow many thousands of those customer server updates to go on automated inserting malicious payloads? Maybe we just can’t yet see that no code can be trusted. Maybe the cathedral (paradigm of programming) has run its course. My point is that machines are dumb. They can be fooled. They can be manipulated. They can’t be trusted. Humans will find ways to trick them and bash them around. I once heard To err is human. To really screw things up requires a machine,” he said.
The US president Joe Biden said that the ransomware attack on Kaseya seems to have inflicted “minimal damage” on American business.
The president’s comments follow a statement from Kaseya that the attack never posed a threat to critical US infrastructure, which Biden declared off-limits during a summit with Russian President Vladimir Putin last month, Reuters reported.
But the attack was another illustration of how cybercriminals believed to be operating from Russia are running amok in the United States. Biden has sought to push Putin to bring Russian cybercriminals to heel, so far to little visible effect.
Last month, REvil extorted an $11 million ransom out of meatpacker JBS after snarling its supply chain. In May, an intrusion by another Russia-linked group at major U.S. fuel transporter Colonial Pipeline led to panic buying, price spikes, and gasoline shortages up and down the East Coast.
More great CyberNews stories:
Subscribe to our newsletter