[Security Weekly] Kaseya Exploited by REvil for Supply-Chain Ransomware Attack, 1,500 Firms Breached
2nd Week of July 2021
1. Kaseya exploited by REvil for supply-chain ransomware attack, 1,500 firms breached
Kaseya, an IT management vendor that sells SaaS and on-premises software to managed service providers (MSPs), who in turn use the software to provide IT management services to SMEs, became the entry point of the latest supply chain attack.
On July 2, the REvil ransomware gang exploited a zero-day vulnerability in Kaseya VSA that allowed them to bypass authentication and achieve arbitrary command execution, which they used to deploy ransomware. Kaseya VSA is an on-premises Remote Monitoring and Management (RMM) product used by MSPs to manage their clients’ networks.
Among 40,000 companies that use Kaseya’s products, 60 of them were breached in the attack, all of which were users of VSA. As a result, between 800 and 1,500 downstream companies were compromised, most of which were SMEs.
After detecting the attack, Kaseya immediately notified all its clients to shut down their VSA servers. As a preventative measure, Kaseya also shut down the cloud servers hosting its SaaS products. Many customers faced operational disruptions due to this massive shutdown: Swedish supermarket chain Coop had to close 500 stores after its cash registers stopped functioning.
REvil claimed to have encrypted over 1 million systems and openly demanded a $70 million ransom for a universal decryption key for all victims. Kaseya announced that a patch to the exploited vulnerability would be ready by July 11, and warned all VSA customers to keep their servers offline until the patch gets installed.
2. Morgan Stanley discloses breach of customer data at third-party vendor
Investment banking giant Morgan Stanley disclosed a data breach in a letter sent to the Attorney General of New Hampshire on July 2, stating that sensitive data belonging to its customers had been compromised when its third-party vendor Guidehouse was breached through the Accellion FTA vulnerability.
Guidehouse provides account maintenance services to Morgan Stanley’s StockPlan Connect, a digital investment platform where customers can manage their equity portfolios. As such, Guidehouse holds the account-related data of the equity holders, and uses Accellion FTA to store and share them. Even though the data were encrypted, the attackers appeared to have stolen the decryption key as well by exploiting the Accellion FTA vulnerability.
Stolen data included the names, dates of birth, addresses, social security numbers (SSN), and company names of StockPlan Connect users. A notification letter was sent to all those affected.
Even though the attack took place back in January, Guidehouse only discovered the intrusion in March, and took another two months to investigate and find out exactly which files were compromised, before finally notifying Morgan Stanley on May 20.
3. NSW Department of Education hit by cyberattack as new semester begins
On July 8, Australia’s New South Wales Department of Education disclosed a cyberattack incident that forced it to shut down all IT systems.
This attack happened less than a week before all schools were scheduled to start a new semester online. As a result, teachers were unable to prepare for online classes. Servers for emails, calendars, and video conferencing tools were kept offline. COVID-19 guidelines were inaccessible. The entire education system of the state was in a “state of paralysis”.
The Department is currently working with cybersecurity experts to restore its operations. It remains unclear whether this was a ransomware attack.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: ISign+
Car, Energy, Factory, City Solutions: Penta IoT Security