The Nightmare of Supply Chain Threats Becomes Real … Meet the Kaseya Attack

We must admit, sometime soon, that we are generally just not very good at cybersecurity. While our core infrastructures are fairly well protected, it is often the devices and systems at the edge of our networks that provide a point of attack, a point of infection and even a pivot point. Once behind a network firewall, there is often little in the way of detection and protection. The ultimate risk, though, lies in our supply chain networks, as these infrastructures tend to be interconnected and dependent on other external entities. A malware infection in one part can thus affect other parts, and could bring down the whole infrastructure — like a house of cards.

Over the past few days, experts have been assessing the scope of the most recent large-scale ransomware attack (the Kaseya attack). At its core is the REvil ransomware-as-a-service infrastructure, which provides an end-to-end service for affiliates: in return for a share of the profits, it supports them in setting up a campaign, distributing the malware and collecting payments. An affiliate of the REvil network is now demanding a $70m ransom payment for a decryptor that would release the thousands of victims of the Kaseya attack, and the millions of devices they run. The attack has also scaled around the world, with infections reported in over 17 countries.

The source of the breach was a zero-day exploit against the Miami-based company Kaseya, which makes the VSA remote management software (managed dashboards) used by managed service providers. VSA automates software and security updates and also manages backups, and it is used by tens of thousands of Kaseya's customers. A major worry is that these customers run many interconnected devices, which could in turn infect other devices outside the managed domain. To counter the effect, Kaseya issued a malware detection tool to its customers over the weekend, and announced that the threat was focused only on companies running VSA in their own data centres (on-premise) and not on those using Kaseya's cloud-hosted service. Even so, all of Kaseya's services were down over Sunday, 4 July 2021.

In Sweden, Coop closed around 800 stores for several days because its cash registers were down; a pharmacy chain, the state railway and the public broadcaster were also affected. The incident has also become a whole lot more political, with some US leaders blaming state-sponsored actors for playing a key role in the infection.

For REvil, the attack has probably scaled up faster than they could have imagined, and it could continue to grow as interconnected systems are infected. That leads to a nightmare situation in which the spread cannot be stopped, so an early settlement and the release of the decryptor would probably be the best outcome for the attackers too. Insurance companies may thus be weighing the longer-term damage against paying the ransom. For Kaseya, it looks likely that the intruders did not break the company's core code but exploited the system through third-party libraries. The target of the attack is MSPs (Managed Service Providers), which manage devices on behalf of their customers. An attack on an MSP can propagate an infection from one customer to another unless there is strong isolation and segmentation between them: the same management channel that pushes legitimate updates to every endpoint can just as easily push malware to every endpoint.

Intelligence agencies have been keeping a close watch on ransomware payments on the Bitcoin network, whose ledger is public and traceable, so the cybercriminals have asked for payment in Monero, which supports fully anonymised transactions.

Conclusions

SolarWinds was an early warning of targeted attacks against supply chains. The nightmare scenario now evolves into one where billions of insecure devices could be attacked and shut down in an instant. Think of the damage that an attack on our traffic lights, our airline systems, our energy network and our health care infrastructure might do, and a supermarket chain going down in Sweden will be the least of our problems. We need to secure devices by design and build secure and trusted infrastructures. For now, the Internet we have is much like the Internet we created in the 1980s, and our Internet infrastructure could topple like a house of cards.

Here’s a bit of background on how ransomware works: