
[Updated] Huge cyberattack is happening right now, up to 1000 companies might be affected worldwide

Master Disaster

Just seen it pop up on the BBC, details are quite thin ATM

 

Huntress Labs, a security research firm, are saying that 200 US businesses have just been hit by an attack being orchestrated by a Russian cyberattack group known as REvil.

Quote

About 200 US businesses have been hit by a "colossal" ransomware attack, according to a cyber-security firm.

 

Huntress Labs said the hack targeted Florida-based IT company Kaseya before spreading through corporate networks that use its software.

 

Kaseya said in a statement on its own website that it was investigating a "potential attack".

 

Huntress Labs said it believed the Russia-linked REvil ransomware gang was responsible.

The US Cyberattack Agency has acknowledged the attack and has said they're working to address it.

Quote

The US Cybersecurity and Infrastructure Agency, a federal agency, said in a statement that it was taking action to address the attack.

 

The cyber-breach emerged on Friday afternoon as companies across the US were clocking off for the long Independence Day weekend.

It's currently unknown what the attack is or which businesses are affected. See update 2

 

Update 1 - Looks like it's an exploit in a piece of software called Kaseya VSA. Kaseya are telling anyone using the software to shut off their servers immediately and keep them off until further notice.

https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689

 

Update 2 - Bleeping Computer have released a pretty in-depth breakdown of the attack vector. Looks like it's a supply chain attack that is delivered through VSA's auto-update feature: it drops a file into a folder on the VSA server, then launches PowerShell to certutil the .crt file and extract a fully signed EXE, which then runs and encrypts the entire server. Some companies are reporting politically charged changes to registry keys; in one example the default admin user was renamed to DTrump4Ever

 

Ouch.

https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/

Thanks @Grand Admiral Thrawn

 

Update 3 - Huntress posted an update sometime throughout my night. Looks like the attack hit 30+ MSPs and has now affected up to 1000 businesses in the US, EU, Australia and Latin America.

 

Kaseya have identified and replicated the exploit internally. Still no word on a patch yet.

Update 4

REvil have released a statement on the dark web. They claim to have infected millions of systems and for $70M in BTC they will publicly release a decryption tool. I'm not sure how they expect millions of users from around the globe to collaborate and gather that much BTC though


 

https://www.bbc.co.uk/news/world-us-canada-57703836

 

I'll post updates throughout the day as more details become available

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)
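Added detection example for the chain Update 2 describes (a script host launching certutil to decode a certificate-looking file into an executable that then runs). This is not code from the thread, Huntress, Kaseya or Bleeping Computer; the event shape, field names, file paths and alert threshold are assumptions made for the example, and the log lines are constructed samples, not real telemetry.

```python
"""
Added detection example (not code from the thread, Huntress, Kaseya or
Bleeping Computer): score process-creation events for the chain the OP's
Update 2 describes, a script host launching certutil to decode a
certificate-looking file into an executable that then runs.
The log lines below are CONSTRUCTED samples; field names, paths and the
alert threshold are assumptions for this example.
"""
import json
import shlex
from dataclasses import dataclass, field

DECODE_FLAGS = {"-decode", "-decodehex", "/decode", "/decodehex"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
CERT_EXTS = (".crt", ".cer", ".pem")
EXEC_EXTS = (".exe", ".dll", ".ps1")

# Constructed sample telemetry (Sysmon-like shape, one JSON object per line).
SAMPLE_LOG = r'''
{"host": "vsa-01", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "image": "C:\\Windows\\System32\\certutil.exe", "cmdline": "certutil -decode C:\\example\\update\\agent.crt C:\\example\\update\\agent.exe"}
{"host": "ws-22", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\certutil.exe", "cmdline": "certutil -verify C:\\temp\\site.crt"}
{"host": "ws-07", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\certutil.exe", "cmdline": "certutil -decode C:\\Users\\a\\mail.txt C:\\Users\\a\\mail.bin"}
{"host": "vsa-02", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "image": "C:\\Windows\\System32\\certutil.exe", "cmdline": "certutil -f -decode \"C:\\Program Files\\x\\blob.b64\" C:\\x\\tool.dll"}
'''


@dataclass
class Alert:
    host: str
    score: int
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_events(text: str) -> list:
    """Parse JSON-per-line telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_certutil(cmdline: str):
    """Return (infile, outfile) for a certutil decode command, else None.
    certutil syntax is `certutil [options] -decode InFile OutFile`, so the two
    paths follow the decode flag; non-POSIX splitting keeps backslashes intact."""
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not toks or basename(toks[0]) not in ("certutil", "certutil.exe"):
        return None
    idx = next((i for i, t in enumerate(toks) if t.lower() in DECODE_FLAGS), None)
    if idx is None or len(toks) < idx + 3:
        return None
    return toks[idx + 1], toks[idx + 2]


def score_event(ev: dict):
    """Score one process-creation event; None when it is not a certutil decode."""
    if basename(ev.get("image", "")) != "certutil.exe":
        return None
    parsed = parse_certutil(ev.get("cmdline", ""))
    if parsed is None:
        return None
    infile, outfile = parsed
    alert = Alert(ev.get("host", "?"), 1, ["certutil used to decode a file"])
    parent = basename(ev.get("parent", ""))
    if parent in SCRIPT_HOSTS:               # the thread's chain: PowerShell -> certutil
        alert.score += 2
        alert.reasons.append(f"launched by script host {parent}")
    if infile.lower().endswith(CERT_EXTS):   # payload disguised as a certificate
        alert.score += 1
        alert.reasons.append("input file masquerades as a certificate")
    if outfile.lower().endswith(EXEC_EXTS):  # decoded output is runnable
        alert.score += 3
        alert.reasons.append("decoded output is an executable")
    return alert


def detect(events: list, threshold: int = 4) -> list:
    """Return alerts whose score reaches the threshold (assumed value)."""
    hits = []
    for ev in events:
        alert = score_event(ev)
        if alert is not None and alert.score >= threshold:
            hits.append(alert)
    return hits


if __name__ == "__main__":
    for a in detect(load_events(SAMPLE_LOG)):
        print(f"{a.host}: score {a.score} ({'; '.join(a.reasons)})")
```

Running it prints the two constructed hits. The scoring is deliberately additive so that a lone `certutil -decode` of a text file on a workstation stays below the threshold, while the PowerShell-to-certutil-to-EXE chain on a server clears it; on real telemetry the parent-process and output-extension checks are the ones worth keeping even if the threshold is tuned.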


Caused a bunch of trouble for the company I work for already. Not directly affected but an ISP that hosts some major services is having issues, which in turn is affecting our systems since last night.


Zero day or a known exploit being used?

 

If it's known then the companies should be fined heavily, patch your damn software.

PC - NZXT H510 Elite, Ryzen 5600, 16GB DDR3200 2x8GB, EVGA 3070 FTW3 Ultra, Asus VG278HQ 165hz,

 

Mac - 1.4ghz i5, 4GB DDR3 1600mhz, Intel HD 5000.  x2

 

Endlessly wishing for a BBQ in space.


2 hours ago, Master Disaster said:

cyberattack group known as REvil.

REvil -> RE Village -> Capcom starting a new side-business?

 

Well hopefully they can figure it out soon.

Crystal: CPU: i7 7700K | Motherboard: Asus ROG Strix Z270F | RAM: GSkill 16 GB@3200MHz | GPU: Nvidia GTX 1080 Ti FE | Case: Corsair Crystal 570X (black) | PSU: EVGA Supernova G2 1000W | Monitor: Asus VG248QE 24"

Laptop: Dell XPS 13 9370 | CPU: i5 10510U | RAM: 16 GB

Server: CPU: i5 4690k | RAM: 16 GB | Case: Corsair Graphite 760T White | Storage: 19 TB


56 minutes ago, Tieox said:

Zero day or a known exploit being used?

 

If it's known then the companies should be fined heavily, patch your damn software.

If I had to guess I'd say 0 Day but right now, no one seems to be saying (or they don't know).


34 minutes ago, tikker said:

REvil -> RE Village -> Capcom starting a new side-business?

 

Well hopefully they can figure it out soon.



32 minutes ago, Grand Admiral Thrawn said:

Cheers for this, added to OP 🙂


Wow, this week has not been good in the cyber security world and I fear it's going to keep getting worse. First we had Dell and the remote exploit, then Windows with the print spooler exploit, and now this.


Huge attack in Sweden as well, some grocery stores cannot accept any customers because the payment system has been compromised.

If it ain´t broke don't try to break it.


34 minutes ago, TheReal1980 said:

Huge attack in Sweden as well, some grocery stores cannot accept any customers because the payment system has been compromised.

It's more of a by-proxy side effect than a direct attack. The software that has been compromised is used VERY widely in large datacenters and as a result said DCs have had to shut down huge chunks of their networks; this has had a knock-on effect on everything else, with routes being either VERY congested or, in some cases, not available at all.

 

The attacks have been solely directed at US companies, at least AFAWK so far. The attacks started on Friday afternoon 2 days before July 4th, the exact time everyone gets to go home early from work for the holiday weekend.


Whatever criminal syndicate was behind this was stupid. Hitting all at once is a sure way to not keep a low profile. But with the added political trolling mixed in, the hubris makes it all the more telling.


#TooPolitical

54 minutes ago, TheReal1980 said:

Huge attack in Sweden as well, some grocery stores cannot accept any customers because the payment system has been compromised.

What kind of attack? As in attacking the devices or the payment system to credit cards?


56 minutes ago, Quackers101 said:

#TooPolitical

What kind of attack? As in attacking the devices or the payment system to credit cards?

In theory, CC information should be safe as the transaction is (or should be) encrypted end-to-end from the card/chip scanner to the gateway processing service. But nonetheless it's still an issue because if the POS (Point of Sale) terminal was running Windows, as is typically the case, it would be down. That means business is down.


must have forgotten to add those to the list of "off limits" 🤣


Do we have a list of potentially affected companies?

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


50 minutes ago, TetraSky said:

Do we have a list of potentially affected companies?

That would be too huge to bother, a notable list would be more useful but you will not find any companies wanting to broadcast that they have it right now or typically at all anyway.


2 minutes ago, leadeater said:

That would be too huge to bother, a notable list would be more useful but you will not find any companies wanting to broadcast that they have it right now or typically at all anyway.

Any of your systems use VSA?


6 minutes ago, leadeater said:

Nope 🥳

 

But I know plenty that do, most IT service providers so RIP them and their customers.

My previous MSP switched to Kaseya exclusively for /ALL/ their clients a few years ago.

 

I'm SOOOOOO glad I'm not there right now.


7 hours ago, SlidewaysZ said:

Wow, this week has not been good in the cyber security world and I fear it's going to keep getting worse. First we had Dell and the remote exploit, then Windows with the print spooler exploit, and now this.

That's because a lot of security is an afterthought, especially with companies outsourcing to companies who have no loyalty to their client or country.

 

e.g. (big company) outsources to ***, who use their offices in a cheaper-labor country, which in turn outsources back to a local company in the country, and that company in turn outsources to a small company in the city the big company operates in.

 

There are so many middlemen involved that ultimately the big company doesn't know how many people have access to their systems. With the pandemic, things got absolutely weird as the "teams" that *** would send somewhere couldn't go, so they had to ship everything piecemeal and then hire various local companies to do specific steps.

 

What would fix that would require changes in regulations regarding who can touch what. For example, if !!!! contracted *** to manage their IT systems, *** should be required to only hire and use IT staff in the same state, so that the people who touch things are all subject to the same laws of the country and state they are working in. All consumer data likewise should not leave the state. Customers in Florida should not be subject to laws in California any more than customers in Canada should be subject to laws in the US.

 

Right now what happens is that someone drops the ball, and *** can just cancel their subcontractors' contracts and blame them for dropping the ball rather than take any responsibility for their own lapses in security.

 

The issue with Dell earlier is something that Dell could fix if Dell was actually managing the hardware: they could just push an update and every affected machine would be updated before the issue is exploited. But that's not typically how it works. There may be two or more layers of IT companies in the way of doing so.

 

The more there are, the longer it takes. So perhaps Microsoft and Apple are right, maybe updates should be automatic and not allow the user to opt out, not even enterprise users. If something breaks due to an update, roll it back and report the rollback and what it broke.

 


*Never heard of this company and started searching*

 

There goes their IPO.

Quote

Voccola is confident that Kaseya's growth will continue even as COVID-related restrictions on businesses lift in the coming months. One factor is the massive SolarWinds hack that compromised major businesses and the highest levels of US government.

 

While SolarWinds is a Kaseya competitor, Voccola stopped short of criticizing the company: "I'm not going to say they suck because of this."

 

 

https://www.businessinsider.com/2-billion-kaseya-planning-ipo-in-2021-pandemic-spurs-business-2021-1

 

 


1 hour ago, Kisai said:

That's because a lot of security is an afterthought, especially with companies outsourcing to companies who have no loyalty to their client or country.

 

e.g. (big company) outsources to ***, who use their offices in a cheaper-labor country, which in turn outsources back to a local company in the country, and that company in turn outsources to a small company in the city the big company operates in.

 

There are so many middlemen involved that ultimately the big company doesn't know how many people have access to their systems. With the pandemic, things got absolutely weird as the "teams" that *** would send somewhere couldn't go, so they had to ship everything piecemeal and then hire various local companies to do specific steps.

 

What would fix that would require changes in regulations regarding who can touch what. For example, if !!!! contracted *** to manage their IT systems, *** should be required to only hire and use IT staff in the same state, so that the people who touch things are all subject to the same laws of the country and state they are working in. All consumer data likewise should not leave the state. Customers in Florida should not be subject to laws in California any more than customers in Canada should be subject to laws in the US.

 

Right now what happens is that someone drops the ball, and *** can just cancel their subcontractors' contracts and blame them for dropping the ball rather than take any responsibility for their own lapses in security.

 

The issue with Dell earlier is something that Dell could fix if Dell was actually managing the hardware: they could just push an update and every affected machine would be updated before the issue is exploited. But that's not typically how it works. There may be two or more layers of IT companies in the way of doing so.

 

The more there are, the longer it takes. So perhaps Microsoft and Apple are right, maybe updates should be automatic and not allow the user to opt out, not even enterprise users. If something breaks due to an update, roll it back and report the rollback and what it broke.

 

Wouldn't help in this case since it was a chain attack: they took control of the software's automatic update repository and seeded the malware to everyone using it. The users figured it was a normal update and let it go, and everything was signed on the users' end so there was no suspicion; as soon as they allowed the update to run they effectively infected their own servers.

 

If it was me I'd have set a timebomb, start seeding the update when they did but have the payload wait for 24 hours before triggering. They could have caused global chaos.


47 minutes ago, Master Disaster said:

Wouldn't help in this case since it was a chain attack: they took control of the software's automatic update repository and seeded the malware to everyone using it. The users figured it was a normal update and let it go, and everything was signed on the users' end so there was no suspicion; as soon as they allowed the update to run they effectively infected their own servers.

 

If it was me I'd have set a timebomb, start seeding the update when they did but have the payload wait for 24 hours before triggering. They could have caused global chaos.

omg man, don't give them ideas!

"Don't fall down the hole!" ~James, 2022

 

"If you have a monitor, look at that monitor with your eyeballs." ~ Jake, 2022


This morning I noticed my Snapchat notified me of a log in from Turkey, I changed that password fast...

Phone 1 (Daily Driver): Samsung Galaxy Z Fold2 5G

Phone 2 (Work): Samsung Galaxy S21 Ultra 5G 256gb

Laptop 1 (Production): 16" MBP2019, i7, 5500M, 32GB DDR4, 2TB SSD

Laptop 2 (Gaming): Toshiba Qosmio X875, i7 3630QM, GTX 670M, 16GB DDR3


According to Huntress Labs posting on Reddit:

 

Quote

"We are tracking ~30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was used to encrypt well over 1,000 businesses and are working in collaboration with many of them. All of these VSA servers are on-premises and Huntress assesses with high confidence that cybercriminals exploited a vulnerability to gain access into these servers. Huntress assesses with moderate confidence that the web interface was not directly used by the attackers."

They later followed up that they've found the attack vector and are attempting to plug the hole.
