Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Fintech at SaaS Speed
Webinar: Navigating scale and security challenges
Encrypted Traffic Strategies
Webinar: Best practices for enterprise net traffic
Omdia's On-Demand Webinars
Omdia's On-Demand Cybersecurity Webinars
// // //
7/8/2021
11:00 AM
Don Tait
Don Tait
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv

Kaseya Hacked via Authentication Bypass

The Kaseya ransomware attack is believed to have been down to an authentication bypass. Yes, ransomware needs to be on your radar -- but good authentication practices are also imperative.

Last Friday, just before the extended American Independence Day holiday, it was announced that Kaseya, an American software company, was hacked. The malicious actors were able to distribute ransomware by exploiting several vulnerabilities in Kaseya's Vector Signal Analysis (VSA) software, which gave the attackers the ability to infect multiple organizations via what is known as a supply chain attack.

From Omdia's perspective, supply chain cybersecurity is hugely complex, and many organizations have not paid it sufficient attention. Organizations can have hundreds or even thousands of suppliers digitally connected, and the risks are rarely quantified, and even when they are, it is frequently a manual process.

The attack is suspected to be the work of REvil (Ransomware Evil; also known as Sodinokibi), a ransomware gang with relative impunity operating out of Russia, where authorities frequently turn a blind eye to such gangs. REvil has demanded $70 million in Bitcoin in return for a universal decryptor that it claims will unlock the files of all victims. It is believed that REvil used an authentication bypass in the Web interface of Kaseya VSA to gain an authenticated session, upload the original payload, and then execute commands via SQL injection.

The attack highlights growing concern in the cybersecurity world about supply chain attacks; there are hundreds or thousands of potential victims by attacking a single supplier. The number of companies affected by this attack is unclear and will likely increase. For example, security company Huntress, which was one of the earliest sources to detect the attack, estimates "30 MSPs across the US, AUS, EU, and LATAM" have been breached and that over 1,000 organizations have been infected with ransomware as a result. Moreover, as a result of this attack, around 500 Coop stores in Sweden were also forced to shut.

Rest assured, this isn't the last of the supply chain attacks we will see this year, or perhaps even this month. Recommendations from the USA's Cybersecurity and Infrastructure Security Agency (CISA) for mitigating this particular attack include getting VSA servers offline, enforce multifactor authentication (MFA) as soon as possible, ensure that backups are in order and stored in air-gapped systems, and that remote monitoring and management tools be limited to communication among known IP address pairs.

Organizations must be less trusting of their supply chains and increase focus on understanding and reducing the associated risks.

Don Tait supports and specializes in Omdia's identity, authentication and access intelligence service. Previous research areas where he has published reports includes: blockchain, fintech, Identity and Access Management (IAM), fraud protection in payments, smart cards, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-2838
PUBLISHED: 2022-08-16
In Eclipse Sphinxâ„¢ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests.
CVE-2022-35734
PUBLISHED: 2022-08-16
'Hulu / ????' App for Android from version 3.0.47 to the version prior to 3.1.2 uses a hard-coded API key for an external service. By exploiting this vulnerability, API key for an external service may be obtained by analyzing data in the app.
CVE-2022-36293
PUBLISHED: 2022-08-16
Buffer overflow vulnerability in Nintendo Wi-Fi Network Adaptor WAP-001 All versions allows an attacker with an administrative privilege to execute arbitrary code via unspecified vectors.
CVE-2022-36344
PUBLISHED: 2022-08-16
An unquoted search path vulnerability exists in 'JustSystems JUST Online Update for J-License' bundled with multiple products for corporate users as in Ichitaro through Pro5 and others. Since the affected product starts another program with an unquoted file path, a malicious file may be executed wit...
CVE-2022-36381
PUBLISHED: 2022-08-16
OS command injection vulnerability in Nintendo Wi-Fi Network Adaptor WAP-001 All versions allows an attacker with an administrative privilege to execute arbitrary OS commands via unspecified vectors.