Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Fintech at SaaS Speed
Webinar: Navigating scale and security challenges
Encrypted Traffic Strategies
Webinar: Best practices for enterprise net traffic
Omdia's On-Demand Webinars
Omdia's On-Demand Cybersecurity Webinars
7/8/2021
11:00 AM
Don Tait
Don Tait
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
0%
100%

Kaseya Hacked via Authentication Bypass

The Kaseya ransomware attack is believed to have been down to an authentication bypass. Yes, ransomware needs to be on your radar -- but good authentication practices are also imperative.

Last Friday, just before the extended American Independence Day holiday, it was announced that Kaseya, an American software company, was hacked. The malicious actors were able to distribute ransomware by exploiting several vulnerabilities in Kaseya's Vector Signal Analysis (VSA) software, which gave the attackers the ability to infect multiple organizations via what is known as a supply chain attack.

From Omdia's perspective, supply chain cybersecurity is hugely complex, and many organizations have not paid it sufficient attention. Organizations can have hundreds or even thousands of suppliers digitally connected, and the risks are rarely quantified, and even when they are, it is frequently a manual process.

The attack is suspected to be the work of REvil (Ransomware Evil; also known as Sodinokibi), a ransomware gang with relative impunity operating out of Russia, where authorities frequently turn a blind eye to such gangs. REvil has demanded $70 million in Bitcoin in return for a universal decryptor that it claims will unlock the files of all victims. It is believed that REvil used an authentication bypass in the Web interface of Kaseya VSA to gain an authenticated session, upload the original payload, and then execute commands via SQL injection.

The attack highlights growing concern in the cybersecurity world about supply chain attacks; there are hundreds or thousands of potential victims by attacking a single supplier. The number of companies affected by this attack is unclear and will likely increase. For example, security company Huntress, which was one of the earliest sources to detect the attack, estimates "30 MSPs across the US, AUS, EU, and LATAM" have been breached and that over 1,000 organizations have been infected with ransomware as a result. Moreover, as a result of this attack, around 500 Coop stores in Sweden were also forced to shut.

Rest assured, this isn't the last of the supply chain attacks we will see this year, or perhaps even this month. Recommendations from the USA's Cybersecurity and Infrastructure Security Agency (CISA) for mitigating this particular attack include getting VSA servers offline, enforce multifactor authentication (MFA) as soon as possible, ensure that backups are in order and stored in air-gapped systems, and that remote monitoring and management tools be limited to communication among known IP address pairs.

Organizations must be less trusting of their supply chains and increase focus on understanding and reducing the associated risks.

Don Tait supports and specializes in Omdia's identity, authentication and access intelligence service. Previous research areas where he has published reports includes: blockchain, fintech, Identity and Access Management (IAM), fraud protection in payments, smart cards, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20828
PUBLISHED: 2021-09-17
Cross-site scripting vulnerability in Order Status Batch Change Plug-in (for EC-CUBE 3.0 series) all versions allows a remote attacker to inject an arbitrary script via unspecified vectors.
CVE-2021-20790
PUBLISHED: 2021-09-17
Improper control of program execution vulnerability in RevoWorks Browser 2.1.230 and earlier allows an attacker to execute an arbitrary command or code via unspecified vectors.
CVE-2021-20791
PUBLISHED: 2021-09-17
Improper access control vulnerability in RevoWorks Browser 2.1.230 and earlier allows an attacker to bypass access restriction and to exchange unauthorized files between the local environment and the isolated environment or settings of the web browser via unspecified vectors.
CVE-2021-20825
PUBLISHED: 2021-09-17
Cross-site scripting vulnerability in List (order management) item change plug-in (for EC-CUBE 3.0 series) Ver.1.1 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors.
CVE-2020-21602
PUBLISHED: 2021-09-16
libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_bipred_16_fallback function, which can be exploited via a crafted a file.