The Kaseya Ransomware Attack SME Breakdown, DOD Data Left Unprotected, Morgan Stanley Data Breach & Email Exploitation
1. Kaseya Ransomware Attackers Demand A $70 Million Ransom
- An affiliate of the notorious REvil ransomware gang compromised Kaseya’s virtual systems administrator (VSA) software. The Russian-linked attackers compromised the backend architecture of the IT infrastructure management tool. They used its notification capability to send a malicious update to VSA servers running on client environments. Thus, installing a ransomware code onto all connected systems.
- Following the initial compromise, the attackers requested a $5 million ransom in exchange for a decryptor key. However, when the attackers realized the scale of the incident, they then offered a master decryptor key in exchange for a ransom payment of $70 million. This master decryptor key could, allegedly, unlock all impacted systems.
- While the FBI is currently investigating the magnitude of this attack, it is unlikely that every impacted company would receive direct support from the federal government due to over-stretched resources. However, within 48 hours, this ransomware incident has forced a major Swedish grocery chain to shut down most of its 800 stores due to the impact on their payment systems.
Expert Commentary: This year’s widespread ransomware attacks show that threat actors are leveraging the remote access capability of software tools as a conduit to compromise critical infrastructures. According to the CEO of Kaseya, 70% of the victims were MSPs. Due to their proximity to critical data, MSPs will likely continue to be victims of large-scale ransomware attacks. Additionally, the REvil ransomware gang and its affiliates prefer to launch their ransomware attacks during significant holidays to slow down any mitigation activities. As a result, most small to midsize companies impacted by this ransomware attack will experience significant recovery challenges.
2. Threat Actors Leverage Kaseya Ransomware Attack to Spread Malware
- As organizations scramble to fortify their IT infrastructure against ransomware activities associated with the Kaseya VSA compromise, threat actors employ social engineering and mal-spamming tactics to deploy malicious security updates.
- According to security researchers, threat actors are injecting executable files laced with Cobalt Strike payload. These boobytrapped security updates include an attachment named “SecurityUpdate.exe,” designed to create a backdoor in a victim’s network.
- If successfully deployed within a target’s IT infrastructure, this malicious campaign gives an attacker persistent remote access. Although Kaseya has released a detection tool to discover ransomware activities linked to its VSA software, the patch for on-premise users is delayed.
Expert Commentary: Although Cobalt Strike is a legitimate security tool, threat actors have circumvented its network vulnerability broadcasting capabilities to exploit network weaknesses. Generally speaking, most threat actors are opportunistic in nature. Thus, such a nature is one of the driving forces behind the ransomware attack model. While the REvil ransomware gang launched the initial ransomware attack against Kaseya, low-tier threat actors will continue to piggyback off of REvil’s spoils by leveraging human error and poor security best practices, including an inconsistent patch management lifecycle.
3. U.S. Defense Technology Plans Left Unsecured on A Pentagon Computer
- Security researchers discovered that several 3D printing plans for U.S. military combat artifacts were left exposed on a computer in the Pentagon. The uncovered 3D printing plans include blueprints for military protective body armors, tactical military vehicles, weapons systems brackets, etc.
- The U.S. Department of Defense was unaware that the systems in a Pentagon office were connected to local networks and the world wide web via unauthorized systems miscategorization and removable media introduced into the otherwise secure Pentagon network.
- Following an in-depth analysis, it appears that of the 46 computers attached to the 3D printing technology, 35 had not been updated or patched in more than five years. In addition, Pentagon officials overlooked basic security configurations on systems, including failing to fix a 2-year-old vulnerability that could have allowed an attacker to infiltrate the network and perform privilege escalation.
Expert Commentary: This incident is a perfect example of a continuous risk assessment protocol crucial in a computer environment. By doing so, organizations will detect security gaps that could otherwise be buried in the systems architecture. To ensure that secure networks remain so, it is crucial that organizations also monitor removable media entering into the network perimeter.
4. Morgan Stanley Suffers a Data Breach
- The investment banking firm, Morgan Stanley, reported that its systems were infiltrated, and sensitive data were exfiltrated. According to the investment bank, threat actors hacked into the Accellion FTA server of a third party (Guidehouse) and stole the personally identifiable information (PII) belonging to customers.
- Although some of the stolen files were encrypted on Guidehouse’s Accellion FTA server, the attackers successfully stole the data encryption keys during the attack.
- After a thorough forensic investigation, Morgan Stanley disclosed that access credentials were not stolen during the attack. However, the stolen files contained customers’ date of birth, social security numbers, stock plan participants’ names, etc.
Expert Commentary: In today’s threat landscape, most organizations that use third-party IT management software will become victims of a supply chain security incident at least once. Therefore, the compromise of Accellion FTA servers impacted more than 300 global organizations across multiple industries. Additionally, threat groups that continue to leverage the Accellion attack include the Clop ransomware gang and the FIN11 cybercrime gang.
5. Email Fatigue Leaves Users Vulnerable to Cybercriminal Exploitation
- While the remote work culture has relied on email as the primary means of communication, users have to sift through hundreds of emails per day. Therefore, critical business operations are being shared between email servers more than ever before.
- Email is the first vector of attack that threat actors use to compromise an IT infrastructure. In fact, in the last two years, email phishing accounts for about 80% of all reported security incidents, and 95% of all cyberattacks that impact enterprise systems occur due to spear-phishing.
- Hence, cybercriminals have taken advantage of the exhausting and time-consuming nature of present-day email operations to improve attack tactics, techniques, and procedures (TTPs), such that 94% of email-based attacks tend to be successful.
Expert Commentary: Cybercriminals often rely on impersonation tactics, whereby the emotion of victims are leveraged to complete an attack. As a rule of thumb, cybercriminals focused on the ransomware-as-a-service attack model are experts in exploiting chaos within a human-based environment. Therefore, to reduce the daunting tasks associated with email communication, organizations must leverage email process automation. In addition, consistent security awareness training will help to reinforce a user’s malware detection abilities.
Share This Story, Choose Your Platform!
Get Updates Right In Your Inbox