Contributed by Edwin Doyle, Global Security Strategist, Check Point Software.
Jul 6–American Independence Day is one of the largest celebrations of the year, when most businesses give all their employees a one-day holiday in anticipation of feeling patriotic.
However, a CISO never sleeps, let alone takes a vacation, & that was especially true this past July 4th weekend, when REvil notched up another successful breach of a US-based company, Kaseya, which develops SW for managing networks, systems & other information technology infrastructure across the world.
In yet another “most important cyber security event of the year,” this ransomware attack has some unique features. It’s the first time a ransom of $70 million has been demanded (yes, you read that correctly: a whopping $70,000,000.00). The threat actors have become more sophisticated in their demands: after hacking into Kaseya’s management systems, REvil pushed their own obfuscated SW updates to all of the customer systems under Kaseya’s management; so far, 1,500 businesses have been victimized. From there, the ransomware disabled those computers & demanded approx. $45,000 per system to decrypt the machines (REvil claims to have hit about one million computers in total, but is impertinently offering a bulk discount if all victims collectively decide to pay; hence the “reduced price” of $70 million in total ransom).

And while it’s nothing new for warfare to exploit holidays & religious celebrations to increase the probability that fewer guardians will be on duty, REvil are surely thumbing their noses at American society: as of this writing, no business in a former USSR country has been threatened. That reminds me of the Nuclear Exploit Kit, dismantled by cyber security firm Check Point SW in 2016, which was the most sophisticated exploit kit of its time & was hardwired not to breach any former USSR bloc country.
Earlier this year, I wrote about the then-most-important cyber security breach of the year, at insurance behemoth CNA Insurance, where I postulated that the threat actors might have been looking for data on insurance premiums to gauge their ransom price more effectively. Since then, we’ve had yet another “most important cyber security event of the year” in the Colonial Pipeline breach, & now Kaseya. I’d also written about how CNA’s PR firm bungled the disclosure of the breach, basically telling their customers, ‘if we think you’ve been affected, we’ll let you know’; hardly the advice needed to shore up our defenses (incidentally, the PR firm also suppressed the fact that CNA paid the threat actors a massive $40 million to recover their files). Kaseya, however, are to be praised! Upon hearing of the breach, Kaseya’s CEO, Fred Voccola, immediately held a press conference & disclosed as much information as he could, demonstrating great strength of character & putting all of us on the path to stronger cyber security awareness.
While the impact of the breach is enormous, the mechanics of the breach are also worthy of note. REvil has shown its expertise in deception by subverting legitimate SW delivery from a known vendor (Kaseya) as a means to install ransomware on the computers that trusted that delivery channel (Kaseya’s customers & the businesses those customers manage). The victims did nothing unusual: they accepted an update from the same place every previous, genuine update had come from.
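The trust failure described above, as an added illustration that is not part of the original article and does not reproduce Kaseya’s software or REvil’s tooling: an update client that applies whatever its vendor channel delivers, beside one that refuses any artifact whose SHA-256 does not match a manifest the operator pinned through a path the update server cannot rewrite. The file name, update bytes and manifest below are constructed for the example.

```python
"""Added example (not Kaseya's code, not REvil's payload): a weak update
client that trusts the delivery channel, next to a hardened one that only
applies artifacts listed in an out-of-band pinned manifest.
All names, bytes and digests here are constructed for illustration."""
import hashlib
import hmac

# Constructed sample: the update the vendor genuinely published.
GENUINE_UPDATE = b"agent-hotfix v1.2.3: legitimate patch body"
# Constructed sample: what an attacker who controls the channel pushes
# under the very same artifact name.
TAMPERED_UPDATE = b"agent-hotfix v1.2.3: ransomware dropper"

# Manifest pinned by the operator via a channel the update server cannot
# alter (e.g. digests published with signed release notes and checked
# by hand). Assumed artifact name; the digest is derived, not guessed.
PINNED_MANIFEST = {
    "agent-hotfix-1.2.3.bin": hashlib.sha256(GENUINE_UPDATE).hexdigest(),
}


def apply_update_trusting_channel(name: str, payload: bytes) -> bool:
    """Weak client: the channel is the only 'proof', so every push is
    applied. Returns True to signal the artifact was accepted."""
    return True


def apply_update_verified(name: str, payload: bytes, manifest: dict) -> bool:
    """Hardened client: accept an artifact only if its name is in the
    pinned manifest AND its SHA-256 matches the pinned digest.
    Returns True if applied, False if rejected."""
    expected = manifest.get(name)
    if expected is None:
        return False  # unknown artifact name: never apply
    actual = hashlib.sha256(payload).hexdigest()
    # constant-time comparison; avoids leaking how many hex digits matched
    return hmac.compare_digest(actual, expected)


def simulate(pushes):
    """Feed a list of (name, payload) pushes through both clients.
    Returns (accepted_by_weak_client, accepted_by_verified_client)."""
    weak = sum(apply_update_trusting_channel(n, p) for n, p in pushes)
    strong = sum(apply_update_verified(n, p, PINNED_MANIFEST) for n, p in pushes)
    return weak, strong


if __name__ == "__main__":
    pushes = [
        ("agent-hotfix-1.2.3.bin", GENUINE_UPDATE),
        ("agent-hotfix-1.2.3.bin", TAMPERED_UPDATE),
    ]
    print("accepted (weak, verified):", simulate(pushes))
```

The check only helps against an attacker who can inject files into the update channel but cannot also forge the out-of-band manifest; if the vendor’s own build or signing path is what has been subverted, a pinned digest of the poisoned artifact buys nothing, which is why a compromised vendor is such a high-yield target.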
Given that supply chain attacks are the new sophisticated, high-yielding method of choice for cyber crime syndicates, imagine for a moment an attack against an organization controlling billions of devices. It would make the current ransoms pale in significance: a successful attack on a company like Apple, Microsoft or Google would disrupt entire global networks, including some infrastructure.
Our hearts go out to the many small businesses affected by this attack, who, after a difficult year surviving lockdowns, are once again locked out of the systems they need to do business.
As more information emerges, Cyber Talk will provide updates.