How REvil Ransomware Took Out Thousands of Businesses at Once
A massive chain reaction on Friday infected at least hundreds, and likely thousands, of businesses worldwide with ransomware, among them a railway, a pharmacy chain, and hundreds of branches of the Swedish Coop grocery store brand. Carried out by the notorious Russian REvil criminal group, the attack is a watershed moment: a combination of ransomware and a so-called supply chain attack. Now it is becoming clearer exactly how they pulled it off.
Some details were known as early as Friday afternoon. To spread their ransomware to countless targets, the attackers found a vulnerability in the update mechanism used by the IT services company Kaseya. The firm develops software for managing business networks and devices, and sells those tools to other companies known as managed service providers (MSPs). MSPs, in turn, contract with small and medium-sized businesses, or any organization that does not want to run its own IT infrastructure. By seeding its ransomware through Kaseya’s trusted distribution mechanism, an attacker could infect the Kaseya infrastructure of MSPs and then watch the dominoes fall as those MSPs inadvertently distributed the malware to their customers.
But by Sunday, security researchers had pieced together key details about how the attackers obtained and used that initial foothold.
“What is interesting is that REvil used trusted applications in every instance to get access to the targets. Usually, ransomware attackers need to use multiple vulnerabilities at different stages to do that, or time on the network to discover administrator passwords,” said Sean Gallagher, a senior threat researcher at Sophos, which released new findings about the attack on Sunday. “This is a step above the usual ransomware attack.”
Trust Exercise
The attack hinged on an initial vulnerability in Kaseya’s automatic update system for its remote monitoring and management product, known as VSA. It is still unclear whether the attackers exploited the vulnerability all the way up the chain in Kaseya’s own central systems. More likely, they compromised individual VSA servers operated by MSPs and pushed malicious “updates” from there to those MSPs’ customers. REvil also appears to have tailored its ransom demands, and even some of its attack techniques, to each target rather than taking a one-size-fits-all approach.
The timing of the attack was particularly unlucky, because security researchers had already identified the underlying vulnerability in Kaseya’s update system. Wietse Boonstra of the Dutch Institute for Vulnerability Disclosure had been working with Kaseya to develop and test patches for the flaw. The fix was close to release, but it had not been deployed by the time REvil struck.
“We did our best, and Kaseya did their best,” said Victor Gevers, a researcher at the Dutch Institute for Vulnerability Disclosure. “I think this is a vulnerability that is easy to find. That is probably why the attackers won the final sprint.”
The attackers exploited the vulnerability to distribute a malicious payload to vulnerable VSA servers. But that also meant they reached the VSA agent application running on the Windows devices of those MSPs’ customers. The VSA “working folder” on those machines is typically treated as a trusted walled garden: malware scanners and other security tools are configured to exclude it and ignore whatever runs from it. An exclusion like that is convenient for an update mechanism, but it gives anyone who can write into the folder a blind spot, and that is exactly the cover these attackers used.
Once deposited, the malware ran a series of commands to hide its activity from Microsoft Defender, the malware scanning tool built into Windows. Finally, the malware instructed the Kaseya update process to run a legitimate but outdated and expired version of Microsoft’s “Antimalware Service,” a component of Windows Defender. Because that old binary is signed by Microsoft and loads its supporting libraries by name from its own directory, an attacker who places a malicious library next to it can “sideload” their code into a trusted process, sneaking it past Windows Defender the same way Luke Skywalker sneaks past the stormtroopers while wearing their armor. From there the malware began encrypting files on the victim’s machine. It even took steps to make it harder for victims to recover from their data backups.
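The two behaviours described in the last two paragraphs leave recognisable traces in endpoint telemetry: a command line that switches off Defender features, and a copy of the Defender Antimalware Service executable (MsMpEng.exe) started from somewhere other than its installed location, or by something other than the Windows service manager. The following detection logic is an added example written for this page, not code from the article, Sophos or Kaseya. The process-creation events it runs over are constructed; the Kaseya agent path, the `C:\kworking` working folder and the host names are assumptions for illustration, and the `Set-MpPreference` switches are the generic way to weaken Defender from PowerShell, not a claim about the exact commands REvil ran.

```python
"""Flag Defender tampering and a misplaced Antimalware Service executable
in process-creation events. Added example; sample events are constructed."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Where a genuine MsMpEng.exe (the Antimalware Service Executable) lives.
LEGIT_DEFENDER_DIRS = (
    PureWindowsPath(r"C:\Program Files\Windows Defender"),
    PureWindowsPath(r"C:\ProgramData\Microsoft\Windows Defender\Platform"),
)

# Set-MpPreference switches that weaken Defender. Re-enabling ($false) is
# deliberately not matched, so a remediation script does not trip the rule.
TAMPER_RE = re.compile(
    r"Set-MpPreference\b.*?(?:"
    r"-Disable\w+\s+(?:\$true|1)\b"
    r"|-EnableControlledFolderAccess\s+Disabled"
    r"|-MAPSReporting\s+Disabled"
    r"|-SubmitSamplesConsent\s+NeverSend"
    r")",
    re.IGNORECASE,
)


def is_defender_tamper(command_line: str) -> bool:
    """True if the command line switches off a Defender feature."""
    return TAMPER_RE.search(command_line) is not None


def _under(path: PureWindowsPath, parent: PureWindowsPath) -> bool:
    """Case-insensitive 'path is inside parent' test on Windows paths."""
    p = [s.lower() for s in path.parts]
    q = [s.lower() for s in parent.parts]
    return p[: len(q)] == q


def suspicious_antimalware_service(ev: ProcEvent) -> Optional[str]:
    """Reason string if MsMpEng.exe ran from an odd place or odd parent, else None."""
    image = PureWindowsPath(ev.image)
    if image.name.lower() != "msmpeng.exe":
        return None
    reasons = []
    if not any(_under(image.parent, d) for d in LEGIT_DEFENDER_DIRS):
        reasons.append(f"MsMpEng.exe started from {image.parent}")
    # The real service is started by the service control manager.
    if PureWindowsPath(ev.parent_image).name.lower() != "services.exe":
        reasons.append(f"parent is {ev.parent_image}, not services.exe")
    return "; ".join(reasons) or None


def detect(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, rule, detail) findings for the given events."""
    findings = []
    for ev in events:
        if is_defender_tamper(ev.command_line):
            findings.append((ev.host, "defender-tamper", ev.command_line))
        reason = suspicious_antimalware_service(ev)
        if reason:
            findings.append((ev.host, "antimalware-service-sideload", reason))
    return findings


# Constructed sample telemetry (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    # Genuine Defender service start: no finding.
    ProcEvent("ws01", r"C:\Windows\System32\services.exe",
              r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2105.5-0\MsMpEng.exe",
              r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2105.5-0\MsMpEng.exe"),
    # Admin reading settings: no finding.
    ProcEvent("ws01", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-MpPreference"),
    # RMM agent (assumed path) spawning PowerShell that disables Defender.
    ProcEvent("ws02", r"C:\Program Files (x86)\Kaseya\AgentMon.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -Command Set-MpPreference "
              "-DisableRealtimeMonitoring $true -DisableIOAVProtection $true"),
    # Old MsMpEng.exe run from the assumed agent working folder by a dropper.
    ProcEvent("ws02", r"C:\kworking\agent.exe", r"C:\kworking\MsMpEng.exe",
              r"C:\kworking\MsMpEng.exe"),
]

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

The two rules are independent on purpose: the tampering rule catches the preparation step even if the payload never runs, and the path/parent rule catches a signed-but-relocated Defender binary without needing to know which library it sideloads. On a live host, the exclusion that made the working folder a blind spot in the first place can be reviewed with the `ExclusionPath` property returned by `Get-MpPreference`.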