
Master Key for Decryption of Kaseya, Leaked on Hacking Forum

 

The universal decryption key for the Kaseya attack has been leaked on a Russian hacking forum. A user named Ekranoplan shared a screenshot of what appears to be a universal decrypter for REvil-infected files. The tweet was also retweeted by a security researcher known as pancak3. 

Kaseya customers have been using the universal decryption tool to recover files held hostage by REvil. It was previously thought that the key works on all REvil-encrypted files; it has since been reported, however, that it does not decrypt files from the gang's other attacks and works only on the files of Kaseya users. 

The REvil ransomware group exploited a zero-day vulnerability in Kaseya's VSA remote management application, encrypting the files of roughly 1,500 enterprises. The attack paralyzed the operations of Kaseya's customers. Kaseya supplies software automation and remote management tools to the information technology industry. 

The ransomware gang then demanded a staggering $70 million ransom in exchange for a universal decrypter tool that would restore the encrypted data. Such a key neutralizes the attackers' leverage over their victims by making the files accessible again. After this whopping demand, the gang suddenly disappeared. 

As of July 13, the group had left no trace on the web. The group is said to be behind 42 percent of new ransomware attacks. 

Notably, the gang's abrupt disappearance came one day before senior White House officials and Russia discussed the surge in ransomware cases. 

Meanwhile, on July 22, Kaseya finally obtained the decryption tool to reverse the encryption of its customers' files. 

The Verge states that there are three possible sources from which Kaseya could have obtained the decryption tool: the US, Russia, or REvil itself. Kaseya neither confirmed nor denied any of these. Instead, the Florida-based IT company said that it received the key from a "trusted third party." 

In addition, Kaseya has provided its customers with the universal decryption tool, but with a twist: the company requires its customers to sign a non-disclosure agreement. While NDAs are routinely employed in cyberattack cases, using one in this process keeps the incident entirely secret.

Dutch Institute Exposes Flaws in Kaseya – VSA Platform

 

In the wake of the catastrophic attack on its VSA platform, it emerged that Kaseya had been collaborating with researchers to fix a bug that hackers went on to use to deliver ransomware to numerous firms. 

A group of researchers at the Dutch Institute of Vulnerability Disclosure published a couple of articles explaining how and when they discovered a series of vulnerabilities in the tools Kaseya provides to managed service providers (MSPs). As per the DIVD, one of the seven problems that the team had discovered in the Kaseya VSA software was the vulnerability known as CVE-2021-30116. 

This authentication bypass vulnerability was one of the two vulnerabilities exploited by the cybercriminals when they got into the VSA service and used the compromised platform to distribute a REvil ransomware payload to customers. The DIVD did not identify the second vulnerability the attackers used. 

According to the DIVD's report, it had been in private contact with Kaseya since April about the seven issues it detected in the MSP software provider's internet-facing services and applications. Some had already been patched in April and May, and others were still being fixed when the attack on VSA took place. 

In addition to CVE-2021-30116, the DIVD says the team uncovered a SQL injection flaw, CVE-2021-30117, patched in May; a remote code execution flaw, CVE-2021-30118, patched in April; CVE-2021-30119, for which a patch is underway; a bypass flaw, CVE-2021-30120, to be patched in the upcoming VSA release 9.5.7; a local file inclusion vulnerability, CVE-2021-30121, patched in May; and an XML external entity bug, CVE-2021-30201, patched in May. 

"When we discovered the vulnerabilities in early April, it was evident to us that we could not let these vulnerabilities fall into the wrong hands," Breedijk wrote. "After some deliberation, we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do. We hypothesized that, in the wrong hands, these vulnerabilities could lead to the compromise of large numbers of computers managed by Kaseya VSA." 

Regrettably, in what Breedijk called the "worst-case scenario," the DIVD stated that the flaws could not all be addressed before criminal hackers identified and exploited one of them. The investigators noted that Kaseya responded to their reports and worked extremely hard to solve the problems. 

However, the confidentiality and hard work were not enough: on July 2 the criminals launched their ransomware attack, demanding a $70 million cryptocurrency payment in return for the decryption key. 

The DIVD's recent research suggests that the attack could have resulted from a leak in the confidential disclosure process, especially when combined with the attackers' knowledge that specific VSA folders were excluded from anti-virus protection.

Cobalt Strike Payloads: Hackers Capitalizing on Ongoing Kaseya Ransomware Attacks

 

Threat actors are trying to capitalize on the ongoing Kaseya ransomware incident by targeting likely victims with a spam campaign that pushes Cobalt Strike payloads disguised as Kaseya VSA security updates. Cobalt Strike is a legitimate penetration testing and threat emulation tool that attackers also use for post-exploitation tasks, planting beacons that give them remote access to compromised systems. The primary goal of such attacks is either harvesting and exfiltrating sensitive data or deploying second-stage malware payloads. 

The Cisco Talos Incident Response (CTIR) team said in a September report that "interestingly, 66 percent of all ransomware attacks this quarter involved red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans." The malspam campaign discovered by Malwarebytes Threat Intelligence researchers uses two distinct approaches to plant the Cobalt Strike payloads. Emails sent as part of the campaign come with a malicious attachment and a link, both designed to look like a Microsoft patch for the Kaseya VSA zero-day exploited in the REvil ransomware attack. 

The Malwarebytes Threat Intelligence team said that a malspam campaign is taking advantage of the Kaseya VSA ransomware attack to drop Cobalt Strike. According to the report, the emails carry an attachment named 'SecurityUpdates.exe' as well as a link pretending to be a security update from Microsoft that patches the Kaseya vulnerability. Once recipients run the malicious attachment or download and launch the fake Microsoft update on their devices, the attackers gain persistent remote access to their systems. 

Bleeping Computer reports: "just as with this month's malspam campaign, the June phishing campaign was also pushing malicious payloads designed to deploy the Cobalt Strike penetration testing tool, which would have allowed the attackers to compromise the recipients' systems. The payload download pages were also customized using the target company's graphics to make them appear trustworthy." These two campaigns highlight that phishing actors keep track of the latest news and push lures tied to recent events to boost their campaigns' success rates, Bleeping Computer said.

Russia's 'Cozy Bear' Breached the Systems of the Republican National Committee

 

According to two people familiar with the situation, Russian government hackers broke into the Republican National Committee's computer systems last week, at the same time a Russia-linked criminal group launched a huge ransomware attack. According to the sources, the government hackers were members of a group known as APT 29 or Cozy Bear. 

That organization has previously been linked to Russia's foreign intelligence service and has been suspected of hacking the Democratic National Committee in 2016 and a supply-chain cyberattack involving SolarWinds Corp., which infiltrated nine US federal organizations and was revealed in December. It is unclear what data the hackers accessed or took, if any. The RNC has denied being hacked on many occasions. “There is no indication the RNC was hacked or any RNC information was stolen,” spokesman Mike Reed said. 

Chief of Staff Richard Walters claimed in a statement released after this story was posted that the RNC learned over the weekend that a third-party provider, Synnex Corp., had been breached. “We immediately blocked all access from Synnex accounts to our cloud environment,” he said. “Our team worked with Microsoft to conduct a review of our systems and after a thorough investigation, no RNC data was accessed. We will continue to work with Microsoft, as well as federal law enforcement officials, on this matter.”

Microsoft declined to disclose any additional information in a statement. A company spokeswoman responded, “We can’t talk about the specifics of any particular case without customer permission. We continue to track malicious activity from nation-state threat actors -- as we do routinely -- and notify impacted customers.” Dmitry Peskov, a spokesman for the Kremlin, denied that the Russian government was involved. “We can only repeat that whatever happened, and we don’t know specifically what took place here, this had no connection to official Moscow,” he said on a conference call. 

The RNC attack, combined with the recent ransomware incident, is a big provocation to President Joe Biden, who warned Russian President Vladimir Putin about cyberattacks at a summit on June 16. As agreed at the meeting, the two countries have been holding "some contacts" about cybersecurity, according to Peskov, who declined to disclose specifics or comment on whether the recent incident was discussed. 

It is unclear whether the RNC hack is linked to the ransomware strikes, which used a number of previously discovered flaws in software from Miami-based Kaseya Ltd.

1,500 Businesses Globally were Affected by Kaseya Cyberattack

 

Kaseya, a Miami-based software provider to over 40,000 businesses, reported on July 2 that it was looking into a possible hack. The IT solutions provider for managed service providers (MSPs) and enterprise clients revealed a day later that it had been targeted by a "sophisticated cyberattack." According to CEO Fred Voccola, the ransomware attack has hit between 800 and 1,500 organizations throughout the world. In an interview with Reuters, he said it was impossible to determine the exact impact of the hack because the firms affected were Kaseya's clients. 

REvil, a hacking organization linked to Russia, published a blog on the dark web on Sunday claiming its involvement in the attack. REvil sought $70 million for the data to be restored. REvil has become one of the most well-known ransomware creators in the world. In the last month, it demanded an $11 million payment from the U.S. subsidiary of the world's largest meatpacking company, a $5 million payment from a Brazilian medical diagnostics company, and launched a large-scale attack on dozens, if not hundreds, of companies that use IT management software from Kaseya VSA. 

Kaseya is a company that provides its comprehensive integrated IT management platform to other businesses. It also provides organizations with tools such as VSA (Virtual System/Server Administrator) and other remote monitoring and management solutions for network endpoints. Kaseya also offers compliance systems, service desks, and a platform for service automation. 

According to the FBI, a vulnerability in Kaseya VSA software was used against many MSPs and their clients in the recent supply-chain ransomware campaign. VSA allows a company to control servers and other hardware, as well as software and services, from a remote location. Large enterprises and service providers who manage system administration for companies without their own IT staff utilize the software. 

According to security specialist Kevin Beaumont, the REvil ransomware was distributed through what appeared to be an automatic software update in the product. Because the malicious update ran with administrator access reaching down to client systems, the compromised MSPs' VSA servers went on to infect the systems of their clients.

The attacker quickly disabled administrator access to VSA, according to Beaumont, and then inserted a task called "Kaseya VSA Agent Hot-fix." This phoney update was then pushed out to the entire estate, including MSP client systems. The management agent update was actually REvil ransomware, so even organizations that were not themselves Kaseya customers ended up encrypted. The ransomware allowed the attackers to disable antivirus software and run a phoney Windows Defender app, after which the computer's files were encrypted and could not be read without a key.
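As an added illustration (not code from the original post or from Kaseya), the following Python script shows how a defender could correlate the chain described above in endpoint logs: an agent procedure with a hot-fix style name, followed within minutes by Windows Defender real-time protection being disabled on the same host. The log line format and the sample lines are constructed for this example and are not real VSA output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not real Kaseya VSA output):
# "<ISO timestamp> host=<name> event=<type> detail="<text>""
SAMPLE_LOG = """\
2021-07-02T14:01:10 host=ws-07 event=agent_procedure detail="Kaseya VSA Agent Hot-fix"
2021-07-02T14:01:42 host=ws-07 event=defender detail="Real-time protection disabled"
2021-07-02T14:02:05 host=ws-07 event=process detail="agent.exe started"
2021-07-02T09:15:00 host=ws-12 event=agent_procedure detail="Monthly Patch Scan"
2021-07-02T09:16:30 host=ws-12 event=defender detail="Signature update complete"
2021-07-02T16:40:00 host=ws-19 event=defender detail="Real-time protection disabled"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) detail="(?P<detail>[^"]*)"$')
# Hot-fix style procedure names are the lure described in the post.
SUSPICIOUS_PROCEDURE = re.compile(r"hot-?fix", re.IGNORECASE)
DEFENDER_OFF = re.compile(r"real-time protection disabled", re.IGNORECASE)
WINDOW = timedelta(minutes=10)  # how soon after the procedure AV must go down


def parse(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "event": m["event"], "detail": m["detail"]})
    return events


def find_hotfix_then_defender_off(events, window=WINDOW):
    """Return (host, procedure name, time AV disabled) for each correlated pair.

    A Defender-disabled event alone (host ws-19) is not enough; it must follow a
    suspicious agent procedure on the same host within the window."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["event"] != "agent_procedure" or not SUSPICIOUS_PROCEDURE.search(e["detail"]):
                continue
            for later in evs[i + 1:]:
                if later["ts"] - e["ts"] > window:
                    break
                if later["event"] == "defender" and DEFENDER_OFF.search(later["detail"]):
                    alerts.append((host, e["detail"], later["ts"].isoformat()))
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_hotfix_then_defender_off(parse(SAMPLE_LOG)):
        print("ALERT host=%s procedure=%r defender_off=%s" % alert)
```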

Hackers Asking $70 Million in Ransom, Kaseya Confirmed

 

On Monday, U.S. information technology company Kaseya reported a new ransomware attack that has targeted 800 to 1,500 businesses around the world. The Florida-based company's CEO, Fred Voccola, told the media that it is difficult as yet to gauge the impact of the ransomware attack, because those targeted were mainly customers of Kaseya's customers. 

Reportedly, the hackers gained access to the system's internal files, which gave them command over the system and allowed them to disable hundreds of businesses across five continents. Not all of those targeted were severely affected; many were small organizations such as dentists' offices or accountants. In some countries, however, the disruption was felt far more severely: in Sweden, hundreds of supermarkets had to close because their cash registers were inoperative, and in New Zealand schools and kindergartens went offline. 

The group of hackers that claimed responsibility for the breach is asking for a $70 million ransom to restore all of the businesses' data. 

The group has also signaled willingness to negotiate in direct conversations with a cybersecurity expert and with Reuters. "We are always ready to negotiate," a representative of the hackers told Reuters earlier on Monday. The spokesperson, who communicated via a chat interface on the hackers' website, did not disclose their name. 

When Voccola was asked about this negotiation he directly refused to say anything. "I can't comment 'yes,' 'no,' or 'maybe'," he said when asked whether his company would talk to or pay the hackers. "No comment on anything to do with negotiating with terrorists in any way."

Kaseya Limited is an American software company that provides software for managing networks, systems, and information technology infrastructure. It also offers software tools to IT companies, and its network monitor is used to observe the performance of various types of network assets such as switches, firewalls, and routers. 

A 'Colossal' Ransomware Attack Paralyzes Hundreds of US Companies

 

Ahead of the US Independence Day weekend, a ransomware attack crippled the networks of at least 200 American companies on Friday, according to cybersecurity firm Huntress Labs. Threat actors targeted Miami-based IT firm Kaseya by employing the technique of hijacking one piece of software to exploit hundreds of thousands of users at a time.

We are investigating a “potential attack” on Virtual System Administrator (VSA), a widely used tool to monitor and manage our customers' IT networks across America, reads the statement posted by Kaseya on its website.

“Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business. This is a colossal and devastating supply chain attack. Such cyber attacks typically infiltrate widely used software and spread malware as it updates automatically,” John Hammond, a senior security researcher with Huntress said in a direct message on Twitter. 

In the statement, Kaseya said the tool, which monitors and manages servers, desktops, network devices, and printers, may have been attacked. Such an attack can be particularly insidious to address, said Chris Grove, a security expert at the cybersecurity firm Nozomi Networks.

“Once a breach happens, the victim would generally reach for these tools to work their way out of a bad situation, but when the tool itself is the problem or is unavailable, it adds complexity to the recovery efforts,” Chris Grove added.

Kaseya also noted that it suspected REvil, a Russia-based hacking group, of paralyzing the company's network. It is the same group the FBI blamed for paralyzing meat packer JBS last month. Kaseya added that, having learned of the incident around midday on Friday, it immediately brought in forensic cybersecurity experts to begin a probe. 

As a precautionary measure, the IT firm also contacted the Federal Bureau of Investigation (FBI) as well as the Cybersecurity and Infrastructure Security Agency (CISA), a branch of the US Department of Homeland Security. Shortly after, CISA issued its own advisory, likewise directing Kaseya's customers to shut down their VSA servers. 

Following the security breach, Kaseya said a small number of companies had potentially been affected. The company said it had shut down some of its infrastructure and was urging customers who used the tool on their premises to immediately turn off their servers. However, Huntress Labs said the number was greater than 200.

According to the analysis firm Chainalysis, ransomware gangs extorted more than $412 million in ransoms last year. A report from a task force of more than 60 experts said nearly 2,400 governments, healthcare systems, and schools in the country were hit by ransomware in 2020.