New worrying repercussions have emerged as a result of the large chain reaction that followed the Friday cyberattack, according to Wired. Among the organizations affected are the Swedish Coop, a pharmacy chain, and a railway operator.
Cybersecurity specialists are beginning to comprehend how cybercriminals were able to launch such a large-scale attack. It all started with a vulnerability discovered in Kaseya’s IT services’ updating process, a flaw that was just about to be patched.
Sean Gallagher, a senior threat researcher at Sophos stated, “What’s interesting about this and concerning is that REvil used trusted applications in every instance to get access to targets. Usually, ransomware actors need multiple vulnerabilities at different stages to do that or time on the network to uncover administrator passwords” […]“This is a step above what ransomware attacks usually look like.”
Following the exploitation of a critical vulnerability, a large number of devices can be infected
Hackers were able to disseminate their ransomware by compromising Kaseya’s trusted distribution mechanism, which resulted in the infection of MSP’s infrastructure and subsequently spread to end users. Simply put, VSA, Kasaya’s security system administered by MSPs, was compromised and the malicious updates were sent to the clients. For now, it’s unknown whether attackers accessed all the way to Kaseya’s central systems and vulnerabilities.
Malicious payloads were used to disseminate to vulnerable VSA servers. By extension, they also attacked the Windows-based VSA application deployments. In VSA working folders, security scanning tools are taught to ignore whatever they’re doing, offering a way to hide the threat. In this case, the malware would mask its destructive behavior from Microsoft Defender.
The virus then prompted the Kesaya update process to launch an outdated, expired version of Microsoft’s AntiMalware Service. Once inside, the malware proceeded to encrypt the data on the device. Moreover, it made it tougher for victims to get back their information from backups so that they can claim custom ransoms.
Kaseya has been delivering updates and assures users that all efforts have been shifted from analyzing the underlying cause and vulnerability mitigation to implementing the recovery plan.