Cyber attack on VSA servers in 2021

From Wikipedia, the free encyclopedia

The cyber attack on the VSA servers of various companies took place on July 2, 2021. The criminal hackers penetrated these third-party servers by exploiting a vulnerability in the VSA software of the US IT service provider Kaseya. Data on the affected servers was encrypted with ransomware. On July 5, a message on the darknet demanded 70 million US dollars for the decryption of the data. From individual affected companies the criminals demanded five-figure ransoms; amounts of around $45,000 were mentioned.

VSA

Kaseya is an IT and IT security provider aimed at small and medium-sized businesses. Among other things, the company sells the remote maintenance software VSA (Virtual System Administrator). Using VSA servers, companies can manage their networks from any workstation. VSA is frequently used simply to roll out software updates. By manipulating this software, cybercriminals succeeded in encrypting the data on the computers of numerous customers. Kaseya's management asked its customers to shut down all VSA servers immediately and to wait for further information.

The malware protection ESET NOD32 Antivirus was able to prevent the effects of the attack. Shortly before the attacks, the manufacturer ESET made the signatures of the ransomware used available for download as "w32.Filecoder.Sodinokibi.N". The company was notified of the first infection on July 2 at 3:22 p.m.

In attacks with ransomware, hackers usually try to extort money. The first known incident of this kind ("AIDS") occurred back in 1989. From around 2010 this form of computer crime became commonplace, favored by the cryptocurrencies that were establishing themselves at the time and that enable simple and largely anonymous payment.

Security breach

Due to poor software quality, the remote maintenance software VSA could be attacked with a zero-day exploit. As with the serious programming error Heartbleed in 2014, it was possible to introduce malicious code into the attacked systems over an Internet connection, because neither the programming language used performs an implicit validation nor had the software developers programmed an explicit validation of the valid data length at a safety-critical point. In such type violations, pointers to a particular memory area are often passed to subroutines without any check of how large the memory area is that may be accessed. During an attack, locations in main memory outside the valid memory area can therefore also be accessed. Modifying this extended memory area allows data to be manipulated or even harmful program code to be injected; reading it out allows sensitive data to be spied on.
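The missing length check described above, shown as an added C illustration that is not code from the article or from Kaseya's software: a constructed two-byte length-prefixed message format stands in for the real protocol, the unchecked copy shows the type violation, and the hardened form adds the explicit validation of the declared length against the bytes actually received and the destination capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for the illustration: a two-byte big-endian length
 * field followed by the payload. The length field is untrusted input. */
#define HDR_LEN 2

/* Vulnerable pattern described in the article: the declared length is used
 * as the copy size without comparing it to the bytes actually received, so
 * an inflated length makes memcpy read past the end of msg (and may overrun
 * out). Shown for contrast only; never call it with untrusted input. */
static size_t echo_unchecked(const uint8_t *msg, uint8_t *out) {
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    memcpy(out, msg + HDR_LEN, declared);
    return declared;
}

/* Hardened form: the explicit validation the article says was missing.
 * Every size involved (header, received bytes, destination capacity) is
 * checked before the pointer is dereferenced. Returns the number of payload
 * bytes copied, or -1 if the message is rejected. */
static long echo_checked(const uint8_t *msg, size_t msg_len,
                         uint8_t *out, size_t out_cap) {
    if (msg == NULL || out == NULL || msg_len < HDR_LEN)
        return -1;                             /* too short to hold a header */
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    if (declared > msg_len - HDR_LEN)
        return -1;                             /* claims more than was received */
    if (declared > out_cap)
        return -1;                             /* would overflow the destination */
    memcpy(out, msg + HDR_LEN, declared);
    return (long)declared;
}

int main(void) {
    /* Constructed sample messages: a well-formed one and one whose header
     * declares 65535 payload bytes although only 2 follow. */
    const uint8_t good[] = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t bad[]  = {0xFF, 0xFF, 'h', 'i'};
    uint8_t out[64];
    (void)echo_unchecked(good, out);           /* safe only because good is well-formed */
    long n = echo_checked(good, sizeof good, out, sizeof out);
    printf("good: copied %ld bytes: %.*s\n", n, (int)n, out);
    n = echo_checked(bad, sizeof bad, out, sizeof out);
    printf("bad: result %ld (rejected)\n", n);
    return 0;
}
```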

The ransomware introduced via the VSA software was used to encrypt data.

Procedure

The hacker attack on the predominantly American corporate networks started on the evening of July 2, 2021 and soon also had an impact in Europe. The cyber criminals exploited a security flaw in the server software to gain access to the networks. Malware was then installed on the infiltrated computers in order to encrypt data. Kaseya had 36,000 customers at the time, an unknown number of whom were using VSA.

The number of computers ultimately affected was amplified by a domino effect, because the affected companies also included service providers who themselves have several customers, for whom the blocked data is relevant as well.

An IT security expert from ESET compared the approach taken in the cyber attack with the hacker attack on SolarWinds in 2019, with the difference that the perpetrators in the current case have financial interests.

Perpetrators

According to initial assessments by the New Zealand government's computer emergency response team, a Russian hacker group called REvil was behind the cyber attack. The group had already been accused of ransomware attacks on US companies from May 2021 as well as of cyber attacks on government departments, authorities and companies. The US federal police, the FBI, also blamed criminal hackers from Russia for these cyber attacks. US President Joe Biden ordered the intelligence services to investigate the attack. Two days after the cyber attacks, he said that the first impression was that the Russian government was not behind it, but that this was not yet certain. Among other things, the ransomware used, a new version of the Sodinokibi trojan, pointed to the group.

On July 5, 2021, REvil published a claim of responsibility and its demands on its darknet page "Happy Blog". According to the group's blog entry, 70 million US dollars were to be paid in the digital currency Bitcoin, after which the data would be released again. The group also claimed that "more than a million systems" worldwide were affected. A spokesman for the IT security company Recorded Future said the entry was probably genuine. The group has been running the blog since 2020.

Damage

According to initial estimates by the cybersecurity company Huntress Labs, more than a thousand companies were affected. Towards the evening of the following day, this figure was revised sharply downwards; the media then reported only about 200, and later only about 40, affected companies. The number of affected computers is therefore uncertain. On June 6, however, it was reported that between 800 and 1,500 companies worldwide were affected by the incident. By then, companies from 17 countries had reported being affected.

The Swedish supermarket chain Coop, whose payment service provider Visma Esscom uses Kaseya's software, subsequently closed all 800 of its branches on July 3. The attack had blocked the cash register systems, a company spokeswoman announced shortly afterwards. In Sweden, the railway company SJ, the petrol station chain St1 and the pharmacy chain Apotek Hjärtat were also affected, as was the TV station SVT. In the Netherlands, the large IT service providers VelzArt and Hoppenbrouwers Techniek reported problems.

Over the following weekend, only one affected company from Germany reported to the Federal Office for Information Security. The extent of the damage was only gradually revealed at the beginning of the working week on July 5. In addition to the USA, Germany, Great Britain, Canada and Colombia were particularly affected. The number of reports depends heavily on how widespread the use of ESET antivirus is in these countries.

Web links

  • handelsblatt.com: Cyber attack in USA hits hundreds of companies; supermarket chain in Sweden closes almost all branches. July 3, 2021.
