REvil, a Russian-affiliated hacker group, has infected some 200 companies with ransomware. The incident is a supply chain attack that may have started at Kaseya, a supplier of management software for ICT applications. Customers using VSA, a Kaseya product for remotely managing computers and mobile devices, are advised to disable the program.
This was reported by the Bloomberg news agency, based on findings from cybersecurity company Huntress Labs.
The number of victims is likely to rise quickly
Huntress Labs has identified eight so-called managed service providers (ICT service providers) that have been hit by ransomware. What they have in common is that they all use VSA. The security company says that about 200 companies that are customers of these ICT service providers have been affected by the attack.
George Demou, CEO of Avtex LLC, one of the service providers affected by the ransomware attack, told Bloomberg that “hundreds of IT service providers” worldwide have been affected by the supply chain attack. Huntress Labs expects the number of victims to rise quickly.
“This is one of the largest non-state attacks we have ever seen. It seems purely [the hackers’] intention to make money,” Andrew Howard of the Swiss Kudelski Security told Bloomberg. According to him, it is one of the most effective ways to spread malware through the supply chain of trusted IT service providers.
NCSC: ‘Turn off VSA’
While it is not certain that VSA is the source of the attack, Kaseya in a press release advises companies and organizations that use this software to disable it immediately. The National Cyber Security Center (NCSC) is adopting this advice, at least until more information is known. “The NCSC advises customers who use VSA agents to contact their management organization for further instructions,” the advisory body wrote in a press statement.
Russian hacker group REvil responsible for a supply chain attack
According to cybersecurity firm Huntress Labs, REvil is behind the cyber attacks. This is a hacker group operating out of Russia. The group, also known as Sodinokibi, has claimed many victims. Last year, the Travelex currency exchange and the Brown-Forman Corporation, known for spirits like Jack Daniel’s, were targeted by REvil. Acer and Quanta Computer were victims of the Russian hackers earlier this year.
REvil’s most notorious target is JBS, the world’s largest meat producer. At the end of May, hackers managed to penetrate the company’s corporate network and install ransomware. As a precaution, the company decided to temporarily close a number of branches in Australia, Canada and the US. It also took part of the IT network offline. A few days later the all-clear was given and the production process was restarted.
JBS says no sensitive company data was stolen. Still, the company paid $11 million in ransom. “It was a very difficult decision to make for our company and me personally. However, we felt we had to make this decision to avoid any risk to our customers,” chief executive Andre Nogueira said in a statement.
The incident is reminiscent of the supply chain attack on SolarWinds
It is not the first cyberattack on a supply chain. The supply chain attack on SolarWinds caused a lot of commotion late last year and early this year. After hackers managed to infiltrate SolarWinds’ corporate network, they abused Orion Network Management Tools, software the company provides to monitor corporate networks, databases, servers, and web applications. By adding a backdoor (known as Sunburst) to this software, the hackers were able to infiltrate political institutions, local governments and businesses.
The New York Times reported in January that more than 250 organizations had been affected, including the US Departments of the Treasury, the Interior, Homeland Security, Commerce, Justice and Defense. A senior Security Council official advising the White House qualified this, saying that nine federal government agencies and 100 private sector companies were affected by the supply chain attack on SolarWinds.
In May, SolarWinds said “less than a hundred” customers were affected by Sunburst. That is because most customers had downloaded the update that closes this backdoor. Another group of customers had installed the update on servers that were not connected to the internet, which made it impossible to backdoor those machines.