Russian hackers have hit at least 200 companies in one of the largest supply chain ransomware attacks to date, according to cyber-security firm Huntress Labs Inc.
The hackers breached suppliers of IT management software and, through that software, compromised the businesses that use it.
According to Huntress Labs, the perpetrator is REvil, the Russian group that recently hacked into beef supplier JBS’s computer systems.
This is the latest example of hackers getting into IT supply chains in order to compromise a larger number of victims through a supplier's client list. In 2020, Russian state-backed hackers attacked the SolarWinds IT software group and gained access to the email networks of US federal agencies and corporations.
Kaseya, one of the affected IT management software providers, estimates that around 40 of its roughly 36,000 direct customers may have been affected by the attacks. It advised customers using the compromised “VSA server” tool, which provides remote monitoring and patching capabilities, to shut it down immediately. “We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly,” the company added.
Meanwhile, Huntress said that it was aware of at least eight compromised cloud service providers, resulting in around 200 businesses falling victim to the ransomware attacks. The attack may be much larger, since the total number of compromised clients of those cloud service providers has not yet been determined.
Two of the affected managed service providers are Synnex Corp. and Avtex LLC. Avtex president George Demou told Bloomberg News that “Hundreds of MSPs have been impacted by what appears to be a Global Supply Chain hack.” “We are working with those customers who have been impacted to help them recover,” he added.
Allan Liska of Recorded Future’s computer security incident response team said that small and medium-sized businesses rely on these service providers for IT support. The attacks highlight the risk of depending on third parties for system support.
“We’ve essentially handed over too much trust so that if something happens to them, it becomes a catastrophic event for your organisation through no fault of your own,” Liska said.
The Cybersecurity and Infrastructure Security Agency said that it was “taking action to understand and address the recent supply-chain ransomware attack”.
In the past, ransomware groups have often demanded one bulk payment from a managed service provider instead of demanding payments from each of its clients. In this case, however, the REvil group has got into the systems of hundreds of managed service providers’ clients and is demanding payment from each one. “There’s no way the actors have the bandwidth to handle each individual case at the same time,” said Jake Williams, chief technology officer at BreachQuest.
In May, Colonial Pipeline’s systems in the US were breached in a ransomware attack that affected the computer systems controlling the flow of fuel. The company paid 75 bitcoin, roughly $4 million, in ransom to get its systems running again. The US government then promised to crack down hard on such ransomware operators. At last month’s Geneva summit, President Joe Biden urged Russian President Vladimir Putin to rein in ransomware hackers.