
Symantec Security Summary - July 2021

The REvil gang, ransomware and Rewards for Justice

Cyber security fireworks. The latest big ransomware attack may have affected between 800 and 1,500 companies around the world. It began with a supply-chain compromise of Kaseya, an IT management software provider that caters to enterprise IT teams and managed service providers (MSPs). The attackers were reported to be the Russia-linked REvil group, responsible for other recent high-profile attacks such as the one on meat processor JBS. From what we know so far, the attackers exploited a vulnerability in Kaseya's VSA endpoint management, protection, and network monitoring platform to push ransomware down to the endpoints that VSA manages. Experts likened the incident to the SolarWinds supply chain attack, which impacted an entire ecosystem of companies through a Trojanized software update, although that campaign was espionage rather than ransomware. Kaseya urged customers running on-premises VSA servers to shut them down until a patch was available to prevent further compromise, a move that initially affected at least 36,000 companies.

As recent trends show, ransomware gangs will often take the time to steal data and delete backups before they encrypt victims' devices, giving the victim a stronger incentive to pay to ensure restoration and to prevent leaks. In the Kaseya attack, the REvil gang eschewed these practices, exploiting a zero-day vulnerability in the VSA servers to automate the attack without first gaining hands-on access to the individual victims' networks. As a result, fewer companies may have felt pressure to pay, since they could restore from intact backups. The tech site Bleeping Computer posited that only two companies paid a ransom out of an estimated 1,500 victims.
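The backup-deletion step mentioned above is one of the few ransomware behaviours a defender can reliably alert on before encryption starts. The following is an added example, not code from the page or from Symantec: a small detector run over constructed Windows process-creation records. The command patterns it looks for (vssadmin, wmic shadowcopy, wbadmin, bcdedit and WMI shadow-copy deletion) are assumptions drawn from commonly observed ransomware tradecraft, not from anything the page says about the Kaseya incident; the log lines are constructed for illustration.

```python
"""Flag commands that destroy local backups ahead of ransomware encryption.

Added example for illustration. The events below are constructed, not taken
from any real incident, and the rule set is an assumption about common
backup-destruction tradecraft rather than a description of the REvil tooling.
"""
import re
from dataclasses import dataclass

# Constructed process-creation events: (host, parent process, command line).
SAMPLE_EVENTS = [
    ("ws-17", "explorer.exe", r"C:\Windows\System32\vssadmin.exe list shadows"),
    ("ws-17", "cmd.exe", r"vssadmin.exe Delete Shadows /All /Quiet"),
    ("srv-02", "powershell.exe", r"wmic shadowcopy delete"),
    ("srv-02", "cmd.exe", r"bcdedit /set {default} recoveryenabled No"),
    ("srv-02", "cmd.exe", r"wbadmin delete catalog -quiet"),
    ("ws-09", "svchost.exe", r"C:\Windows\System32\notepad.exe report.txt"),
    ("ws-09", "cmd.exe", r"vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ("srv-02", "powershell.exe",
     r"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
]

# Rule name -> case-insensitive pattern over the command line. Listing shadows
# (an ordinary admin action) is deliberately not matched; only destruction is.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_storage",  # shrinking shadow storage evicts old copies
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*?/maxsize=", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?\s+.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wmi_shadowcopy_delete_ps",
     re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    parent: str
    rule: str
    cmdline: str


def scan(events):
    """Return one Finding per (event, rule) match."""
    findings = []
    for host, parent, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(host, parent, name, cmdline))
    return findings


def hosts_to_escalate(findings, min_distinct_rules=2):
    """Hosts where several distinct destruction techniques were seen.

    A lone 'vssadmin delete shadows' can be legitimate maintenance; two or
    more different techniques on one host is the pattern to page someone on.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:7} {f.rule:28} parent={f.parent:16} {f.cmdline}")
    print("escalate:", hosts_to_escalate(hits))
```

In a real deployment the events would come from Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled; the parent process is kept in the finding because backup destruction spawned from an office application or a remote-management agent deserves a different response from the same command typed by an administrator.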


Meanwhile, the REvil gang mysteriously dropped offline less than two weeks after the Kaseya attack. There were no clear answers, but researchers weighed several possible explanations. One is that the Kremlin bent to U.S. pressure and forced the gang to close up shop. Another is that U.S. officials launched their own cyber operation in retaliation and took the group's infrastructure offline. Lastly, it is possible that REvil's operators simply decided to lie low for a while.

In the interim, Kaseya released urgent security updates to address the critical VSA vulnerabilities exploited by REvil. The company also warned customers about an ongoing phishing campaign in which spammers were using news of the incident and its patches as a lure to send VSA customers emails with malicious links and attachments; updates should be taken only from Kaseya's own channels, not from links in unsolicited mail.

“Barely able to keep up.” With ransomware clearly established as a major national security threat this year, the cyber security industry and top cyber security executives are struggling to find enough people to staff the battle lines. CyberSeek, a project sponsored by the National Institute of Standards and Technology (NIST) that tracks the cyber security job market, reports more than half a million cyber security jobs left unfilled despite strong demand and ample corporate security budgets.

One idea being floated to address the gap is the creation of a Civilian Cyber Security Reserve. A bipartisan group of lawmakers has introduced legislation to design a National Guard-style program, under the Homeland Security and Defense departments, to deal with the growing cyber security threats faced by the U.S. government. In addition, the U.S. government announced that its Rewards for Justice program is offering up to $10 million for information that helps identify or locate malicious cyber actors working at the direction of foreign governments who target U.S. critical infrastructure.

Ransomware counterpunch. Government and industry are also escalating efforts to tackle ransomware attacks, which have been particularly prolific this year. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a new ransomware self-assessment capability as a module for its Cyber Security Evaluation Tool (CSET). Called the Ransomware Readiness Assessment (RRA), the tool is designed to help organizations discover how well equipped they are to defend against and recover from ransomware attacks targeting IT or operational technology (OT) assets.

There is also a new crowdsourced project tracking ransomware payments and profits. Dubbed Ransomwhere, the website lets victims and security professionals upload copies of ransom notes and other pertinent information, such as the payment addresses they contain, to build a better profile of attackers and their methods. The project was started by Stanford student Jack Cable, who is also a researcher at the Krebs Stamos Group.


Another interesting data point on the ransomware front: expect changes in cyber insurance based on new research from the defense think tank Royal United Services Institute (RUSI). According to a RUSI research paper examining cyber insurance and cyber security challenges, the practice of insuring ransom payments may be contributing to the growth of ransomware attacks by making it easier for victims to pay. Insurance carriers are also pushing up premiums and coverage requirements in response to surging demand. For example, many underwriters now demand detailed proof of a company's cyber security practices before writing a policy.

Infrastructure attacks loom large. The recent spate of cyber attacks has also raised concerns about infrastructure vulnerabilities—and for good reason. Train services in Iran were disrupted earlier this month after an attack on the computer systems of the country’s national railway, causing delays to both passenger and cargo trains.

At a more granular level, a remote code execution (RCE) vulnerability has been disclosed that would make it easier for attackers to take control of Schneider Electric programmable logic controllers (PLCs), which are heavily used in industrial equipment, from manufacturing floor machinery to critical infrastructure. Armis researchers discovered the flaw in Modicon PLCs, which are widely used in manufacturing, automation applications and energy utilities. The researchers warned the bug could be exploited for a variety of attacks, from deploying ransomware to altering commands sent to machinery. Schneider Electric is working on a patch; until one ships, the practical mitigation is to keep the PLCs' engineering and management interfaces off routable networks and reachable only from segmented, access-controlled engineering hosts.

Engineers targeted by Lazarus. A prominent North Korean hacking group has taken aim at engineers in its latest phishing campaign. Lazarus (aka Appleworm) is using fake job offers to lure engineering job candidates and employees in classified roles into opening files that install malware on the recipients' computers, according to AT&T Alien Labs. The group first used this tactic last year in a campaign dubbed Dream Job, in which it targeted defense contractors.


About the Author

Beth Stackpole

Journalist

Beth is a veteran journalist covering the intersection of business & technology for more than 20 years. She's written for most of the leading IT industry publications and web sites as well as produced custom content for a range of leading technology providers.
