"One MSP can manage IT for dozens to a hundred companies: instead of compromising 100 different companies, the criminals only need to hack one MSP to get access to them all."

"It is not uncommon to see zero-day elevation of privilege flaws patched during Patch Tuesday," Satnam Narang, a staff research engineer at Tenable, said. "These flaws are most valuable in post-compromise scenarios once an attacker has gained access to a target system through other means, in order to execute code with elevated privileges." A product manager at Rapid7, Greg Wiseman, said that CVE-2021-40449 was "likely being used alongside Remote Code Execution (RCE) and/or social engineering attacks to gain more complete control of targeted systems."

"MSPs are high-value targets - they have large attack surfaces, making them juicy targets to cybercriminals," said Kevin Reed, chief information security officer at Acronis.
That means that organizations with wide Kaseya VSA deployments are likely to be significantly more affected than those that only run it on one or two servers."

By compromising a software supplier to target MSPs, who in turn provide infrastructure or device-centric maintenance and support to other small and medium businesses, the development once again underscores the importance of securing the software supply chain, while also highlighting how hostile agents continue to advance their financial motives by combining the twin threats of supply chain attacks and ransomware to strike hundreds of victims at once.

"We have not seen evidence of the threat actors attempting to move laterally or propagate the ransomware through compromised networks. Less than ten organizations appear to have been affected, and the impact appears to have been restricted to systems running the Kaseya software," Barry Hensley, Chief Threat Intelligence Officer at Secureworks, told The Hacker News via email.
Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory, urging customers to download the Compromise Detection Tool that Kaseya has made available to identify any indicators of compromise (IoC), enable multi-factor authentication, limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network. On-premises VSA servers will require the installation of a patch prior to a restart, the company noted, adding it's in the process of readying the fix for release on July 5.
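The advisory's two network-side recommendations (limit RMM communication to known IP address pairs, and keep RMM administrative interfaces behind a VPN or firewall) can be turned into a simple allow-list check over connection records. The following is an added example written for this page; it is not code from CISA, Kaseya, or the article. The RMM server address, the agent and admin ports, the allowed networks and the log lines are all constructed for illustration and are not taken from the incident.

```python
"""
Allow-list check for RMM connection records (added example, not the page's code).

Assumptions (all hypothetical): each record is one line of the form
"timestamp src_ip dst_ip dst_port"; the RMM server accepts agent check-ins on
port 443 and exposes its admin interface on port 8443; admin access is only
legitimate from the VPN address pool. Addresses use documentation ranges.
"""
import ipaddress

RMM_SERVER = ipaddress.ip_address("203.0.113.10")  # constructed RMM host address
AGENT_PORT = 443    # hypothetical agent check-in port
ADMIN_PORT = 8443   # hypothetical admin interface port

# Known (source network, RMM host) pairs permitted to reach the agent port.
AGENT_ALLOWLIST = [
    (ipaddress.ip_network("198.51.100.0/24"), RMM_SERVER),  # constructed customer site A
    (ipaddress.ip_network("192.0.2.0/24"), RMM_SERVER),     # constructed customer site B
]

# The admin interface is reachable only from the VPN pool, never directly.
ADMIN_ALLOWLIST = [
    (ipaddress.ip_network("10.8.0.0/24"), RMM_SERVER),      # constructed VPN pool
]


def is_allowed(src, dst, port):
    """True if (src -> dst:port) matches a known pair for that service."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if port == ADMIN_PORT:
        table = ADMIN_ALLOWLIST
    elif port == AGENT_PORT:
        table = AGENT_ALLOWLIST
    else:
        return False  # no other service should be exposed on the RMM host
    return any(src in net and dst == host for net, host in table)


def parse_record(line):
    """Split one "timestamp src dst port" record into typed fields."""
    ts, src, dst, port = line.split()
    return ts, src, dst, int(port)


def find_violations(lines):
    """Return (timestamp, src, dst, port, reason) for every disallowed record."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = parse_record(line)
        if is_allowed(src, dst, port):
            continue
        if port == ADMIN_PORT:
            reason = "admin interface reached from outside the VPN pool"
        elif port == AGENT_PORT:
            reason = "agent traffic from a source not in the known-pair list"
        else:
            reason = "unexpected port exposed on the RMM host"
        violations.append((ts, src, dst, port, reason))
    return violations


# Constructed sample records; the third, fifth and sixth should be flagged.
SAMPLE_LOG = """
# timestamp            src_ip          dst_ip        dst_port
2021-07-02T14:00:01Z   198.51.100.25   203.0.113.10  443
2021-07-02T14:00:05Z   10.8.0.7        203.0.113.10  8443
2021-07-02T14:01:10Z   203.0.113.200   203.0.113.10  8443
2021-07-02T14:02:30Z   192.0.2.77      203.0.113.10  443
2021-07-02T14:03:44Z   100.64.1.9      203.0.113.10  443
2021-07-02T14:04:00Z   198.51.100.25   203.0.113.10  22
"""

if __name__ == "__main__":
    for ts, src, dst, port, reason in find_violations(SAMPLE_LOG.splitlines()):
        print(f"{ts} {src} -> {dst}:{port}: {reason}")
```

The check is deliberately pair-based rather than source-only: a source that is legitimate for agent check-ins is still flagged if it reaches the admin port or any unexpected service, which is the separation the advisory asks for when it says to put administrative interfaces on a dedicated, VPN-fronted network.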
Kaseya, which has enlisted FireEye to assist with its investigation into the incident, said it intends to "bring our SaaS data centers back online on a one-by-one basis starting with our E.U., U.K., and Asia-Pacific data centers followed by our North American data centers." At least 1,000 businesses are said to have been affected by the attacks, with victims identified in no less than 17 countries, including the U.K., South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand, and Kenya, according to ESET. More specifics about the flaws were not shared, but DIVD chair Victor Gevers hinted that the zero-days are trivial to exploit. The non-profit entity said the company was in the process of resolving the issues as part of a coordinated vulnerability disclosure when the July 2 attacks took place.
The Dutch Institute for Vulnerability Disclosure (DIVD) on Sunday revealed it had alerted Kaseya to a number of zero-day vulnerabilities in its VSA software (CVE-2021-30116) that it said were being exploited as a conduit to deploy ransomware. Amidst the massive supply-chain ransomware attack that triggered an infection chain compromising thousands of businesses on Friday, new details have emerged about how the notorious Russia-linked REvil cybercrime gang may have pulled off the unprecedented hack.