Cyber Blurbs: REvil Demands $70M in Kaseya Ransomware Attack

In this week’s Cyber Blurbs Roundup, we cover a vulnerability in Microsoft’s software, a massive ransomware demand against Kaseya, and the NSA’s decision to disclose Russian hacking methods.

Microsoft Vulnerability

Windows users are being warned of an unpatched vulnerability that could give attackers a significant degree of remote control. The issue resides within Microsoft’s Windows Print Spooler service and is said to allow attackers to execute code remotely with system-level privileges. For the non-tech readers, that’s akin to letting somebody unlock your phone and post from your Instagram account.

While the vulnerability itself has likely prompted a few headaches over at Microsoft HQ, the manner in which it was disclosed may have a few execs fuming as well. Security researchers at Sangfor developed a proof-of-concept exploit — essentially a non-harmful demonstration designed simply to show that the vulnerability is real. Under ideal circumstances, such exploits are provided to the original developers first, and a patch is deployed before the POC goes public.

But that’s not what happened. The folks over at Sangfor — for reasons unknown — published and then quickly deleted the writeup on GitHub, essentially placing a spotlight on the vulnerability for the world to see. Though deleted, the repository was forked (copied) before it disappeared. 

Microsoft recently patched other vulnerabilities related to its Print Spooler, which may have led to some confusion with the POC in question. 

According to BleepingComputer, Microsoft has started warning users that the flaw is being actively exploited. The company has provided procedures for disabling the service while it continues to develop a permanent fix. You can read more about the short-term solution here.

NSA Discloses Russian Hacking Methods

The US National Security Agency, along with its counterpart from across the pond, released details of the methods used by Russian hackers who have attempted to exploit government agencies across the globe. 

Describing them as “brute force” methods, the NSA released an advisory statement highlighting the tactics used by organizations linked to the GRU, the Russian military intelligence agency. The agency has previously been linked to attacks against the 2016 and 2020 presidential elections, among other major attacks. 

The methods include exploiting weak login credentials through password spraying, which involves trying a handful of commonly used passwords (like “password123”) against many accounts in the hope of gaining access to otherwise restricted ones.

The NSA also says GRU-linked operatives ran their attempts from Kubernetes, an open-source container orchestration platform originally developed by Google.

Russia’s Embassy in Washington has since “strictly” denied that the country’s government had any involvement in the attacks on US government agencies.

“We hope that the American side will abandon the practice of unfounded accusations and focus on professional work with Russian experts to strengthen international information security,” the embassy wrote in a Facebook post.

For a more detailed story, check out the official release from the NSA.

Ransomware Attackers Demand $70M From Kaseya

I think we can safely say it was not a long and stress-free weekend for IT management company Kaseya. On July 2, Kaseya suffered a ransomware attack, with hackers claiming to have compromised more than 1 million computers. REvil, a group of hackers gaining more notoriety by the day, is demanding $70 million (in bitcoin). 

The group is said to have delivered the malware through a malicious software update, though the full extent of the attack is still being questioned.

Kaseya CEO Fred Voccola took to YouTube to address the attack.

While Kaseya is downplaying the significance of the attack, researchers at Sophos Labs don’t appear to agree. 

“This is one of the farthest reaching criminal ransomware attacks that Sophos has ever seen,” Sophos Vice President Ross McKerchar said in a statement. “At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”

Voccola says the modular nature of the company’s security infrastructure kept the attack from being as harmful as it could have been, though that hasn’t stopped REvil from demanding a hefty sum in cryptocurrency for its trouble.

Kaseya’s SaaS cloud servers remain offline as of publication, with the company expecting an updated timeline soon. 

For more detail, check out Sophos’ detailed write-up here.