Tag Archive for: “REvil”

Kaseya was fixing zero-day just as REvil ransomware sprung their attack



The zero-day vulnerability used to breach on-premises Kaseya VSA servers was in the process of being fixed just as the REvil ransomware gang used it to carry out a massive Friday attack.

The vulnerability had been previously disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure (DIVD), and Kaseya was validating the patch before they rolled it out to customers.

However, in what can only be seen as a case of bad timing, the REvil ransomware gang beat Kaseya to it and used the same zero-day to conduct their Friday night attack against managed service providers worldwide and their customers.

“After this crisis, there will be the question of who is to blame. From our side, we would like to mention Kaseya has been very cooperative. Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” said DIVD’s Victor Gevers in a blog post today.

“Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched.”

“They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Kaseya has confirmed with BleepingComputer that they are working closely with DIVD.

Little is known about the zero-day

The zero-day Kaseya vulnerability was discovered by DIVD researcher Wietse Boonstra and was assigned the CVE-2021-30116 identifier.

When questioned regarding how REvil learned of the vulnerability as it was being fixed, Gevers indicated in a tweet that the vulnerability was simple to exploit.

Gevers told BleepingComputer that the vulnerability disclosure was “within the industry-standard time for coordinated vulnerability disclosure,” and they would provide more information in a future advisory.

In our queries to…

Source…

John Anthony Smith: Russian Speaking REvil Group Is Actively Causing Widespread Cyber Terror


(John Anthony Smith, president of the fast-growing Conversant Group on the Southside, advises on Internet security after an attack by a Russian criminal gang on a U.S. pipeline company that caused many gas stations to run dry for several days).

Similar in some ways to the global SolarWinds breach that occurred last year, threat actors have once again breached a system used for monitoring, patching, and remote administration.[1]  On Friday, it became publicly known that Kaseya, a well-known player in Remote Monitoring and Management (RMM) tools, had succumbed to a supply chain compromise.  Kaseya’s RMM product, known as VSA, is commonly used by Managed Service Providers to manage, monitor, and patch their customers’ infrastructures.

REvil was able to breach Kaseya’s VSA system and use that access to destroy backups and then encrypt the data of more than 200 organizations.  By the nature of how it works, Kaseya VSA has highly privileged access to the infrastructures in which it is deployed, since it is used to monitor, manage, and patch systems.  Thus, REvil was able to carry out this attack largely unimpeded by security controls.  On Friday, Kaseya sent out a warning of a potential attack and urged customers to shut down their servers running the service.  According to Kaseya’s website, more than 40,000 organizations use its products.

REvil is demanding $50,000 in ransom from smaller companies and $5 million from larger ones.[2]  REvil is a highly active Russian-speaking hacking group, and it is the same group of threat actors that successfully collected an $11 million ransom from JBS Meats.  It is widely believed that REvil operates from Russia, and this recent compromise comes on the heels of President Joe Biden’s meeting with Russian President Vladimir Putin in Geneva.  It is obvious that Biden’s conversation has prompted little action, at least thus far, in reining in REvil’s continued attacks.

Ransomware attacks have spiked in the past 1.5 years with $412 million in ransom payments being paid last year alone, and…

Source…

Acer REvil Ransomware Attack: Status and Recovery Update


REvil ransomware has attacked Acer and demanded a $50 million ransom from the PC giant, according to BleepingComputer. The attack may have exploited the recent Microsoft Exchange vulnerabilities, the report speculated, though that angle has not been publicly confirmed.

The details so far, according to BleepingComputer, include:

1. Acer’s Statement: The PC giant has not confirmed the REvil ransomware attack actually occurred. Acer told BleepingComputer: “There is an ongoing investigation and for the sake of security, we are unable to comment on details.”

2. Leaked Documents: The hackers leaked documents allegedly from Acer, including financial spreadsheets, bank balances, and bank communications.

3. Attack Timing: The attack started on March 14, 2021.

4. Hacker Demand: $50 million.

5. Discount Offer: The attackers offered a 20 percent discount if payment was made by March 17, 2021.

6. Exchange Server Vulnerability Exploited? The REvil gang recently targeted a Microsoft Exchange server on Acer’s domain.

7. Attack Impact: The report did not say which portion of Acer’s network was allegedly hit by the attack nor did it describe the alleged damage.

8. Earlier REvil Attacks: In 2020 the hacker group auctioned off sensitive data stolen from companies, an arm-twisting move to force victims to pay up. The group also attacked two large food distributors in 2020.

9. Multiple Ransomware Attacks: Organizations that are also dealing with recent ransomware attacks include Buffalo Public Schools and Molson Coors Beverage Company.

10. How MSPs Can Mitigate Ransomware Attack Risks: To safeguard your MSP business and clientele from ransomware attacks, follow this tip sheet.

Source…

REvil member says gang targets organisations with cyber insurance for ransomware attacks


Alleged REvil member claims they target companies with cyber insurance


An alleged member of the notorious ransomware gang REvil has divulged details about the group’s activity, including that they target companies with cyber insurance, prefer to remain apolitical, and also have access to nuclear power plants and ballistic missile launch systems.

The REvil representative, who uses the alias ‘Unknown’ on dark web forums, talked to Recorded Future expert Dmitry Smilyanets, in an interview that was conducted in Russian and then translated to English with the help of a translator.

The interview was also edited for clarity, according to Smilyanets.

REvil, also known as Sodinokibi or Sodin, is a ransomware gang that breaches companies’ networks using spam, exploits, exposed remote desktop services and hacked managed service providers (MSPs).

Like almost all other ransomware groups operating today, REvil runs a ransomware-as-a-service (RaaS) operation, in which the developers supply the malware to affiliates who use it to encrypt the devices of the target organisations.

In the interview with Smilyanets, ‘Unknown’ said that the business of ransomware (or cybercrime) has always been lucrative – even when there were only winlockers and SMS.

The REvil member said that targeting organisations with cyber insurance is “one of the tastiest morsels” for REvil operators. ‘Unknown’ disclosed that the gang likes to hack insurers first, then, after working through their customer list, they return to hit insurers with a destructive attack.

‘Unknown’ acknowledged that the Covid-19 pandemic has impacted their operations to some extent, with most targeted firms paying less than before.

Pharmaceutical firms are the exceptions, however, as they are doing good business during the pandemic.

“I think it is worth paying more attention to them. They are doing just fine,” ‘Unknown’ said.

The gang member also had some advice for corporate negotiators: don’t come in with too low an offer. If that happens, “We understand that the conversation with him is meaningless and we start publishing the data so that the owners of the network smack him upside the head for negotiating like that. And of course, after those kinds of…

Source…