After what has been a particularly busy week in the world of threat response, Corvus continues to monitor the REvil ransomware group’s attack that targeted Managed Service Providers (MSPs) who leverage the on-premise Kaseya VSA solution, as well as fallout from the zero-day discovery known as PrintNightmare (skip to end of this article if you just want to read about this more recent vulnerability). Corvus alerted policyholders to each of these attacks within hours of discovery, but as the situation unfolds we are learning more.
As the dust continues to settle on the Kaseya situation, we have learned that the initial premise of a “supply chain attack”, which is how the incident was widely reported in its first several days, was not accurate. Rather than an attack against Kaseya’s own environment, the attackers leveraged suspected zero-day vulnerabilities (weaknesses that were not yet publicly known or patched) to gain remote access to, and control over, on-premise VSA servers in customer environments.
As far as ransomware attacks go, this is one of the first coordinated multi-company distributions, and it serves as a clear escalation in the attack tactics ransomware groups have used to extort victims.
While the total number of companies suspected to have been encrypted is estimated to be below 1,500, the number of MSPs attacked via the on-premise Kaseya VSA server vulnerability is estimated at fewer than 60. This is a classic example of a “one to many” attack (similar to a supply chain attack), where a threat actor gains access to a single point that then leads to access to many more companies. This is why MSPs are often targeted in ransomware attacks: the threat actor can inflict greater pain on a larger audience in an attempt to collect a higher ransom.
In the latest opportunistic approach, threat actors have begun sending phishing emails purporting to be Kaseya VSA patches in an attempt to lure new victims into clicking on a malicious attachment and installing the Cobalt Strike backdoor on the system.
Remediation of the on-premise Kaseya VSA servers only applies if you manage a VSA server in your environment. This will be most relevant for MSPs and less so to customers of MSPs. (At the time of initial publication, the patch was expected on Sunday, July 12th).
When leveraging MSPs, inquire about how they access and manage your systems, and ensure that access to their tools is secured and follows best practices, such as requiring MFA for access.
Corvus recommends implementing a Web Application Firewall (WAF) to help protect against web-based attacks that target weaknesses in the code-base of the application.
Attackers will attempt to ride the publicity wave of Kaseya to entice users to click on malicious links or launch malicious attachments.
Starting on July 6, 2021, Microsoft issued an urgent out-of-band security patch to fix a critical vulnerability, CVE-2021-34527, in the Windows Print Spooler service that impacts all Windows operating systems.
The Windows Print Spooler software manages printing as both the client (the user requesting the print job) and the server (the system managing print jobs for multiple users). Microsoft is observing active exploitation of this vulnerability in the wild, so it is particularly critical to patch against it immediately.
Worryingly, a threat actor could leverage the PrintNightmare vulnerability either locally or remotely to execute arbitrary code with the highest level privileges on a given system. This would effectively provide the attacker the ability to install programs, view, change or delete data, and create new local accounts with full user rights. There are some mitigating factors as well that make this eventuality less likely for certain organizations, depending on their setups, which we review in detail in our Alert article. However, given how catastrophic the worst-case outcome is, we strongly recommend immediate action.
The Microsoft security bulletin recommends patching all systems with the latest out-of-band security patches issued in July 2021 to fix the identified vulnerability. This is especially important on critical servers such as Domain Controllers.
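To track the patching recommendation above across an estate, the following PowerShell inventory script is an added example (not Corvus’s or Microsoft’s code). It assumes the ActiveDirectory RSAT module and WinRM access to each domain controller, and it treats any security update installed on or after the July 6, 2021 out-of-band release as the signal to review; it reports the Print Spooler state alongside so that domain controllers still running the spooler without a recent security update stand out.

```powershell
# Added example: inventory Print Spooler state and recent security updates on
# domain controllers. Assumes RSAT (Get-ADDomainController) and WinRM access.
param(
    [string[]]$ComputerName = (Get-ADDomainController -Filter * |
        Select-Object -ExpandProperty HostName),
    # Date of the out-of-band PrintNightmare patch release named in the article.
    [datetime]$PatchReleaseDate = [datetime]'2021-07-06'
)

$results = foreach ($dc in $ComputerName) {
    try {
        Invoke-Command -ComputerName $dc -ErrorAction Stop -ArgumentList $PatchReleaseDate -ScriptBlock {
            param([datetime]$Since)
            $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
            # Heuristic only: Get-HotFix lists installed updates, it does not map
            # them to CVEs. A security update dated on/after the release is a
            # prompt to confirm the fix, not proof of it.
            $recent = Get-HotFix | Where-Object {
                $_.InstalledOn -ge $Since -and $_.Description -like 'Security Update*'
            }
            [pscustomobject]@{
                Computer              = $env:COMPUTERNAME
                SpoolerStatus         = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
                SpoolerStartup        = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
                RecentSecurityUpdates = ($recent | Select-Object -ExpandProperty HotFixID) -join ','
            }
        }
    } catch {
        # Unreachable hosts are reported rather than silently dropped.
        [pscustomobject]@{
            Computer              = $dc
            SpoolerStatus         = "Error: $($_.Exception.Message)"
            SpoolerStartup        = 'n/a'
            RecentSecurityUpdates = 'n/a'
        }
    }
}

$results | Sort-Object Computer | Format-Table -AutoSize

# Flag domain controllers that still run the spooler and show no security
# update since the out-of-band release: these are the first to review.
$results | Where-Object { $_.SpoolerStatus -eq 'Running' -and -not $_.RecentSecurityUpdates } |
    ForEach-Object {
        Write-Warning "$($_.Computer): Spooler running, no security update since $($PatchReleaseDate.ToShortDateString())"
    }
```

Pass `-ComputerName` with a list of member servers to run the same check outside the domain controller set.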
For additional remediation items and links to further guidance, read our Alert article.