Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Networking

World's Single-Biggest Ransomware Attack Hit 'Thousands' in 17 Countries (apnews.com) 142

It's now being called "the single biggest global ransomware attack on record," with thousands of victims in at least 17 different countries breached with ransomware Friday, reports the Associated Press, citing new details provided by cybersecurity researchers.

An affiliate of the Russia-linked gang REvil deployed the ransomware "largely through firms that remotely manage IT infrastructure for multiple customers." A broad array of businesses and public agencies were hit by the latest attack, apparently on all continents, including in financial services, travel and leisure and the public sector — though few large companies, the cybersecurity firm Sophos reported... The Swedish grocery chain Coop said most of its 800 stores would be closed for a second day Sunday because their cash register software supplier was crippled. A Swedish pharmacy chain, gas station chain, the state railway and public broadcaster SVT were also hit. In Germany, an unnamed IT services company told authorities several thousand of its customers were compromised, the news agency dpa reported...

CEO Fred Voccola of the breached software company, Kaseya, estimated the victim number in the low thousands, mostly small businesses like "dental practices, architecture firms, plastic surgery centers, libraries, things like that." Voccola said in an interview that only between 50-60 of the company's 37,000 customers were compromised. But 70% were managed service providers who use the company's hacked VSA software to manage multiple customers. It automates the installation of software and security updates and manages backups and other vital tasks...

Dutch researchers said they alerted Miami-based Kaseya to the breach and said the criminals used a "zero day," the industry term for a previously unknown security hole in software. Voccola would not confirm that or offer details of the breach — except to say that it was not phishing. "The level of sophistication here was extraordinary," he said. When the cybersecurity firm Mandiant finishes its investigation, Voccola said he is confident it will show that the criminals didn't just violate Kaseya code in breaking into his network but also exploited vulnerabilities in third-party software...

Kaseya, which called on customers Friday to shut down their VSA servers immediately, said Sunday it hoped to have a patch in the next few days.

The attacks may have been timed to exploit America's three-day weekend celebrating the nation's founding, according to experts interviewed by the Associated Press. America's National Security advisor is now urging all who believed they were compromised to alert the FBI.

"The attack comes less than a month after Biden pressed Russian President Vladimir Putin to stop providing safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the U.S. deems a national security threat."

UPDATE: Bleeping Computer notes the exploited vulnerability "had been previously disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure (DIVD), and Kaseya was validating the patch before they rolled it out to customers."

In a statement today, DIVD posted that "During the last 48 hours, the number of Kaseya VSA instances that are reachable from the internet has dropped from over 2,200 to less than 140 in our last scan today... A good demonstration of how a cooperative network of security-minded organizations can be very effective during a nasty crisis."
This discussion has been archived. No new comments can be posted.

World's Single-Biggest Ransomware Attack Hit 'Thousands' in 17 Countries

Comments Filter:
  • This is the overall issue, it seems to me: People with no understanding of software or computers are buying software from companies that are not competent.

    A quote from the Slashdot story:

    "The Swedish grocery chain Coop said most of its 800 stores would be closed for a second day Sunday because their cash register software supplier was crippled."

    It would certainly be easy to write cash register software so that data could not possibly be corrupted.

    The quality of the news reporting is very poor. T
    • That sounds like they outsourced their accounting/till/inventory so the registers can't scan items. Which means they were cost cutting to the 'cloud' rather than keeping control of core business systems.
      • by bn-7bc ( 909819 )
        Well this is a prime example of a business thinking IT js nor cor to our buisness ( ie we are not an it shop sho why have the staff), they probably see their cor business as supply chain and stock + shelf space managment
      • Which means they were cost cutting to the 'cloud'....

        This is the predictable (and widely predicted) outcome of aggregating a lot of companies' business operations to a large, common provider. The large, common provider becomes a large, common target for attacks just like these.

        Cloud Computing is the most dangerous thing to happen to computing since the worldwide infection of computing hardware with the "Windows" virus.

    • by gweihir ( 88907 )

      Indeed. One reason why you have to have your own competent IT experts is because otherwise you are incompetent as a buyer!

    • In the biological world, this idea of one company like Kaseya looking after everything would be considered crazy. I'm told by veterinarian friends that Western countries ban a single supplier owning the food chain (farms, slaughter houses, storage, delivery etc etc) because pathogens will only face one enemy. That is, the single supplier will employ the same sanitation techniques everywhere from farm to kitchen table for reasons of efficiency. This favors the pathogen that happens to be the most resistant to them.

      The same natural selection process is true in the digital world.

      "The quality of the news reporting is very poor"

      People want simple stories simply told. Anybody who works in IT security knows that attribution is incredibly hard and often impossible. This is why you find wording that comes with plausible deniability. From the Slashdot blurb: "An affiliate of the Russia-linked gang..." How freakin' vague can you be? But for the average Jo Schmo who knows nothing about the industry and the people who are trying to sell their services to CEOs, this is all that's needed.

    • Really sounds hard to me. Well if you want up to date prices, inventory management, etc you need to talk to a server, if that server goes down you are now stuck. Sure you could keep local copies until it comes back up, but that is extra development, and testing, time to market. Even then what if the server, or cash register sends malicious data, e.g. changes prices of items, how does the cash register know. A simple cash register where the staff enter the price, or the prices are loaded should be quite safe

  • by Arnonyrnous Covvard ( 7286638 ) on Monday July 05, 2021 @12:39AM (#61551898)
    As long as you keep paying, people will get ransomed.
    • These gangs are doing us all a favour. They are highlighting our sloppy security and focusing CEOs on fixing it.

      If there is ever serious trouble with China, these ransoms will be insignificant compared to the damage a well funded malicious state could do.

      • These gangs are doing us all a favour. They are highlighting our sloppy security and focusing CEOs on fixing it.

        This Corona Virus is doing us a favor. It's highlighting our sloppy emergency planning and focusing politicians on fighting about election laws and not fixing anything.

        I don't know. I personally find it hard to be a cheerleader for cyberterrorists or argue in favor of cybercrime with the tired "that which does not kill you makes you stronger" theology.

        If there is ever serious trouble with Chi

      • by rtb61 ( 674572 )

        Depends who you think the biggest suspects are. For me, computer security companies are always going to be the number one suspects. Either companies doing badly, companies set up specifically to do that and operating at a loss to gain customers. Companies attacking the customers of their competitors to get them to change security systems suppliers. Companies looking to spur demand. Companies contracting to business. Companies interested in insider trading, steal data to trade ahead of the market at a profit

        • Number one suspects should always be computer security companies, size not an indicator of honesty. Especially going forward. To be one in the USA they should be forced to register with say the DHS and be audited for security fitness and personal upon a regular basis because of the amount of harm they can cause.

          Your paranoia is breathtaking - I wish I didn't find it so damned plausible.

          Unfortunately, when your mistrust reaches that level, how can you trust even government agencies? I guess none of them has ever been caught fomenting havoc and false-flagging in order to advance their own agendas? Oh, wait...

      • No, CEOs will not focus on fixing things. Why? Because you can even buy randomware insurance these days. *That* is what they will do. They'll pay the ransom, file a claim (which might even cover lost revenue) and the one people who will actually suffer are the customers (like people who needed gas to get to work a couple of months ago). Companies won't change because they don't have to.
        • " randomware insurance these days."

          Good, I'm tired of programs that crash and act up in random, unpredictable ways.

        • The electrical infrastructure in your building is pretty safe, FAR safer than it was several decades ago. Your house and your office comply with fire codes, which have vastly improved fire safety.

          Electrical and fire safety is driven primarily by two organizations. UL, which tests, certifies, and lists electrical products. You don't put anything into the electrical system of a building until it's tested by UL. UL stands for Underwriters Laboratories. Underwriters means insurance companies. The insurance comp

    • But our data! Our backups were useless! The gummint must do something!
      • Erh... that's essentially what the GP suggests. The gubment makes it illegal for you to pay the ransom.

        Be afraid, your wish may be granted...

    • As long as you keep paying, people will get ransomed.

      Going to take quite a bit of effort with international law change when you consider the planet has been outsourced to the planet.

      And making this illegal in one country, would tend to make it a different type of target with a spotlight on it; the kind of target you want to permanently destroy.

      Changing business behavior with regards to risk mitigation, is about as easy as convincing a CEO that good insourced IT staff, are worth it. Hell, we can't even get people to do backups properly, highlighted by the su

    • Someone will always pay. It's a complete fantasy that if people stopped paying that this crime will disappear. In other news 99.999% of people don't send Nigerian princes any money either.

  • Demonstration (Score:5, Interesting)

    by Bert64 ( 520050 ) <bert@NOSpaM.slashdot.firenzee.com> on Monday July 05, 2021 @12:48AM (#61551912) Homepage

    In a statement today, DIVD posted that "During the last 48 hours, the number of Kaseya VSA instances that are reachable from the internet has dropped from over 2,200 to less than 140 in our last scan today... A good demonstration of how a cooperative network of security-minded organizations can be very effective during a nasty crisis."

    Or more likely a demonstration of what happens when devices are compromised and hit with ransomware - they go offline.

    • by gweihir ( 88907 )

      My thought as well. These installations will have been switched off in an attempt to close the barn door after the horse has bolted. (Still the right thing to do.)

      • by Bert64 ( 520050 )

        Most likely not intentionally switched off, just down because the ransomware has broken them.

        • by gweihir ( 88907 )

          Most likely not intentionally switched off, just down because the ransomware has broken them.

          Probably a mix of both.

  • by Opportunist ( 166417 ) on Monday July 05, 2021 @02:20AM (#61552038)

    Security costs money and doesn't bring in any. Guess what gets skimped on.

    The state of IT security in most companies is, in one word, shoddy. In a less nice word, utter crap. And we're not just talking about any companies where you could say "yeah, how should they know?" because security isn't exactly their core business. I do penetration tests for a living. Mostly in the vicinity of finance and banking software. You'd think that software and appliances in this field are built with security in mind, right?

    Without breaking NDAs, because I sure as hell am not going to tell a huge secret here: HA!

    Security is treated as sunk cost, which is to be avoided. Security is that pesky, useless thing we have to do to appease some laws or regulations, or something we have to pretend to have so we can do business with certain companies like card payment systems. Here it's mostly a game for lawyers to figure out how to do the least amount of work to fulfill that requirement or be compliant, to get that check in the all-important box to be checked off for another year. We have to do pentests for compliance? Ok, but it doesn't say how in-depth they have to be, right? Yeah, well, then you have a week to test an appliance that runs pretty much our complete core system. Anything more would mean you could actually find something which would mean that we'd have to fix it, and that again costs money!

    I have to admit, I enjoy this. I really do. I enjoy watching those fuckers soak in their own sweat now because the shit finally did hit the fan. Even though I already know who gets the blame. After all, you did do a pentest of it, why didn't you find it?

    And no, "becuase you gave me 3 days for a 3 weeks job" isn't the answer they want to hear.

    • by Bongo ( 13261 )

      Yes, and one question. Whilst it isn't practical/possible to prove code is correct, and so everything has holes/zero days, are we as an industry just producing a lot of crap full of bugs which could have been prevented with care and effort? And then companies run their systems with equally bad negligence? I.e. is it that the technology -- writing code -- is inherently imperfect and always will be, or is it that we're just too damned negligent, and systems aren't 90% correct but barely 5% correct?

      • Pay peanuts, get monkeys.

        If you want bespoke software development but are unwilling to pay more than 4 digits for it, don't expect it to be made by people who can do more than copy/paste from Stackexchange, usually without even having the foggiest idea why the code they just cribbed does what it should. But it compiles, ship it.

        • by gweihir ( 88907 )

          Pay peanuts, get monkeys.

          If you want bespoke software development but are unwilling to pay more than 4 digits for it, don't expect it to be made by people who can do more than copy/paste from Stackexchange, usually without even having the foggiest idea why the code they just cribbed does what it should. But it compiles, ship it.

          Indeed. Also the state of IT qualifications is to blame as well. If these people were required to be actual engineers (expensive), they would be liable if they screw up to badly. We need that. All other tech field have it. because anything else is hugely expensive in the long run.

          • I don't disagree conceptually with the idea of requiring more actually engineering qualifications for software development.

            However, the economist in me wonders how much more expensive *everything* would be if we did require it. One part of the increased expense would be the software itself -- from covering the increased labor cost to just more expensive development cycles, as better engineering takes more time and testing. The other would probably be just less software period, as the increased costs would

            • You pay for that one way or another. Either your engineers or your blackmailer.

            • by sjames ( 1099 )

              Something people here are forgetting, these aren't random failures, they ware the result of someone expending considerable effort to cause a failure. How long do you suppose your house will resist a determined attempt at unauthorized entry? How about your car? If you had to define "grand theft auto" for your local police when making a report and they weren't really sure what a car is, how long do you think it would last in the parking lot when you go to work? Would the best solution to that situation really

            • by gweihir ( 88907 )

              Well, the question is valid, but _all_ other engineering fields have gone that way and that is essentially because it is the cheapest version if you have a bit of a strategic view. And there are fields that produce things that are as complex. If you cannot rely on technology to work as expected, that comes with significant cost too. Sure, engineers still screw up occasionally and also get overruled by management occasionally (see, e.g. the Challenger catastrophe for a nice example of that). But non-engineer

        • Pay peanuts, get monkeys.

          This must explain the issues with code from Microsoft [theverge.com], and Cisco [securityweek.com], and Adobe [securezoo.com], and Broadcom [arstechnica.com], to name just a few. They pay their programmers peanuts.

          At least Linux has an excuse [theregister.com]. They don't pay anyone.

          • With these companies, the root cause is actually something else. Mostly rooted in ancient code that must not be touched by mortal hands, lest they could break something where the last person who actually had at least heard of the person who originally wrote it left the company about a decade ago and the documentation is curiously lacking.

            Also, please add management requests that a certain feature (or antitrust bullcrap) has to be baked into the software, preferably a day before shipping.

        • From what I have seen salary has very little to do with it. It is the constant drive to get features out the door, and the fear making any major change because the terrible code that you previously wrote may break, because it was written with the attitude of getting features out the door. Code quality and invisible features like security are always the first to go because customers don't see them.

          I know that you have to balance features with quality but that balance is weight far to much on the "oh look, sh

      • by gweihir ( 88907 )

        The problem is that code is not produced by engineers. In all other tech-fields, producing any custom design always comes with a requirement of "engineer", unless there is no risk of it doing real damage. Engineers do not only understand their field, they believe deeply in redundancy. And redundancy works for software as well. It is usually called "defense in depth", and it means things like doing privilege-separation with careful input validation and privilege reduction in all components for _any_ internet

      • by AmiMoJo ( 196126 )

        A lot of these bugs won't be found by normal code analysis means. No compiler warnings, static analysis says it's okay, passes all unit tests etc.

        It needs someone skilled in finding these flaws, who knows how to fuzz and interface and how to exploit a tiny crack to open the whole thing wide up. Such people are expensive and in very limited supply and most companies don't even know that they need one. Others just set up a paltry bug bounty and hope someone will do the work for free.

      • If you're going to build any kind of physical structure, such as a building or a bridge, a number of different people are involved. The architect and engineer design the building. For a large one, they may consult with specialists in particular fields.

        Then the contractors manage the project, making sure things are done in the proper order, the right information and supplies get to the right people at the right time, etc.

        Master electricians, master carpenters, etc supervise the laying of wires and all the d

        • I honestly don't know how many people there are with my particular skills set. But judging from my paycheck I dare say that the combination of IT security, finance and law seems to be rare.

          The thing is, though, that this is not required for most jobs out there, and you don't need to be a master electrician to build a safe and secure electrical setup for a house. There are appliances that you can use and treat as black boxes that pretty much deal with the "dangerous" parts of electricity, all you have to do

          • With electrical equipment, the manufacturer has the components independently tested, makes the modules according to the safety spec, and marks each one with the appropriate markings to indicate what kind of use is safe. Builders (standard electricians) can replace one certified component with another when it's time for replacement
            They look up in a table which wire gauge to use.

            None of that happens for software.

            The regular electricians that do maintenance work do NOT design the electrical system of y

    • Because they think about "civilians" the way you think about your clients?

      • I'd like to protect them if they only let me?

        • If you think about it, that it is pretty much spot-on about what cops are thinking.

          Looking at your sig, you can also put yourself into the frame of mind of what people are thinking about the police.

    • Security costs money and doesn't bring in any. Guess what gets skimped on.

      Same could be said for toilet paper. As a "sunk cost" I recommend doing away with it.

    • Security costs money and doesn't bring in any. Guess what gets skimped on.

      Insurance costs money and doesn't bring any in. Guess what every business pays for anyway?

  • .. he said in an interview https://www.youtube.com/watch?... [youtube.com]
  • There is no good reason I can conceived to have this shit be internet facing, lots of bad reasons though.

    Service providers which went down because they had this shit internet facing should be sued for gross negligence.

    • by gweihir ( 88907 )

      People have no clue how things actually work, because "management" does not hire experts and engineers, but cheap IT "technicians" that cannot hack it.

      That is why patches do not get installed or get installed very late, a lot of things are internet-facing that have absolutely no business to be, cloud containers are not secured and everybody can copy the date, and, you know, MS crap is on so many desktops and servers. Actual engineers would tolerate nothing of this, because they face liability if they do not

      • is that they are not "hip" in their use of the Broad Anglo Saxon, especially when making recommendations to clients and customers.

      • by dskoll ( 99328 )

        Ironically, part of the selling point of Kaseya and SolarWinds software was that they would help keep your systems patched. That's like painting a giant red bullseye telling attackers what software to target.

        • by gweihir ( 88907 )

          Ironically, part of the selling point of Kaseya and SolarWinds software was that they would help keep your systems patched. That's like painting a giant red bullseye telling attackers what software to target.

          Pretty much. It also shows that believe in a "magic tool" that will fix your problems, like, say, patching, is entirely misplaced.

    • I'm not even that sure they knew it was internet facing.

      What's likely is that they hired the cheapest hacks as network admins that at least knew that TCP isn't the Chinese secret service who then configured the firewall by tinkering with it 'til it allowed the connection they needed, without any consideration whatever else was possible now.

  • by lgftsa ( 617184 ) on Monday July 05, 2021 @03:57AM (#61552194)

    There's a writeup of the apparent exploit that was used, which stated with "dl.asp" and then used several others to infect the server.

    https://www.scmagazine.com/kas... [scmagazine.com]

    I just did a google search for "dl.asp" and the first hit is from Kaseya's community forum site in 2010, discussing the fact that it has no security restrictions. I can't see the original page, as the server's not responding, but google is offering a cached copy of the page, as does the wayback machine.

    Here's the links:

    http://community.kaseya.com/xs... [kaseya.com]

    http://webcache.googleusercont... [googleusercontent.com]

    https://web.archive.org/web/20... [archive.org]

  • They will obviously escalate the scale of their attacks until they get stopped. That makes them greedy and stupid, because eventually they will get stopped and then there will be hell to pay. If they had kept this on a small burner they could have done this forever.

    • May be it goes that way. But there will be others. The example has been made and just like you cannot unthink a thought you can not wipe the lesson out that these supply chain hacks have given to countless potential adepts.

      Changing laws. G7 passing a strong-worded resolution, closing some holes after they were used - that won't really help against the thread. The whole structure of IT outsourcing has opened numerous vulnerabilities. And it's still Windows everywhere.

      Those attacks are possibly pushing for ch

      • by gweihir ( 88907 )

        Well, one thing we will see is more regulation. And real penalties for CEOs and CTOs that skimped on security and then get hit. Whether this will be criminal penalties or just personal liability because of what is obviously gross negligence will remain to be seen. But this half-assed way a difficult ans still evolving engineering discipline is handled almost everywhere has to stop.

  • by bumblebees ( 1262534 ) on Monday July 05, 2021 @07:32AM (#61552398)
    I think in these situations its pretty ok to do some victim blaming and shaming. Put the same amount of resources as the CEO's salary and you will be pretty ok. And stop putting everything on the internet! Some devices really don't belong there even if its cool and convenient!
    • I commend you for admitting that this is blaming and shaming. Generally, blaming and shaming crime victims is yet another thing most people hate about the police "Yes, all of your belongings are ransacked and you lost your grandmother's diamond ring, but you had a weak jamb on your front door and you left a radio playing too loud, tipping off the burglars no one was in the house."

      It is also why most people think IT security dudes are dweebs.

    • Re:Honestly (Score:4, Insightful)

      by Tony Isaac ( 1301187 ) on Monday July 05, 2021 @10:14AM (#61552724) Homepage

      Most victims were small offices, like dentists or doctors, who hired a company to manage their computer systems. These people know nothing about computer security, they were relying on those service providers to worry about that. How would they even know what questions to ask, when selecting a service provider? "Are you using Kesaya?" Why would that be a red flag to them? Kesaya has been well-respected and used by many, for years. No, the victims are not to blame, this is all on the criminals.

    • Some devices really don't belong there even if its cool and convenient!

      Like which devices? No really I'm keen to know which industry you personally want to send back to the 1980s ignoring the fact that putting things on the internet costs actual money and is therefore done for a reason.

      • Well sure. Put pipelines and critical infra on the internet but don't cry when you can't get fuel out of the pump when someone thought it was a good idea to turn them off. Im sure we dont need to send anyone back to the 1800's just because its more convenient to have it on the internet than atleast a very secure private network with no access to the internet from the connected computers. The techies can read the news on their phone instead of the monitoring station.
    • But by putting it in the cloud we managed to cut cost by 200%!

    • I think in these situations its pretty ok to do some victim blaming and shaming.

      The victims are clients of a Managed Service Provider. Blaming them is like saying it's your fault if you put your money in a bank and the bank gets robbed.

  • UPDATE: Bleeping Computer notes the exploited vulnerability "had been previously disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure (DIVD), and Kaseya was validating the patch before they rolled it out to customers."

    Vendors move slowly.. Once they find out about the vulnerability, it takes them quite some time to validate the patch and make it available.
    Corporates move slow, by the time a patch is released it takes quite some time before its deployed.
    Hackers move quickly. As soon as they have an exploit, they'll be scanning looking for vulnerable systems. The tiny address space of legacy IPv4 makes it especially easy, and within a few hours anything vulnerable has already been exploited.

    Hackers aren't slow, if you want to run at a glacial pace they will run rings around you.

  • mostly small businesses like "dental practices, architecture firms, plastic surgery centers, libraries, things like that."

    Oh ... so not "off limits [reuters.com]" then. All is well!

  • Want to stop this and make companies take security seriously ? Put a 400% tax on all payments for Ransomware. Then maybe companies will get serious.

Swap read error. You lose your mind.

Working...