An attack on outsourced services brings businesses to a halt
On the morning of Saturday, July 3rd, many customers showing up at Coop supermarkets in Sweden were unable to do their weekend grocery shopping as more than half of the company’s 800 stores were affected by a cyberattack that disabled point-of-sale tills and self-service checkout stations. As a Coop spokeswoman said in a statement to the BBC, “We first noticed problems in a small number of stores on Friday evening around 6:30pm so we closed those stores early. Then overnight we realised it was much bigger and we took the decision not to open most of our stores this morning so that our teams could work out how to fix it.”
This cyber attack like many others was set off as the weekend was beginning, timed to create maximum havoc. The disruptions were caused by an attack on the organization’s Managed Service Provider (MSP), Kaseya. MSPs are a service by which organizations can outsource their IT needs, usually including things like IT infrastructure, cybersecurity, and providing managed hardware outsourcing, among many others. Coop was just one of many organizations suffering coming under an REvil ransomware attack as a result of this breach, which according to Kaseya’s critical bulletin on July 3rd ultimately affected “fewer than 60 Kaseya customers” and “fewer than 1,500 downstream organizations”.
Affected customers used the cloud-based management and monitoring platform Kaseya VSA (Virtual System Administrator) to deploy software and automate IT-related tasks, which is what allowed bad actors to deploy enterprise systems at such a high level of privilege. In their July 3rd bulletin, Kaseya advised that all users running Kaseya VSA on-premises shut down their servers and await further instruction, as well as the shutdown of their SaaS and hosted servers (though they did not believe them to be affected). The attack was spread through Kaseya’s auto-update system. Kaseya VSA downloaded malware labeled as a ‘hotfix’ that would then disable security features, extract an agent, and begin the encryption process. With Kaseya’s hard work it took about nine days to restore normal functionality.
Once ransomware encrypts data, operations are disrupted for several days at minimum. Fortunate organizations have data backups that can be used for restoration, but even that will cause significant delays. Some stakeholders might choose to pay ransoms in exchange for their hackers’ promise that they’ll delete data and not release it to the public or in an attempt to rescue their business. TXOne’s threat researchers recommend against this – the REvil ransomware group in particular has a history of receiving one payment to delete stolen sensitive information and then coming back later to extort another.
While the web site that REvil used to host their announcements, payment portal, extortion page, and chat function went offline on July 13th, make no mistake: the ransomware itself remains at large and no less of a threat to operations. Trend Micro researchers even identified an attempt to piggyback onto this attack in the form of spam e-mails from fake IT company employees offering a “Kaseya patch” of remote access software deviously labeled ‘SecurityUpdates.exe’.
Point-of-sale terminals like those brought to a stop in this attack often run on legacy OSes, like Windows Embedded XP, and have difficulty running traditional anti-malware defenses. TXOne Networks’ ICS endpoint protection solution StellarEnforce is tailor-made for legacy systems, and secures them against ransomware, including REvil, with the use of trust list-based lockdown. Systems running StellarEnforce can only execute applications and services that are trust listed, allowing minimized impact to system resources while requiring no internet connection, periodic updates, or regular scans.
TXOne Networks’ threat researchers recommend the use of lightweight lockdown software StellarEnforce to secure fixed-use and legacy assets.