The hackers behind a mass ransomware attack exploited a previously unknown vulnerability in IT management software made by Kaseya Ltd., the latest sign of the skill and aggressiveness of the Russia-linked group believed responsible for the incidents, cybersecurity researchers said Sunday.
Marcus Murray, founder of Stockholm-based TrueSec Inc., said his firm's investigations involving multiple victims in Sweden found that the hackers targeted them opportunistically. In those cases, the hackers used a previously unknown flaw in Miami-based Kaseya's code to push ransomware to servers that used the software and were connected to the internet, he said.
The Dutch Institute for Vulnerability Disclosure said it had alerted Kaseya to a vulnerability in its software that was then used in the attacks, and that it was working with the company on fixes when the ransomware was deployed.
Kaseya "showed a genuine commitment to do the right thing," the Dutch organization wrote. "Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch," it added, referring to the Russia-based hacking group.
REvil was accused of being behind the May 30 ransomware attack on meatpacking giant JBS SA.
The findings differentiate the latest incident -- which cybersecurity firm Huntress Labs Inc. said affected more than 1,000 businesses -- from other recent assaults on the software supply chain. For instance, an attack the U.S. blamed on Russia's foreign intelligence service, disclosed in December, involved altered software updates from another provider of IT management software, Austin, Texas-based SolarWinds Corp. Ultimately, nine federal agencies and at least 100 companies were infiltrated via SolarWinds and other methods.
A representative for Kaseya didn't immediately respond to a request for comment on the latest findings. The company has previously said its VSA product was the victim of a "sophisticated cyberattack" and that it had notified the FBI. Kaseya said it has identified fewer than 40 customers affected by the attack. The company said its cloud-based services weren't affected.
The U.S. Cybersecurity and Infrastructure Security Agency said it was continuing to respond to the recent attack, which it said leveraged a "vulnerability in Kaseya VSA software against multiple managed service providers and their customers."
Kaseya's customers include companies that provide remote IT support and cybersecurity services for small- and medium-sized businesses.
By infecting IT support organizations, the malicious software was passed to their customers as well, multiplying the impact.
Murray, of Sweden's TrueSec, said that because of Kaseya's central role in managing security and IT, victims could have longer recovery times than in typical ransomware incidents.
There are victims in 17 countries so far, including the U.K., South Africa, Canada, Argentina, Mexico and Spain, according to Aryeh Goretsky, a researcher at cybersecurity firm ESET.
President Joe Biden said Saturday that he had ordered a "deep dive" from the intelligence community about the incident, which came just weeks after Biden implored Russian President Vladimir Putin at a summit on June 16 to curb cyberattacks against the U.S. Biden said "we're not sure" that Russia is behind the attack.