Ransomware gang closes physical shops!

The Swedish supermarket chain Coop, one of the largest grocery chains in the country, had to close every one of its 800 branches on Saturday.
The cyber incident began on Friday, when point-of-sale tills and self-service checkouts stopped working.
The REvil ransomware gang targeted managed service providers (MSPs) and their customers in a massive supply-chain attack through US provider Kaseya VSA, a remote patch-management and monitoring suite.

Read more:
https://debatepost.com/sporting/2021/07/04/sweden-800-supermarkets-suddenly-closed-after-a-hacker-attack-economy/
https://www.bbc.com/news/technology-57707530
https://thedigitalnews.org/2021/07/03/coop-supermarket-closes-500-stores-after-kaseya-ransomware-attack/
https://koliasa.com/coop-supermarket-closes-500-stores-after-kaseya-ransomware-attack/
https://www.bleepingcomputer.com/news/security/coop-supermarket-closes-500-stores-after-kaseya-ransomware-attack/
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
https://www.aftonbladet.se/minekonomi/a/86bQQw/coop-butiker-stangs-efter-it-attack

17 Comments

  1. Tomi Engdahl says:

    REvil ransomware asks $70 million to decrypt all Kaseya attack victims https://www.bleepingcomputer.com/news/security/revil-ransomware-asks-70-million-to-decrypt-all-kaseya-attack-victims/
    REvil ransomware has set a price for decrypting all systems locked during the Kaseya supply-chain attack. The gang wants $70 million in Bitcoin for the tool that allows all affected businesses to recover their files. Also:
    https://nakedsecurity.sophos.com/2021/07/05/kaseya-ransomware-attackers-say-pay-70-million-and-well-set-everyone-free/
    Also:
    https://thehackernews.com/2021/07/revil-used-0-day-in-kaseya-ransomware.html
    Also:
    https://therecord.media/revil-gang-asks-70-million-to-decrypt-systems-locked-in-kaseya-attack/

    Reply
  2. Tomi Engdahl says:

    CISA, FBI share guidance for victims of Kaseya ransomware attack https://www.bleepingcomputer.com/news/security/cisa-fbi-share-guidance-for-victims-of-kaseya-ransomware-attack/
    CISA and the Federal Bureau of Investigation (FBI) have shared guidance for managed service providers (MSPs) and their customers impacted by the REvil supply-chain ransomware attack that hit the systems of Kaseya’s cloud-based MSP platform.

    Reply
  3. Tomi Engdahl says:

    Scale, Details of Massive Kaseya Ransomware Attack Emerge
    https://www.securityweek.com/scale-details-massive-kaseya-ransomware-attack-emerge

    Cybersecurity teams worked feverishly Sunday to stem the impact of the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit.

    An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.

    REvil was demanding ransoms of up to $5 million, the researchers said. But late Sunday it offered in a posting on its dark web site a universal decryptor software key that would unscramble all affected machines in exchange for $70 million in cryptocurrency.

    Reply
  4. Tomi Engdahl says:

    IT Software Firm Kaseya Hit By Supply Chain Ransomware Attack
    https://www.securityweek.com/it-software-firm-kaseya-hit-supply-chain-ransomware-attack

    Supply chain cyberattack could have wide blast radius through compromised MSPs

    Software maker Kaseya Limited is urging users of its VSA endpoint management and network monitoring tool to immediately shut down VSA servers to prevent them from being compromised in a widespread ransomware attack.

    According to Kaseya, the attack began around 2PM ET on Friday. The company said that while the incident only appears to impact on-premises customers, SaaS servers have also been shut down as a precautionary measure.

    While the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) had not yet issued an official alert as of early Saturday, the agency said late Friday that it was “taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software.”

    Timing of the attack is certainly no coincidence, as IT and security teams are likely to be understaffed and slower to respond due to the 4th of July holiday weekend in the United States.

    “While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability,” the company said.

    Reply
  5. Tomi Engdahl says:

    https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-4th-2021

    Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.

    Reply
  6. Tomi Engdahl says:

    The damage from the attack that closed shops is becoming clear: the world's most profitable cyberattack? https://www.is.fi/digitoday/tietoturva/art-2000008105509.html

    Reply
  7. Tomi Engdahl says:

    Kaseya Rules Out Supply-Chain Attack; Says VSA 0-Day Hit Its Customers Directly https://thehackernews.com/2021/07/kaseya-rules-out-supply-chain-attack.html
    While initial reports raised speculation that the ransomware gang might have gained access to Kaseya’s backend infrastructure and abused it to deploy a malicious update to VSA servers running on client premises, in a modus operandi similar to that of the devastating SolarWinds hack, it has since emerged that a never-before-seen security vulnerability (CVE-2021-30116) in the software was leveraged to push ransomware to Kaseya’s customers. Also:
    https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident

    Reply
  8. Tomi Engdahl says:

    Global ransomware attack affecting a service platform for small and medium-size segment in Sweden https://www.tietoevry.com/en/newsroom/all-news-and-releases/other-news/2021/global-ransomware-attack-affecting-a-service-platform-for-small-and-medium-size-segment-in-sweden/
    On the late afternoon of Friday 2nd of July, a service platform for a small and medium-size segment of customers was subject to a ransomware attack which was related to the global criminal attack towards Kaseya.
    The Kaseya software is used by a local TietoEVRY operation unit in Sweden, and hence a limited number of customers have been affected. The impact on consumers and the general public has been narrow, even if the impact on the affected customers’ business may be serious.

    Reply
  9. Tomi Engdahl says:

    Swedish Supermarket Closed by Kaseya Cyberattack
    https://www.securityweek.com/swedish-supermarket-closed-kaseya-cyberattack

    Most of one of Sweden’s leading supermarket chains’ 800 shops remained closed on Monday, three days after they were indirectly affected by the cyberattack targeting US company Kaseya.

    Stressing that the situation was looking “positive compared to a few days ago”, Kevin Bell, press spokesman for Coop, told AFP that “a majority” of their stores were still closed.

    On Friday, a hacking attack indirectly hit the supermarket chain, paralysing all its cash registers and forcing the company to temporarily close nearly all its shops across the country.

    Bell said they had been able to reopen a few hundred stores by relying on alternative payment solutions — such as customers paying using their smartphones — and stores also allowed customers to shop online.

    Subcontractor Visma Esscom, where the problem originated, said it was linked to a major cyber attack on Friday on the US company Kaseya.

    Coop, which accounts for about 20 percent of the supermarket industry in the Nordic country with an annual turnover of almost 1.5 billion euros ($1.8 billion), filed a complaint with police on Sunday.

    Reply
  10. Tomi Engdahl says:

    Fake Kaseya VSA Security Update Drops Cobalt Strike https://threatpost.com/fake-kaseya-vsa-update-cobalt-strike/167587/
    A malware spam campaign is milking the Kaseya ransomware attacks against its Virtual System/Server Administrator (VSA) platform to spread a link pretending to be a Microsoft security update, along with an executable file that’s dropping Cobalt Strike, researchers warn.
    Also:
    https://www.bleepingcomputer.com/news/security/fake-kaseya-vsa-security-update-backdoors-networks-with-cobalt-strike

    Kaseya VSA Limited Disclosure
    https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
    Last weekend we found ourselves in the middle of a storm. A storm created by the ransomware attacks executed via Kaseya VSA, using a vulnerability which we confidentially disclosed to Kaseya, together with six other vulnerabilities. Also:
    https://csirt.divd.nl/cases/DIVD-2021-00011/

    Reply
  11. Tomi Engdahl says:

    Wall Street Journal:
    A Dutch security researcher group says it had notified Kaseya in April about one of the flaws that was exploited in the devastating ransomware attack last week — President Biden is meeting officials to discuss recent attacks, including latest affecting hundreds of organizations around the world

    Software Firm at Center of Ransomware Attack Was Warned of Cyber Flaw in April
    https://www.wsj.com/articles/software-firm-at-center-of-ransomware-attack-was-warned-of-cyber-flaw-in-april-11625673291?mod=djemalertNEWS

    Kaseya is still working to fully patch the cybersecurity flaw in its VSA software.

    WASHINGTON—The software company linked to a massive ransomware spree that began last week and has impacted hundreds of organizations across the globe was notified in early April of a cybersecurity vulnerability used in the attack, according to the Dutch security researcher group that discovered the issue.

    Kaseya Ltd., a Miami-based software supplier that helps technology-service providers manage computer networks, was told of a serious cybersecurity hole in its Kaseya VSA software on April 6, Victor Gevers, chairman of the Dutch Institute for Vulnerability Disclosure, said Wednesday. Mr. Gevers’s organization, which is a volunteer-run security group, discovered the flaw.

    “When we discovered the vulnerabilities in early April, it was evident to us that we could not let these vulnerabilities fall into the wrong hands,” Mr. Gevers said in a blog post. “After some deliberation, we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do.”

    Kaseya VSA Limited Disclosure
    https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/

    07 Jul 2021 – Frank Breedijk
    Why we are only disclosing limited details on the Kaseya vulnerabilities

    Last weekend we found ourselves in the middle of a storm. A storm created by the ransomware attacks executed via Kaseya VSA, using a vulnerability which we confidentially disclosed to Kaseya, together with six other vulnerabilities.

    Ever since we released the news that we indeed notified Kaseya of a vulnerability used in the ransomware attack, we have been getting requests to release details about these vulnerabilities and the disclosure timeline. In line with the guidelines for Coordinated Vulnerability Disclosure we have not disclosed any details so far. And, while we feel it is time to be more open about this process and our decisions regarding this matter, we will still not release the full details.

    Why the secrecy?

    As the ransomware attack using Kaseya VSA software has shown, the effects of a malicious actor knowing the full details of a vulnerability can be devastating. This immediately poses a dilemma to anybody that discovers a critical vulnerability in a critical piece of software: do we disclose the details or not?

    If the full details are made public, it is evident that many cars will get stolen very soon. If you inform the owners, this will likely happen too. The chances of the details remaining secret are slim if you inform a broad audience. Even if you limit the details to ‘a security issue involving the bumper’, you might tip off the wrong people. If you tell the manufacturer, there is a good chance that he comes up with a fix before large-scale car thefts are happening, and you can consider whether you need to tell the owners to keep their car behind closed doors in the meantime.

    How does this relate to Kaseya VSA?

    When we discovered the vulnerabilities in early April, it was evident to us that we could not let these vulnerabilities fall into the wrong hands. After some deliberation, we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do. We hypothesized that, in the wrong hands, these vulnerabilities could lead to the compromise of large numbers of computers managed by Kaseya VSA.

    As we stated before, Kaseya’s response to our disclosure has been on point and timely, unlike other vendors we have previously disclosed vulnerabilities to. They listened to our findings, and addressed some of them by releasing a patch resolving a number of these vulnerabilities, followed by a second patch resolving even more. We’ve been in contact with Kaseya ahead of the release of both these patches, allowing us to validate that these vulnerabilities had indeed been resolved by the patch in development.

    Unfortunately, the worst-case scenario came true on Friday the 2nd of July. Kaseya VSA was used in an attack to spread ransomware, and Kaseya was compelled to use the nuclear option: shutting down their Kaseya Cloud and advising customers to turn off their on-premise Kaseya VSA servers. A message that unfortunately arrived too late for some of their customers.

    We later learned that one of the two vulnerabilities used in the attack was one we previously disclosed to Kaseya.

    What can we tell?

    In this blogpost and DIVD case DIVD-2021-00011 we publish the timeline and limited details of the vulnerabilities we notified Kaseya of.

    Full disclosure?

    Given the serious nature of these vulnerabilities and the obvious consequences of abuse of Kaseya VSA, we will not disclose the full details of the vulnerabilities until such time that Kaseya has released a patch and this patch has been installed on a sufficient number of systems, something for which we have the monitoring scripts. In the past few days we have been working with Kaseya to make sure customers turn off their systems, by tipping them off about customers that still have systems online, and hope to be able to continue to work together to ensure that their patch is installed everywhere.

    Reply
  12. Tomi Engdahl says:

    Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours https://beta.darkreading.com/vulnerabilities-threats/attacks-on-kaseya-servers-led-to-ransomware-in-less-than-2-hours
    Automation allowed a REvil affiliate to move from exploitation of vulnerable servers to installing ransomware on downstream companies faster than most defenders could react.

    Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software/
    On July 3, security incident response firm Mandiant notified Kaseya that their billing and customer support site portal.kaseya.net was vulnerable to CVE-2015-2862, a “directory traversal” vulnerability in Kaseya VSA that allows remote users to read any files on the server using nothing more than a Web browser.

    Reply
  13. Tomi Engdahl says:

    Emails Offering Kaseya Patches Deliver Malware
    https://www.securityweek.com/emails-offering-kaseya-patches-deliver-malware

    IT management software maker Kaseya is still working on patching the vulnerabilities exploited in the recent ransomware attack, but some cybercriminals are sending out emails offering the patches in an effort to distribute their malware.

    Reply
  14. Tomi Engdahl says:

    All Coop stores are open again
    https://tekdeeps.com/all-coop-stores-are-open-again/

    All of Coop’s stores are open again after Friday’s global IT attack, which knocked out the food chain’s checkout system. According to Coop, no extortion requirements have been directed specifically at the food chain. – We have not paid any money, says Coop’s CEO Magnus Johansson.

    Coop announces that from 15.00 on Thursday, all stores are finally open.

    – From now on, we have the opportunity to sell goods at all our Coop stores in Sweden, says Coop’s CEO Magnus Johansson to TT.

    About a hundred technicians have worked intensively to restart cash by cash manually, in store after store.

    – It is what has taken time, that we have had to physically send out technicians to all stores in the extensive store network that Coop has, says Johansson and continues:

    – We are often one of the few stores in some parts of Sweden and even the last store in the area. We apologize to our customers who were not able to shop.
    Have not paid

    Coop has reported the IT attack to the police, which forced the majority of the chain’s stores to close.

    According to Coop, no extortion requirements have been addressed specifically to the food chain.

    – We have not paid any money, says Magnus Johansson.

    There is no indication that the hackers came across the customers’ personal data and card details, according to Johansson.

    Global attack

    The extensive so-called ransomware attack began last Friday and was aimed at the Miami-based software company Kaseya, which sells IT services to customers globally. Hundreds, perhaps thousands, of companies around the world have been affected, among them Visma Esscom, which provides Coop and other Swedish companies with cash solutions.

    – We were one of the companies through a subcontractor who had the software. But it was not an attack on Coop, but an attack on society at large. And I think society and we will have to reflect on that after this.

    Both self-payment cash registers and staffed cash registers suddenly stopped working on Friday night. On Sunday, the food chain had managed to open around 300 stores for trade with an alternative payment solution.

    – Now we see the value of complementary digital payment solutions. Online shopping has also worked as usual. Now we are looking at having it as widely spread in Sweden as possible.

    The attack has hit Coop hard, which so far has focused on getting the trade started as soon as possible.

    – It is of course great economic values that may have been lost.

    Reply
  15. Tomi Engdahl says:

    Coop, other ransomware-hit firms, could take weeks to recover, say experts
    https://www.reuters.com/technology/coop-other-ransomware-hit-firms-could-take-weeks-recover-say-experts-2021-07-05/

    STOCKHOLM, July 5 (Reuters) – Computer systems of several companies across the world, including 800 physical grocery stores of Sweden’s Coop, that were shut down after being attacked by REvil ransomware could take weeks to recover, cyber security experts said.

    Hackers from the REvil cybercrime gang compromised systems of IT firm Kaseya and malware trickled down to its resellers and reached end customers such as Coop who used its software.

    The ransomware locked data in encrypted files and late on Sunday hackers demanded $70 million to restore the data.

    The REvil actors had claimed that a million machines were compromised, said Mark Loman, director of engineering at cybersecurity firm Sophos.

    Reply
