Urgent Communications

Cybersecurity


Partner content

Attacks on Kaseya servers led to ransomware in less than 2 hours

  • Written by Robert Lemos / Dark Reading
  • 8th July 2021

Sometime after 14:30 UTC on Friday, July 2, network traffic exploiting a chain of three vulnerabilities began compromising scores of Internet-connected Kaseya Virtual System Administrator (VSA) servers hosted by managed service providers. The attackers' code was synchronized to a specific time and then hibernated.

At 16:30 UTC, all within the same second, the compromised servers woke up and ran a command script that disabled a variety of security controls and pushed malicious payloads to every system managed by those servers, according to an analysis conducted by Huntress Labs. While security firms are still sifting through the data, reverse engineering has revealed that the attack, from the first packets exploiting dozens of VSA servers to the deployment of ransomware on the endpoints of hundreds to thousands of MSP customers, took less than two hours.

The speed of the automation gave managed service providers and their customers only a very narrow window in which to detect the attack and block it, says John Hammond, a senior threat researcher for Huntress Labs. Companies would have had to run frequent monitoring and alerting to catch the changes in time, he says.

“Unfortunately, this form of hyperactive logging and detection is rare — managed service providers often don’t have the resources, let alone the personnel to frequently monitor massive components of their software and stack,” Hammond says. “With that said, the efficacy and potential for human-powered threat hunters is never something to be left out of the equation.”

The quick turnaround of the attack underscores the compressed timeline defenders have to respond to automated attacks. The REvil group and its affiliates, who are thought to be responsible for the attack, scanned for Internet-connected VSA servers and, when one was found, sent the initial exploit, which chained three vulnerabilities.

At 14:48 UTC on Friday, July 2, the first packets started hitting on-premises Kaseya VSA servers, according to logs collected from affected MSPs by Huntress Labs. The exploited flaws included an authentication bypass, an arbitrary file upload, and a command injection. The activity continued until the hibernating processes reactivated at 16:30 UTC, at which point antivirus firms suddenly started seeing spikes in detections of the ransomware payload.

In the hour after the attack’s activation, between 16:30 and 17:30 UTC, antivirus firm Sophos detected a massive spike in blocked ransomware activity on its endpoints.

“We started seeing telemetry immediately as the client systems started getting hit,” says Sean Gallagher, senior threat researcher at Sophos. “The telemetry spiked all at one time, in a very small time window.” After that, the attack mostly went quiet, he says.

Because Kaseya VSA manages other systems, the software not only runs with elevated privileges, usually administrator rights, on those systems, but also commonly has exclusions in place so that antivirus software does not flag its activity as malicious. The command-line script that executed at 16:30 UTC on Friday launched a PowerShell script that disabled many security measures, loaded certificates, and ran a malicious executable disguised as a certificate file, agent.crt.
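The two detection opportunities the article describes, a synchronized fan-out from one management process to many hosts within the same second, and a single command line that both disables endpoint protections and executes a file carrying a certificate extension, can be checked with a small amount of telemetry logic. The following is an added example written for this page; it is not code from Huntress, Sophos, Dark Reading or Kaseya. The process-creation event format, the host names, the parent image name rmm-agent.exe, the C:\temp path and the sample log lines are all constructed for illustration; only Set-MpPreference and netsh advfirewall are real Windows commands.

```python
"""Detect a synchronized RMM fan-out and 'disable protections, then run a .crt'
command lines over constructed process-creation telemetry (Sysmon-style)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime      # process creation time, UTC
    host: str         # endpoint that spawned the process
    parent: str       # parent image name
    cmdline: str      # full command line of the new process


# Constructed sample telemetry (not real Kaseya or Huntress logs). One line per
# process creation: <ISO-8601 UTC time> <host> <parent image> <command line>.
# Three managed hosts are hit in the same second by the same parent process
# (hypothetical name rmm-agent.exe); the last two lines are benign admin work.
SAMPLE_LOG = """\
2021-07-02T16:30:00Z ws-acme-01 rmm-agent.exe cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true & C:\\temp\\agent.crt
2021-07-02T16:30:00Z ws-acme-02 rmm-agent.exe cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true & C:\\temp\\agent.crt
2021-07-02T16:30:00Z srv-acme-db rmm-agent.exe cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true & C:\\temp\\agent.crt
2021-07-02T16:30:07Z ws-acme-03 explorer.exe certutil.exe -addstore Root C:\\temp\\corp-ca.crt
2021-07-02T16:31:12Z ws-acme-01 rmm-agent.exe cmd.exe /c powershell Get-MpComputerStatus
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

# Commands that switch off endpoint protections. Set-MpPreference -Disable* and
# netsh advfirewall ... state off are real; the list is deliberately short.
DISABLE_PATTERNS = [
    re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$true", re.I),
    re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
]

# A .crt token in a command position (start of line, or right after a shell
# operator) is being executed, not installed. A .crt passed as an argument to
# certutil -addstore sits after whitespace, not an operator, and is left alone.
CERT_EXEC = re.compile(r"(?:^|[&|;]\s*)\S+\.crt\b", re.I)


def parse_log(text: str) -> list[ProcEvent]:
    """Parse the constructed line format into ProcEvent records."""
    events: list[ProcEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts_raw, host, parent, cmdline = m.groups()
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ProcEvent(ts, host, parent, cmdline))
    return events


def suspicious_commands(events: list[ProcEvent]) -> list[ProcEvent]:
    """Events whose command line disables protections AND executes a .crt file.
    Requiring both keeps routine certificate installs out of the alert."""
    return [
        e for e in events
        if any(p.search(e.cmdline) for p in DISABLE_PATTERNS)
        and CERT_EXEC.search(e.cmdline)
    ]


def fanout_bursts(events: list[ProcEvent], min_hosts: int = 3) -> list[tuple[str, str, int]]:
    """(second, parent image, distinct host count) for every parent that spawned
    processes on at least min_hosts different hosts within one second. The
    threshold is tiny for the sample; in production it tracks fleet size."""
    hosts: dict[tuple[datetime, str], set[str]] = defaultdict(set)
    for e in events:
        hosts[(e.ts.replace(microsecond=0), e.parent)].add(e.host)
    return sorted(
        (ts.strftime("%Y-%m-%dT%H:%M:%SZ"), parent, len(h))
        for (ts, parent), h in hosts.items()
        if len(h) >= min_hosts
    )


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in suspicious_commands(evs):
        print(f"ALERT cmdline {e.host} {e.ts:%H:%M:%S}: {e.cmdline[:60]}...")
    for when, parent, n in fanout_bursts(evs):
        print(f"ALERT fan-out {when}: {parent} spawned processes on {n} hosts")
```

The burst rule is the one that fires regardless of what the payload looks like: a management agent touching every host it owns inside a single second is the signature of the synchronized wake-up the article describes, so it is worth alerting on before the command-line content is even inspected. The command-line rule gates on both conditions so that a legitimate certutil -addstore of a root certificate does not page anyone.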

To read the complete article, visit Dark Reading.
