What Analysts, Security Firms Are Saying About Ransomware Attack

DUBLIN, Ireland/MIAMI–The number of credit unions, if any, affected by the ransomware attack on companies and organizations that use Kaseya software remains unknown, even as up to one million personal computers reportedly may have been infected.

In a statement to CUToday.info, NCUA declined to say anything other than, “This is a developing situation and we are monitoring the situation.”

While no credit union has been publicly identified as having been compromised by the attack, several national news outlets reported over the July 4 weekend that CUs are among the organizations hit by the ransomware.

As CUToday.info reported earlier, beginning on July 2 the Russia-based REvil ransomware group launched a crypto-extortion campaign using an exploit of Kaseya's VSA remote management service. The attack affects Managed Service Providers (MSPs) that use the Kaseya VSA remote management service, as well as the customers of the affected MSPs.

In a statement, Kaseya said it believes the breach has affected approximately 60 MSPs with approximately 1,500 downstream customers. The ransomware group is reportedly asking for $70 million to unlock all the encrypted machines.

Kaseya said it has met with US government agencies including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) and has also engaged with the White House and cybersecurity firm FireEye Mandiant.

The White House is urging companies that believe their systems were compromised in the ransomware attack that targeted Kaseya to immediately report it to the Internet Crime Complaint Center.

Not an ‘Anomaly’

“This is more of the same—and no longer is an anomaly,” Jim Stickley, CEO of Stickley on Security, told CUToday.info. “Ransomware is an everyday thing, and every organization should have a really solid plan in place for what it will do when this happens—not if it happens. This threat is no longer an ‘if.’” 

An ‘Unusual Attack’

Brett Callow, a threat analyst at the security firm Emsisoft, told CUToday.info, “What’s unusual in this case is that they didn’t directly attack the 1,500 companies, they attacked them via their outsourced IT providers—using Kaseya’s products. This isn’t unusual either, except in terms of scale…REvil probably doesn’t have the capacity to handle more than a thousand individual negotiations, so offering a universal decryptor—which would unlock all the computers belonging to all the impacted companies—would be the most streamlined option for them.”

Callow noted REvil accounts for more than 10% of global ransomware incidents.

A ‘Good Reminder’

The CUSO Ongoing Operations, which does not use the Kaseya VSA remote management service, issued a statement saying it is working with its critical partners and vendors to confirm that this Kaseya software breach has not affected them.  

Noting that the Kaseya VSA remote management service is commonly used software among MSPs, Ongoing Operations said, “Every credit union should assess their exposure to this vulnerability and the exposure of any vendor who handles member data.”

The most recent ransomware attack, said Ongoing Operations, is a good reminder to credit unions to:

  • Ensure backups are up to date, are retrievable, and have one copy that is not accessible via normal network communication channels or with standard credentials.
  • Implement MFA on management systems and remote access software.
  • Ensure the principle of least privilege is applied to admin accounts. 

Resources Available

Ongoing Operations also pointed credit unions to the following resources:

Helpful Links  

CISA-FBI guidance   

https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa  

Kaseya's Updated Notice on the issue  

https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-3rd-2021  

Kaseya Technical Information on the Incident  

https://helpdesk.kaseya.com/hc/en-gb/articles/4403584098961  

Kaseya VSA Detection Tool  

https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40  

Sophos Technical Description on How the Exploit Worked  

Copyright Holder: CUToday.info
Copyright Year: 2026