'Yet another supply-chain attack nightmare'


July 5, 2021

Over the weekend we have seen yet another report of a ‘colossal’ ransomware attack, hitting over 200 US businesses prior to the Independence Day holiday.

According to a BBC article, this latest exploitation – believed to be the workings of Russia-linked REvil – targeted IT company Kaseya on Friday afternoon, just as people were leaving for a long weekend of celebrations, executing ransomware attacks on hundreds of companies across Kaseya’s customer network that use its software.

Every week there are media articles about large companies getting taken offline by cyber criminals, with some declared as a ‘national emergency’. The risk of an attack to any company is real and, as Joe Tidy, Cyber reporter, states: ‘The two big things that are keeping cyber-security professionals up at night lately are ransomware and supply chain attacks.’

This latest example exploited both.

Cyber criminals have now found a new ‘sweet spot’ in supply-chain attacks. They are looking for easy access routes to cause maximum damage and offer the greatest return. This attack has certainly done that – targeting one company has ‘taken down’ multiple, if not hundreds of, companies across the US. According to IBM, the average cost to a company of each attack is in excess of $3.9mn, so this one exploitation of Kaseya’s digital vulnerability may have cost its customer base hundreds of millions of dollars. Expect to see some substantial lawsuits!

Whilst we have seen several attacks over the previous months, this may be the most damaging by the sheer volume of Kaseya’s network impacted, achieved by exploiting a single supplier in the attacked companies’ supply chain.

For so long, cyber security professionals have focussed their efforts on protecting inside the perimeter and making their own company water-tight. Equal effort should be made to ensure their supplier ecosystem is held to the same high standards.

If you would like to discover your entire supply chain's digital risk in seconds, please contact us today for a 15-min demo of our Vendor Risk Management Platform.

Laura Miller