How a supply chain attack closed one of Sweden’s largest supermarket chains

Share this post:

Last week, when heading out for some groceries, I was met with a note on the entrance to my local grocery store saying the store was closed due to IT problems. Working in IT security this immediately sparked my curiosity. What was going on? I quickly pulled up my mobile phone to check the news. I was staggered by what I saw. A ransomware attack had hit Coop in Sweden, one of Sweden’s largest supermarket chains, forcing them to temporarily close about 500+ supermarkets.

Thinking this must be more or less equivalent to the perfect storm for any IT security professional, I could only imagine what the teams at Coop and its vendors were going through in order to manage and respond to the situation. However, this also raised a million questions with me. How did this happen? How did the ransomware manage to get into Coop’s systems? Could this have been stopped and what can we learn from this?

How did it all start?

As more and more information come into light, we can begin to piece things together. It turns out that there has been quite a lot going on and that Coop was far from the only victim of this malicious cyberattack. Organizations across the globe has reported seeing similar kinds of behaviour on various systems. But how did it start? Well much of it comes down to a cyber threat actor called REvil and a supply chain attack involving a zero-day vulnerability. 

This zero-day vulnerability, a sort of previously unknown security flaw, was affecting VSA, a remote system monitoring and management software made by a company called Kaseya. The vulnerability allowed an outsider to execute commands and gain access to VSA servers’ internet facing management portals. The VSA software is used globally by many MSPs (managed service providers) to manage their client’s various systems. One of these MSPs was Visma Esscom in Sweden which is a MSP used by Coop.

The treat actor behind this is a group called REvil, who managed to exploit this zero-day vulnerability to conduct what is known as a supply chain attack against target organization. A supply chain attack is a cyber-attack, where the adversary compromises a vendor whose software or services is in turn used by other organizations. In the case of the Coop attack, we kind of saw a double supply chain attack where the supplier of the management software, which was used by Coop’s MSP, was compromised. From a cyber criminal’s perspective, a supply chain attack is very desirable. Since the supplier’s software or services are already used and trusted by organizations, compromising one supplier is an easy way to in turn compromise its customers. We have seen attacks using similar means in the recent Sunburst incident involving SolarWind’s Orion software.  

By gaining access to the MSPs VSA server, REvil managed to distribute their malicious software, in the form of a hot-fix software update, to the VSA agents used on the managed systems. This malicious hot-fix update (encoded as agent.crt decoded as agent.exe) also contained an older version of Windows Defender (msmpeng.exe) together with a malicious .dll file (mpsvc.dll). This older Windows Defender version had a side-loading vulnerability allowing the attackers to load malicious code (Sodinokibi ransomware) into the otherwise trusted and well-known process. Agent.exe then executed the benign Windows Defender process on the target systems, loading the .dll file which executed the ransomware attack. The sneaky yet interesting thing about distinguishing the ransomware attack as a benign Windows Defender process is that it becomes harder to detect. This due to Windows Defender being a process which is expected to scan and touch multiple files across a system. 

All in all, this was clearly a highly sophisticated attack, and at the same time very efficient in both how it was distributed and how it avoided detection. Now the question is; what could have been done differently? And can we learn anything form this incident? 

What can we learn from attacks like these?

Supply chain attacks are tricky as they utilize software or services that we trust. Because of this, defence is not trivial. As more becomes known regarding this attack, we will hopefully learn more, but at this point in time it is hard to say whether or not anything could have been done differently, in order to prevent the attack. However, in general there are some good practises involving common security hygiene such as prevention, detection and response that can be applied to at least reduce the risk of an attack.

Preventive measures aim to reduce the likelihood or impact of cyber incidents. This could include for example application control, network segmentation, multi-factor authentication, as well as working with partners and suppliers regarding security policies and practises. Continuous patch management is also essential to remove known vulnerabilities from systems. However, this is of course not possible in the case of zero-day vulnerabilities. In the case of Kaseya and VSA, we know that Kaseya got information about a vulnerability from the Dutch Institute for Vulnerability Disclosure. Kaseya were at the time of the attack working hard to remediate the vulnerability. So, in the case of this REvil attack and Coop, it might have been down to just unfortunate timing. 

Preventing and reducing the likelihood of a cyber incident is essential. Equally important is having the ability to discover when something goes wrong. The faster you can detect and analyse an ongoing incident, the quicker you can do something about it. Detection includes monitoring systems for anomalies as well as staying up to date with threat intelligence. In the case of REvil’s ransomware attack, threat intelligence sources have now provided IOCs (indicators of compromise) in the form of file names and file hashes. In other words, now other organizations know what to look for to detect this specific ransomware in their systems. Check out X-Force Exchange REvil collections.  

Finally, organizations should also work to prepare themselves to respond if an incident occurs.  Knowing what to do in the event of a cyber incident is equally important to prevent and detect the event in the first place. This could for example include formulating and practising incident response plans but also regularly perform and validate back-ups of critical systems. One good place to start is to practise incident management at a cyber range such as IBM Security Command Center. 

Going back to Coop and their closed supermarkets. Today I read in the news that Coop is reopening their stores and Kaseya have released a patch to remediate the vulnerability. From what I have understood, technicians have worked tirelessly to physically visit all the store locations to reset the systems. Not a small task for Coop, Visma and Kaseya! Kudos to them! While this attack was indeed severe, there is also a silver lining. Besides being able to share experience and learn from each other, we also see increased awareness in society and among our politicians. The cyber vulnerability of a society is very relevant and something that needs to be taken seriously. However, that is a blog for another time… Now it is time for me to finally head over to my local Coop supermarket for some dinner grocery shopping. 

Recommended further reading:

• Kaseya published IOCs 
• Security intelligence article on REvil Ransomware