REvil Malware Suspected of Infecting Scores of IT Management Companies, Clients
UPDATED July 4, 5 a.m. EDT
U.S. President Joe Biden has ordered federal intelligence agencies to investigate the incident involving IT management software vendor Kaseya, which sustained a suspected REvil ransomware attack on Friday. Attackers reportedly compromised Kaseya’s remote monitoring system, VSA, forcing the company to urge its managed service provider customers to temporarily shut down their on-premises servers for at least the next 24 to 48 hours.
Kaseya VSA is a remote management platform for MSPs that provides solutions such as automated patch management. According to Kaseya, the platform has been used by more than 36,000 MSP customers worldwide.
On a visit to Michigan on Saturday, Biden was asked about the attack and told reporters “we’re not certain” who is behind it. “The initial thinking was it was not the Russian government but we’re not sure yet,” he said.
In an update late Friday, Kaseya CEO Fred Voccola said the company detected the compromise on its VSA platform on Friday afternoon. He also added the spread of the attack has “been limited to a small number of on premise customers.”
In a Saturday evening update, Kaseya stuck by its conservative estimate. “Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.”
Security firm Huntress Labs, which assessed a ransom note believed to be tied to Kaseya, has linked the attack to the REvil ransomware group – the same group the FBI has said was responsible for attacking meat processing giant JBS in late May. Huntress also said the attack has already compromised eight of Kaseya’s MSP customers, with 200 businesses linked to three of those victims reporting instances of file encryption.
Among the businesses impacted: Coop, a Swedish grocery chain, which reportedly was forced to close many of its 800 retail stores. “One of our suppliers has been hit by an IT attack and therefore the cash registers do not work,” Coop announced to its customers. “We regret this and do everything to be able to open again soon.”
On Friday, Mark Loman, a malware analyst at security firm Sophos, tweeted the hackers demanded $5 million as ransom in exchange for the file decryptor.
Kaseya did not immediately respond to a request from Information Security Media Group seeking more information on the attack. The firm did promise ongoing updates.
Kaseya describes itself as a leading provider of IT and security management solutions for MSPs and small- to medium-sized businesses. It is headquartered in Dublin, Ireland, is privately held and operates in over 20 countries.
Upon learning of the attack, Kaseya says it immediately shut down its SaaS servers as a precautionary measure, and it notified its on-premises customers “via email, in-product notices, and phone” to shut down their on-premises VSA servers to prevent them from being compromised. Kaseya also directed its on-premises customers to remain offline until the affected systems have been checked and confirmed safe.
Kaseya also added that it is currently working with its internal forensic team and law enforcement agencies to investigate the attack.
“Only a very small percentage of our customers were affected – currently estimated at fewer than 40 worldwide,” Kaseya CEO Voccola said. “We expect to restore service to those customers once we have confirmed that they are not at risk, which we expect will be within the next 24-48 hours.”
In a follow-up update on Saturday morning, the company said it has been working around the clock on “a security assessment, client support, progress update, technical resolution, and return to operational status standpoint.”
Further, Kaseya said “We have been advised by our outside experts, that customers who experienced ransomware and receive a communication from the attackers should not click on any links - they may be weaponized.”
Kaseya said it will continue to post updates every 3-4 hours.
On Saturday evening, Kaseya reported that it has engaged with FireEye and other unidentified incident response firms to identify indicators of compromise related to its breach. “We have identified a set of preliminary IoCs and have been working with our affected customers to validate them,” Kaseya reports.
Additionally, the firm announced plans to offer a new Compromise Detection Tool for Kaseya VSA customers. They may access it by sending an email to firstname.lastname@example.org with the subject “Compromise Detection Tool Request” from an email address associated with a VSA customer. “With the availability of the Compromise Detection tool, we strongly recommend that compromised customers immediately begin the recovery process,” Kaseya says.
As of Saturday evening, Kaseya acknowledges only one new report of a compromise occurring because of a VSA on-premises server being left on. “We are confident we understand the scope of the issue and are partnering with each client to do everything possible to remediate,” Kaseya says. “We believe that there is zero related risk right now for any VSA client who is a SaaS customer or on-prem VSA customer who has their server off.”
The U.S. Cybersecurity and Infrastructure Security Agency also alerted Kaseya customers to quickly follow the mitigation steps issued by the company. “Immediately follow their guidance to shutdown VSA servers,” CISA said.
In its alerts, Kaseya noted that it has identified the source of the vulnerability that may have led to the attack and added that it is working to issue a patch for the flaw soon. “We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly,” Voccola said. “We will release that patch as quickly as possible to get our customers back up and running.”
Loman of Sophos tweeted that the vulnerability is exploited by a malicious update, which contains code to disable Microsoft Defender Real-Time Monitoring.
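The Defender-tampering behavior Loman describes is something an MSP or its clients can check for on their own endpoints. The following PowerShell audit is an added example, not code from the article, Kaseya or Sophos; it assumes a Windows host with the built-in Defender module and must be run elevated. It reports whether real-time monitoring is currently off and whether the Defender operational log has recorded it being disabled recently.

```powershell
# Added example: audit Microsoft Defender real-time monitoring state and
# recent "real-time protection disabled" events (Event ID 5001).
# Assumes Windows 10 / Server 2016 or later with the Defender module; run elevated.

$findings = @()

# Current preference and live status, from the two Defender cmdlets.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

if ($pref.DisableRealtimeMonitoring) {
    $findings += "MpPreference: DisableRealtimeMonitoring is set to True"
}
if (-not $status.RealTimeProtectionEnabled) {
    $findings += "MpComputerStatus: RealTimeProtectionEnabled reports False"
}

# A policy registry value can also force real-time monitoring off.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$policyVal = Get-ItemProperty -Path $policyKey -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue
if ($policyVal -and $policyVal.DisableRealtimeMonitoring -eq 1) {
    $findings += "Policy registry value DisableRealtimeMonitoring=1 under $policyKey"
}

# Event ID 5001 in the Defender operational log records real-time protection being disabled.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $findings += "Event 5001 (real-time protection disabled) at $($e.TimeCreated)"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: Defender real-time monitoring enabled; no disable events since $since"
} else {
    $findings | ForEach-Object { Write-Output "ALERT: $_" }
}
```

Any ALERT line on a host that should have real-time protection on, especially one timed around a VSA agent update, warrants isolating the machine and pulling the VSA and Defender logs for review.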
Although complete details of the Kaseya hack have yet to be ascertained, this latest incident would mark the second time in recent months that attackers have compromised a high-profile supply chain environment using a malicious software update.
The SolarWinds supply chain hack is believed to have begun in March 2020 when attackers planted a backdoor in an Orion software update. Up to 18,000 customers installed and ran the Trojanized software. Later, attackers launched follow-on attacks on nine U.S. government agencies and about 100 private sector firms, federal investigators say (see: Why Didn’t Government Detect SolarWinds Attack?).
REvil, also known as Sodinokibi and Sodin, is a ransomware-as-a-service offering, which means a core group develops and maintains the ransomware code and makes it available to affiliates via a portal.
Those affiliates and the core group of operators share in any profits that result from victims paying a ransom. Recent victims that have made payments include meat processor JBS, which paid $11 million in bitcoins.
Many security experts rank REvil among the most damaging and prevalent RaaS operations, alongside Conti, DoppelPaymer (aka DopplePaymer), Maze offshoot Egregor, and Ryuk. (For more on REvil, see REvil’s Ransomware Success Formula: Constant Innovation.)
Targeting MSPs: “A Diabolical Extortion Tactic”
Security experts note that MSPs are a vulnerable target because they are mostly smaller businesses with less mature security checks and balances in place.
“These types of technology management solutions can have high concentrations of risk due to their large collection of enterprise accounts with elevated privileges, unrestricted firewall rules needed for them to operate, and a cultural ‘trust’ that the traffic to/from them is legitimate and should be allowed,” says Chris Grove, technology evangelist with security firm Nozomi Networks. “Once a breach happens, the victim would generally reach for these tools to work their way out of a bad situation, but when the tool itself is the problem, or is unavailable, it adds complexity to the recovery efforts.”
“MSPs leverage Kaseya’s software, making them an attractive target because extortionists can quickly increase potential targets,” says Rick Holland, CISP and vice president of strategy at Digital Shadows. “These victims are a desirable target as they may not have the means to eradicate the adversary and restore their IT systems, forcing them to pay the ransom. Targeting an MSP that serves vulnerable SMBs is a diabolical extortion tactic.”
Philip Reitinger, CEO and President of the Global Cyber Alliance, says this latest attack is “both different from and similar to the SolarWinds attack.” It is similar because it also has a widespread scope and appears to be a supply chain attack. But the means and purpose are different, he says.
“Here we don’t have an attack (so far as I see) on the systems of a software provider. We have an attack on its software,” Reitinger says. “Most important here, the software used by managed service providers, vastly increasing the effect. So, at the end of the day many entities will suffer, and there is very little if anything most could do to prevent it because the primary capabilities to prevent and detect lay with another.”
FBI: ‘A Very Busy Summer’
Threats from ransomware have increased significantly in recent months, with incidents such as the Colonial Pipeline Co. attack and the REvil attack on meat processor JBS costing the victims millions of dollars in operational and mitigation losses.
The rising sophistication and proliferation of ransomware threats have also caught the attention of the U.S. government, with several federal agencies and the White House initiating a number of steps to counter them.
For instance, on Wednesday, CISA released its Ransomware Readiness Assessment audit tool to help organizations size up their ability to defend against and recover from attacks (see: CISA Tool Helps Measure Readiness to Thwart Ransomware).
On May 12, the Biden administration issued its cybersecurity executive order that aims to address ransomware and other threats to the U.S. (see: Biden’s Cybersecurity Executive Order: 4 Key Takeaways).
In a session recorded this week for ISMG’s upcoming Government Cybersecurity Summit, Elvis Chan of the U.S. Federal Bureau of Investigation predicted that this will be a busy summer for ransomware investigations and takedowns.
“We have many joint investigations with our foreign partners,” says Chan, Asst. Special Agent in Charge, San Francisco Division, Cyber Branch of the FBI. “Look for this to be a very busy summer for us with multiple takedowns across different countries.
“We want to impose as much consequence as possible,” Chan says.