Kaseya is Focus of New Supply Chain Ransomware Attack

UPDATED July 3, 11:30 a.m. EDT

See Also: Rapid Digitization and Risk: A Roundtable Preview

IT management software vendor Kaseya sustained a suspected REvil ransomware attack on Friday. Attackers reportedly compromised Kaseya’s remote monitoring system, VSA, forcing the company to urge its managed service provider customers to temporarily shut down their on-premise servers for at least for the next 24 to 48 hours.

Kaseya VSA is a remote management platform for MSPs that provides solutions such as automated patch management. According to Kaseya, the platform has been used by more than 36,000 MSP customers worldwide.

In an update late Friday, Kaseya CEO Fred Voccola said the company detected the compromise on its VSA platform on Friday afternoon. He also added the spread of the attack has “been limited to a small number of on premise customers.”

Security firm Huntress Labs, which assessed a ransom note believed to be tied to Kaseya, has linked the attack to REvil ransomware group – the same group the FBI has said was responsible for attacking meat processing giant JBS in late May. Huntress also added that the attack already has compromised eight of Kaseya’s MSP customers with 200 businesses linked to three of the victims reporting instances of file encryption.

On Friday, Mark Loman, a malware analyst at security firm Sophos, tweeted the hackers demanded $5 million as ransom in exchange for the file decryptor.

Kaseya did not immediately respond to a request from Information Security Media Group seeking more information on the attack. The firm did promise another update to be posted on its site at approximately 9 a.m. EDT on July 3.

Kaseya Responds

Upon learning of the attack, Kaseya says it immediately shut down its SaaS servers as a precautionary measure, and it notified its on-premises customers “via email, in-product notices, and phone” to shut down their on-premise VSA servers to prevent them from being compromised. Further, Kaseya also directed its on-premise customers to remain offline until the affected systems have been checked for its safety.

Kaseya also added that it is currently working with its internal forensic team and law enforcement agencies to investigate the attack.

“Only a very small percentage of our customers were affected – currently estimated at fewer than 40 worldwide,” Kaseya CEO Voccola said. “We expect to restore service to those customers once we have confirmed that they are not at risk, which we expect will be within the next 24-48 hours.”

In a follow-up update on Saturday, the company said it has been working around the clock on “a security assessment, client support, progress update, technical resolution, and return to operational status standpoint.”

Further, Kaseya said “We have been advised by our outside experts, that customers who experienced ransomware and receive a communication from the attackers should not click on any links - they may be weaponized.”

Kaseya said it will continue to post updates every 3-4 hours, including a comprehensive bulletin that will include:

• A detailed description of the security incident process and current status;
• How to determine whether customers have been compromised;
• Status updates from R&D on the progress of the patch for on-premises users;
• The plan to bring our SaaS and on-premises customers back online.

The U.S Cybersecurity and Infrastructure Security Agency also alerted Kaseya customers to quickly follow the mitigation steps issued by the company.

Update Flaw

In its alert, Kaseya noted that it identified the source of the vulnerability that may have led to the attack and added that it is working to issues patch for the flaw soon. “We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly,” Voccola said. “We will release that patch as quickly as possible to get our customers back up and running.”

Loman of Sophos tweeted that the vulnerability is exploited by a malicious update, which contains code to disable Microsoft Defender Real-Time Monitoring.

Although complete details of the Kaseya hack have yet to ascertained, this latest incident would mark the second time in recent months that attackers have compromised a high-profile supply chain environment using a malicious software update.

The SolarWinds supply chain hack is believed to have begun in March 2020 when attackers installed the backdoor in an Orion software update. Up to 18,000 customers installed and ran the Trojanized software. Later, attackers launched follow-on attacks on nine U.S. government agencies and about 100 private sector firms, federal investigators say (see: Why Didn’t Government Detect SolarWinds Attack? ).

About REvil

REvil, also known as Sodinokibi and Sodin, is a ransomware-as-a-service offering, which means a core group develops and maintains the ransomware code and makes it available to affiliates via a portal.

Those affiliates and the core group of operators share in any profits that result from victims paying a ransom. Recent victims that have made payments include meat processor JBS, which paid $11 million in bitcoins.

Many security experts rank REvil among the most damaging and prevalent RaaS operations, alongside Conti, DoppelPaymer (aka DopplePaymer), Maze offshoot Egregor, and Ryuk. (For more on REvil, see REvil’s Ransomware Success Formula: Constant Innovation

Targeting MSPs: “A Diabolical Extortion Tactic”

Security experts note that MSPs are a vulnerable target as they are mostly smaller business with relatively less mature security checks and balances in place.

“These types of technology management solutions can have high concentrations of risk due to their large collection of enterprise accounts with elevated privileges, unrestricted firewall rules needed for them to operate, and a cultural ‘trust’ that the traffic to/from them is legitimate and should be allowed,” says Chris Grove, technology evangelist with security firm Nozomi Networks. “Once a breach happens, the victim would generally reach for these tools to work their way out of a bad situation, but when the tool itself is the problem, or is unavailable, it adds complexity to the recovery efforts.”

“MSPs leverage Kaseya’s software, making them an attractive target because extortionists can quickly increase potential targets,” says Rick Holland, CISP and vice president strategy at Digital Shadows. “These victims are a desirable target as they may not have the means to eradicate the adversary and restore their IT systems, forcing them to pay the ransom. Targeting an MSP that serves vulnerable SMBs is a diabolical extortion tactic.”

Philip Reitinger, CEO and President of the Global Cyber Alliance, says this latest attack is “both different from and similar to the SolarWinds attack.” It’s is similar because it also has a widespread scope and appears as a supply chain attack. But the means and purpose are different, he says.

“Here we don’t have an attack (so far as I see) on the systems of a software provider. We have an attack on its software,” Reitinger says. “Most important here, the software used by managed service providers, vastly increasing the effect. So, at the end of the day many entities will suffer, and there is very little if anything most could do to prevent it because the primary capabilities to prevent and detect lay with another.”

FBI: ‘A Very Busy Summer’

Threats from ransomware have increased significantly in recent months, with incidents such as the Colonial Pipeline Co. attack and the REvil attack of meat processor JBS causing the victims millions of dollars in operational and mitigation loss.

The rising sophistication and proliferation of ransomware threats has also caught the attention of the U.S. government, with several federal agencies and the White House initiating a number of steps to counter them.

For instance, on Wednesday, CISA released its Ransomware Readiness Assessment audit tool to help organizations size up their ability to defend against and recover from attacks (see: CISA Tool Helps Measure Readiness to Thwart Ransomware).

On May 12, the Biden administration issued its cybersecurity executive order that aims to address ransomware and other threats to the U.S. (see: Biden’s Cybersecurity Executive Order: 4 Key Takeaways).

In a session recorded this week for ISMG’s upcoming Government Cybersecurity Summit, Elvis Chan of the U.S. Federal Bureau of Investigation predicted that this will be a busy summer for ransomware investigations and takedowns.

“We have many joint investigations with our foreign partners,” says Chan, Asst. Special Agent in Charge, San Francisco Division, Cyber Branch of the FBI. “Look for this to be a very busy summer for us with multiple takedowns across different countries.

“We want to impose as much consequence as possible,” Chan says.