The cyber security world was rattled last week with the revelation of the largest ever ransomware attack – the Kaseya ransomware attack. A complicated mix of zero-day, supply chain, and ransomware attacks, the Kaseya ransomware attack was a sophisticated ransomware attack which compromised the on-premises version of the Kaseya VSA, a tool used by Managed Service Providers (MSPs) to connect to customer’s systems.
The timing couldn’t have been better. The attack was launched at 2pm EDT on Friday 2nd July, just as IT security teams across the United States were getting ready to knock off for the long July 4th weekend. We take a look at the attack itself, its aftermath, what this attack means for the future of ransomware attacks, and what organisations can do to keep themselves safe in times like these.
Intro to the players – Kaseya and REvil
Kaseya is an Irish-owned IT solutions developer for MSPs and enterprise clients. They have offices in 10 countries, including one in Florida in the United States. This is significant, as the United States MSP supply chain appears to have been the epicenter of the attack.
Kaseya is a key player in the wider software supply chain. Among Kaseya’s IT solutions is a virtual system administrator (VSA) platform which is used by customers including managed service providers (MSPs) to manage their own customers’ IT estates. Kaseya appears to have been targeted by REvil because they could open up such a large number of downstream customers.
REvil is a Russian based ransomware group, also known as Sodinokibi. REvil first rose to prominence in April 2019, and have gained a reputation for being a hard hitting ransomware gang, providing ransomware as a services (RaaS) services for other cyber criminals. REvil heavily use double extortion tactics against their victims – they usually steal data from their victims before encrypting their systems, and threaten to publish the stolen data through their website, also known as the Happy Blog.
REvil have been unusually successful in earning large ransoms from their victims. In 2021 alone, REvil demanded a $50 million ransom from Taiwanese hardware producer Acer, received an $11 million ransom from meat packing giants JBS, and tried to extort a ransom from Apple through a ransomware attack on Apple’s supplier Quanta, that stole data rather than encrypting it.
The Kaseya ransomware attack was a highly sophisticated attack, requiring REvil to up their game considerably. They scaled up their operations considerably from a single target to a supply chain target, which was not entirely new for REvil as they had some success carrying out a supply chain attack in 2019 when they hacked TSM Consulting Services, a web services provider in Texas. On that occasion they impacted 22 of the company’s customers. This time they went one level higher in the supply chain to reach 60 MSPs.
What do we know about the Kaseya ransomware attack?
It likely began much sooner than 2nd July
The Kaseya ransomware attack was launched on Friday 2nd July, although it likely started back in May when REvil were able to gain access to Kaseya’s VSA and begin uploading agent files in order to start carrying out the required steps to carry out the attack.
It is a supply chain attack with the added twist of ransomware
The Kaseya ransomware attack was deliberately aimed at the supply chain in order to gain access to a larger pool of customers.
The attack only impacted MSPs using Kaseya’s on-premises VSA
The attack was initiated by leveraging a vulnerability in Kaseya’s VSA software, and using it as a launch pad against multiple MSPs and their customers. However the attack only affected on-premise Kaseya VSA customers, and did not impact on the SaaS VSA. Latest updates suggest that more than 60 MSPs were impacted, and through them, over 1,500 organisations were hit by the attack, including most famously the Swedish Coop supermarket chain who had to close all 800 stores for several days as they couldn’t open their cash registers.
The exploited vulnerability was a zero day bug which was already being actively worked on
The authentication bypass vulnerability (vulnerability CVE-2021-30116) was a zero day vulnerability that Kaseya had already been made aware of by the Dutch Institute for Vulnerability Disclosure (DIVD), and were in the process of patching it. Early patch versions had already been released to the DIVD to assess their effectiveness. Unfortunately the attack was launched before this work was completed.
REvil demanded a record breaking ransom
REvil demanded a collective $70m ransom to release a universal decryption key. At the same time they were also demanding $5m for affected managed services providers, and a sliding scale starting at $44,999 from affected downstream customers, creating chaos across the affected organisations.
There is no evidence so far that Kaseya has paid the ransom, and neither have any of the affected MSPs. There are suggestions that some of the impacted downstream victims have tried to pay their ransoms. The ransom pays for an unencrypting tool created by REvil, which is supposed to help businesses get back online sooner.
How did the Kaseya ransomware attack happen?
The exact chain of events that lead to the attack is still to be determined. However Kaseya themselves say that REvil were able to exploit zero day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution. Through this, they were able to access the VSA product and deploy the ransomware to endpoints.
Once inside Kaseya’s systems, the hackers carried out several tasks before pushing the ransomware as an update called “Kaseya VSA Agent Hot-fix”.
On gaining access to the targeted environment REvil used the Kaseya Agent Monitor to write a base 64 decoded file called agent.crt (the ransomware dropper) to the path c:\kworking\ and execute a series of commands that disabled security controls. The agent.crt file was then renamed to agent.exe and executed the dropper.
The ransomware was signed with what on the surface looked like a legitimate certificate (PB03 TRANSPORT LTD) in order to evade detection.
Next, REvil placed the ransomware dropper in the system, taking care to hide their actions, using DLL Side-Loading to drop an outdated version for Windows Defender using that response from that action to write the new script.
Finally, they executed the ransomware (mpsvc.dll) with a command to change the firewall settings to allow local windows systems to be discovered, encrypting files, and eventually delivering the ransomware note.
The response from Kaseya
When the attack hit, Kaseya proactively shut down its SaaS servers, and pulled data centres offline. They notified customers as soon as quickly as possible by email, in-product notifications, and by phone. The Incident Response team mobilised immediately to investigate, and the firm called in FireEye and other cyber forensics experts to assist.
Kaseya say that their very quick response to the attack limited the extent to a relatively small number (60 out of 36,000 customers) of on-premises customers only. The company maintains that the SaaS product was not affected. SaaS and hosted VSA servers were given upgraded security features, and the plan is to slowly bring servers back online region by region starting with the EU, UK and APAC data centres. Kaseya were hoping to begin bringing SaaS servers back online within a few days of the attack, but had to delay until 11 July. Systems are now returning online.
The team quickly identified the indicators of compromise of the attack, and circulated them to customers and security researchers to help them investigate the attacks. The full set of indicators can be found here.
R&D replicated the attack vendor in order to understand it, and ensure that their mitigations are effective.
As mentioned above, Kaseya were already aware of the vulnerability that led to the attack, and were working on the patch before the attack was launched. Following the attack, all customers using the on-prem VSA version were taken down, and customers are advised to remain offline until the patch is released. The patch was released on 11 July.
Protect yourself from cyber attacks
Customers and other organisations who suspect they are victims of the attack can download a compromise detection tool from Kaseya. This tool analyses systems and looks for any indicators of compromise. Keep up to date with the latest news from Kaseya here.
Every organisation, whether they are connected to Kaseya or not, should remain cautious of copycats or phishing scams as other cyber criminals try to cash into the confusion surrounding the attack. Kaseya warned on 8th July that there are fake emails circulating claiming to be from Kaseya. Kaseya will not send out emails with links or attachments.
Avoiding a cyber attack entirely is almost impossible as cyber criminals become more and more sophisticated, evolving their methods, and integrating new tools and techniques of their own. However, preparation is key, and knowing your cyber security risks, understanding your infrastructure, and putting in measures to protect yourself will definitely limit the impact of an attack. These measures include but are not limited to:
- Regularly check your infrastructure to ensure that it is secure. Enact any mitigation recommendations as quickly as possible.
- Protect your network perimeter using up to date software, and employing tools where necessary.
- Enforce strong identity and access management controls, including enabling multi factor authentication on all accounts, central controls for access to sensitive applications, and the principle of least privilege.
- Be prepared: Make regular backups of your files, and check that the backups are easily restorable. Create an effective Disaster Recovery plan, and test it, so that you are ready to hit the ground running following an incident.
Every organisation relies on numerous IT related suppliers in order to do their jobs on a daily basis. The trick is to understand the risks of using those suppliers, and in having local protections that improve your own cyber security posture locally.