Last week, the REvil ransomware gang carried out an unprecedented supply chain ransomware attack against customers of Kaseya’s VSA product.
Update July 6, 2021:
Even though the REvil gang claims to have infected 1 million systems running Kaseya services, federal authorities say the number of infected entities is in the thousands, with approximately 1,500 systems believed to have been victimized by the attack. Kaseya also says the attack was not a supply chain compromise, ruling out access to its backend infrastructure; instead, it was based on the CVE-2021-30116 zero-day vulnerabilities, which were exploited in a way that successfully pushed the REvil ransomware onto vulnerable systems.
Update July 12, 2021:
Kaseya released patches for the vulnerabilities, 10 days after the initial attack. “Fixed security vulnerabilities related to the incident referenced here and made other updates to improve the overall security of the product,” Kaseya said in its advisory.
Kaseya VSA is a virtual system/server administrator software that monitors and manages Kaseya customers’ infrastructure. The product can be supplied either as a hosted cloud service, or via on-premises VSA servers.
“Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only,” Kaseya said in a statement. According to the advisory, all on-premises VSA servers should stay offline until further instructions from the company regarding when it is safe to restore operations.
How did the REvil ransomware gang carry out the Kaseya attack?
According to an update shared by the DIVD CSIRT, the Dutch Institute for Vulnerability Disclosure, the organization had previously alerted Kaseya of several zero-day vulnerabilities, known under the CVE-2021-30116 identifier, in the VSA software:
Wietse Boonstra, a DIVD researcher, has previously identified a number of the zero-day vulnerabilities [CVE-2021-30116] which are currently being used in the ransomware attacks. And yes, we have reported these vulnerabilities to Kaseya under responsible disclosure guidelines (aka coordinated vulnerability disclosure).
Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch, the Dutch organization said.
Following the attacks, REvil is now demanding a ransom payment in the amount of $70 million. In exchange for the ransom, the cybercriminals are promising to publish a universal decryption tool that should restore all systems damaged by the ransomware.
According to a post the REvil gang shared on its underground data leak site, the attack on MSPs was launched on July 2, and the gang claims it infected more than a million systems. “If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour,” the post said.
What should Kaseya’s customers do?
CISA and the FBI recently published an advisory recommending the download of the Kaseya VSA Detection tool, which analyzes a system (either a VSA server or a managed endpoint) and determines whether any indicators of compromise are present.
Other recommendations include enforcing multi-factor authentication (MFA) on every single account, as well as MFA for customer-facing services; implementing allowlisting so that communication with remote monitoring and management (RMM) capabilities is limited to known IP address pairs; and placing administrative interfaces to RMM behind a VPN or a firewall on a dedicated admin network.
It is noteworthy that in 2019 the GandCrab ransomware gang exploited a vulnerability that was several years old in a software package used by remote IT support firms, gaining a foothold on vulnerable networks and distributing the ransomware payload. The flaw in question affected the Kaseya plugin for the ConnectWise Manage software, a professional services automation product for IT support.