What We Know About The Kaseya Ransomware Attack

With the July 4th weekend dawning in the U.S., the REvil ransomware gang launched a massive attack on Kaseya, an Ireland-based provider of IT management software that counts some of the world’s leading managed service providers as customers.

The attack, which reportedly began with an undisclosed and unpatched flaw in Kaseya’s VSA software, resulted in both MSPs and their customers being infected with the REvil ransomware disguised as a Kaseya software update. With a potential list of victims in the thousands, the situation “on the ground” is very fluid and will likely change by the hour. Here is what we know now:

What happened?

Based on statements by Kaseya and public reporting, it appears that the REvil cybercriminal gang compromised the IT management software provider Kaseya and was able to push malicious code to Kaseya customers disguised as a software update to Kaseya’s VSA software.

The update was pushed to VSA on-premise servers, many of which were configured to apply patches from the vendor automatically. Subsequent to the malicious update being installed, the attackers leveraged Kaseya VSA’s internal scripting engine to push the REvil ransomware to any and all connected client systems.

Who is affected by this attack?

Any Kaseya customers were affected either directly or indirectly as a result of service interruptions created by the attack. According to Kaseya, the REvil ransomware appears to have been pushed specifically to customers running on-premises versions of VSA server. Customers using SaaS versions of VSA do not appear to have been affected. Kaseya has instructed its customers with on-premises VSA servers to IMMEDIATELY disconnect them from the Internet until further notice. That order still stands as of this writing.

Indirectly, of course, a much wider range of firms are affected by this attack, because the Kaseya software is used extensively by Managed Service Providers (MSPs) to interact with their clients. Also: MSPs typically have administrative-level access to customer networks, meaning that compromised MSPs would have been able to distribute the REvil ransomware directly to managed endpoints at downstream customers. There is not a comprehensive list of affected MSPs or customers, but news reports mention 30 MSPs spread across the US, EU, Australia and Latin America and thousands of businesses affected, including the Swedish grocery chain Coop, which closed 800 stores on Saturday following a REvil outbreak. More reports of customers of hacked MSPs are expected in the days ahead.

How did attackers compromise Kaseya?

While we don’t know exactly, speculation is that the REvil gang was in possession of a “zero day” vulnerability that affected Kaseya on-premises VSA servers. That is: an exploitable software vulnerability that was unknown to vendors and un-patched. Some of the best support for this notion comes from Dutch Institute for Vulnerability Disclosure  (DIVD CSIRT), which said it had been working with Kaseya on “severe vulnerabilities in Kaseya VSA” prior to the REvil attack. It is unclear, however, what the vulnerability was or how it was exploited. Speculation in public forums has mentioned a SQL injection (SQLi) attack as the initial attack vector. Huntress says it has “moderate” confidence that the “web interface was not directly used by the attackers.” So...stay tuned. More information will likely be forthcoming on the means of initial compromise. In the meantime, it appears Kaseya is aware of the attack vector and is mitigating it.

More is known about how the attack proceeded once the attackers had gained access to Kaseya’s customers. Ransomware encryptors named agent.exe were dropped to Kaseya’s TempPath and then pushed out via VSA as “Kaseya VSA Agent Hot-fix.” The attackers then used various strategies to sidestep host-based antivirus detection of the malware, including leveraging Kaseya guidance to customers on recommended antivirus and firewall exclusions. A fake Windows Defender app was also deployed to run the actual ransomware binary that encrypts a victim’s files, as well. Attackers also employed anti-forensic strategies to complicate incident response, including the use of Archive and Purge Logs to remove evidence of compromise. A list of indicators of compromise (IOCs) is available on the MSP subreddit here.  

What does this mean for my organization?

The impact of this attack is considerable for organizations directly affected and those not affected at all.

MSP Customers Beware

The immediate impact of this incident on your organization really hinges on whether you are a Kaseya customer or a customer of a Kaseya customer, like one of the 30 or so MSPs who were victims of this attack. As noted, that later list could number in the thousands of companies worldwide.

If you are a Kaseya customer, you likely have already been contacted by that company with guidance. Follow that company’s guidelines. At this point, it appears that on-premises VSA customers are the most directly impacted by the attack. However—per the Dutch DIVD—it seems likely that the vulnerability used to install REvil was not the only serious flaw in Kaseya’s products. The company’s customers - SaaS or on-premises - should be on guard against subsequent attacks, and take extra precautions to make sure that they have not been victimized.

Furthermore, if your organization uses an MSP and you don’t have definitive proof that they do not use Kaseya for IT management, you should be scrutinizing and limiting any interactions with your environment from that MSP. At the very least, any updates and changes coming from the MSP should be held prior to being installed so that the integrity of those files or changes can be verified internally, with the MSP and via security scans.

Supply Chain Worries

Even if your organization is not a Kaseya customer and does not use an MSP, there is reason for concern. MSPs have their hooks deep into customer environments and are highly privileged actors. That makes them particularly rich targets for ransomware gangs. However, MSPs are hardly the only software and service provider that presents a rich target. IT consultants, hosted application providers and platform providers of all types provide the scaffolding for modern businesses. Any and all could plausibly provide a platform from which to launch a damaging attack.

At the very least, organizations need to pay close attention to what third parties have access to their internal environment. That includes individuals, service providers, application providers, and more.

The Kaseya incident suggests that companies should take a hard look at any whitelisting requirements from MSPs and other application providers. These are typically designed to streamline management of customer environments, but in an age when the integrity of MSPs and other service providers can’t be taken for granted, security exemptions and whitelists add substantially to your risk of compromise by side-stepping monitoring and defense technologies.

Similarly, rules to automatically apply software updates from designated vendors need to be reassessed. Steps should be taken to eliminate the possibility of any code moving seamlessly from any third party to your internal environment, as the REvil ransomware did via Kaseya’s VSA. Steps should be introduced to validate any update or code from a third party and ensure that it is not malicious. That won’t stop every attack (note: the SolarWinds back door would not have triggered antivirus scanners.) However, it will stop fast-moving attacks like the Kaseya/REvil attack from spreading to your internal environment.

Ransomware Gets Political

The latest incident may even prompt diplomatic rows and influence international relations, especially following the recent meeting between Russian Prime Minister Vladimir Putin and US President Joe Biden, at which the problem of ransomware groups operating from within Russia came up. Biden has indicated that his administration will delve into the latest attack to determine its origin.

Given the recent spate of disruptive attacks on US firms and critical infrastructure operators including the Colonial Pipeline and meat processor JBS, the Biden Administration would be expected to exact a price on Russia’s government should the latest attack be linked to a group operating out of Russia.

QOMPLX Can Help

QOMPLX helps its customers to identify and counter sophisticated attacks and threats like cybercriminal ransomware groups. Tools like QOMPLX’s Identity Assurance and Privilege Assurance can spot suspicious behavior related to user permissions and monitor activities related to Active Directory and Kerberos to detect attempts to elevate privileges and forge phony identities.

If you want to learn more about how QOMPLX can help your company spot signs that may signal a compromise, request a meeting with QOMPLX or use the form below to contact us.