At a glance.
- REvil operators exploit Kaseya vulnerability to launch ransomware attacks.
- REvil expands to Linux systems.
REvil operators exploit Kaseya vulnerability to launch ransomware attacks.
IT management software provider Kaseya sustained an attack by REvil ransomware operators against its Virtual System Administrator (VSA) tool, which is widely used by managed service providers (MSPs). The attackers subsequently executed ransomware attacks against many of these MSPs' customers. Kaseya says "the total impact thus far has been to fewer than 1,500 downstream businesses." Intezer notes the similarities to the SolarWinds attack, although the attackers in this case are financially motivated.
The Dutch Institute for Vulnerability Disclosure (DIVD) had discovered and responsibly disclosed the vulnerability (CVE-2021-30116), and Kaseya had been working on a patch. The DIVD stated, "After this crisis, there will be the question of who is to blame. From our side, we would like to mention Kaseya has been very cooperative. Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch."
Sophos has written up a detailed technical analysis of the incident:
"The outbreak was delivered via a malicious update payload sent out to VSA servers, and in turn to the VSA agent applications running on managed Windows devices. It appears this was achieved using a zero-day exploit of the server platform. This gave REvil cover in several ways: it allowed initial compromise through a trusted channel, and leveraged trust in the VSA agent code—reflected in anti-malware software exclusions that Kaseya requires for set-up for its application and agent “working” folders. Anything executed by the Kaseya Agent Monitor is therefore ignored because of those exclusions—which allowed REvil to deploy its dropper without scrutiny.
"The Kaseya Agent Monitor (at C:\PROGRAM FILES (X86)\KASEYA\<ID>\AGENTMON.EXE, with the ID being the identification key for the server connected to the monitor instance) in turn wrote out the Base64-encoded malicious payload AGENT.CRT to the VSA agent “working” directory for updates (by default, C:\KWORKING\). AGENT.CRT is encoded to prevent malware defenses from performing static file analysis with pattern scanning and machine learning when it is dropped. These technologies normally work on executable files (though, as we’ve noted, since this file was deployed within the “working” directory excluded under Kaseya’s requirements, this would not likely have come into play.)"
Sophos also notes, "There are some factors that stand out in this attack when compared to others. First, because of its mass deployment, this REvil attack makes no apparent effort to exfiltrate data. Attacks were customized to some degree based on the size of the organization, meaning that REvil actors had access to VSA server instances and were able to identify individual customers of MSPs as being different from larger organizations. And there was no sign of deletion of volume shadow copies—a behavior common among ransomware that triggers many malware defenses."
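A defender-side check for the evasion Sophos describes above (an executable Base64-encoded and dropped into an anti-malware-excluded working folder so that static scanners never see a PE file), written as an added Python example that is not part of the Sophos write-up or of Kaseya's software; the PE header bytes are a constructed stand-in and the scanned directory is whatever path the caller supplies.

```python
import base64
import binascii
import struct
from pathlib import Path


def constructed_pe_bytes() -> bytes:
    """Constructed stand-in for a PE image: MZ stub, e_lfanew at 0x3c, 'PE\\0\\0' at 0x40.
    It is not executable; it only carries the header fields the checks below inspect."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3a)      # DOS header up to e_lfanew
    hdr += struct.pack("<I", 0x40)               # e_lfanew -> offset 0x40
    hdr += b"PE\x00\x00" + b"\x00" * 60          # PE signature + padding
    return bytes(hdr)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3c)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decodes_to_pe(data: bytes) -> bool:
    """True if data is Base64 text (line-wrapped or not) that decodes to a PE image."""
    compact = b"".join(data.split())             # tolerate wrapped Base64
    try:
        blob = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False
    return looks_like_pe(blob)


def classify(name: str, data: bytes) -> str:
    """Label file content regardless of its extension: 'pe', 'base64-pe' or 'other'.
    A Base64-wrapped PE under a non-executable extension (e.g. .crt) is the pattern of interest."""
    if looks_like_pe(data):
        return "pe"
    if decodes_to_pe(data):
        return "base64-pe"
    return "other"


def scan_excluded_dir(path: str) -> list:
    """Walk an AV-excluded working directory (e.g. C:\\KWORKING\\) and return
    (path, label) for every file holding a plain or Base64-encoded PE image."""
    hits = []
    for f in Path(path).rglob("*"):
        if f.is_file():
            label = classify(f.name, f.read_bytes())
            if label != "other":
                hits.append((str(f), label))
    return hits
```

Run `scan_excluded_dir` periodically against every folder that anti-malware policy excludes; a `base64-pe` hit under an extension such as `.crt` is worth an alert even though the scanner itself ignores the folder.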
REvil expands to Linux systems.
Researchers at AT&T's Alien Labs note that the REvil ransomware now has the ability to target Linux systems. The new capability was first reported in May by AdvIntel. Alien Labs says the malware can now target ESXi and NAS devices:
"These software upgrades follow the trend seen in other popular RaaS groups, like DarkSide, where they have added Linux capabilities to include ESXi in their scope of potential targets. The hypervisor ESXi allows multiple virtual machines (VM) to share the same hard drive storage. However, this also enables attackers to encrypt the centralized virtual hard drives used to store data from across VMs, potentially causing disruptions to companies. According to the blog post, in addition to targeting ESXi, REvil is also targeting NAS devices as another storage platform with the potential to highly impact the affected companies.
"In late May 2021 the first REvil ransomware samples affecting *nix systems and ESXi were observed in the wild. The samples are ELF64 executables, with similarities to the Windows REvil executable, being the most noticeable among the configuration options."