REvil exploited a vulnerability in Kaseya's VSA software to spread ransomware through MSPs to their customers. The incident is global in scope and remediation is ongoing.
The Kaseya ransomware attack: history and industry reaction.
On Friday Kaseya sustained a ransomware attack on its widely used VSA product. The attack, as it propagated through the managed service providers (MSPs) who use Kaseya VSA, has affected users worldwide. Huntress Labs warned on Friday that ransomware had been deployed through VSA on-premises servers beginning around 11:00 AM EDT. The attack was not, contrary to earlier speculation, a supply chain attack: Kaseya has ruled out any unauthorized alteration of its code base, which would be a supply chain attack in the narrowest sense of the term. Rather, it was a direct attack in which the attackers exploited a zero-day vulnerability (CVE-2021-30116) that had been responsibly disclosed by the Dutch Institute for Vulnerability Disclosure (DIVD) and that Kaseya was in the process of fixing. How the attackers learned of the vulnerability is unknown.
The effects of the attack have been worldwide, roughly tracking the MSP market penetration of VSA, with the US and Germany showing the highest rates of infection. Between forty and sixty Kaseya customers are believed to have been directly affected, but since these tended to be MSPs, the ransomware in turn flowed to those customers' customers, whom it's affected indiscriminately. The Record this morning put the tally of affected organizations at more than fifteen hundred. Reuters reports that victims include "schools, small public-sector bodies, travel and leisure organizations, credit unions, and accountants." Another Reuters update speculates that individual organizations' recovery could take weeks. Eddy Bobritsky, CEO of Minerva Labs, observed that, however the attackers got in, the scope of the attack is becoming clear: "The method the Attackers used to commit this attack is still unknown, but we estimate that thousands of companies were hit by ransomware due to this attack. Kaseya mentioned 40 customers worldwide, but each customer is an MSP servicing multiple end companies. Kaseya is a trusted Remote Monitoring and Management (RMM) solution used by MSPs to manage clients and because of that the damage is very serious."
Early indications were that the ransomware was REvil, and subsequent ransom demands have seen the REvil gang (widely regarded as a Russian privateer, and the same threat actor responsible for the recent high-profile attack on JBS Foods) claim credit. After victims were initially quoted ransoms of $40 thousand, soon upped, BleepingComputer reports, to $500 thousand or so, the gang seems to have arrived at its final offer: it now wants $70 million in Bitcoin, for which it promises to release decryptors to all the victims, which suggests that they're looking for a collective payment. (Malwarebytes has an account of the incident that includes the Happy Blog ransom demand REvil published.)
Accounts of how REvil accomplished the attack, and comparison to earlier incidents.
eSentire suggests that REvil exploited a vulnerability in Kaseya VSA to obtain access to admin-level credentials and deploy its Sodin ransomware dropper. The security firm says it's seen that sort of approach before. Eldon Sprickerhoff, eSentire Chief Innovation Officer and founder, wrote:
“From our investigations into the 2018 cyberattack involving some of our customers, who were infected with the coinminer software, via the VSA software, we firmly believe that there was a vulnerability within the VSA software that gave external attackers access to Kaseya Administration-Level credentials, and then they used the Kaseya remote administration and management solution (which is used to manage and distribute software across many hosts) to execute an installation bundle that used PowerShell to deploy Monero-mining software to all systems.”
“My guess is in the 2018 cyberattack, a threat actor figured out a zero-day in Kaseya, went to a tool such as Shodan and looked for all external-facing Kaseya instances, built up a bundle to mine Monero, and then en masse started gaining access to these Kaseya installations and deploying their miners.”
“Gaining access to Administration-Level credentials for a remote management solution that distributes software, like Kaseya, and targeting Managed Service Providers, is a very efficient way of deploying ransomware to many organizations. Essentially, the MSPs do all the hard work for the threat actors because they unknowingly deploy the malicious software (in this case, the Sodin ransomware dropper) out to all their customers. This current attack could very well be just a variation on the same attack tactic they used in 2018 which we discovered.”
“Another word of warning to customers of the Kaseya VSA software: companies definitely want to check if the Sodin ransomware dropper has already been pushed to their computer systems. As recommended by Kaseya, it is a good idea at this time to disable the VSA Server until a patch has been formally released; however, your security team definitely also needs to check for indicators that the Sodin ransomware dropper or the ransomware hasn’t already been installed onto your computer systems, and that external attackers don’t already have access to your organization.”
“Luckily, in this current attack involving the Kaseya VSA, we have only found one instance that had the Sodin ransomware dropper installed, and we shut that system down before the ransomware could be deployed onto the organization’s IT systems. I expect that one of the attackers involved in this current attack jumped the gun and initiated the en masse event before Friday evening in North American timezones before the 4th of July holiday weekend in the U.S., when in North America fewer security team members would have been active. Had they initiated the attack on Saturday morning, July 2, I expect that they would not have had such a robust response from information security practitioners.”
Anurag Gurtu, CPO of StrikeReady, commented on how REvil's ransomware-as-a-service model works:
"This year, REvil, also called Sodinokibi, is on a rampage. To distribute ransomware and earn commissions, REvil uses a ransomware-as-a-service operation (RaaS). Recent threats have included demands for ransom from Apple and a threat to leak blueprints on its site before Apple's Spring-Loaded event - a live streaming event from Cupertino. Affiliates keep 60 percent of every ransom payment, and 70 percent after three successful ransom payments. The remaining 30 or 40 percent goes to the actor or actors behind REvil. A common tactic used by REvil is to check if there are any other instances of the program running on the host by establishing a mutex and hard-coding a name."
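The single-instance check Gurtu describes (a hard-coded mutex name) is also something a defender can look for on a live host. The following PowerShell is an added example written for this article; it is not StrikeReady's or Kaseya's code, and the mutex names in it are placeholders, since the article does not publish REvil's actual mutex name. It uses the .NET `System.Threading.Mutex.TryOpenExisting` method to test whether each candidate name exists in either the session-local or the `Global\` namespace, treating an access-denied error as "present" because that error is only raised when the object exists.

```powershell
# Added example: report whether any of a list of named mutexes currently exists on this host.
# The names are placeholders; substitute names taken from your own sample analysis or vendor
# reporting. Runs on Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Test-NamedMutex {
    param(
        [Parameter(Mandatory)] [string[]] $Name
    )
    foreach ($n in $Name) {
        # Check both namespaces: a process may create its mutex as "Name" or as "Global\Name".
        foreach ($candidate in @($n, "Global\$n")) {
            $m = $null
            $exists = $false
            try {
                # Returns $true and a handle if the mutex exists and we may open it,
                # $false if it does not exist.
                $exists = [System.Threading.Mutex]::TryOpenExisting($candidate, [ref] $m)
            } catch [System.UnauthorizedAccessException] {
                # Thrown only when the mutex exists but this process lacks rights to open it,
                # so it is still evidence of presence.
                $exists = $true
            } finally {
                if ($m) { $m.Dispose() }
            }
            [pscustomobject]@{
                Host    = $env:COMPUTERNAME
                Mutex   = $candidate
                Present = $exists
                Checked = (Get-Date).ToString('o')
            }
        }
    }
}

# Placeholder names constructed for this example; they are not real REvil indicators.
$suspectMutexes = @('PLACEHOLDER_MUTEX_1', 'PLACEHOLDER_MUTEX_2')

# Print only the hits; drop the Where-Object to see every name that was tested.
Test-NamedMutex -Name $suspectMutexes | Where-Object Present | Format-Table -AutoSize
```

A named mutex lives only as long as a process holds it, so this check says something about a host at the moment it runs and nothing about a host that was encrypted and rebooted; it belongs alongside file, process and network indicators rather than in place of them. Run it in the same security context the suspect process would use (typically elevated), because a mutex created by a privileged process may be invisible to an unprivileged one.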
Supply chains and ransomware tactics.
The attackers exploited CVE-2021-30116. Kaseya's Monday update said that, "The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya’s VSA codebase has been maliciously modified." This statement is the basis for not calling the incident a supply chain attack in the strictest sense. But the attack on Kaseya resembles supply chain attacks in certain important respects, particularly the way in which it represents a fourth-party risk: the customers of Kaseya's MSP customers are particularly affected.
James Shank, Ransomware Task Force Committee Lead for Worst Case Scenarios and Chief Architect, Community Services, for Team Cymru, wrote:
“Vendors and supply chains enable business growth and efficiency, but they also create high value targets for attackers. With SolarWinds, CodeCov, and now Kaseya being some of the recent software and IT system supply chain attacks that enabled attackers to hit their customers, the writing on the wall is crystal clear: Attackers are looking for ways to compromise supply chain vendors to amplify their reach into victims.
"This is not the first and it won’t be the last. It is time to add another item to the already overwhelmed corporate security teams: audit suppliers and integrations with your supply chain providers. Limit exposure to the absolute minimum while still enabling business operations.
"During the Ransomware Task Force Worst Case Scenarios thought experiment, this exact scenario was identified as a critical weakness. It isn’t clear how best to respond, as the world — and enterprise operations — becomes more and more connected and codependent every day. Each of these connections can be a pathway for massively good things, but also opens the door to a shared fate scenario, where a security incident at your supplier is likely to also become an incident on your network.
"The new security operations paradigm must consider suppliers as part of their extended perimeter to defend. Being able to see exposures and threats beyond the traditional network perimeter needs to become part of best in class security practice.”
Bryson Bort, CEO of SCYTHE, is among those who see an analogy (allowing for differences) with the SolarWinds compromise. In both cases the attackers took advantage of a trusted relationship between vendor and customer: "This is going to be another SolarWinds in size. MSSPs are the trusted backbone to many companies and this compromise takes advantage of that relationship. Pour one out for the thousands of folks who just lost their 4th of July weekend to this latest (and not the last) threat campaign."
Responding to the attack, and preventing similar attacks in the future.
Kaseya itself has been issuing regular situation updates since it disclosed the incident at 4:00 PM EDT Friday. It learned of the attack when customers began reporting unusual behavior on endpoints managed by VSA, and then saw ransomware being executed on those endpoints. The company yesterday posted the following summary advice on mitigation:
"All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture.
"We have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponized."
Kaseya has brought in Mandiant to assist with remediation.
The US Cybersecurity and Infrastructure Security Agency (CISA) has urged users of the software to immediately shut down their servers and to follow the mitigation advice Kaseya has issued. The FBI has seconded CISA, and solicited information from victims of the attack.
Chris Grove, technology evangelist at Nozomi Networks, wrote about the importance of visibility in dealing with incidents of this kind:
"This type of a supply chain attack, similar to the Solarwinds attack, goes straight to the jugular of organizations looking to recover from a breach. These types of technology management solutions can have high concentrations of risk due to their large collection of enterprise accounts with elevated privileges, unrestricted firewall rules needed for them to operate, and a cultural ‘trust’ that the traffic to/from them is legitimate and should be allowed.
"Once a breach happens, the victim would generally reach for these tools to work their way out of a bad situation, but when the tool itself is the problem, or is unavailable, it adds complexity to the recovery efforts. At times like this, when we don’t fully understand the scope and tactic used, or which versions are affected… visibility into the blast radius of the attacker is crucial. Knowing which systems were impacted, which were used for lateral movement, or where the attackers may be hiding, ensures defenders can make educated decisions on the ground. When it comes to defending critical infrastructure, that visibility could make all the difference between the power being on… or off."
Mike Hamilton, CISO of Critical Insight, sees the attack on MSPs as the sort of threat the recent US Executive Order was designed to address:
"This is a perfect example of what we’re trying to address with supply chain security through the President’s executive order. The trust that the mid-market has with their IT managed service providers is being strained. MSPs are the perfect third party to compromise because of their extensive access into customer networks. This *may* be another example of a key piece of software being compromised at the source, as in Solarwinds. Appears to have come in as a normal agent Kaseya VSA update – meaning that monitoring the network would have shown normal traffic. Appears as though it doesn’t spread, just hoses up the servers with that agent."
Attribution and motivation.
REvil claimed responsibility for the attack, and there's no reason to doubt them. And the obvious motive is money: the gang is looking for a $70-million payday. But the fluctuating ransom demands, which only settled on the final $70-million demand after a few days, are curious, as is the consolidation of the demands. Whom does REvil expect to pay? Kaseya? A government? That seems unlikely to happen. A consortium of MSPs? Any of these are possible, but the disruption the attack caused seems at least as significant as the financial damage. If REvil is an example of what Cisco's Talos calls "privateers," it's reasonable to look for some motive that would serve the sponsoring state's interests. In this case, Axios may be on to something: "Coming just two weeks after President Biden's personal warning to Vladimir Putin during the Geneva summit, the attack looks like the Russians thumbing their nose at the tough talk."