After receiving phenomenal positive feedback at our previous live cyber exercising workshops in Edinburgh and Aberdeen, the Scottish Business Resilience Centre organised another Exercise in…
Ethical hacker Suzie delves into the recent Kaseya supply-chain attack and everything you need to know.
Managed Service Providers (MSPs) allow businesses to outsource specific services to specialist companies and are usually synonymous with cost-benefits to the organization. MSP offer a range of services but particularly IT due to the ever-growing demand and a lack of in-house capability or resources.
Information technology is a pivotal aspect of doing any kind of business on-line and so MSPs offer access to technical and security expertise, provide IT support, and resources such as cloud storage, remote access, and Software-as-a-Service (SaaS) solutions. MSP are also beneficial for ensuring systems are up-to-date and that data is backed-up and protected appropriately. To do all this MSPs require “specialist software platforms to automatically manage all functions” (1). This is where Kaseya features.
“Potential security incident”
Kaseya provides a suite of products used by MSPs to support their customers. Kaseya VSA facilitates the management of software patching, antivirus (AV), antimalware (AM) and backup (BDR) amongst other services (2).
On July the 2nd, 2021 Kaseya Incident Response Team learned that a “potential security incident” involving their VSA software had been affected (3).
The attack has been attributed to the ransomware gang known as REvil, or one of their affiliates, and it is believed that they have identified and leveraged a previously unknown (zero-day) vulnerability in order to access MSP systems to infect their client’s devices.
Hundreds of customers have been impacted world-wide with massive disruptions that is impacting the lives of ordinary citizens.
In just one example the Swedish supermarket chain Coop has had to shut approximately 500 stores because they are unable to process payments (4).
Kaseya immediately shut down their SaaS servers and notified clients to shut down their on-premise VSA servers, to prevent further compromise (3).
Supply-chain ransomware attacks focus on disrupting the supply chain network through exploiting vulnerabilities. As supply chains become more interconnected the more likely they become targets for malicious threat actors. As much as forty percent of cybersecurity attacks can be linked to the extended supply chain (5).
To translate this attack to users, this will have affected hundreds, if not thousands, of servers. Kaseya has several different products, but only one is affected which is their VSA software. This software is utilised in patching devices and backups. As such, the systems have admin rights into many organisation IT estates in order to carry out their necessary functions.
By targeting MSPs, threat actors can compromise a single device, which in turn creates the opportunity to have vast access to a broad spectrum of organisations, which are then vulnerable all at the same time and individually ransomwared. This means that the threat actors compromise one organisation and leverage their position to potentially collect multiple ransom payments.
With this understanding provides an insight into the scale of the attack and the fallout has yet to be fully determined.
Kaseya has released a statement via email to some of its clients indicating that they believe that they have identified the vulnerability and are working hard to create a patch for it. The email goes on to state the links and instructions as to when and how the patch becomes available and is applied, will be emailed out as well as posted on the website. Screen shots of the emails are available on social media however, it is recommended that anyone affected by the issues go to the website directly rather than following any links included with the email as Kaseya does not appear to have DMARC (Domain-based Message Authentication, Reporting, and Conformance) or SPF (Sender Policy Framework) protection in place, which leaves their domain susceptible to spoofing (6).
This was a REvil industry-wide supply-chain attack implemented through a previously undisclosed vulnerability, for the purpose of deploying ransomware into a victim’s environment. It is a “trojanized software” distributed via “Kaseya VSA Agent Hot-fix” (7).
Mark Loman, a Sophos Malware Analyst has commented:
“REvil binary C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into a C:\Windows\MsMpEng.exe to run the encryption from a legit process…..(The)Attack chain contains code that attempts to disable Microsoft Defender Real-Time Monitoring, Script Scanning, Controlled Folder Access, etc. via PowerShell” (8).
For more information from Mark Loman: https://twitter.com/markloman/status/1411035534554808331
For more information on Indicators of Compromise (IOC): https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
This will include process data, files involved, registry keys and ransomware extensions.
For more details on the ransomware payload:
If you think you’ve been affected
As of the 5th of July 2021, Kaseya has released a compromise checker tool:
Updates are available from Kaseya here:
More Information and further updates on Kaseya
More information on ransomware
SBRC provides a Ransomware Guide which contains advice and further information on ransomware, suggested measures that can be taken to mitigate and lessen the chances of a successful ransomware attack.
1. What Is An MSP. Atera. [Online] 2021. [Cited: 03 07 2021.] https://www.atera.com/what-is-an-msp/.
2. Kaseya. Kaseya. [Online] 2021. [Cited: 03 07 2021.] https://www.kaseya.com/.
3. Helpdesk Update. Kaseya. [Online] 2021. [Cited: 03 07 2021.] https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689).
4. Coop Supermarket closes 500 stores. Bleeping Computer. [Online] 2021. [Cited: 03 07 2021.] https://www.bleepingcomputer.com/news/security/coop-supermarket-closes-500-stores-after-kaseya-ransomware-attack/.
5. Securing the supply chain. Accenture. [Online] 2021. [Cited: 03 07 2021.] https://www.accenture.com/us-en/insights/consulting/securing-the-supply-chain.
6. Updates regarding VSA security incident. Kaseya. [Online] 2021. [Cited: 03 07 2021.] https://www.kaseya.com/potential-attack-on-kaseya-vsa/.
7. Kaseya REvil ransomware attack. The Hacker News. [Online] 2021. [Cited: 03 07 2021.] https://thehackernews.com/2021/07/kaseya-revil-ransomware-attack.html.
8. Mark Loman. Twitter. [Online] 2021. [Cited: 03 07 2021.] https://twitter.com/markloman/status/1411035534554808331.