More than 1000 businesses from around the world have reportedly been impacted in a supply-chain attack where hackers exploited a vulnerability in a remote computer management tool called Kaseya VSA to deploy the REvil ransomware.
Kaseya shut down its cloud-based service and urged all users with on-premises deployments, which includes many managed services providers (MSPs), to immediately shut down their vulnerable servers until a patch is released.
This is not the first time cyber criminals and ransomware gangs have targeted MSPs as an easy way to gain access into corporate networks. Defending against this attack vector is not easy for many organisations since outsourcing IT administration means giving MSPs highly privileged access into their networks and systems.
The Kaseya VSA attack impact
The attack targeting Kaseya VSA servers started around midday on Friday in the US. It's possible this was timed intentionally ahead of a major holiday weekend because attackers hoped security teams would be slower to respond.
"Only a very small percentage of our customers were affected—currently estimated at fewer than 40 worldwide," Kaseya said in an advisory. "We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly. We will release that patch as quickly as possible to get our customers back up and running."
The company also shut down the SaaS version of VSA but noted customers of its cloud-hosted service were never at risk.
Kaseya VSA is an IT remote monitoring and management (RMM) solution that's used by IT and network administrators to automate patching on endpoints and servers, manage back-ups and antivirus deployments, automate other IT processes and remotely resolve and troubleshoot IT issues. To be able to perform all these tasks, the Kaseya VSA software operates with administrator-level access.
According to Kaseya, its RMM solution has over 36,000 users, so fewer than 40 impacted customers might sound like a small number. However, according to third-party reports, many of those affected customers were MSPs which use Kaseya VSA to manage the systems and networks of hundreds of businesses.
"We are tracking ~30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was used to encrypt well over 1000 businesses and are working in collaboration with many of them," John Hammond, a senior security researcher at managed threat detection and response vendor Huntress said in a blog post.
"All of these VSA servers are on-premises and Huntress has confirmed that cyber criminals have exploited a SQLi vulnerability and have high confidence an authentication bypass was used to gain access into these servers."
Kaseya was working on fixes for the flaws
According to the Dutch Institute for Vulnerability Disclosure (DIVD), an organisation focused on responsible vulnerability disclosure whose members are volunteer security researchers, disclosed over the weekend that a number of the zero-day flaws used in the attack had already been found by one of its researchers and had been reported to Kaseya who was in the process of developing patches for them.
"During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched," researcher Victor Gevers, who acts as chairman and head of research of DIVD, said in a blog post.
"They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch."
According to Gevers, DIVD researchers analysed Kaseya VSA as a part of a larger effort to investigate vulnerabilities in tools used for system administration and security and identify publicly exposed systems that run the affected software.
DIVD has been working with national CERTS and other partners to identify and contact users with publicly exposed Kaseya VSA servers and noted that the number of publicly exposed instances dropped from 2,200 to less than 140.
Until patches are ready, Kaseya advises customers not to turn their on-premises VSA servers back on. However, the company has released a Compromise Detection Tool that can be used to scan a VSA server or Kaseya-managed endpoint for signs of compromise following this attack.
What is REvil and how is it deployed?
REvil, also known as Sodinokibi, is a ransomware threat that appeared in April 2019 and rose to prominence after another RaaS gang called GandCrab shut down its service. REvil is operated as a ransomware-as-a-service platform where the group behind it relies on partners called affiliates to distribute it for a share of the ransom payments.
Over the past year, REvil was one of the most common manually-operated ransomware strains that infected corporate networks. Since the malware is distributed by different affiliates, the initial access vector varies, as well as the actions taken by attackers inside networks.
According to security researcher Kevin Beaumont, once attackers gain access to a Kaseya VSA instance by exploiting the zero-day vulnerabilities, they immediately disable the legitimate administrator access to the software in order to prevent the attack from being stopped. They then set up a task called “Kaseya VSA Agent Hot-fix" to push a fake Kaseya agent update to systems managed through the software.
"This management agent update is actually REvil ransomware," he said. "To be clear, this means organisations that are not Kaseya’s customers were still encrypted."
The deployment of this malicious update is further enabled by the fact that Kaseya documentation advises customers to exclude from antivirus scans the folders where the VSA remote management agent and its components are installed.
Once installed, the REvil ransomware executes a PowerShell command that disables several important features of Microsoft Defender for Endpoint: Real Time Monitoring, IPS, Cloud Lookup, script scanning, Controlled Folder Access (ransomware prevention), Network Protection and cloud sample submission. The malware also attempts to tamper with antivirus products from other vendors, including Sophos, and disables various back-up systems.
The ransom website is hosted on the Tor network and the ransom currency is Monero (XMR). A screenshot shared by HitmanPro malware analyst Mark Loman shows a ransom amount of $50,000, but there are reports of ransom requests of $5 million associated with this attack. It's usual for ransomware gangs to adjust the ransom size based on what they perceive the victim's annual revenue is.
MSPs and remote management tools are not a new target
Attacks against MSPs and the management software they use, such as Kaseya, are not a new development. In January 2018, security firm eSentire reported that a number of its customers were targeted through a vulnerability in Kaseya VSA with the goal of deploying cryptocurrency mining malware on their systems. Kaseya subsequently released a patch to address the vulnerability.
In August 2019, a REvil affiliate managed to compromise a Texas-based MSP called TSM Consulting Services and deployed ransomware to its customers, which included 22 municipalities in Texas.
Earlier that year, ransomware groups exploited an old vulnerability in ConnectWise ManagedITSync integration, a utility designed to sync data between the ConnectWise Manage PSA and the Kaseya VSA RMM, to compromise MSPs.
According to a report by security firm Armor Defense, 13 MSPs and cloud-services providers were hit in 2019, leading to systems belonging to municipalities, school districts and private businesses being infected with ransomware.