IT company Kaseya has been hit by a major ransomware attack and is working to resolve its aftermath. It is working with FireEye Mandiant to resolve the incident, assess the manner and impact of the attack, and identify and mitigate the vulnerability.
A statement from the company said: “Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.
“Our security, support, R&D, communications and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service.”
Charl van der Walt, Head of Security Research, Orange Cyberdefense, said: “These so-called ‘supply chain attacks’ are the consequence of several diverse factors that have colluded to make a compromise of this kind almost inevitable. One of these factors is ‘IT Interdependence’ – IT systems and the businesses that use them do not operate in isolation. As a result, the impact of a breach or compromise is never restricted to the primary target alone.
“We simply cannot afford to think of our own security as isolated or separate from the security of our technology product or service providers, or from the myriad of other business entities or government agencies we share technology with. A shared dependency on core technologies, vendors, protocols or core Internet systems like DNS or CDNs binds businesses together just as tightly as fibre links and IP networks. Businesses in turn also bind together the suppliers who depend on them, the industries they belong to, the countries they operate in and, eventually, the entire global economy.
“By their very nature, supply chain attacks provide the attacker with vast scope and scale, even if they take more resources and time to perpetrate. The frequency of these attacks is therefore not as important as their impact. Given the persistence of the systemic forces that enable these attacks, we anticipate that they will increase in both frequency and impact.
“When we consider when, where and how much to invest in security, we must think beyond the single-dimensional risk we are addressing for our business and consider the impact of the secondary and tertiary effects on the broader economy when breaches and compromises happen. We need to recognise that what’s bad for society generally is also bad for us as businesses.”
James Shank, Ransomware Task Force Committee Lead for Worst Case Scenarios and Chief Architect, Community Services for Team Cymru, said: “Vendors and supply chains enable business growth and efficiency, but they also create high value targets for attackers. With SolarWinds, CodeCov, and now Kaseya being some of the recent software and IT system supply chain attacks that enabled attackers to hit their customers, the writing on the wall is crystal clear: Attackers are looking for ways to compromise supply chain vendors to amplify their reach into victims.
“This is not the first and it won’t be the last. It is time to add another item to the already overwhelmed corporate security teams: audit suppliers and integrations with your supply chain providers. Limit exposure to the absolute minimum while still enabling business operations.
“During the Ransomware Task Force Worst Case Scenarios thought experiment, this exact scenario was identified as a critical weakness. It isn’t clear how best to respond, as the world – and enterprise operations – becomes more and more connected and co-dependent every day. Each of these connections can be a pathway for massively good things, but also opens the door to a shared fate scenario, where a security incident at your supplier is likely to also become an incident on your network.
“The new security operations paradigm must consider suppliers as part of their extended perimeter to defend. Being able to see exposures and threats beyond the traditional network perimeter needs to become part of best in class security practice.”
Chris Grove, Product Evangelist, Nozomi Networks, said: “This type of supply chain attack, similar to the SolarWinds attack, goes straight to the jugular of organisations looking to recover from a breach.
“These types of technology management solutions can have high concentrations of risk due to their large collection of enterprise accounts with elevated privileges, unrestricted firewall rules needed for them to operate, and a cultural ‘trust’ that the traffic to/from them is legitimate and should be allowed.
“Once a breach happens, the victim would generally reach for these tools to work their way out of a bad situation, but when the tool itself is the problem, or is unavailable, it adds complexity to the recovery efforts.
“At times like this, when we don’t fully understand the scope and tactic used, or which versions are affected, visibility into the blast radius of the attacker is crucial. Knowing which systems were impacted, which were used for lateral movement, or where the attackers may be hiding, ensures defenders can make educated decisions on the ground. When it comes to defending critical infrastructure, that visibility could make all the difference between the power being on or off.”
Ross McKerchar, Sophos Vice President and Chief Information Security Officer, said: “This is one of the farthest reaching criminal ransomware attacks that Sophos has ever seen. At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations.
“We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company. Victims span a range of worldwide locations with most in the United States, Germany and Canada, and others in Australia, the U.K. and other regions.”
Mark Loman, Sophos Director of Engineering, said: “Sophos is actively investigating the attack on Kaseya, which we see as a supply chain distribution attack. The adversaries are using MSPs as their distribution method to hit as many businesses as possible, regardless of size or industry type.
“This is a pattern we’re starting to see as attackers are constantly changing their methods for maximum impact, whether for financial reward, stealing data, credentials and other proprietary information that they could later leverage, and more. In other widescale attacks we’ve seen in the industry, such as WannaCry, the ransomware itself was the distributor – in this case, MSPs using a widely used IT management tool are the conduit.
“Some successful ransomware attackers have raked in millions of dollars in ransom money, potentially allowing them to purchase highly valuable zero-day exploits. Certain exploits are usually only deemed attainable by nation-states. Where ‘nation-states’ would sparingly use them for a specific isolated attack, in the hands of cybercriminals, an exploit for a vulnerability in a global platform can disrupt many businesses at once and have an impact on our daily lives.
“A day after the attack, it became more evident that an affiliate of the REvil Ransomware-as-a-Service (RaaS) leveraged a zero-day exploit that allowed it to distribute the ransomware via Kaseya’s Virtual Systems Administrator (VSA) software. Usually, this software offers a highly trusted communication channel that allows MSPs unlimited privileged access to help many businesses with their IT environments.”
Based on Sophos threat intelligence, REvil has been active in recent weeks, including in the JBS attack, and is currently the dominant ransomware gang involved in Sophos’ defensive managed threat response cases.
Mark Manglicmot, VP of Security Services, Arctic Wolf, said: “The Kaseya VSA supply chain ransomware campaign is a sophisticated and intentional attack, the scope of which will not be fully understood for many weeks or possibly months. Any organization using Kaseya VSA should treat this as a critical risk to their business and immediately shut down their Kaseya VSA server. They should also follow CISA guidance to ensure that back-ups are up-to-date and air-gapped, manual patching is implemented, multi-factor authentication (MFA) is turned on, and then await additional instructions from Kaseya for next steps.
“With supply chain attacks able to cascade across thousands of organizations within a matter of hours, those looking to protect themselves against future incidents must deploy world-class security operations with 24×7 monitoring capable of detecting, managing and mitigating any threat. Often, users are seen as the weakest link, and adversaries will continue to exploit the human element to reach their objectives, which means establishing a stronger security posture is the first and best approach organizations can take in avoiding future supply chain compromises.”
Craig Sanderson, VP of Product Management, Infoblox, said: “The Kaseya attack, which paralyzed companies such as the supermarket chain Coop in Sweden, shows that anyone can be targeted. Instead of being blackmailed by cyber-criminals, organizations need to proactively prepare defenses to mitigate against paying a painful ransom and reputation loss among customers and partners.
“To prevent such damages, companies should make their security strategies as proactive as possible and keep back-ups in case a system reset is needed. Because attackers commonly use DNS for communicating with malicious domains, DNS security can help block those communications while providing indispensable visibility into the activity of impacted machines, helping customers understand the scope of a breach for quick response.”
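The DNS-based visibility described in the statement above can be illustrated with a small triage script. This is an added example, not code from Infoblox, Kaseya or the article: it reads resolver query logs, matches each queried name (and its subdomains) against a domain blocklist, and reports which client hosts contacted blocked domains, which is the kind of per-host scoping the quote refers to. The log lines, the log format, and the blocklist domains (under the reserved `.invalid` TLD) are all constructed for the example and are not real indicators.

```python
"""
Triage resolver query logs against a domain blocklist to scope which hosts
talked to blocked domains. Constructed example; log format, hosts and domains
are hypothetical and are not indicators from the Kaseya incident.
"""
from collections import defaultdict

# Constructed blocklist of hypothetical domains (reserved .invalid TLD).
BLOCKLIST = {"c2-example.invalid", "payload-host.invalid"}

# Constructed resolver log lines: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2021-07-02T14:01:03Z 10.0.1.15 update.example.com A
2021-07-02T14:01:07Z 10.0.1.15 c2-example.invalid A
2021-07-02T14:01:09Z 10.0.1.22 www.c2-example.invalid. A
2021-07-02T14:02:11Z 10.0.1.40 payload-host.invalid TXT
2021-07-02T14:02:15Z 10.0.1.22 mail.example.com MX
2021-07-02T14:02:20Z 10.0.1.50 notc2-example.invalid A
"""


def parse_line(line):
    """Split one constructed log line into its fields; qname is normalised
    to lower case with any trailing root dot removed."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype}


def blocked_parent(qname, blocklist=BLOCKLIST):
    """Return the blocklist entry that qname equals or is a subdomain of,
    or None. Matching is label-wise, so 'notc2-example.invalid' does not
    match 'c2-example.invalid'."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def triage(log_text, blocklist=BLOCKLIST):
    """Map each client IP to the sorted list of blocked domains it queried.
    Hosts with no blocked queries are omitted, so the result is the set of
    machines a responder would examine first."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        parent = blocked_parent(rec["qname"], blocklist)
        if parent:
            hits[rec["client"]].add(parent)
    return {client: sorted(domains) for client, domains in hits.items()}


if __name__ == "__main__":
    # Print the affected hosts and what they queried.
    for client, domains in sorted(triage(SAMPLE_LOG).items()):
        print(client, ", ".join(domains))
```

The same `blocked_parent` check is what a resolver-side policy (for example a response policy zone) applies at query time to block the lookup; running it over historical logs instead gives the after-the-fact scope of which hosts attempted the contact.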
Charles Carmakal, SVP and CTO, Mandiant, said: “On July 2, 2021, an affiliate of REvil/Sodinokibi exploited multiple vulnerabilities in the Kaseya VSA product to distribute a ransomware encryptor to connected endpoints. Kaseya VSA is a remote monitoring and management solution used by managed service providers (MSPs) and organizations to remotely manage computer systems.
“The number of impacted organizations is not currently known, but Kaseya estimates that the number of organizations impacted by the REvil ransomware disruption is under 1,500 organizations. Many of the impacted organizations are very small family businesses who are only now discovering the impacts because of the holiday weekend.
“REvil ransomware-as-a-service (RaaS) has been marketed in Russian-language underground forums since May 2019. In the RaaS business model, a central group develops ransomware, communicates with victims and runs back-end infrastructure, while partners, or affiliates, carry out intrusions and deploy the ransomware.
“The RaaS is operated by the actor ‘UNKN’ (aka ‘Unknown’) who does not accept English-speaking partners and does not allow partners to target CIS countries, including Ukraine. While the known affiliates are Russian speaking, it is probable that some of the operators may not physically reside in Russia. Notably, following the Colonial Pipeline incident, UNKN made an effort to restrict targeting of REvil affiliates, insisting on vetting targets prior to ransomware deployment.
“REvil took credit for the operation on the evening of July 4, claiming to have impacted over a million systems. They are asking US$70 million for a universal decryptor which could be used to unlock any system affected by this incident. This exorbitant demand is the largest on record. In private conversations, REvil has proactively decreased their demands, and they have been known to exaggerate the scope and impact of their intrusions. Furthermore, at this time, REvil has not leaked data from their intrusions, a scheme they often use to pressure victims into paying ransoms. As long as criminals can demand ransoms in the tens of millions of dollars, and are unlikely to face jail, this problem will continue to grow from bad to worse. These actors are well-funded and highly-motivated and only dramatic, collaborative action is going to turn back the tide.”
Matthew Sanders, Director of Security, LogRhythm, said: “This is unfortunately a major reminder that ransomware attacks continue to be an increasing threat to companies, critical infrastructure organizations and government agencies at all levels. This attack is especially dangerous because Kaseya is used by many Managed Service Providers that businesses trust to handle their IT functions such as endpoint inventory, patching and software deployment. With up to 1,500 possible businesses affected from the Kaseya ransomware attack, the impacts from the attack will be felt for months to come.
“Recovering from a ransomware attack takes time, and a well-rehearsed incident response plan will prove invaluable should the worst happen. Aside from planning their response to a successful attack, organizations should keep their prevention and detection technologies top of mind by ensuring that they have the appropriate protective controls in place, as well as visibility into what is happening across their environment. A properly configured security monitoring solution that has full visibility into the environment with robust automated response capability would help organizations such as Kaseya identify malicious activity and thwart bad actors before ransomware can take hold.”