Why it Matters and How to Protect Yourself
What Happened?
At around 1400 EDT on July 2, attackers appear to have used a 0-day authentication bypass vulnerability in Internet-exposed instances of the Kaseya Virtual System Administrator (VSA) server software, a software suite used by managed service providers (MSPs) to manage their clients' systems. The auth bypass gave the attackers the ability to upload their payload to the VSA server, which they then executed via SQL injection. This in turn pushed a REvil ransomware payload down to the systems managed by the compromised VSA server and began to execute the ransomware portion of the attack.
Why is it Concerning?
The attacks via SolarWinds put supply chain exploitation in the spotlight, highlighting the interconnectedness of enterprises via the software solutions they trust, and the immense privilege these software packages can provide to attackers if exploited. The Colonial Pipeline and JBS ransomware attacks provided similar illumination around the threat posed by malware under the ransomware business model. The Kaseya/REvil attack combines both and signals a clear escalation of techniques used by cybercriminals—into the realm of techniques previously reserved for nation-states.
What was the Impact?
At the time this blog was posted, REvil claimed that up to 1,000,000 host systems had been compromised and encrypted as a product of this single attack. Multiple large organizations have shuttered for cleanup, and the FBI/CISA, White House, and many others globally have released guidance on dealing with the attack. The initial ransoms range between $45K and $5M USD. The behavior of the REvil gang suggests that they were unprepared for the success of the campaign, with outages reported on their payment and decryptor systems. Since the attack, REvil has offered to decrypt all victims for a flat price of $70M USD, later reducing this to $50M USD.
What can I do?
- Kaseya has advised that any VSA servers should be shut down immediately until further notice. The advisory, which Kaseya is continuously updating, is here: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021
- Organizations under the management of an MSP that uses VSA should contact their MSP for instructions.
- Kaseya has released a detection tool to determine if any of the known initial indicators of compromise (IOCs) are present: https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40
- For those wanting to do in-house detection, Kevin Beaumont has released a good list of IOCs: https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
- CISA has issued guidance on mitigations and cleanup: https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa
- All organizations experiencing the impact of ransomware, particularly as a result of this attack, have been urged to inform their local Computer Emergency Response Team (CERT).
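As an added illustration of the in-house detection mentioned above (this is not Kaseya's detection tool, nor code from Bugcrowd or any of the linked sources), the script below hashes every file under a directory and matches it against a small line-oriented indicator list of SHA-256 hashes and file-name globs. The indicators and sample files in it are constructed placeholders, not real Kaseya/REvil IOCs; a practitioner would replace `PLACEHOLDER_IOCS` with a vetted list such as the one linked above before sweeping real hosts.

```python
"""Minimal IOC sweep: hash files under a directory and match them against
SHA-256 and file-name indicators. Added example; indicators are constructed
placeholders, NOT real Kaseya/REvil IOCs."""
import fnmatch
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Indicators:
    sha256: set[str] = field(default_factory=set)
    filename_globs: list[str] = field(default_factory=list)


def load_indicators(text: str) -> Indicators:
    """Parse lines of the form 'sha256:<hex>' or 'filename:<glob>'.
    Blank lines and '#' comments are ignored; malformed lines are skipped."""
    ind = Indicators()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(":")
        kind, value = kind.strip().lower(), value.strip()
        if kind == "sha256" and len(value) == 64:
            ind.sha256.add(value.lower())
        elif kind == "filename" and value:
            ind.filename_globs.append(value.lower())
    return ind


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, ind: Indicators) -> list[tuple[str, str]]:
    """Walk root and return (path, reason) for each file matching an indicator.
    reason is 'filename', 'sha256', or 'filename+sha256'."""
    hits: list[tuple[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if any(fnmatch.fnmatch(name.lower(), g) for g in ind.filename_globs):
                reasons.append("filename")
            try:
                if sha256_of(path) in ind.sha256:
                    reasons.append("sha256")
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if reasons:
                hits.append((path, "+".join(reasons)))
    return hits


# Constructed sample payload and placeholder indicator list (not real IOCs).
SAMPLE_PAYLOAD = b"constructed sample payload - not real malware"
PLACEHOLDER_IOCS = (
    "# constructed placeholders, not real indicators\n"
    f"sha256:{hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}\n"
    "filename:placeholder-dropper*.exe\n"
)


def demo() -> list[tuple[str, str]]:
    """Build a scratch directory with one benign and two flagged files, sweep it,
    and return (basename, reason) pairs sorted by name."""
    ind = load_indicators(PLACEHOLDER_IOCS)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"benign content")                 # matches nothing
        with open(os.path.join(root, "renamed.bin"), "wb") as f:
            f.write(SAMPLE_PAYLOAD)                     # hash match only
        with open(os.path.join(root, "placeholder-dropper-1.exe"), "wb") as f:
            f.write(b"different bytes")                 # name match only
        hits = sweep(root, ind)
    return sorted((os.path.basename(p), r) for p, r in hits)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{reason:9} {name}")
```

Hash matching catches a known payload even when it has been renamed, while the file-name glob catches variants whose contents differ; a hit on either is a reason to isolate the host and escalate, not proof of compromise on its own.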
How can Unified Vulnerability Management via the Bugcrowd Platform Help?
The Bugcrowd platform helps you resolve the state of previously unknown assets by identifying, categorizing, and prioritizing all your Internet-exposed technologies before attackers can exploit them.
It appears that the REvil gang targeted only Internet-facing VSA servers in this attack. While services like VSA provide great utility to the post-pandemic distributed workforce, this kind of remotely accessible power shouldn’t be directly exposed to the Internet.
The vulnerabilities that provided the attackers an initial foothold into Kaseya VSA were reportedly already known, and in the process of being fixed; however, REvil beat them to the punch. This is a timely reminder for organizations—particularly those with products that form part of a broader supply chain—to ensure vulnerabilities aren’t just being found, but also remediated promptly.
Bugcrowd Bug Bounty™
Pay-for-Impact Vulnerability Discovery
- Quickly find and fix business-critical vulnerabilities by engaging the Crowd for continuous testing with pay-for-results incentives
Bugcrowd Pen Test™
Faster Compliance & Continuous Coverage
- Go beyond today’s scanners and penetration tests to discover, prioritize, and fix your hardest-to-find vulnerabilities faster—continuously and on-demand
Bugcrowd Attack Surface Management™
Hacker-Powered Asset Prioritization
- Identify, categorize all Internet-exposed technologies, prioritize vulnerabilities, and resolve the state of your previously unknown assets before they’re discovered by attackers
Bugcrowd Vulnerability Disclosure™
Neighborhood Watch for your Digital Footprint
- Securely accept, triage, and rapidly remediate vulnerabilities submitted from the global security researcher community to meet compliance and reduce risk
Further Reading
- https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
- https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress
- https://twitter.com/GossiTheDog/status/1412386715155767298
- https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa
- The Ultimate Guide to Managing Ransomware Risk
*Please note that Bugcrowd is not a Kaseya customer and was not impacted by the REvil ransomware attack.