Kaseya’s VSA remote monitoring and management tool was used as an attack vector to inject REvil ransomware into the systems of more than a thousand end customers of around 30 Managed Service Providers (MSPs) at the start of the US Independence Day weekend.
A Kaseya statement said: “Unfortunately, Kaseya’s VSA product was the victim of an ingenious cyber attack. Due to the quick response of our teams, we believe this was limited to a very small number of local customers.”
VSA, the Virtual System / Server Administrator, is software used by Kaseya customers to monitor and manage their infrastructure. It is delivered either as a hosted SaaS service from Kaseya or as on-premises VSA servers run by end customers or MSPs. Kaseya pushes updates to these VSA servers, and on Friday, July 2nd, an update was distributed through VSA that carried REvil ransomware code. It hit fewer than 40 Kaseya VSA customers, but about 30 of those were MSPs, and VSA then pushed the code on to their customers’ endpoints. Thousands of MSP client companies have potentially been infected.
This is known as a supply chain attack, and its basic methodology resembles last year’s SolarWinds attack, in which malware was installed through a trusted update channel. One difference, discussed below, is that the entry point here was a vulnerability in VSA itself rather than a compromised build pipeline.
Kaseya is publishing periodic updates about the attack and its ongoing response. It has shut down its own hosted SaaS VSA servers and urges customers to shut down their on-premises VSA servers until further notice.
A Kaseya statement on July 4th said, “Our security, support, R&D, communications and customer teams are working all weekend round the clock in all regions to solve the problem and get our customers back up and running.”
Customers who receive a ransom note should not click any links in it, as the links themselves may be weaponized. How they should actually respond to the ransom demand is not described. In the meantime, they may find that some of their files have been encrypted and will need to restore them from backups.
Kaseya said: “We are in the process of staging our SaaS server farms with reduced functionality and a higher security status (expected in the next 24-48 hours, but subject to change) on a geographic basis. Further details on the restrictions, changes to the security situation and the time frame will be given in the next communique later today.”
Kaseya is working with the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and cybersecurity forensics firms, and its executives are contacting affected customers. The company’s R&D engineers are diagnosing the root cause of the incident and investigating how the attack code affected customers. A Compromise Detection Tool was rolled out to nearly 900 Kaseya customers who requested it, and an updated version of that tool was also distributed.
The tool can be used to determine whether a customer’s VSA server has been compromised.
Kaseya is also developing a patch that must be installed before customers restart their VSA servers, along with a set of recommendations for hardening their security posture.
Attack vector and scope
The attackers got in through a vulnerability in VSA that the Dutch Institute for Vulnerability Disclosure (DIVD) had only recently reported to Kaseya and that was still being fixed when the attack occurred. A July 3 DIVD statement said: “We discovered serious vulnerabilities in Kaseya VSA and reported them to Kaseya, with whom we have been in regular contact since then.” The date on which DIVD reported the vulnerability to Kaseya is not known.
The security company Huntress Labs has been updating a Reddit thread on the incident. It provides details on how the attackers first broke into customers’ Kaseya VSA servers. The thread includes these points:
- More than 1000 companies had encrypted servers and workstations.
- It is reasonable to assume that this could potentially affect thousands of small businesses.
- Based on the forensic patterns, ransom notes, and the Tor URL, we firmly believe that a REvil / Sodinokibi RaaS partner was behind these break-ins.
Sophos malware analyst Mark Loman is reported to have said that affected companies are seeing ransom demands of $50,000, or $5 million when their system is part of a larger corporate network.
According to The Record, Kaseya has been targeted twice before. “In February 2019, the GandCrab ransomware gang exploited a vulnerability in a Kaseya plug-in for the ConnectWise Manage software to deploy ransomware on the networks of MSPs’ customers.”
The GandCrab gang later rebranded as REvil and launched a second attack, against Webroot SecureAnywhere and Kaseya VSA products, to gain access to MSPs’ customer networks.
In this latest attack, the REvil code appears to attempt to disable any local antivirus software and then run a fake Windows Defender application. That application carries the ransomware routines that encrypt files on the system.
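The two behaviours described above (tampering with the local antivirus, then launching a look-alike Windows Defender process) suggest a simple endpoint check. The following Python is an added example, not code from Kaseya, Huntress or the original article; it runs over constructed process-creation events embedded in the script, and the Defender install directories, binary names and AV-tampering command-line patterns are assumptions about a typical Windows host rather than indicators taken from this incident.

```python
"""Heuristic checks for AV tampering and Defender masquerading over
constructed process-creation events. Added example, not the incident's IOCs."""
from pathlib import PureWindowsPath

# Assumption: on a default Windows install the genuine Defender engine binaries
# live under one of these two directories. A Defender-looking image name that
# runs from anywhere else is treated as a masquerade.
EXPECTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
DEFENDER_BINARIES = {"msmpeng.exe", "mpcmdrun.exe", "nissrv.exe"}

# Illustrative command-line fragments used to switch off or hollow out local AV.
# These are generic patterns chosen for the example, not strings from the attack.
AV_TAMPER_MARKERS = (
    "set-mppreference -disablerealtimemonitoring",
    "add-mppreference -exclusionpath",
    "sc stop windefend",
    "net stop windefend",
)


def is_masquerading_defender(image_path: str) -> bool:
    """True when the image name is a Defender binary but its directory is not
    one of the expected Defender install locations."""
    p = PureWindowsPath(image_path)
    if p.name.lower() not in DEFENDER_BINARIES:
        return False
    parent = str(p.parent).lower().rstrip("\\")
    return not any(parent == d or parent.startswith(d + "\\")
                   for d in EXPECTED_DEFENDER_DIRS)


def is_av_tamper_commandline(cmdline: str) -> bool:
    """True when the command line contains a known AV-tampering fragment;
    whitespace is normalised so spacing tricks do not evade the match."""
    normalised = " ".join(cmdline.lower().split())
    return any(marker in normalised for marker in AV_TAMPER_MARKERS)


def find_suspicious(events):
    """Return (pid, [reasons]) for every event that trips at least one check."""
    hits = []
    for e in events:
        reasons = []
        if is_masquerading_defender(e["image"]):
            reasons.append("defender-masquerade")
        if is_av_tamper_commandline(e["cmdline"]):
            reasons.append("av-tamper")
        if reasons:
            hits.append((e["pid"], reasons))
    return hits


# Constructed sample telemetry: one genuine Defender start, one PowerShell call
# that disables real-time protection, one MsMpEng.exe launched from C:\Windows,
# and one benign process.
SAMPLE_EVENTS = [
    {"pid": 1001,
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "cmdline": r'"C:\Program Files\Windows Defender\MsMpEng.exe"'},
    {"pid": 1002,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Set-MpPreference  -DisableRealtimeMonitoring $true"},
    {"pid": 1003,
     "image": r"C:\Windows\MsMpEng.exe",
     "cmdline": r"C:\Windows\MsMpEng.exe"},
    {"pid": 1004,
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(reasons)}")
```

The path check deliberately keys on the directory rather than on a file hash, because a look-alike binary may be a renamed copy of the genuine signed executable; in practice you would pair this with a signer or hash check and feed real Sysmon or EDR process-creation events instead of the constructed list.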
Number of affected customers
Huntress Labs researcher John Hammond believes more than 1,000 companies are affected. (Hammond has been tweeting about the incident.) They are located around the world, including in Argentina, Canada, Germany, Kenya, Mexico, the Netherlands, New Zealand, South Africa, Sweden, the UK, and the US.
Coop, a Swedish grocery chain with 800 stores, had to take its point-of-sale (POS) terminals offline because the payment software on them was managed by a Swedish MSP, Visma Esscom. Visma Esscom is a Kaseya customer serving around a million end customers, according to its press release about the incident. Its VSA deployment pushed the ransomware code to the Coop POS terminals, which could then no longer accept payments.
Coop initially closed all 800 stores and then began recovery work. In some stores, its customers can pay with the Coop Scan & Pay mobile app in the meantime.
The Swedish state railway was also affected, as was a Swedish pharmaceutical chain.
This kind of cyber extortion seems unstoppable. The only effective defense for victims appears to be restoring from immutable backups, preferably with granular point-in-time recovery and fast restores to minimize data loss.
It is ironic that Kaseya sells its own Unitrends backup product with an anti-ransomware feature. More ironic still, Kaseya also offers a Managed SOC service providing 24/7 threat monitoring with this pitch: “Stop attackers with our managed cybersecurity detection and response solution backed by a world-class security operations center.”
US President Joe Biden met with Russian President Putin in Geneva in June and told him the US would hold Russia accountable for cyberattacks against US companies and organizations if the attacks originated from Russia. He is reported to have directed US intelligence agencies to investigate the attack.
It is not specified exactly how Russia would be held accountable if the Kaseya incident is found to have a Russian origin. More than a thousand companies around the world now face extortion over their data because Kaseya was the unwitting conduit used to deliver ransomware onto their systems.
Future legal action could seek to make Kaseya pay compensation to the affected companies. The lost business for Sweden’s Coop alone could amount to several million kronor. Kaseya’s quick and constantly updated response to the attack will help mitigate the reputational damage, but the resulting financial cost could be enormous.