REvil Ransomware Attacks Used Zero-Day Vulnerability in Kaseya's IT Management Software
A ransomware attack leveraging a zero-day vulnerability in Kaseya's VSA management solution may have affected about 60 managed service providers (MSPs) and almost 1,500 of their business customers.
The so-called "supply-chain" attack, attributed to the REvil ransomware gang (a.k.a., "Sodinokibi"), was acknowledged by Kaseya in this rolling series of posts, dating back to July 2. Kaseya provides its VSA solution as a service, hosted from its datacenters, but the management software also gets installed on local servers (on customer premises). VSA is typically used by MSPs to provide outsourced IT support to businesses.
Early on, Kaseya shut down its VSA servers and urged its customers using VSA on local infrastructure to do the same. However, the vulnerability had already been leveraged by the attackers, affecting MSPs and businesses.
On-Premises VSA Customers Affected
Here is Kaseya's July 5 assessment of the ransomware attack, which indicated that MSP customers using VSA installed on-premises, as well as their customers, were the ones affected:
To date, we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found evidence that any of our SaaS customers were compromised.
So far, it's known that 800 of Sweden's Coop grocery stores were shut down due to the ransomware, according to a Reuters report. Coop relies on Visma Esscom to keep its cash registers running, and Visma Esscom uses Kaseya's solution for IT management tasks.
The attackers are said to have "demanded $70 million to restore all the affected businesses' data," although they negotiate the price, per another Reuters story.
Kaseya is currently working to restore its VSA service and has distributed an indicator-of-compromise detection tool for customers that's available from a link in its announcement. The company hired Mandiant to assess its overall security posture, according to a Kaseya "Incident Overview" post.
The ransomware attacks mostly affected customers located in the "United Kingdom, South Africa, Canada, Germany, the United States and Colombia," according to a post by Esset security researchers. The Esset post included a reproduction of the ransom note, which promised to provide a key to restore an organization's encrypted data for a price.
The ransomware attackers used the zero-day flaw in Kaseya's VSA software to add a malicious dropper via a PowerShell script, according to analysis by Kaspersky researchers. This script disables current Microsoft Defender anti-malware software and substitutes an older version. It also sets up the ransomware via a dynamic link library file.
Kaseya Was Fixing the Flaw
The vulnerability in Kaseya's VSA software apparently was known before the outbreak of the ransomware attacks. It had been reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) and a fix was being worked on, according a Kaspersky Threatpost article, as well as this July 4 DIVD post.
The DIVD recently reported seeing a rapid decrease in the use of VSA servers per this July 6 post. It advised following security best practices, such as using multifactor authentication and removing public Internet-facing admin interfaces.
The attack is under investigation by the U.S. Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, which offered guidance for affected MSPs and affected MSP customers via this announcement. It includes links to articles listing indicators of compromise, plus general advice for users of remote monitoring and management (RMM) tools.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.