The Kaseya Attack: Things to Know
One of the biggest ransomware attacks in recent years was committed by the REvil group, which exploited a vulnerability in Kaseya’s VSA remote monitoring and management tool. The attack compromised dozens of MSPs, and ransom was demanded from nearly 1,500 end-user customers after their data was encrypted.
Even those who were not compromised in the attack were affected: more than 36,000 MSPs were left without access to the on-premises version of VSA, which Kaseya kept offline as a precaution while it worked on a patch.
Here are some things to know about the Kaseya attack:
What is Kaseya?
Headquartered in Dublin, Ireland, Kaseya is a provider of IT solutions that include VSA, a remote monitoring and management tool. It also provides compliance systems, service desks, and a platform for professional services automation.
Kaseya was the victim of what the company termed “a sophisticated cyberattack.” The attack was described by the FBI as a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.”
Multifactor Authentication Strongly Advised
Both the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are urging those affected by the attack to ensure that multifactor authentication is used on every account they control, as well as on customer-facing services. MSPs were also advised to use whitelisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs.
An alternative is to place RMM administrative interfaces behind a VPN or a firewall on a dedicated network. All backups need to be up to date and easy to retrieve while being air-gapped from the organizational network.
Patches should be applied as soon as they become available.
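The IP-pair whitelisting advice above is easier to act on with a concrete check. The following is an added example, not code from Kaseya, CISA or the FBI: it audits accepted connections to an RMM server's administrative port against an allowlist of (source network, RMM server) pairs and flags anything outside it. The log format, the addresses (RFC 5737 documentation ranges) and the allowlist are constructed for the example; adapt the regular expression to the firewall or reverse-proxy log you actually have.

```python
"""Audit accepted RMM/VSA connections against a (source, server) IP allowlist.

Added example: the log format, allowlist and addresses are constructed, not
taken from any real deployment or from Kaseya's guidance.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed allowlist of (source network, RMM server address) pairs.
ALLOWED_PAIRS = [
    ("203.0.113.0/24", "198.51.100.10"),  # MSP office range -> VSA server
    ("192.0.2.5/32", "198.51.100.10"),    # dedicated jump host -> VSA server
]

# Constructed firewall-style log lines (one unparseable line at the end on purpose).
SAMPLE_LOG = """\
2021-07-02T14:03:11Z ACCEPT src=203.0.113.44 dst=198.51.100.10 dport=443
2021-07-02T14:05:27Z ACCEPT src=192.0.2.5 dst=198.51.100.10 dport=443
2021-07-02T14:09:02Z ACCEPT src=198.51.100.77 dst=198.51.100.10 dport=443
2021-07-02T14:11:40Z ACCEPT src=203.0.113.44 dst=198.51.100.11 dport=443
2021-07-02T14:12:05Z DROP src=192.0.2.99 dst=198.51.100.10 dport=443
garbled entry that the collector truncated
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    reason: str


def build_allowlist(pairs):
    """Parse string pairs into (ip_network, ip_address) tuples once, up front."""
    return [(ipaddress.ip_network(net), ipaddress.ip_address(server))
            for net, server in pairs]


def is_allowed(src, dst, allowlist):
    """True if the (src, dst) pair matches at least one allowlisted pair."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    return any(s in net and d == server for net, server in allowlist)


def audit(log_text, pairs, rmm_port=443):
    """Return findings for accepted RMM-port traffic that is not allowlisted.

    Only traffic whose destination is a known RMM server is judged; other
    port-443 traffic is out of scope. Unparseable lines are reported rather
    than silently skipped, so a broken collector cannot hide connections.
    """
    allowlist = build_allowlist(pairs)
    rmm_servers = {server for _, server in allowlist}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings.append(Finding("?", "?", "?", f"unparseable line: {line!r}"))
            continue
        if m["action"] != "ACCEPT" or int(m["dport"]) != rmm_port:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if dst not in rmm_servers:
            continue  # not an RMM server; ordinary HTTPS traffic
        if not is_allowed(m["src"], m["dst"], allowlist):
            findings.append(Finding(m["ts"], m["src"], m["dst"],
                                    "source not allowlisted for this RMM server"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, ALLOWED_PAIRS):
        print(f"{f.ts} {f.src} -> {f.dst}: {f.reason}")
```

Run against the sample, the audit flags the connection from 198.51.100.77 (an address inside the server's own subnet but outside any allowlisted pair) and reports the truncated line; the accepted connections from the office range and the jump host pass, and the dropped connection is ignored because the firewall already handled it.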
The Ripple Effect
Although not a Kaseya customer itself, Sweden’s Coop supermarket chain had to shut down several hundred stores because its POS tills and self-service checkouts ceased to function; the company that manages those systems is a Kaseya customer.
The effects of the cyberattack also spread to the Swedish pharmacy chain Apotek Hjärtat and to several New Zealand schools, giving an indication of how widespread the ripple effect of the attack was. While as few as 50 direct customers were affected, it is believed that between 800 and 1,500 businesses further down the chain were impacted.
REvil Was Able to Gain Privileged Access
A zero-day vulnerability was used to remotely access VSA servers, granting REvil privileged access. From there they were able to send a malicious update payload to endpoints through a trusted channel, taking advantage of the anti-malware exclusions Kaseya requires for its application and working folders, so the payload was ignored entirely by anti-malware software.
The attackers were able to bypass authentication by exploiting vulnerabilities in the VSA tool, ultimately allowing them to deploy ransomware to endpoints. Kaseya has responded by saying it will provide a 24-hour independent SOC for every VSA, along with the ability to isolate and quarantine files or entire VSA servers. Customers that whitelist IPs will have to whitelist additional IPs once VSA is up and running again.
Kaseya had previously been made aware of the vulnerability exploited by REvil and was in the process of validating a patch. Unfortunately, REvil’s attack came before it could be rolled out. This caused some speculation that REvil may have been aware of the company’s internal communication, though ultimately it is believed that the vulnerability targeted was simply easy to exploit.
Largest Ransom Demand of All Time
REvil’s ransom demand is the largest of all time. Initially the group demanded $5 million from larger companies, $500,000 from smaller firms with multiple locked file extensions, and $45,000 from companies whose locked files shared a single extension. It then demanded $70 million in exchange for publicly releasing a decryptor, later dropping the amount to $50 million, the same amount it demanded after compromising Acer earlier in the year.
What Can Customers Do?
Kaseya has released patches and, as of July 12, is working with on-premises customers to deploy the fix. It has also released a tool, including Indicators of Compromise (IoCs), which is available for download on Box. Two PowerShell scripts are available: one designed to run on a VSA server and a second designed for endpoint scanning.
Want to avoid becoming the next victim of the latest cyberattack?
Reach out to Safe Harbour today!