Kaseya Ransomware Attack: How it happened and the implications.

While many Americans began to prepare for the Fourth of July weekend, software development company Kaseya found itself on the wrong end of a $70 million ransomware nightmare. For those unaware, Kaseya produces software and products used by Managed Service Providers (MSPs) to monitor and manage technology environments at scale. On Friday, July 2nd, Fred Voccola, Kaseya’s CEO, announced that there was “a potential attack against the VSA [product] that has been limited to a small number of on-premise customers.” As the investigation began, multiple businesses that had Kaseya software installed in their environments reported that they had been locked out of their systems by ransomware. The cybercriminal group REvil was quick to take responsibility for the attack, stating:

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from the attack in less than an hour. If you are interest in such deal – contact us using victims “readme” file instructions.”

These instructions were posted on REvil’s own public leak site, Happy Blog. As of Monday, July 6th, REvil had lowered its ransom demand for a universal decryptor from $70 million to $50 million, showing a willingness to negotiate with its victims.

How did we get here?

Kaseya’s early statements were quick to deny that the attack stemmed from a breach of its own supply chain. After further investigation, researchers determined that the threat actors exploited a zero-day vulnerability in Kaseya’s on-premises VSA server. The exploit allowed the attackers to bypass authentication controls, obtain an authenticated session, and from there achieve arbitrary command execution. The threat actors then used that access to push REvil ransomware to a select group of Kaseya customers under the guise of a fake software update titled “Kaseya VSA Agent Hot-fix”. Because VSA is a management tool, this fake update was distributed as a routine management task to the systems it managed, throughout MSP and client environments alike. This meant that an organization did not need to be a Kaseya customer itself to have its data encrypted; it was enough that its MSP used VSA.

According to the Dutch Institute for Vulnerability Disclosure (DIVD), Kaseya was already in the process of patching the zero-day vulnerability used in this breach. Unfortunately, the REvil affiliate behind the attack obtained details of the zero-day and began exploitation before Kaseya was able to roll out a fix to its customers.

What does this mean?

Cyber-attacks of this nature are becoming more and more common: this marks the fifth major breach of a U.S. company in the past six months. Cybercriminals are increasingly adopting the Ransomware-as-a-Service (RaaS) model to expand their operations, licensing their software to other malicious actors who may lack the technical capability to create their own ransomware. REvil has been one of the most advertised and prolific RaaS operations on the dark web since its inception three years ago. The gang netted over $100 million from similar attacks in 2020 and is poised to eclipse that figure in 2021.

Netizen CEO Michael Hawkins had this to add: “As more and more companies pay ransoms while failing to put in place adequate preventative and restorative measures to ensure recovery from such events, attackers will only be emboldened to carry out more and larger scale attacks. This will become an endlessly increasing and more dangerous cycle of ransoms and payments until an end is put to it, perhaps through legislation. As Ransomware becomes more pervasive and easier to deploy, it is only a matter of time until our critical infrastructure, medical facilities, supply chain, and private businesses in particular, are severely hindered en masse, which could greatly impact the fledgling economic recovery post-COVID.”

What is the solution?

Organizations need to move cybersecurity to the front of every discussion going forward. Attacks like these are becoming far too common as companies everywhere struggle to balance the cyber risks of today’s world. All security policies need to be thoroughly reviewed and tested against real-world scenarios like this one. What happens if your company loses access to its core systems and databases? How long would it take to rebuild from backups that were not themselves impacted? These are questions every organization needs to be able to answer in order to combat this rise in cybercrime.

Software development companies must address application security at the beginning, middle, and end of their development process, leveraging DevSecOps techniques and tools. Gone are the days when security was an afterthought, often overlooked in the rush to ship an application on time. User-facing applications have repeatedly been targeted in massive ransomware attacks just like this one. The only way forward is to catch security flaws in the code before the product is launched.

For customers directly affected by this attack, Kaseya has released a tool that includes Indicators of Compromise (IoCs) along with two PowerShell scripts, one for scanning endpoints and the other for scanning a VSA server. Kaseya recommends that these scripts be run with the systems offline and that customers expect further security patches. “All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,” a Kaseya representative said.

Questions or concerns? Feel free to reach out to us any time – https://www.netizen.net/contact
