Supply chain attack on Kaseya infects hundreds with ransomware: What we know

A ransomware gang has successfully encrypted the files of more than 200 businesses after compromising a remote IT monitoring and management tool as part of a supply chain attack. It is not yet known how the attackers compromised the tool, or just how widespread is the attack.

Enterprises running Kaseya VSA remote monitoring and management tools should shut down servers running the service immediately, Fred Voccola, CEO of IT company Kaseya said in a warning posted on Friday. Attackers behind the ransomware attack are disabling administrative access to VSA once they have access to the victim network, complicating efforts to contain and remove the ransomware.

The company shut down the servers for the software-as-a-service version of its tool as a precautionary measure, despite not having received any reports of a compromise affecting SaaS and hosted customers. The company said SaaS and hosted VSA servers “will become operational once Kaseya has determined that we can safely restore operations.”

Ransomware has been around for years, but has surged recently, with nearly 2,400 governments, health-care systems and schools in the country hit by ransomware in 2020, according to a Ransomware Task Force report. Data is the lifeblood of a modern company — when ransomware encrypts the files and makes it inaccessible, it brings that company to a standstill.

The attack against Kaseya’s systems is the latest in a series of recent attacks against critical infrastructure and manufacturing companies across the United States: Colonial Pipeline, Molson Coors, and JBS Meads. The gang behind the attack — REvil — is the same one the Federal Bureau of Investigation said impacted JBS a few weeks ago.

Here’s a breakdown of the supply chain ransomware attack against Kaseya VSA and what it means for enterprises.

What should security teams do right now?

Organizations running Kaseya VSA in their networks should shut down those servers immediately. “All on-premise VSA servers should continue to remain down until further instructions for Kaseya about when it isafe to restore operations,” the company said in its latest update.

A patch will be required to be installed prior to restarting VSA, Kaseya said. The company said in an earlier update that it believes it had identified the source of the vulnerability and is developing and testing a security patch to mitigate the issue.

Sophos has also released a detailed guide for potential victims to figure out if they are under attack.

Isn’t shutting down the servers a little excessive?

The Cybersecurity and Infrastructure Security Agency doesn’t think so. “CISA encourages organizations to review the Kaseya advisory and immediately follow their guidance to shutdown VSA servers,” the agency said in a National Cyber Awareness System alert.

Independent security firm Huntress Labs told Reuters the attack has “the potential to spread to any size or scale business.”

What does the attack look like?

No one knows at this time how the attackers compromised Kaseya’s VSA, but the REvil ransomware appears to be entering customer networks via a Kaseya update and spreading to all connected client systems via VSA’s internal scripting engine. Because VSA has administrative privileges, it is able to infect the clients. It’s also unclear at this point if the attackers have actually exfiltrated any data prior to encrypting them.

The malware disables local antivirus software and side-loads a malicious DLL using Windows Defender — and that malicious file encrypts the files on the compromised machine, Mark Loman, a Sophos malware analyst, wrote on Twitter.

We are monitoring a REvil ‘supply chain’ attack outbreak, which seems to stem from a malicious Kaseya update. REvil binary C:Windowsmpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:WindowsMsMpEng.exe to run the encryption from a legit process.

— Mark Loman @? (@markloman) July 2, 2021

Kaseya’s warning said that one of the first things the attacker does once the ransomware has infiltrated the network is to “shut off administrative access to the VSA.”

How widespread is the attack?

A little hard to say. More than 40,000 organizations use Kaseya products, but that number also includes customers using some other IT tool from Kaseya and not VSA. “only a very small number of on-premises customers” were affected — which appears to be fewer than 40 direct customers. However, researchers pointed out there may be a cascading effect, especially since VSA is popular among managed service providers providing IT services such as network management, system updates, and backups for other companies.

Security company Huntress Labs is monitoring the situation and posting regular updates on a Reddit thread. Huntress said it is tracking eight managed service providers that had been used to infect more than 200 clients.

What if we have already been infected with ransomware?

If the organization has already been infected by the ransomware, security teams should be working through the incident response plan. That may mean paying the ransom (although it is highly discouraged, there have been some high-profile payments, such as the $11 million JBS paid the REvil gang), or taking all systems offline and restoring data afresh from backups. Ransomware can target backup servers, Cisco Talos warned in its threat advisory, so IT may need to check if the backup servers were also infected and restore from offline backups if they exist.

Ransoms vary, from ransoms demanding $44,999 (posted on Twitter by Mark Loman, a malware analyst for Sophos) to $5 million (as reported by Reuters).

What about the fact that it was a supply chain attack?

This isn’t the first time adversaries are targeting the supply chain to amplify the impact of their attacks, and it won’t be the last. Enterprises are increasingly relying on a network of providers for a wide range of business operations which includes data processing and storage, networking infrastructure, and application delivery — that trend isn’t going away. A security incident at the supplier is inevitably going to be an incident for the enterprise, as well.

The Ransomware Task Force considered “worst case scenarios” and identified this kind of supply chain attack as a critical weakness, said James Shank, Ransomware Task Force Committee Lead for Worst Case Scenarios and Chief Architect, Community Services for Team Cymru. Enterprises need to audit suppliers and think carefully about how they integrate with third-party vendors. Many organizations are talking about zero-trust.

Finding the balance between limiting exposure to the absolute minimum and having enough links to enable business operations is the tricky part.

Is the timing of the attack significant?

Probably. These kinds of attacks take planning and preparation, and the timing is not likely to be selected at random or left up to chance. Attackers could have planned the timing of this attack for the biggest impact, knowing that many digital businesses experience an increase in service usage over the U.S. Independence Day weekend, said Curtis Simpson, CISO, at Armis.

News Flash: cybercriminals are a$$holes.

Keep all the Incident Response teams in mind this holiday weekend as they’re in the thick of it…again.

If you use Kaseya VSA, shut it down *now* until told to reactivate and initiate IR. Here’s the binary: https://t.co/NIuGJZW84p https://t.co/GSXPlOPjFt

— Chris Krebs (@C_C_Krebs) July 2, 2021

It could also be a practical decision to delay detection and to make remediation more difficult. Many enterprises gave employees time off on Friday afternoon and may have fewer personnel working over the holiday weekend. Handling a ransomware attack is generally an all-hands-on-deck situation and a stressful time — and many enterprises are gearing up to fight with a smaller team than usual. In some cases, victims may not know they were affected until they get back to work on Tuesday.