A new ransomware attack surfaced earlier this month. Kaseya, a US-based software developer, was compromised and used by the attackers to deploy their ransomware to other organizations. Reports say that hundreds of companies were directly affected by this attack, and it is estimated that a further 36,000 companies were affected indirectly.
The incident was first identified on July 2, 2021, as an exploitation of a vulnerability in the Kaseya VSA product. The product is an endpoint management and network monitoring tool used by managed service providers, or MSPs for short. The VSA system lets small and medium-sized businesses remotely monitor their computer systems and automatically take care of server maintenance and security updates. The system is designed to have full administrative privileges on a client’s systems, making it an ideal target for cybercriminals. After identifying the breach, Kaseya shut down its software-as-a-service (SaaS) servers and advised customers to shut down any on-premise VSA server as a precautionary measure.
REvil, a ransomware-as-a-service group, posted on its dark web blog stating that it was responsible for the attack and would only release a universal decryptor to unlock all affected computers if paid $70 million in Bitcoin. Previously, the group targeted JBS, a US-based meat processing company, and threatened to leak personal information. Ultimately, the company paid an $11 million ransom to protect its data.
According to reports, REvil exploited multiple zero-day vulnerabilities in on-premise Kaseya VSA installations to bypass authentication controls and run arbitrary commands. They injected malicious code into the software vendor’s network, and it was consequently distributed to customers. The group claimed to have infected more than a million systems and said it would only provide the universal decryption tool if its demands were met. However, as of July 14, the infamous group is reported to have gone “dark”: it has stopped posting and its sites appear to be offline.
The impact of the incident is much more widespread than initially thought, since it has affected the customers of Kaseya’s customers as well. Many companies rely on MSPs for numerous tasks, from help desk support to managing entire networks. Companies turn to MSPs to improve their security and to become more flexible and scalable. During the pandemic, companies had to adapt to remote work, which limited access to on-premise IT infrastructure, so they relied heavily on MSPs to handle tech support and cloud services.
What makes this attack stand out is the combination of two dangerous attack vectors: the software supply chain and the MSP sector. This multiplies the effect of the attack and has the potential to affect any company that uses the compromised software. Aside from the advice that Kaseya released, here are other steps that our partner Cyberint recommends organizations take into consideration:
- Consider monitoring for, and alerting on, the anomalous modification of security settings or configurations, such as those observed with Windows Defender.
- Continuously monitor endpoint security events as an early warning of suspicious behavior, for example, host-to-host communications indicating lateral movement or high-volume disk operations indicating mass file encryption or exfiltration.
- Limit user permissions according to the principle of least privilege (POLP).
- Secure sensitive data, adhering to any legal or regulatory requirements, to prevent unauthorized access, be that internal or external in origin.
- Utilize application permit and deny lists to prevent the execution of unauthorized or unknown executables, such as those delivered as part of a broader attack.
- Ensure that disaster recovery plans and backup policies take into account regular backups, verification of data integrity, and offline storage to facilitate restoration in the event of a catastrophic incident.
- Make use of network segregation to limit communications between nodes, especially endpoints, to contain damage and limit the propagation of threats.
- Disable administrative tools and script interpreters to prevent misuse by malicious payloads or threat actors.
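The first two recommendations (alerting on anomalous security-setting changes such as those seen with Windows Defender, and watching endpoint events for high-volume disk activity) can be turned into concrete detection logic. The script below is an added example, not code from Cyberint or from the original post; it runs two such rules over constructed endpoint telemetry. The pipe-delimited log format, the hostnames, process names and file paths are all made up for the example; the Windows Defender policy value names are real, but the events that set them here are constructed.

```python
"""Added example (not from Cyberint or the original post): run two of the
detection ideas above over constructed endpoint telemetry.

Rule 1 flags registry changes that switch off Windows Defender features.
Rule 2 flags a single process writing many files in a short window, the
high-volume disk activity that often accompanies mass file encryption.
The log format, hostnames, process names and paths are all constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed telemetry, one event per line: timestamp|host|event_type|details
SAMPLE_LOG = r"""
2021-07-02T14:00:00|WS02|registry_set|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden=1
2021-07-02T14:01:10|WS01|registry_set|HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware=1
2021-07-02T14:01:12|WS01|registry_set|HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring=1
2021-07-02T14:01:20|WS01|file_write|agent.exe C:\Users\a\Documents\q1.docx
2021-07-02T14:01:21|WS01|file_write|agent.exe C:\Users\a\Documents\q2.xlsx
2021-07-02T14:01:21|WS01|file_write|agent.exe C:\Users\a\Documents\q3.pdf
2021-07-02T14:01:22|WS01|file_write|agent.exe C:\Users\a\Documents\q4.docx
2021-07-02T14:01:23|WS01|file_write|agent.exe C:\Users\a\Documents\q5.pptx
2021-07-02T14:01:24|WS01|file_write|agent.exe C:\Users\a\Documents\q6.txt
2021-07-02T14:02:00|WS02|file_write|winword.exe C:\Users\b\Documents\memo.docx
2021-07-02T14:02:30|WS01|file_write|backup.exe D:\backup\set1.bak
2021-07-02T14:03:30|WS01|file_write|backup.exe D:\backup\set2.bak
2021-07-02T14:04:30|WS01|file_write|backup.exe D:\backup\set3.bak
"""

WINDOW = timedelta(seconds=10)   # burst window; tune to your environment
BURST_THRESHOLD = 5              # file writes per process within WINDOW


def parse_line(line):
    """Split one pipe-delimited telemetry line into a dict."""
    ts, host, event, details = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event": event, "details": details}


def load_events(log_text):
    return [parse_line(line) for line in log_text.strip().splitlines()]


def detect_defender_tampering(events):
    """Rule 1: registry_set events that set a Windows Defender Disable* value to 1.
    Returns (host, value_name) tuples in log order."""
    alerts = []
    for e in events:
        if e["event"] != "registry_set":
            continue
        key, _, value = e["details"].rpartition("=")
        value_name = key.rsplit("\\", 1)[-1]
        if ("windows defender" in key.lower()
                and value_name.lower().startswith("disable")
                and value == "1"):
            alerts.append((e["host"], value_name))
    return alerts


def detect_file_bursts(events, window=WINDOW, threshold=BURST_THRESHOLD):
    """Rule 2: sliding-window count of file_write events per (host, process).
    Fires once per (host, process), the first time the window holds >= threshold
    writes. Returns (host, process, writes_in_window) tuples."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] != "file_write":
            continue
        process, _, _path = e["details"].partition(" ")  # details: "<process> <path>"
        key = (e["host"], process)
        window_events = recent[key]
        window_events.append(e["ts"])
        while e["ts"] - window_events[0] > window:  # drop writes older than the window
            window_events.popleft()
        if len(window_events) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((e["host"], process, len(window_events)))
    return alerts


def analyze(log_text):
    """Run both rules over a telemetry text and return their alerts."""
    events = load_events(log_text)
    return {"defender_tampering": detect_defender_tampering(events),
            "file_bursts": detect_file_bursts(events)}


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG).items():
        print(rule)
        for hit in hits:
            print("  ALERT", hit)
```

On the constructed data, rule 1 fires twice for WS01 (both Defender values switched off) and ignores the unrelated Explorer setting on WS02, while rule 2 fires once for `agent.exe` on WS01 and stays quiet for the single Word save and the slow, spread-out `backup.exe` writes. The threshold and window are deliberately parameters: a backup agent or a compiler can legitimately write many files quickly, so in practice they are tuned per environment and combined with the other signals above (for example, a process that disables Defender and then starts writing in bulk) rather than used alone.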
Companies need to have countermeasures in place given the increasing number of ransomware threats around the world. We saw a domino effect with the Kaseya incident: one compromised software product affecting thousands of companies. Many of these cyberattacks are financially motivated campaigns that target anything and everything. More sophisticated and threatening attacks are directed at larger organizations that can pay large sums of money. It is critical to adopt a multi-layered risk reduction strategy.
Cyberint’s Argos Edge Threat Intelligence platform provides additional protection to keep your company safe. The platform is made up of sophisticated crawlers that continuously scan all layers of the web, including the deep, dark and open web, marketplaces, forums, social media and more. The data collected is used to provide full visibility into the threat landscape facing your company’s brand, business goals, employees, processes, and customers. It is a fully automated system that works in real time and is maintained by a dedicated Source Development Team. Its machine learning-based algorithms identify the threat category, severity, and level of confidence, and perform image processing and entity extraction for advanced correlation. Cyberint’s Argos Edge Threat Intelligence platform keeps you and your company one step ahead of cyber attackers.