EclecticIQ

Kaseya-MSP Clients Remain at Very High Risk of Further Targeted Attacks

EclecticIQ Threat Research Team July 12, 2021

Synopsis

Kaseya-MSP clients remain at very high risk of further targeted attacks using information gained from an initial ransomware compromise last weekend. On July 2, REvil (Sodinokibi) carried out a supply-chain ransomware attack against Kaseya VSA, a cloud-based IT software supplier to MSPs (managed service providers). The attack targeted and encrypted the data of MSPs that used Kaseya’s software, and of their customers. The $70M USD ransom demand by REvil represents the largest known ransom for a cyber attack to date. REvil’s success in getting such a large ransom amount may embolden them, as well as other criminal actors, to demand increasingly high ransom payments from future attacks on highly connected companies.

    • According to a public statement from Kaseya, services have not yet been restored as of July 7.
    • A tool to assist in detection and incident response is available from Kaseya.
    • As of July 04 2021, all vulnerable Virtual System/Server Administrator (VSA) servers located in the Netherlands had been proactively taken offline, according to passive scans.[1]

Victims have so far been identified in at least 17 countries


Victims are located in the U.K., South Africa, Canada, Argentina, Mexico, Indonesia, Sweden, New Zealand, and Kenya. Press reports claim 70 Million US Dollars is the initial ransom for a master key that allegedly unlocks encryption from the attack.

While the full impact of the breach is yet to be felt, a supermarket chain in Sweden closed stores to customers as a result of the ransomware attack. It is also likely that Brazil-based healthcare organization Grupo Fleury is a victim.[2]

Huntress Labs: “high confidence an authentication bypass was used to gain access into the servers”

Statements from Kaseya’s website and Huntress Labs identify the attack vector exploited as CVE-2021-30116, a SQLi vulnerability in on-premise (client hosted) VSA servers used by Kaseya to distribute services and updates to clients. Huntress Labs has “high confidence an authentication bypass was used to gain access into these servers”.[3] It is likely that the VSA vulnerability was known prior to the attack, based on reports from the Dutch Institute for Vulnerability Disclosure which indicate Kaseya was previously notified of several vulnerabilities.[4]

Based on current reporting, ransomware infections appear to be limited to systems directly connected to affected on-premise Kaseya VSA servers. Threat actors have not been observed pivoting to other parts of a victim network and are currently limited to the communication channels provided via Kaseya VSA.[5]

REvil emerged in the first half of 2019

REvil represents a rebranded splinter group of threat actors who originally belonged to the Gandcrab criminal ransomware syndicate.[6] Language checks performed by the malware provide evidence that the REvil group likely operates out of Russia.[7]

REvil has previous experience targeting Kaseya and other MSP technology

This is not the first time Kaseya was targeted in a cyber attack. In 2019 the Gandcrab ransomware group (now REvil) exploited CVE-2017-18362 in a Kaseya plugin for ConnectWise. ConnectWise is another MSP remote management technology.[8] Based on OSINT from early 2019, Kaseya on-premise VSA servers likely suffered longstanding configuration issues that possibly led to security issues.[9]

REvil also attacked MSPs using CVE-2018-8453 and CVE-2019-2725 in 2019.[10]

Services have not yet been restored

As of July 7, service is not fully restored due to ongoing issues, according to public statements by Kaseya. On July 6 the company stated: “All on-premises VSA Servers should continue to remain offline. A patch will be required to be installed prior to restarting the VSA legacy. VSA functionality will be removed as part of this release out of an abundance of caution.”[11]

EclecticIQ recommends that those who suspect they may be impacted by this attack use the Kaseya tool. The tool assists in detection and response by checking for compromise.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government. EclecticIQ’s Threat Research team strives to apply the analytic rigor principles of U.S. Intelligence Community Directive 203 to its analysis.

We would love to keep the conversation going! Please email us at fusion@eclecticiq.com.

References

  1. https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/
  2. https://www.bleepingcomputer.com/news/security/healthcare-giant-grupo-fleury-hit-by-revil-ransomware-attack/
  3. https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
  4. https://csirt.divd.nl/2021/07/03/Kaseya-Case-Update/
  5. https://thehackernews.com/2021/07/revil-used-0-day-in-kaseya-ransomware.html
  6. https://www.coveware.com/blog/sodinokibi-ransomware
  7. https://blogs.blackberry.com/en/2019/07/threat-spotlight-sodinokibi-ransomware
  8. https://www.zdnet.com/article/gandcrab-ransomware-gang-infects-customers-of-remote-it-support-firms/
  9. https://www.reddit.com/r/kaseya/comments/c28b7i/why_is_kaseya_such_a_flaming_dumpster/
  10. https://blogs.blackberry.com/en/2019/07/threat-spotlight-sodinokibi-ransomware
  11. https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021

© 2014 – 2024 EclecticIQ B.V.