Synopsis
Clients of Kaseya-based MSPs remain at very high risk of further targeted attacks that use information gained from the initial ransomware compromise last weekend. On July 2 REvil (Sodinokibi) carried out a supply-chain ransomware attack through Kaseya VSA, an IT remote monitoring and management product that Kaseya supplies to MSPs (managed service providers). The attack encrypted data belonging to MSPs that used Kaseya's software and to their customers. The $70M USD ransom demanded by REvil is the largest known ransom demand for a cyber attack to date. If REvil succeeds in extracting a ransom of this size, it may embolden them, as well as other criminal actors, to demand increasingly high payments in future attacks on highly connected companies.
- According to a public statement from Kaseya, services had not yet been restored as of July 7.
- A tool to assist in detection and incident response is available from Kaseya.
- As of July 4 2021, all vulnerable Virtual System/Server Administrator (VSA) servers located in the Netherlands had been proactively taken offline, according to passive scans.[1]
Victims have so far been identified in at least 17 countries
Victims identified so far include organizations in the U.K., South Africa, Canada, Argentina, Mexico, Indonesia, Sweden, New Zealand, and Kenya. Press reports put the initial ransom demand at $70 million USD for a master key that REvil claims will decrypt all victims of the attack.
While the full impact of the breach is yet to be felt, a supermarket chain in Sweden closed stores to customers as a result of the ransomware attack. It is also likely that the Brazil-based healthcare organization Grupo Fleury is a victim.[2]
Huntress Labs: “high confidence an authentication bypass was used to gain access into the servers”
Statements on Kaseya's website and from Huntress Labs identify the vulnerability exploited as CVE-2021-30116, reported as an SQL injection (SQLi) flaw in on-premise (customer-hosted) VSA servers, which MSPs use to manage their clients' endpoints and push software and updates to them. Huntress Labs has "high confidence an authentication bypass was used to gain access into these servers".[3] It is likely that the VSA vulnerability was known prior to the attack: reports from the Dutch Institute for Vulnerability Disclosure (DIVD) indicate that Kaseya had previously been notified of several vulnerabilities.[4]
Based on current reporting, ransomware infections appear to be limited to systems managed by affected on-premise Kaseya VSA servers. Threat actors have not been observed pivoting to other parts of victim networks, and their activity so far has been confined to the communication channels provided by Kaseya VSA.[5]
REvil emerged in the first half of 2019
REvil is a rebranded splinter group of threat actors who originally belonged to the GandCrab criminal ransomware syndicate.[6] Language checks performed by the malware, which declines to run on systems configured with Russian and other CIS-region locales, provide evidence that the REvil group likely operates out of Russia.[7]
REvil has previous experience targeting Kaseya and Other MSP Technology
This is not the first time Kaseya has been targeted in a cyber attack. In 2019 the GandCrab ransomware group (now REvil) exploited CVE-2017-18362 in a Kaseya VSA plugin that integrates with ConnectWise Manage. ConnectWise is another vendor of MSP management software.[8] OSINT from early 2019 suggests that Kaseya on-premise VSA servers had longstanding configuration problems that may have had security implications.[9]
REvil also exploited CVE-2018-8453 (a Windows win32k privilege escalation) and CVE-2019-2725 (Oracle WebLogic deserialization) in its 2019 campaigns, which included attacks on MSPs.[10]
Services have not yet been restored
As of July 7, service is not fully restored due to ongoing issues, according to public statements by Kaseya. On July 6 the company stated: "All on-premises VSA Servers should continue to remain offline. A patch will be required to be installed prior to restarting the VSA. Legacy VSA functionality will be removed as part of this release out of an abundance of caution."[11]
EclecticIQ recommends that anyone who suspects they may be impacted by this attack use the detection tool provided by Kaseya. The tool assists in detection and incident response by checking systems for indicators of compromise.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government. EclecticIQ's Threat Research team strives to apply the analytic rigor principles of U.S. Intelligence Community Directive 203 to its analysis.
We would love to keep the conversation going! Please email us at fusion@eclecticiq.com.
References
1. https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/
2. https://www.bleepingcomputer.com/news/security/healthcare-giant-grupo-fleury-hit-by-revil-ransomware-attack/
3. https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
4. https://csirt.divd.nl/2021/07/03/Kaseya-Case-Update/
5. https://thehackernews.com/2021/07/revil-used-0-day-in-kaseya-ransomware.html
6. https://www.coveware.com/blog/sodinokibi-ransomware
7. https://blogs.blackberry.com/en/2019/07/threat-spotlight-sodinokibi-ransomware
8. https://www.zdnet.com/article/gandcrab-ransomware-gang-infects-customers-of-remote-it-support-firms/
9. https://www.reddit.com/r/kaseya/comments/c28b7i/why_is_kaseya_such_a_flaming_dumpster/
10. https://blogs.blackberry.com/en/2019/07/threat-spotlight-sodinokibi-ransomware
11. https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021