Cybercrime gang exploited zero-day flaws
UPDATED The REvil ransomware gang has demanded a $70 million payment after compromising IT management platform Kaseya VSA and reportedly encrypting the data of more than 1,000 downstream organizations.
A screenshot of the demand from the Russian state-linked group was posted by Huntress security researcher John Hammond on Sunday (July 4). Hammond also said more than 1,000 organizations using VSA servers were affected, based on analysis of around 30 managed service providers (MSPs) worldwide.
In the latest addition to a series of rolling updates, posted on July 5, Kaseya said it was “aware of fewer than 60” on-premises Kaseya VSA customers “who were directly compromised by this attack”, impacting “fewer than 1,500 downstream businesses”.
The vendor said it believed “there is zero related risk right now” for SaaS and NOC (network operations centers) customers, as well as on-premises customers whose servers are offline.
Race to shut down
After detecting the attacks, which began on July 2, Kaseya urged customers to immediately shut down their VSA servers, since one of the first things the attacker did was shut off administrative access to the VSA.
The Dutch Institute for Vulnerability Disclosure (DIVD) said on Sunday that the number of internet-facing Kaseya VSA instances had since dropped from more than 2,200 to fewer than 140.
The cybercriminals reportedly exploited a zero-day SQL injection (SQLi) flaw and other vulnerabilities that Kaseya and the DIVD were in the process of remediating.
The vulnerabilities (tracked as CVE-2021-30116) were found by DIVD security researcher Wietse Boonstra.
After exploiting the flaws, ransomware was initiated via a fake auto update that deploys “across the estate – including on MSP client customers’ systems”, according to a blog post published on July 2 by British security expert Kevin Beaumont.
Affected customers have been advised to only restore their VSA servers once a security patch is applied.
“The patch for on-premises customers has been developed and is currently going through the testing and validation process,” said Kaseya. “We expect the patch to be available within 24 hours after our SaaS servers have been brought up.
“The current estimate for bringing our SaaS servers back online is July 6th between 2:00 PM – 5:00 PM EDT. These times may change as we go through the final testing and validation processes.
“We will be releasing VSA with staged functionality to bring services back online sooner.”
A tool developed to detect REvil infections has so far been rolled out to more than 2,000 customers. The vendor also promised to make enhancements to its web application firewall (WAF) capabilities and SaaS server monitoring.
CISA and the FBI have also issued additional mitigation advice aimed at MSPs and their customers.
Speaking on ABC TV show Good Morning America, Kaseya CEO Fred Voccola said: “We’re actually 100% confident that we know how it happened and we’ve remediated it.”
DIVD said Kaseya has been willing to put in the “maximum effort and initiative” to get the issue fixed and customers patched. “They showed a genuine commitment to do the right thing.”
Kaseya VSA is used by managed service providers to manage, monitor, and secure endpoints and corporate networks on behalf of their clients. Miami-based Kaseya says its IT management products are used by more than 40,000 customers.
Supply chain attacks, which can compromise hundreds or thousands of downstream organizations by infiltrating a single software platform, have arguably become the gravest current cybersecurity threat, with the Kaseya attack coming in the wake of the destructive SolarWinds attack earlier this year.
John Hammond also recalled how Huntress released an advice video in 2019 in response to a previous supply chain attack that compromised more than 100 MSPs.
This article was updated on July 6 to reflect a fresh update posted by Kaseya about the incident on July 5.