The Kaseya ransomware case continues ransomware groups’ abuse of trust
Attackers have used Kaseya’s VSA product as a vector to deploy ransomware to a number of organizations around the globe.
Kaseya reports that “the attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya’s VSA codebase has been maliciously modified.”
This is not the same as a supply chain attack (such as the SolarWinds attack earlier this year), which involves manipulating a supplier’s hardware or software to compromise dependent organizations. It is similar in that both exploit the trust organizations place in suppliers. However, the differences are important enough to consider the two as separate techniques (MITRE’s descriptions are here and here), with the latter, abusing a supplier’s legitimate product as a delivery vector, becoming more popular among ransomware groups. In fact, Kaseya was the victim of a similar attack in 2019.
What actually happened
On July 2nd, 2021, Kaseya reported that some of their customers were experiencing cyber attacks due to the exploitation of their VSA Remote Monitoring and Management (RMM) software. Impacted customers appear to be limited to those with on-premise deployments of the VSA software. Customers using Kaseya’s SaaS VSA offering are apparently unaffected.
The cyber attack has been publicly attributed to REvil, a ransomware group that previously made headlines exploiting vulnerable Pulse Secure VPN servers. Victims of the attack report that their systems were encrypted by ransomware associated with the group. REvil claims that over a million devices have been affected by this attack.
An unpredictable impact
The exact number of affected organizations is not currently known. One analysis suggests 1,500 organizations have been hit.
REvil’s claim of a million affected devices is plausible, according to Mikko Hypponen, F-Secure’s Chief Research Officer.
“Think about a retail chain, like a chain of grocery stores,” he said. “Every single cashier system is an endpoint. Every laptop. Everybody in the sales department has a system with multiple servers. 200 stores, 300 stores. That alone would equal thousands of endpoints. And if a thousand retail companies were infected, yes, you would have a million endpoints.”
If this is correct, this attack is possibly the largest ransomware attack in history (or second only to 2017’s WannaCry).
If Revil’s claim of one million infected systems is true, what we’re currently experiencing is the biggest ransomware case in history.
— @mikko (@mikko) July 5, 2021
One consequence of REvil’s approach in this attack is that it is impossible to know its full impact in advance. In an interview with Reuters, the group admitted that hitting schools in New Zealand was “a mistake.”
Are F-Secure customers protected?
Yes. F-Secure has observed this ransomware deployed across victims in 6 countries: Argentina, Ireland, Italy, Norway, Sweden, and the United States.
F-Secure’s products and services provide protection against this attack in a number of ways. For more information about how you’re protected, as well as technical details and indicators, check out F-Secure’s initial statement on this incident.
What should I do now if I am a Kaseya customer?
If you have a Kaseya VSA on-premise product, take it offline and isolate it until assurances have been given that the risk of exploitation of these vulnerabilities has been mitigated. F-Secure advises Kaseya SaaS customers to review their exposure and reduce possible risk of exploitation.
F-Secure also recommends that organizations review the credentials and secrets the Kaseya VSA product would have had access to in their environments, and reset them wherever possible for extra assurance. There is no evidence at this time that any of these have been compromised, but the investigation is rapidly evolving.
Kaseya continues to provide updates on their website.
Investigations into the full impact of this incident are still ongoing. Still, here are some lessons from the incident thus far, along with some advice that is always applicable.
Kaseya’s transparency, along with the bold decision to shut off its entire SaaS infrastructure and the immediate communication to customers, indicates the company is executing structured response plans prepared for this sort of attack. Furthermore, the plan appears to have been put into action quickly, likely due to internal readiness and training.
Every company could learn from Kaseya’s response: have a response plan and, more importantly, practice how that plan would be executed in case of an attack.
Here’s a list of questions organizations can ask themselves the next time they’re concerned about a cyber attack that’s made headlines around the globe:
- What data are the attackers going after?
- Are we able to identify the threat actor or a general profile?
- What progress/impact is already in the public domain?
- Is our response plan ready to help contain/mitigate this type of incident?
Fighting future ransomware attacks
The underlying problem is that the defenders have to get everything right. The attacker only has to discover one mistake. Defenders have to abide by strict policies and processes. Attackers, of course, follow no rules.
Security is an ever-evolving practice complicated by the growing reliance on third-party vendors and software. That said, organizations can improve their prospects greatly by reducing their attack surface.
Here are steps all organizations can take now to protect against ransomware attacks:
- Have quality backups and consistently perform tests to validate their integrity.
- Evaluate software patching and proper patch management. Public-facing systems should be prioritized.
- Review all security policies—including user management, assets list, and software management—and audit them to stay current with the threat landscape. Any policies for systems that undergo constant changes should be reviewed on an ongoing basis.
- Treat all third-party vendors and software as part of the organization and audit them to ensure compliance with the same security policies.
- Develop a multi-layered defense strategy, as well as a response plan, in case of an attack. Practice, improve, and re-evaluate this strategy to ensure it keeps up with the ever-changing threat landscape.
- For custom-built software, ensure all third-party code dependencies are audited. When integrating third-party software, especially open-source code, ensure that it is audited and updated whenever a new version is made available, so that security fixes are not missed.