(Updated on July 7th, 2021)

On Friday, many managed service providers (MSPs) began experiencing a potential attack, which was confirmed to be a ransomware attack delivered through Kaseya VSA in a supply-chain attack. The ransomware was confirmed to be REvil, also known as Sodinokibi. It targeted MSPs and has been found to have exploited a zero-day vulnerability in Kaseya VSA.

Kaseya VSA is a remote monitoring and management (RMM) tool used by IT departments and MSPs to remotely monitor their employees' and clients' devices, respectively. Its features include remote access, patch management, server/endpoint management and more. It has been a very popular tool in the MSP community, just as SolarWinds was.

Meanwhile, the Huntress team is active on Reddit, updating the MSP community about the attack and how Kaseya VSA users have become its victims. Huntress also claims to have proof that Kaseya VSA is the entry point of the attack, as their clients have been impacted and the data of around 200 businesses has been encrypted through their three partners.

Kaseya, for its part, published a security advisory asking VSA users to shut down their servers immediately to prevent the attack from spreading. Below is the gist of Kaseya’s statement:

“We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today.

We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us.

It’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.”

Kaseya shut down their VSA servers from their side and is now working with other security firms to handle the situation and understand what is happening with their application. The major ransomware attack landed on a Friday, right before the weekend and with July 4th coming up. Since this would be a long weekend for most organizations, the ransomware actors clearly planned the attack and launched it accordingly.

Modus Operandi of the attack

Based on statements from John Hammond of Huntress and Mark Loman of Sophos, the attack has been identified as a supply chain attack through the Kaseya VSA platform.

  • As per John, Kaseya VSA drops an agent.crt file into the c:\kworking folder, which is used for updating the Kaseya hot-fix.
  • A PowerShell command is then launched to decode the .crt file, and the agent.exe file is extracted into the same folder.
  • The agent.exe file is signed with the “PB03 TRANSPORT LTD” certificate and includes an ‘MsMpEng.exe’ and an ‘mpsvc.dll’, with the DLL being the REvil ransomware encryptor.
  • This MsMpEng.exe is then used as a LOLBin to launch the DLL and encrypt the device completely. There are also a few samples with modified Windows Registry keys and configurations.
  • One of the variants launches REvil in safe mode, giving it advanced control over encryption.
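The chain described above can be turned into endpoint triage logic. The following is an added example, not code from Huntress, Sophos or Kaseya: it checks process events for the folder, file names and signer named in the list. The event field names, the sample events and the Defender install paths are assumptions made for illustration.

```python
import ntpath

# Indicators taken from the description above.
STAGING_DIR = r"c:\kworking"
BAD_SIGNER = "PB03 TRANSPORT LTD"
# Assumption: default Microsoft Defender install locations.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

def _in_dir(path, directory):
    """True if path lies inside directory (case-insensitive, Windows rules)."""
    path = ntpath.normpath(path).lower()
    return path.startswith(directory + "\\")

def _outside_defender(path):
    return not any(_in_dir(path, d) for d in DEFENDER_DIRS)

def triage(event):
    """Return the reasons an event matches the described chain (empty if none)."""
    reasons = []
    image = event.get("image", "")
    name = ntpath.basename(image).lower()
    cmd = event.get("command_line", "").lower()
    if event.get("signer", "").upper() == BAD_SIGNER:
        reasons.append("binary signed by PB03 TRANSPORT LTD")
    if name == "powershell.exe" and "agent.crt" in cmd and STAGING_DIR in cmd:
        reasons.append("PowerShell handling agent.crt in c:\\kworking")
    if name == "agent.exe" and _in_dir(image, STAGING_DIR):
        reasons.append("agent.exe executed from c:\\kworking")
    if name == "msmpeng.exe" and _outside_defender(image):
        reasons.append("MsMpEng.exe running outside Defender directories")
    for dll in event.get("loaded_modules", []):
        if ntpath.basename(dll).lower() == "mpsvc.dll" and _outside_defender(dll):
            reasons.append("mpsvc.dll loaded from outside Defender directories")
    return reasons

# Constructed sample events (hypothetical field names, not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe <decode step> c:\kworking\agent.crt c:\kworking\agent.exe"},
    {"image": r"C:\kworking\agent.exe", "signer": "PB03 TRANSPORT LTD"},
    {"image": r"C:\Users\Public\MsMpEng.exe",
     "loaded_modules": [r"C:\Users\Public\mpsvc.dll"]},
    {"image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
     "loaded_modules": [r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\mpsvc.dll"]},
]

def scan(events):
    """Return (image, reasons) for every event with at least one match."""
    return [(e["image"], r) for e in events if (r := triage(e))]
```

The last sample event is a genuine Defender process in its normal directory and produces no findings, which is the distinction that matters when a legitimate signed binary is reused to load a DLL.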

Kaseya CEO Fred Voccola has said that the organization is working on a patch to resolve the vulnerability and that it will be released soon. Here are his exact words about the security incident:

“While our investigation is ongoing, to date we believe that:

Our SaaS customers were never at-risk. We expect to restore service to those customers once we have confirmed that they are not at risk, which we expect will be within the next 24 hours;

Only a very small percentage of our customers were affected – currently estimated at fewer than 40 worldwide.

We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly. We will release that patch as quickly as possible to get our customers back up and running.” – Kaseya.

REvil ransomware and their targeted attacks

The REvil ransomware group is demanding a $5,000,000 ransom to share the decryptor, while a few small MSP customers have received a ransom demand of $44,999. This clearly shows that REvil studies the environment and that its ransom demand varies based on the devices encrypted.


MSPs have always been a sweet spot for hackers because they manage numerous devices and businesses, and any targeted attack on MSPs comes after an end-to-end study of their network and the software they use. REvil has very good knowledge of the MSP space and has been targeting MSPs for a long time now.

Last year, REvil targeted MSPs via Remote Desktop and later orchestrated the attack using management software to deliver ransomware to the devices they manage. On a side note, REvil group members are rumored to have been part of the GandCrab ransomware operation, and the group is thus known for its domain expertise and clear understanding of MSPs and their management models.

How to stay immune against such Supply Chain and Ransomware Attacks?

Supply chain and ransomware attacks have been increasing in number recently as the demand for remote workforce management grows. MSPs are needed during these remote times, and threat actors are orchestrating their attacks in a very clinical way, ensuring that the fix will take some time, which is enough to wreak havoc for businesses. There are some best practices to stay immune to such attacks, and we will go through them one by one.

  • Always ensure your RMM software provider is aware of its suppliers and that proper supplier confidentiality and security agreements have been signed between the parties so that everything is documented. Ask your RMM provider for a supply chain confidentiality document in which its supplier list is disclosed and updated periodically.
  • Make sure their privacy policies are clean and neat, and ensure there isn’t an unnecessary third party involved in handling your data.
  • Always patch the RMM application, and the applications/OS it manages, on time. Delayed patching is a breeding ground for ransomware attacks.
  • Always have a plan B, a reactive approach to managing your organization. Disaster recovery and backups are key practices that any organization should have during these unprecedented times.

Be prepared and stay secure with the right security practices, skills and tools so that you are a less favored target for threat actors.
