REvil Ransomware Gang Launches Major Supply Chain Attack Through Kaseya

On July 2, 2021, Kaseya notified its customers of a compromise of the company’s VSA product in which the product’s update mechanism was poisoned with malicious code. VSA is a remote monitoring and management tool for networks and endpoints intended for enterprise customers and managed service providers (MSPs). Kaseya urged customers to shut down their VSA servers to prevent attackers from gaining remote access to further assets. Kaseya also shut down the cloud version of VSA and all SaaS servers as a precautionary measure.


Although it was initially believed that only 50 companies using VSA on-premises were targeted, the evolving situation reveals more potential victims as numbers climb to the tune of 1,500-2,000 companies likely exposed to downstream impact from this major attack. The number of potential victims can be much larger because Kaseya’s customers are themselves MSPs who serve a customer base of their own. Consequently, organizations that rely on those MSPs for VSA-delivered remote-monitoring services can also be impacted by the attack.


It has not been long since the world had to reckon with major supply chain attacks such as the devastating SolarWinds Orion breach and the Accellion attacks, in which one poisoned software update infected a fleet of customers. Right ahead of the United States’ Independence Day holiday weekend, REvil ransomware gang affiliates managed to launch what appears to be a premeditated attack that took a page out of the same playbook, wreaking havoc across the globe. This time, the poisoned software update was for Kaseya’s VSA remote management tool, and the malicious code it carried launched a chain of events ending with an infection by the group’s ransomware.


Some of the REvil actors are believed to be based in Russia and other parts of Eastern Europe. The gang opened with a $70M ransom demand and later lowered it to $50M for the release of a decryptor that would apply to all the affected victims.


How Did Attackers Get in?

Threat actors affiliated with REvil ransomware were able to leverage a zero-day file upload and code injection vulnerability in Kaseya VSA’s on-prem solution. What’s been reported as CVE-2021-30116 was the security vulnerability the attackers exploited for their initial foothold. This flaw allowed for an authentication bypass and for executing arbitrary commands, which later helped attackers download and distribute a malicious loader masquerading as a VSA update to victim systems with VSA agents installed.


It is suspected that more than one security flaw enabled the attack to reach its objectives. IBM X-Force’s Threat Intelligence Index shows that vulnerability exploitation has become the most common entry point into organizations, surpassing phishing and the use of stolen credentials. Where a VSA server is exposed to the internet, any known vulnerability could be weaponized and leveraged by attackers to potentially breach it remotely.


The compromised VSA agents then launched a PowerShell command that disabled anti-malware protections, then installed and executed the REvil ransomware payload. The ransomware encrypted data across the devices it infected, rendering that data inaccessible.
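A detection-side illustration of the step described above, added here and not part of the original article or of any Kaseya or vendor tooling: a small Python triage over PowerShell script-block log events that flags commands disabling anti-malware protections or adding scanner exclusions. The event lines are constructed samples, and the specific Defender cmdlet arguments used in them are assumptions about what such a command would contain, not values taken from the attack.

```python
import re

# Constructed sample events modelled on PowerShell script-block logging
# (Event ID 4104). They are illustrative, not real VSA telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "script": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"id": 2, "script": "Set-MpPreference -DisableRealtimeMonitoring $true; "
                        "Set-MpPreference -DisableIOAVProtection $true"},
    {"id": 3, "script": "Add-MpPreference -ExclusionPath 'C:\\Temp'"},
    {"id": 4, "script": "Write-Host 'routine maintenance'"},
]

# Each pattern names one anti-malware tampering indicator worth alerting on.
# The character class [^;|]* keeps the match inside a single pipeline stage.
TAMPER_PATTERNS = {
    "realtime_monitoring_disabled": re.compile(
        r"Set-MpPreference\b[^;|]*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "defender_feature_disabled": re.compile(
        r"Set-MpPreference\b[^;|]*-Disable\w+\s+\$?true", re.I),
    "exclusion_added": re.compile(
        r"Add-MpPreference\b[^;|]*-Exclusion(Path|Process|Extension)\b", re.I),
}


def classify(script: str) -> list[str]:
    """Return the names of every tampering indicator found in one script block."""
    return [name for name, pat in TAMPER_PATTERNS.items() if pat.search(script)]


def triage(events) -> dict[int, list[str]]:
    """Map event id -> indicators for every event that shows tampering.

    Events with no indicator are dropped so the result is an alert list.
    """
    findings = {}
    for ev in events:
        hits = classify(ev["script"])
        if hits:
            findings[ev["id"]] = hits
    return findings


if __name__ == "__main__":
    for ev_id, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {ev_id}: {', '.join(hits)}")
```

In a real deployment the same rules would run over 4104 events forwarded from the endpoints the management agent administers, correlated with the parent process that spawned PowerShell.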


The supply chain attack currently unfolding was most probably planned well ahead of the time it was launched over the long holiday weekend. Many major attacks, especially those that rely on ransomware or destructive malware, are carefully planned in advance and unleashed when security teams are not operating at full capacity.

