REvil Ransomware Gang Launches Major Supply Chain Attack Through Kaseya
On July 2, 2021, Kaseya customers were notified of a compromise affecting the company’s VSA product: the product’s update mechanism had been poisoned with malicious code. VSA is a remote monitoring and management tool for networks and endpoints intended for use by enterprise customers and managed service providers (MSPs). Kaseya urged customers to shut down their on-premises VSA servers immediately to prevent attackers from using them to gain remote access to further assets. Kaseya also shut down the cloud version of VSA and all SaaS servers as a precautionary measure.
Although it was initially believed that only about 50 companies using VSA on-premises were affected, the evolving situation has revealed more potential victims, with estimates climbing to 1,500-2,000 companies likely exposed to downstream impact from this major attack. The pool of potential victims is much larger than the direct customer count because many of Kaseya’s customers are themselves MSPs who serve a customer base of their own. Consequently, organizations that merely rely on an MSP using VSA to deliver remote-monitoring services can also be impacted by the attack.
It has not been long since the world had to reckon with major supply chain attacks, most notably the devastating SolarWinds Orion breach and the Accellion attacks, in which one poisoned software update or product infected a fleet of customers. Right ahead of the United States’ Independence Day holiday weekend, REvil ransomware gang affiliates launched what appears to be a premeditated attack that took a page out of the same playbook, wreaking havoc across the globe. This time, the vehicle was an update to Kaseya’s VSA remote management tool, which was poisoned with malicious code that launched a chain of events ending in infection by the group’s ransomware.
Some portion of the REvil actors are believed to be based in Russia and other parts of Eastern Europe. The gang opened with a $70M ransom demand and later lowered it to $50M in exchange for a universal decryptor that would work for all affected victims.
How Did Attackers Get in?
Threat actors affiliated with REvil ransomware leveraged a zero-day file upload and code injection vulnerability in Kaseya VSA’s on-premises solution. The flaw reported as CVE-2021-30116 is the vulnerability the attackers exploited for their initial foothold. It allowed an authentication bypass and the execution of arbitrary commands on the VSA server, which in turn let the attackers push a malicious loader, masquerading as a VSA update, to victim systems with VSA agents installed.
It is suspected that more than one security flaw enabled the attack to reach its objectives. IBM X-Force’s Threat Intelligence Index shows that vulnerability exploitation has become the most common entry point into organizations, surpassing phishing and the use of stolen credentials. Where a VSA server is exposed to the internet, any known vulnerability in it can be weaponized by attackers to breach it remotely.
The compromised VSA agents then launched a PowerShell command that disabled anti-malware protections, after which the REvil ransomware payload was installed and executed. The ransomware encrypted data across the devices it infected, rendering it inaccessible.
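As an added illustration (not code from the original article, from Kaseya or from any incident report), the following Python script runs a simple detection over constructed process-creation log lines for the behaviour described above: PowerShell being used to turn off Defender protections or add exclusions, and doing so as a child of the RMM agent. The log format, host names, user names, the log lines themselves and the assumed agent process name `agentmon.exe` are constructed for this example; the `Set-MpPreference` and `Add-MpPreference` parameter names are the real Windows Defender cmdlet parameters.

```python
import re

# Constructed sample process-creation log lines (assumed format; not real incident data).
SAMPLE_LOGS = [
    r"2021-07-02T18:01:12Z host=ws-017 user=SYSTEM parent=agentmon.exe cmd=powershell.exe -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true",
    r"2021-07-02T18:01:13Z host=ws-017 user=SYSTEM parent=agentmon.exe cmd=powershell.exe -c Set-MpPreference -MAPSReporting Disabled -SubmitSamplesConsent NeverSend",
    r"2021-07-02T09:14:55Z host=ws-004 user=jdoe parent=explorer.exe cmd=powershell.exe -c Get-MpPreference",
    r"2021-07-02T09:30:02Z host=ws-004 user=jdoe parent=explorer.exe cmd=powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $false",
    r"2021-07-02T18:01:14Z host=ws-021 user=SYSTEM parent=svchost.exe cmd=powershell.exe -c Add-MpPreference -ExclusionPath C:\temp\agent",
]

# Assumed process name of the RMM agent; adjust to the agent(s) deployed in your environment.
RMM_AGENTS = {"agentmon.exe"}

# One line of the constructed format: "<ts> host=<h> user=<u> parent=<p> cmd=<rest of line>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$"
)

# Any Set-MpPreference -Disable<Feature> $true switches a Defender protection off.
# "$false" (re-enabling a feature) deliberately does not match.
DISABLE_FLAG = re.compile(r"-Disable\w+\s+\$true", re.IGNORECASE)
# Turning off cloud-delivered protection and sample submission.
CLOUD_OFF = re.compile(
    r"-MAPSReporting\s+(Disabled|0)\b|-SubmitSamplesConsent\s+(NeverSend|2)\b", re.IGNORECASE
)
# Adding path/process/extension exclusions so a payload directory is never scanned.
EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.IGNORECASE)


def classify_command(cmd):
    """Return the list of reasons a command line looks like Defender tampering."""
    reasons = []
    lowered = cmd.lower()
    if "set-mppreference" in lowered and DISABLE_FLAG.search(cmd):
        reasons.append("defender_protection_disabled")
    if "set-mppreference" in lowered and CLOUD_OFF.search(cmd):
        reasons.append("cloud_protection_disabled")
    if EXCLUSION.search(cmd):
        reasons.append("defender_exclusion_added")
    return reasons


def analyze(lines):
    """Parse log lines and return a finding per line that shows Defender tampering.

    A tampering command whose parent is the RMM agent gets an extra reason, since
    that is the shape of the chain described in the article: agent -> PowerShell -> AV off.
    """
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # ignore lines that are not in the constructed format
        rec = match.groupdict()
        reasons = classify_command(rec["cmd"])
        if reasons and rec["parent"].lower() in RMM_AGENTS:
            reasons.append("spawned_by_rmm_agent")
        if reasons:
            findings.append({"ts": rec["ts"], "host": rec["host"], "user": rec["user"],
                             "parent": rec["parent"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(f"{finding['ts']} {finding['host']} parent={finding['parent']}: {', '.join(finding['reasons'])}")
```

The useful signal here is the combination: a protection-disabling command on its own may be an administrator’s action, but one spawned by the management agent on many hosts within the same minute, right before new binaries run, is the pattern to alert on. The checks are limited to Defender cmdlets and should be extended to whatever endpoint protection is actually deployed.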
The supply chain attack currently unfolding was most probably planned well ahead of the time it was actively launched over the long holiday weekend. Many major attacks, especially those that rely on ransomware or destructive malware, are carefully planned ahead of time and unleashed when security teams are not working at full capacity.