Kaseya: What Happened, How, and Why?

July 9, 2021 | 4 min read

Adam Bixler

Global Head of Supply Chain Defense


On Friday, July 2, the REvil ransomware gang hit multiple managed service providers (MSPs) in a massive supply chain attack that has affected more than 1,500 companies to date. The attack exploited a zero-day vulnerability in remote monitoring and management (RMM) software developed by Kaseya, an IT services vendor that sells mainly to MSPs. The attackers went after MSPs running the software and used it to distribute malware to those MSPs' clients all over the globe. The gang is demanding the largest ransom ever seen for a cyberattack: $50 million in bitcoin (down from $70 million - more below).

What Happened, and How

Kaseya provides on-premises VSA (Virtual System Administrator) servers, a remote monitoring and endpoint management product typically used by MSPs. Cybersecurity researchers at first suspected that the attackers had compromised Kaseya's backend infrastructure, but no Kaseya SaaS instances or corporate networks were affected. Instead, the attackers reportedly gained access to customers' on-premises VSA servers through a previously unknown (zero-day) authentication bypass vulnerability in the VSA platform.

The vulnerability had been responsibly disclosed to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD), and Kaseya was validating a patch when the attack began. Unfortunately, REvil (also known as Sodinokibi, and tracked by some vendors as Pinchy Spider) exploited the flaw before the patch was made available.

Once inside the VSA servers on the MSPs' networks, the attackers used that position to push the REvil ransomware as a payload through the software's update mechanism. The ransomware was thereby deployed to hundreds and, eventually, more than 1,500 client businesses that rely on MSP software and services to manage their networks and cybersecurity.

Comparison to SolarWinds

For the second time in a year, attackers exploited a widely used software platform in a supply chain attack that gave them access to thousands of downstream clients. That is enough to give any IT services or software provider pause.

However, the two attacks are fundamentally different in some key respects. The SolarWinds attackers looked for a vendor they could use to get to internal, and otherwise unavailable, networks - among them threat intelligence companies, defense contractors, and the U.S. government. The operation’s goal appears to have been espionage, and their targets were clearly defined.

REvil, by contrast, appears to have targeted MSPs as a class. Kaseya's VSA server software is built for vendors to remotely administer their clients' networks, so compromising it yields access to thousands of potential ransomware victims at once. The attack was not aimed at specific networks; it was mass-deployed. REvil announced its ransom demand almost immediately: $70 million in BTC, which it dropped to $50 million only two days later. Whether the group was overwhelmed by the complexity of collecting from 1,500 victims, or simply looking for the biggest payout as fast as possible, or some mixture of both, is open to debate.

Methodology

So, why did REvil go after Kaseya? Was the gang targeting Kaseya specifically, MSP-focused software vendors in general, or something else? And how did it learn of the vulnerability?

Ransomware actors have grown extremely efficient at scaling their attacks to extract the most money for the least work. They routinely take advantage of exposed remote desktop protocol (RDP) ports, easily hitting the surprisingly large share of companies that do not catalog and secure their internet-facing infrastructure. In that sense, targeting MSPs is simply smart business: a vulnerable MSP is an open door to every one of its client companies. And for a supply chain attack to succeed, identifying a software platform those MSPs have in common is the logical next step.

It is not uncommon for penetration testers and attackers alike to test against trial-licensed copies of the product they intend to target. A capable tester intent on finding exploits in common MSP software platforms, and looking at Kaseya, may have found the authentication bypass relatively quickly. How knowledge of this vulnerability reached REvil is currently unknown.

Because VSA servers expose a web interface to the internet, attackers could scan for them. Basic reconnaissance of that kind gave the attackers a list of potential targets.

BlueVoyant Response

BlueVoyant does not use Kaseya VSA servers in any of our businesses, and we immediately sought to remediate issues for those clients of ours who do.

BlueVoyant’s Managed Security Services (MSS) immediately notified our hundreds of customers of the event and provided detailed instructions on mitigation and remediation.

Within an hour of the announcement, BlueVoyant's 3PR team (Third Party Cyber Risk) developed analytics and detections to identify Kaseya VSA servers on monitored entities' infrastructure. This allowed us to immediately identify clients running Kaseya software and to contact them directly, recommending Kaseya's guidance to shut down the VSA instances, thereby limiting the access REvil could develop and use to move into our clients' networks.
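The inventory the attackers ran from the outside (scanning for exposed VSA web interfaces, as described under Methodology) is the same inventory a defender wants to run over its own attack surface, and it is the kind of identification logic described above. The following is an added example, not code from BlueVoyant or Kaseya: it triages per-host records of the sort a port scanner or banner-grabbing service emits, as JSON lines, and flags exposed RDP and HTTP services whose banner looks like a VSA login page. The scan records are constructed, and the VSA marker strings are assumed placeholders; validate them against a known instance before relying on them.

```python
"""Triage scan output for exposed RDP and Kaseya VSA web interfaces.

Added example; not BlueVoyant's or Kaseya's code. Input is JSON lines,
one scan record per line: {"host", "port", "proto", "service", "banner"}.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

RDP_PORT = 3389

# ASSUMED markers for a VSA login page (hypothetical placeholders).
# Replace with fingerprints validated against a real VSA instance.
VSA_MARKERS = (
    re.compile(r"<title>[^<]*kaseya[^<]*</title>", re.I),
    re.compile(r"/vsapres/", re.I),
)

# Constructed sample scan output; hosts and banners are not real.
SAMPLE_SCAN = r"""
{"host": "203.0.113.10", "port": 3389, "proto": "tcp", "service": "ms-wbt-server", "banner": ""}
{"host": "203.0.113.10", "port": 443, "proto": "tcp", "service": "https", "banner": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n\r\n<html><head><title>Kaseya VSA Login</title>"}
{"host": "203.0.113.22", "port": 443, "proto": "tcp", "service": "https", "banner": "HTTP/1.1 302 Found\r\nLocation: /vsapres/web20/core/login.aspx\r\n\r\n"}
{"host": "203.0.113.35", "port": 443, "proto": "tcp", "service": "https", "banner": "HTTP/1.1 200 OK\r\n\r\n<html><head><title>Corporate Portal</title>"}
{"host": "203.0.113.35", "port": 22, "proto": "tcp", "service": "ssh", "banner": "SSH-2.0-OpenSSH_8.4"}
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    kind: str       # "rdp_exposed" or "vsa_web_ui"
    evidence: str   # what triggered the finding


def classify(record: dict) -> list[Finding]:
    """Return the findings for one scan record (possibly none)."""
    findings: list[Finding] = []
    host, port = record["host"], int(record["port"])
    service = record.get("service", "")
    banner = record.get("banner", "")

    # Exposed RDP: match on the well-known port or the service label.
    if port == RDP_PORT or service == "ms-wbt-server":
        findings.append(Finding(host, port, "rdp_exposed", service or f"tcp/{port}"))

    # VSA web UI: first assumed marker that appears in an HTTP banner.
    if service in ("http", "https") and banner:
        for marker in VSA_MARKERS:
            match = marker.search(banner)
            if match:
                findings.append(Finding(host, port, "vsa_web_ui", match.group(0)))
                break
    return findings


def triage(scan_jsonl: str) -> dict[str, list[Finding]]:
    """Parse JSON lines and group findings by host, preserving scan order."""
    by_host: dict[str, list[Finding]] = {}
    for line in scan_jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        for finding in classify(json.loads(line)):
            by_host.setdefault(finding.host, []).append(finding)
    return by_host


def hosts_to_notify(by_host: dict[str, list[Finding]], kind: str = "vsa_web_ui") -> list[str]:
    """Hosts with at least one finding of the given kind, sorted for a call list."""
    return sorted(h for h, fs in by_host.items() if any(f.kind == kind for f in fs))


if __name__ == "__main__":
    results = triage(SAMPLE_SCAN)
    for host, findings in results.items():
        for f in findings:
            print(f"{host}:{f.port}\t{f.kind}\t{f.evidence}")
    print("notify (VSA):", hosts_to_notify(results))
    print("notify (RDP):", hosts_to_notify(results, "rdp_exposed"))
```

On the constructed sample, the two hosts whose banners carry an assumed VSA marker end up on the notification list, the host with only an RDP finding is listed separately, and the host serving an unrelated portal and SSH produces no findings at all. Matching on the first marker only keeps one finding per service, which keeps the call list free of duplicates when a banner happens to trip several patterns.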

BlueVoyant’s Cyber Forensics and Incident Response team, with long experience of REvil and its infrastructure, is ready to help respond and support clients affected by the ransomware attack in any capacity.