Kaseya ransomware attacks: What we know so far
REvil ransomware threat actors exploited a zero-day vulnerability to issue ransomware payloads disguised as legitimate software updates from Kaseya.
The devastating supply chain attack on Kaseya was enabled by a zero-day authentication bypass flaw and antivirus workarounds Kaseya had built into its products to allow for automatic updates.
Kaseya, which specializes in remote management software for managed services providers (MSPs), revealed Monday that approximately 60 of its MSP customers and as many as 1,500 MSP clients were affected by a wide-range ransomware attack from the notorious REvil gang. As the MSP software specialist continues to address and investigate the ransomware attacks, security researchers are unearthing new details about the breach that enabled the attacks.
According to the team at the Dutch Institute for Vulnerability Disclosure, which discovered the zero-day, the specific vulnerability targeted in the attack was CVE-2021-30116. The authentication bypass flaw allowed an attacker to remotely send arbitrary commands over Kaseya's VSA product; in this case, REvil threat actors issued commands to feed users a dropper for the REvil ransomware.
UPDATE 7/8: An earlier version of this story identified CVE-2021-30116 as an SQL injection vulnerability. Researchers at the Dutch Institute for Vulnerability Disclosure identified the flaw as an authentication bypass vulnerability in two disclosure posts Wednesday.
This backs up Kaseya's earlier assertion that none of its product source code was accessed or modified, as occurred in the SolarWinds attack. Instead, REvil actors crafted malicious updates that appeared to be legitimate software from Kaseya.
"The Kaseya attack consisted of 2 incidents -- first an attack against dozens of managed service providers using Kasey VSA '0-day' and then the use of the VSA software to deploy the REvil ransomware throughout businesses who were customers of that managed service provider," Cisco Talos director of outreach Craig Williams said in a statement to SearchSecurity. "This is another concerning development on the ransomware landscape, [and] the fact that it occurred before the July 4th holiday cannot be ignored."
One thing that was clear, however, was the threat actors who distributed the malware had a working knowledge of the on-premises VSA tool and some of the quirks that would allow for installations without tipping off antimalware software.
Due to compatibility problems with some antivirus tools, Kaseya had advised customers to exclude several of the folders used by VSA for normal scans and protections against automatic downloads. This could allow for automated updates, but also left a direct tunnel into customer systems once the VSA server was compromised.
"This gave REvil cover in several ways: it allowed initial compromise through a trusted channel, and leveraged trust in the VSA agent code -- reflected in anti-malware software exclusions that Kaseya requires for set-up for its application and agent 'working' folders," Sophos researchers said in a report published Sunday. "Anything executed by the Kaseya Agent Monitor is therefore ignored because of those exclusions -- which allowed REvil to deploy its dropper without scrutiny."
Sophos also said based on the incidents it observed, the REvil actors didn't exfiltrate any data from victims and there were no signs they attempted to delete volume shadow copies, which researchers said could have alerted threat detection and antimalware products.
It is worth noting that no single individual or hacking crew is likely responsible for launching the REvil attacks. The ransomware outfit operates under a sort of "crimeware-as-a-service" model where developers sell access to the tool to other criminals, sometimes in exchange for a share of the ransomware haul.
Pinpointing the identity of those involved may prove difficult thanks to a growing network of re-investment and spin-off operations among the various ranks of those who create ransomware and malware, as well as the criminal hacking groups that use them.
Even getting a full picture of the companies associated with the attack is going to be difficult in the short term, according to Sophos Vice President and CISO Ross McKerchar.
"We expect the full scope of victim organizations to be higher than what's being reported by any individual security company. Victims span a range of worldwide locations with most in the United States, Germany and Canada, and others in Australia, the U.K. and other regions," McKerchar said in a statement to SearchSecurity. "Based on Sophos telemetry, the Kesaya ransomware attack impacted approximately 145 organizations in the US and 77 in Canada, but the scope in both of these countries and globally is much broader overall."