theDocumentId => 1341476 Cyberattack on Kaseya Nets More Than 1,000 Victims, ...

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Cyberattack on Kaseya Nets More Than 1,000 Victims, $70M Ransom Demand

The provider of remote monitoring and management services warns customers to not run its software until a patch is available and manually installed.

A massive supply-chain ransomware attack targeting managed service providers (MSPs) who use the Kaseya Virtual System Administrator (VSA) has left data at more than 1,000 companies encrypted and the attackers demanding $70 million in ransom.

The attack—which the REvil ransomware group launched on July 2, just before the US holiday weekend—exploited multiple vulnerabilities, including a zero-day flaw that was in the process of remediation, according to security firms. REvil, a ransomware-as-a-service group, claims that more than a million systems were compromised and encrypted, and posted a ransomware demand to its blog on Sunday, July 4, saying if it receives the $70 million ransom payment, it will publicly publish the decryptor.

Related Content:

Customers of 3 MSPs Hit in Ransomware Attacks

Special Report: Building the SOC of the Future

New From The Edge: 5 Mistakes That Impact a Security Team's Success

The attack underscores the danger that weaknesses in  business supply chains pose to companies, Adam Meyers, senior vice president of CrowdStrike Intelligence, said in a July 3 statement sent to Dark Reading. 

"Make no mistake, the timing and target of this attack are no coincidence," he said. "It illustrates what we define as a Big Game Hunting attack, launched against a target to maximize impact and profit through a supply chain during a holiday weekend when business defenses are down. What we are seeing now in terms of victims is likely just the tip of the iceberg."

Kaseya and other remote monitoring and management (RMM) providers are ideal targets for attacks, because the software is used by managed service providers and any compromise not only encrypts systems at those firms, but also at their clients' businesses. 

Estimates of the number of victims varied between about 30 managed service providers, according to Huntress Labs, and "fewer than 60 Kaseya customers," according to Kaseya. Yet, the actual impact is much broader, with Huntress Labs estimating more than 1,000 business have been affected, and Kaseya estimating "fewer than 1,500 downstream businesses."

Security firm Kaspersky has detected more than 5,000 attack attempts spread out over 22 countries, the company stated. While the company does not explicitly define "attack attempt," the statistic likely represents attempts to install one of the components of the ransomware at already-compromised businesses as part of the attack chain. Italy topped the list of nations, accounting for more than 45% of attempted ransomware attacks associated with the Kaseya operation, with the United States and Columbia taking the next two positions with about 26% and 15% of the share, respectively.

Kaseya warned MSPs to shut down its software until further notice. 

"All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations," Kaseya stated in its latest advisory on the issues. "A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture. We have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponized."

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released guidance for companies, including ensuring backups are up-to-date and moving them to an easily retrievable, off-site location unconnected to the network. In addition, companies should go back to a manual patch management process to shore up defenses, CISA stated. The agency linked to the Kaseya VSA Detection Tool, urging affected MSPs to use the tool to check their systems for signs of the attack.

"CISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices," the advisory stated. "Note: these actions are especially important for MSP customer who do not currently have their RMM service running due to the Kaseya attack."

The attack most likely made use of a zero-day vulnerability in Internet-facing Kaseya VSA servers that many managed service providers installed on premise, according to cybersecurity firm Sophos. This, in turn, gave the attackers access to the systems of the MSPs' clients.

"As Kaseya is primarily used by Managed Service Providers (MSPs) this approach gave the attackers privileged access to the devices of the MSP’s customers," the company said. "Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks. As such, it has a high level of trust on customer devices."

While the investigation into the incident and response to the widespread attack are ongoing, the Dutch Institute for Vulnerability Disclosure (DIVD) has reported that the number of suspected Kaseya VSA instances accessible from the Internet has plummeted from over 2,200 to 140. The DIVD also revealed that a researcher associated with the group, Wietse Boonstra, had "previously identified a number of the zero-day vulnerabilities [CVE-2021-30116] which are currently being used in the ransomware attacks."

DIVD supported Kaseya's response to the attack, saying that the company responded quickly to their disclosure and worked diligently to produce a patch. 

"During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched," the group stated in its latest update. "They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch."

Holiday Hack

The attack coincided with US Independence Day, a long weekend, leaving many companies scrambling. A number of other major attacks have been attributed to REvil, also known as Sodinokibi, such as the attack on JBS USA Holdings, which paid an estimated $11 million to recover its data and systems. In addition, the US government blamed REvil for the attack on local governments and agencies in the state of Texas almost two years ago, which also appears to have involved at least one managed service provider.

Such attacks will continue as long as supply-chain vulnerabilities are easy to exploit, CrowdStrike's Meyers said. 

"The continued success of large software supply chain attacks provides an ominous outlook for organizations of all sizes as threat actors observe how profitable and wide ranging they can be," he said. "Organizations must understand that these headlines are no longer warnings, but are a reality of what is in their future if they have not established a mature cybersecurity strategy."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3663
PUBLISHED: 2021-07-25
firefly-iii is vulnerable to Improper Restriction of Excessive Authentication Attempts
CVE-2021-23413
PUBLISHED: 2021-07-25
This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance.
CVE-2021-37436
PUBLISHED: 2021-07-24
Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks. NOTE: reportedly, there were vendor marketing statements about safely removing pers...
CVE-2021-32686
PUBLISHED: 2021-07-23
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and ...
CVE-2021-32783
PUBLISHED: 2021-07-23
Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy rem...