Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

End of Bibblio RCM includes -->

Cyberattack on Kaseya Nets More Than 1,000 Victims, $70M Ransom Demand

The provider of remote monitoring and management services warns customers to not run its software until a patch is available and manually installed.

A massive supply-chain ransomware attack targeting managed service providers (MSPs) who use the Kaseya Virtual System Administrator (VSA) has left data at more than 1,000 companies encrypted and the attackers demanding $70 million in ransom.

The attack—which the REvil ransomware group launched on July 2, just before the US holiday weekend—exploited multiple vulnerabilities, including a zero-day flaw that was in the process of remediation, according to security firms. REvil, a ransomware-as-a-service group, claims that more than a million systems were compromised and encrypted, and posted a ransomware demand to its blog on Sunday, July 4, saying if it receives the $70 million ransom payment, it will publicly publish the decryptor.

Related Content:

Customers of 3 MSPs Hit in Ransomware Attacks

Special Report: Building the SOC of the Future

New From The Edge: 5 Mistakes That Impact a Security Team's Success

The attack underscores the danger that weaknesses in  business supply chains pose to companies, Adam Meyers, senior vice president of CrowdStrike Intelligence, said in a July 3 statement sent to Dark Reading. 

"Make no mistake, the timing and target of this attack are no coincidence," he said. "It illustrates what we define as a Big Game Hunting attack, launched against a target to maximize impact and profit through a supply chain during a holiday weekend when business defenses are down. What we are seeing now in terms of victims is likely just the tip of the iceberg."

Kaseya and other remote monitoring and management (RMM) providers are ideal targets for attacks, because the software is used by managed service providers and any compromise not only encrypts systems at those firms, but also at their clients' businesses. 

Estimates of the number of victims varied between about 30 managed service providers, according to Huntress Labs, and "fewer than 60 Kaseya customers," according to Kaseya. Yet, the actual impact is much broader, with Huntress Labs estimating more than 1,000 business have been affected, and Kaseya estimating "fewer than 1,500 downstream businesses."

Security firm Kaspersky has detected more than 5,000 attack attempts spread out over 22 countries, the company stated. While the company does not explicitly define "attack attempt," the statistic likely represents attempts to install one of the components of the ransomware at already-compromised businesses as part of the attack chain. Italy topped the list of nations, accounting for more than 45% of attempted ransomware attacks associated with the Kaseya operation, with the United States and Columbia taking the next two positions with about 26% and 15% of the share, respectively.

Kaseya warned MSPs to shut down its software until further notice. 

"All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations," Kaseya stated in its latest advisory on the issues. "A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture. We have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponized."

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released guidance for companies, including ensuring backups are up-to-date and moving them to an easily retrievable, off-site location unconnected to the network. In addition, companies should go back to a manual patch management process to shore up defenses, CISA stated. The agency linked to the Kaseya VSA Detection Tool, urging affected MSPs to use the tool to check their systems for signs of the attack.

"CISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices," the advisory stated. "Note: these actions are especially important for MSP customer who do not currently have their RMM service running due to the Kaseya attack."

The attack most likely made use of a zero-day vulnerability in Internet-facing Kaseya VSA servers that many managed service providers installed on premise, according to cybersecurity firm Sophos. This, in turn, gave the attackers access to the systems of the MSPs' clients.

"As Kaseya is primarily used by Managed Service Providers (MSPs) this approach gave the attackers privileged access to the devices of the MSP’s customers," the company said. "Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks. As such, it has a high level of trust on customer devices."

While the investigation into the incident and response to the widespread attack are ongoing, the Dutch Institute for Vulnerability Disclosure (DIVD) has reported that the number of suspected Kaseya VSA instances accessible from the Internet has plummeted from over 2,200 to 140. The DIVD also revealed that a researcher associated with the group, Wietse Boonstra, had "previously identified a number of the zero-day vulnerabilities [CVE-2021-30116] which are currently being used in the ransomware attacks."

DIVD supported Kaseya's response to the attack, saying that the company responded quickly to their disclosure and worked diligently to produce a patch. 

"During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched," the group stated in its latest update. "They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch."

Holiday Hack

The attack coincided with US Independence Day, a long weekend, leaving many companies scrambling. A number of other major attacks have been attributed to REvil, also known as Sodinokibi, such as the attack on JBS USA Holdings, which paid an estimated $11 million to recover its data and systems. In addition, the US government blamed REvil for the attack on local governments and agencies in the state of Texas almost two years ago, which also appears to have involved at least one managed service provider.

Such attacks will continue as long as supply-chain vulnerabilities are easy to exploit, CrowdStrike's Meyers said. 

"The continued success of large software supply chain attacks provides an ominous outlook for organizations of all sizes as threat actors observe how profitable and wide ranging they can be," he said. "Organizations must understand that these headlines are no longer warnings, but are a reality of what is in their future if they have not established a mature cybersecurity strategy."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
//Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-0624
PUBLISHED: 2022-06-28
Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.
CVE-2017-20105
PUBLISHED: 2022-06-28
A vulnerability was found in Simplessus 3.7.7. It has been rated as critical. This issue affects some unknown processing. The manipulation of the argument path with the input ..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd leads to path traversal. The att...
CVE-2017-20106
PUBLISHED: 2022-06-28
A vulnerability, which was classified as critical, has been found in Lithium Forum 2017 Q1. This issue affects some unknown processing of the component Compose Message Handler. The manipulation of the argument upload_url leads to server-side request forgery. The attack needs to be approached locally...
CVE-2017-20107
PUBLISHED: 2022-06-28
A vulnerability, which was classified as problematic, was found in ShadeYouVPN.com Client 2.0.1.11. Affected is an unknown function. The manipulation leads to improper privilege management. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used...
CVE-2017-20104
PUBLISHED: 2022-06-28
A vulnerability was found in Simplessus 3.7.7. It has been declared as critical. This vulnerability affects unknown code of the component Cookie Handler. The manipulation of the argument UWA_SID leads to sql injection (Time). The attack can be initiated remotely. The exploit has been disclosed to th...