Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours

Automation allowed a REvil affiliate to move from exploitation of vulnerable servers to installing ransomware on downstream companies faster than most defenders could react.

Sometime after 14:30 UTC on Friday, July 2, network traffic combining three vulnerabilities started compromising scores of Internet-connected Kaseya Virtual System Administrator (VSA) servers hosted by managed service providers. The attackers' code synchronized to a specific time and then hibernated.


At 4:30 p.m. UTC, all within the same second, the compromised servers woke up and ran a command script that disabled a variety of security controls and sent malicious payloads to every system managed by those servers, according to an analysis conducted by Huntress Labs. While security firms are still sifting through the data, reverse engineering has revealed that the attack — from the first packets exploiting dozens of VSA servers, to the deployment of ransomware on the endpoints of hundreds to thousands of MSP customers — took less than two hours.

The speed of automation gave managed service providers and their customers only a very narrow window in which to detect attacks and block them, says John Hammond, a senior threat researcher for Huntress Labs. Companies would have to run frequent monitoring and alerts to have caught the changes, he says.

"Unfortunately, this form of hyperactive logging and detection is rare — managed service providers often don't have the resources, let alone the personnel to frequently monitor massive components of their software and stack," Hammond says. "With that said, the efficacy and potential for human-powered threat hunters is never something to be left out of the equation."

The quick turnaround of the attack underscores the compressed timeline for defenders to respond to automated attacks. The REvil group and its affiliates, who are thought responsible for the attack, scanned for Internet-connected VSA servers and, when found, sent the initial exploit, which chained three vulnerabilities. 

At 14:48 UTC on Friday, July 2, the first packets started hitting on-premise Kaseya VSA servers, according to logs collected from affected MSPs by Huntress Labs. The exploited flaws included an authentication bypass, an arbitrary file upload, and a command injection. The activity continued until the hibernating processes reactivated at 16:30 UTC, and antivirus firms suddenly started seeing spikes in detections of the ransomware payload.

In the hour after the attack's activation, between 16:30 and 17:30 UTC, antivirus firm Sophos detected a massive spike in blocked ransomware activity on its endpoints. 

"We started seeing telemetry immediately as the client systems started getting hit," says Sean Gallagher, senior threat researcher at Sophos. "The telemetry spiked all at one time, in a very small time window." After that, the attack mostly went quiet, he says.

Because Kaseya VSA manages other systems, the software not only has higher privileges — usually administrator privileges — on other systems but also often has exclusions in place so that antivirus software does not flag its activity as malicious. The command-line script that executed at 16:30 UTC on Friday ran a PowerShell script, disabling many security measures, loading in certificates, and running a malicious executable disguised as a certificate, agent.crt.

The final insult: The attackers installed an obsolete version of Microsoft's antivirus program, Defender, to load the final ransomware payload.

"It uses an antivirus product to load a virus," Sophos' Gallagher says. "It dropped an obsolete version of Windows Defender that is susceptible to side-load attacks ... and installs a malicious DLL [dynamic linked library] that is named the same as a DLL that Windows Defender would load." Because that was a piece of code signed by Microsoft, it would evade some malware protection as it looks like a legitimate piece of code, even though it is over 6 years old.
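The two endpoint behaviours described above, an executable delivered under a certificate file name and a signed AV engine run from an unexpected directory so that it side-loads a same-named DLL, are the kind of changes Hammond says frequent monitoring could have caught. The detector below is an added example, not code from the article or from Huntress, Sophos or Kaseya; the log format, hosts, directories and module names are constructed, and the Defender engine file name and install directory are assumptions.

```python
import re
import ntpath
from collections import defaultdict
from datetime import datetime

# Assumptions: the Defender engine binary name and its normal install directory.
EXPECTED_DEFENDER_DIR = r"C:\Program Files\Windows Defender"
DEFENDER_ENGINE = "msmpeng.exe"

# Constructed events (time|event|host|key=value ...); paths and module names are
# illustrative, not taken from real VSA or EDR logs. Host ws18 is the benign baseline.
SAMPLE_LOG = r"""
2021-07-02T16:30:01Z|file_write|ws17|path=C:\agent_tmp\agent.crt by=C:\RMM\AgentService.exe
2021-07-02T16:30:03Z|process_start|ws17|image=C:\agent_tmp\agent.exe parent=C:\Windows\System32\cmd.exe
2021-07-02T16:30:05Z|process_start|ws17|image=C:\agent_tmp\MsMpEng.exe parent=C:\agent_tmp\agent.exe
2021-07-02T16:30:05Z|image_load|ws17|image=C:\agent_tmp\MsMpEng.exe module=C:\agent_tmp\support.dll
2021-07-02T16:31:00Z|process_start|ws18|image=C:\Program Files\Windows Defender\MsMpEng.exe parent=C:\Windows\System32\services.exe
2021-07-02T16:31:00Z|image_load|ws18|image=C:\Program Files\Windows Defender\MsMpEng.exe module=C:\Program Files\Windows Defender\support.dll
"""

def parse(log):
    """Turn the pipe-delimited lines into dicts; values may contain spaces, so split on ' key='."""
    events = []
    for line in log.strip().splitlines():
        ts, kind, host, details = line.split("|", 3)
        fields = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", details))
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind, "host": host, **fields})
    return events

def detect(events, window_s=600):
    """Return (rule, host, path) alerts for the two behaviours, in event order."""
    alerts = []
    recent_certs = defaultdict(list)   # host -> [(ts, directory, file stem)] of .crt writes
    relocated = set()                  # (host, image) of the AV engine running outside its install dir
    for e in events:
        if e["kind"] == "file_write" and e["path"].lower().endswith(".crt"):
            d, name = ntpath.split(e["path"].lower())
            recent_certs[e["host"]].append((e["ts"], d, ntpath.splitext(name)[0]))
        elif e["kind"] == "process_start":
            d, name = ntpath.split(e["image"].lower())
            stem = ntpath.splitext(name)[0]
            # A .crt written moments ago, then a same-named executable started from the same directory.
            if any(cd == d and cs == stem and (e["ts"] - ct).total_seconds() <= window_s
                   for ct, cd, cs in recent_certs[e["host"]]):
                alerts.append(("cert_masquerade", e["host"], e["image"]))
            if name == DEFENDER_ENGINE and d != EXPECTED_DEFENDER_DIR.lower():
                relocated.add((e["host"], e["image"].lower()))
                alerts.append(("relocated_av_engine", e["host"], e["image"]))
        elif e["kind"] == "image_load" and (e["host"], e["image"].lower()) in relocated:
            # A DLL loaded from the same unexpected directory as the relocated engine: side-load pattern.
            if ntpath.dirname(e["module"].lower()) == ntpath.dirname(e["image"].lower()):
                alerts.append(("sideload_dll", e["host"], e["module"]))
    return alerts
```

Running `detect(parse(SAMPLE_LOG))` flags the three ws17 events and nothing on ws18, where the engine runs from its install directory.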

The Dutch Institute for Vulnerability Disclosure (DIVD), which had found at least one of the vulnerabilities used in the attack, published more information on the issues on July 7. The vulnerabilities were discovered in April, disclosed to Kaseya, and DIVD had worked with the company while it shored up its security and started producing patches. 

Overall, Kaseya has not "been slacking" and did everything that DIVD expected of them, says Victor Gevers, chairman of DIVD. The company did not have the security processes in place in April to handle the requirements of patching and incident response, but quickly ramped up, he says.

"If you go back through the timeline, a few days after notification, they knew they needed to hire more security people, and they did," he says. "It showed that their security posture was not up to par yet."

On Monday, Kaseya estimated that fewer than 60 customers, each using the on-premises version of the VSA server, had been affected, with fewer than 1,500 total downstream businesses affected. In interviews, security experts expected that number to rise. 

As of 8 a.m. ET on July 7, Kaseya continued to have problems patching the issue and has delayed rolling out a fix to on-premises customers.

'Overblown' Numbers?

While the attackers claim that more than a million endpoints were encrypted by the ransomware, the number is likely overblown, say security experts. However, many companies have suffered disruption due to the attack. The Swedish grocery chain Coop had to close several hundred stores on Saturday because of the ransomware attack, and several schools in New Zealand were affected, according to a Reuters report.

The Biden administration maintained on Tuesday that the attack did minimal damage to US businesses, but intends to put increasing pressure on Russia to curb attackers that act from within its borders. "If the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own," White House press secretary Jen Psaki said Tuesday, according to the Washington Post.

The attack could have been worse. At the onset, about 2,200 vulnerable VSA servers were connected to the Internet, according to data from DIVD. Without a patch from Kaseya, or even a notification or workaround, the MSPs hosting those servers would have been hard pressed to defend against the attack, says Corey Nachreiner, chief security officer at WatchGuard Technologies.

"In many cases, there are no real protections against zero-day network exploits, which may leave people blind to the indicators of that attack until after the fact," he says. "That said, there are security solutions that did detect the ransomware involved and could prevent it from an individual endpoint perspective."

While the use of a previously unknown vulnerability and the fast, automated attack may lead to many calling the attack a zero-day exploit, Huntress Labs' Hammond takes issue with that description.

"In my mind, a zero-day is defined as the defenders having zero days to prepare. But Kaseya had already been working with DIVD, so I have to put an asterisk around the notion they had zero days to prepare."

The small and midsize business clients of the managed service providers subscribed to their services because they did not have the expertise to manage their own technology. The vendors and MSPs need to take responsibility for their security, Hammond says.

"We have been a bit vocal about these services, by design, giving administrative access and godlike superpowers on all the potential clients," he says. "Vendors and companies, including us, have to review the source code, having that internal red teaming, and being absolutely certain to make sure that the technology is hardened to the world and secure."

Robert Lemos, Contributing Writer, 7/7/2021