An in-depth analysis of the Kaseya ransomware attack: here’s what you need to know
Earlier this month, a new massive supply chain attack dominated the headlines: the REvil ransomware gang hit the cloud-based managed service provider platform Kaseya, impacting both other MSPs using its VSA software and their customers.
The VSA tool is used by MSPs to perform patch management and client monitoring for their customers.
Like other supply chain attacks, the REvil ransomware operators initially compromised Kaseya VSA’s infrastructure, then pushed out malicious updates for VSA on-premises servers to infect the enterprise networks.
Researchers from the security firm Huntress Labs, who began the investigation shortly after the attack, immediately speculated that the attack impacted tens of MSPs and hundreds of their customers, making this incident one of the largest ransomware attacks in history.
The threat actors attempted to maximize the impact of their attack by launching it on Friday, ahead of the July 4 holiday in the US.
In response to the attack, Kaseya shut down their SaaS infrastructure and notified the FBI, who are investigating the incident. Experts from the FireEye Mandiant team, alongside other forensics companies, were also recruited to investigate the security breach.
REvil ransomware operators initially asked the owners of systems infected in this campaign for $44,999 worth of Bitcoin. Later, however, they opted for a different and quicker solution: a single massive ransom of $70 million covering all of the victims.
A deeper analysis of the attack
Threat actors exploited a zero-day vulnerability in Kaseya VSA tracked as CVE-2021-30116. The availability of a zero-day exploit in the ransomware gang's arsenal demonstrates the sophistication of their operations.
Researcher Kevin Beaumont noticed that, once the malicious updates had been deployed, the attackers also blocked administrator access to the VSA and then added a task called “Kaseya VSA Agent Hot-fix.” The tainted update was delivered to the on-premises servers used by the MSPs, which in turn delivered the malware to their customers’ systems in the form of a fake management agent update.
Mark Loman, a senior researcher from Sophos, reported that the REvil binary was side-loaded into a legitimate Microsoft Defender copy before being copied into C:\Windows\MsMpEng.exe to start the encryption process.
Loman added that the attack chain contained PowerShell code that attempts to disable Microsoft Defender's Real-Time Monitoring feature.
John Hammond, a cybersecurity researcher at Huntress Labs, told BleepingComputer that Kaseya VSA drops an agent.crt file into the c:\kworking folder, distributed as an update called ‘Kaseya VSA Agent Hot-fix.’ A PowerShell command is then launched that decodes the certificate file with the legitimate Windows certutil.exe utility and extracts an agent.exe file into the same folder.
The agent.exe is digitally signed using a certificate issued for “PB03 TRANSPORT LTD” and includes the REvil ransomware encryptor.
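As an added example (not from the article, and not Kaseya's own detection tool), the following Python detection logic turns the indicators described above into rules and runs them over constructed process-creation events; the allow-listed Defender directories, the sample events and the Set-MpPreference command line are assumptions.

```python
import ntpath
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# Illustrative only; not real telemetry from the incident.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"certutil.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\kworking\agent.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"image": r"C:\Windows\MsMpEng.exe", "parent": r"C:\kworking\agent.exe",
     "cmdline": r"C:\Windows\MsMpEng.exe"},
    # Benign look-alikes that the rules must not flag.
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"certutil.exe -verify C:\temp\cert.cer"},
    {"image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MsMpEng.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": r"MsMpEng.exe"},
]

# Directories where the genuine Defender engine normally lives (assumption; adjust to your estate).
DEFENDER_DIRS = (r"c:\program files\windows defender",
                 r"c:\programdata\microsoft\windows defender\platform")


def base(path):
    return ntpath.basename(path).lower()


RULES = {
    # certutil used to decode the dropped agent.crt inside c:\kworking
    "certutil_decodes_kworking_agent": lambda e: (
        base(e["image"]) == "certutil.exe"
        and re.search(r"-decode\b.*\\kworking\\agent\.crt", e["cmdline"], re.I) is not None),
    # PowerShell turning off Defender real-time monitoring
    "powershell_disables_defender_rtm": lambda e: (
        base(e["image"]) == "powershell.exe"
        and re.search(r"set-mppreference.*-disablerealtimemonitoring\s+\$?true",
                      e["cmdline"], re.I) is not None),
    # MsMpEng.exe executing outside its legitimate install directories (e.g. C:\Windows)
    "msmpeng_outside_defender_dirs": lambda e: (
        base(e["image"]) == "msmpeng.exe"
        and not ntpath.dirname(e["image"]).lower().startswith(DEFENDER_DIRS)),
    # the extracted agent.exe running, or spawning children, from c:\kworking
    "agent_exe_from_kworking": lambda e: (
        e["image"].lower() == r"c:\kworking\agent.exe"
        or e["parent"].lower() == r"c:\kworking\agent.exe"),
}


def detect(events):
    """Return (event index, rule name) pairs for every event that matches a rule."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]
```

Each rule is deliberately narrow so the benign certutil and Defender events in the sample produce no hits; feed real Sysmon or EDR process events into detect() with the same three fields.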
The zero-day vulnerability exploited by REvil gang
For the initial attack vector, REvil operators exploited an authentication bypass in the web interface of the Kaseya VSA server to gain an authenticated session. Then, the attackers uploaded the payload and executed a command via SQL injection to deploy the malicious updates.
The attackers exploited a zero-day vulnerability, tracked as CVE-2021-30116, which had been discovered by the Dutch Institute for Vulnerability Disclosure (DIVD) and reported to Kaseya. The company was validating the patch before rolling it out to customers, but the REvil ransomware operators exploited the flaw first, in the massive supply chain ransomware attack.
“During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing,” states an update provided by the Dutch Institute for Vulnerability Disclosure.
“Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”
Kaseya announced that fewer than 60 of its customers and less than 1,500 businesses have been impacted by the attack.
“While impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure. Many of Kaseya’s customers are managed service providers, using Kaseya’s technology to manage IT infrastructure for local and small businesses with less than 30 employees, such as dentists’ offices, small accounting offices and local restaurants. Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised.” reads a statement published by the company.
At the time of this writing, only five MSPs have publicly disclosed the security breach caused by the attack: Avtex, Hoppenbrouwers, Synnex, Visma EssCom, and VelzArt.
Kaseya has released a security update to fix the zero-day vulnerabilities in its VSA software that were exploited by the REvil ransomware gang in the massive ransomware supply chain attack.
The company has released VSA version 9.5.7a (220.127.116.1194), which addresses the following security flaws:
- CVE-2021-30116 – A credentials leak and business logic flaw, to be included in 9.5.7
- CVE-2021-30117 – An SQL injection vulnerability, fixed in VSA 9.5.6.
- CVE-2021-30118 – A Remote Code Execution vulnerability, fixed in VSA 9.5.6.
- CVE-2021-30119 – A Cross Site Scripting vulnerability, to be included in 9.5.7
- CVE-2021-30120 – 2FA bypass, to be resolved in v9.5.7
- CVE-2021-30121 – A Local File Inclusion vulnerability, fixed in VSA 9.5.6.
- CVE-2021-30201 – A XML External Entity vulnerability, fixed in VSA 9.5.6.
Kaseya also recommends that customers follow the ‘On Premises VSA Startup Readiness Guide’ steps before installing the security updates. The guide explains how to determine whether a system has already been compromised and includes instructions on how to clean it.
The software vendor also released a detection tool that organizations can use to determine whether their infrastructure has been compromised.
For additional security, Kaseya recommends reducing the attack surface by limiting access to the VSA Web GUI to local IP addresses, which means blocking inbound port 443 on the internet firewall.
“For VSA On-Premises installations, we have recommended limiting access to the VSA Web GUI to local IP addresses by blocking port 443 inbound on your internet firewall. Some integrations may require inbound access to your VSA server on port 443,” states Kaseya.
Once the security updates are installed, all user passwords will be reset and users will have to choose new ones.
CISA and the FBI have also published guidance for the organizations impacted by the supply chain attack. The US agencies provide instructions to affected MSPs and their customers on how to check their infrastructure for indicators of compromise.
Kaseya has also released a detection tool that can be used by organizations to determine if their infrastructure has been compromised.
“The new Compromise Detection Tool was rolled out last night to almost 900 customers who requested the tool,” states the company.
Supply chain attacks are truly insidious: their detection is complex, and the potential impact on victims can be dramatic. The Kaseya attack can be considered a case study, because a supply chain attack aimed at the customers of the targeted organizations amplified the magnitude of the security breach.
Probably one of the best approaches to preventing supply chain attacks is implementing a zero-trust model within your architecture. In the zero-trust model, every resource (e.g. a network or a user) is treated as a potential security threat until proven otherwise.