Update, Sept. 23rd, 2021: Throughout July and August Kaseya released a slew of patches for this vulnerability. Bitdefender released a universal decryption key that they developed by working with law enforcement. That key, with instructions, has been made available to organizations that have been impacted by the attack. Although REvil has popped back online after nearly two months of silence, this vulnerability is no longer a shocking threat due to vendor patches and a widely available decryption key.
A new, coordinated cyber attack made its debut on Friday by hitting over a thousand companies around the globe with ransomware. The cybercriminal group REvil used a single zero-day vulnerability in Kaseya VSA, a product of the IT software company Kaseya, to breach VSA appliances.
Kaseya provides software to IT service companies, also known as Managed Service Providers (MSPs). MSPs often have direct access to their customers' environments, sometimes with elevated privileges. These MSPs and their customers are the targets. This means the cybercriminals effectively gained access to thousands of organizations through about 30 known MSPs and a single vulnerability in Kaseya VSA. Once they gain access to a target organization, they look to disable protection, delete logs, and drop ransomware in the environment.
Who is Affected
This attack targeted MSPs using Kaseya, and their customers. So far about 30 MSPs are known to have been affected. Many small businesses that outsource their IT, such as accountants' and dentists' offices, have been shut down by ransomware. On the larger end, a supermarket chain had to close hundreds of locations for a day to recover from the attack. Multiple schools and kindergartens were knocked offline as well.
Even if you do not use Kaseya directly in your environment, you can still be affected by this breach. In fact, it appears the cybercriminals targeted Kaseya in order to reach a global network of businesses through a handful of MSPs, including environments in which the Kaseya toolset itself may never have been used.
What Our SOC Has Seen
This breach has already been trickling through the supply chain. Sedara’s Security Operations Center has been dealing with activity from this incident over the weekend in customer environments. These customers did not have Kaseya themselves; however, their MSPs had in the past, and certain accounts associated with Kaseya were still active. It appears the cybercriminals were using those accounts in an attempt to gain high-privilege access to the networks.
We responded to attempted access and configuration changes in environments that had nothing to do with Kaseya, which means that once the criminals got in, they were looking to set up new accounts and escalate privileges so they could carry out other activities. They may have been looking to remove backups and to shut down antivirus before deploying their ransomware to ensure it does the most damage possible. This is advanced cybercriminal activity happening in small, medium, and large-sized organizations.
What You Can Do
Kaseya issued a security advisory warning all Kaseya VSA customers to immediately shut down their VSA server to prevent the attack’s spread while it investigates. In the meantime, you can make the following changes to reduce your risk.
- Review and restrict all admin accounts for on-prem and cloud environments
- Remove any accounts that are no longer needed
- If a partner set up your Office 365 or Azure tenant, ensure that their service account links through Azure Lighthouse have also been removed or restricted
- Make sure multi-factor authentication (MFA) is enabled for every enabled account that can be used for remote access into networks AND for cloud applications, including anti-virus and EDR consoles
- Use a SIEM to search for and monitor any unapproved configuration changes throughout the environment
- Track whitelisting changes in your EDR and next-gen antivirus tools very carefully: REvil has been known to whitelist its own malware (RATs and the ransomware itself) so that it runs unhindered in many environments
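The SIEM and whitelist-tracking recommendations above are easier to act on with concrete detection logic. The following is an added example, not Sedara's or Kaseya's code: a small Python detector that walks a constructed, simplified Windows event export and flags the changes the post says to watch for (new accounts, additions to privileged groups, new Microsoft Defender exclusions, and real-time protection being disabled). The one-event-per-line `timestamp|channel|event_id|message` format and all account, group and path values in the sample are assumptions made for the example; real event exports are multi-line and richer, but the event IDs (Security 4720, 4728, 4732 and Defender/Operational 5007, 5001) are the real ones.

```python
"""
Added example (not Sedara's or Kaseya's code): a minimal detector for the
unapproved configuration changes the post recommends monitoring in a SIEM.

Input is a constructed, simplified event export, one event per line:
    timestamp|channel|event_id|message
(an assumption for this example; real exports are multi-line).  Rules:
  * Security 4720             - a user account was created
  * Security 4728 / 4732      - a member was added to a privileged group
  * Defender/Operational 5007 - Defender configuration changed, flagged only
                                when the change adds an exclusion (the
                                "whitelisting" the post warns about)
  * Defender/Operational 5001 - Defender real-time protection was disabled
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Groups whose membership grants elevated rights; extend for your own domain.
PRIVILEGED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins",
    "Backup Operators", "Remote Desktop Users",
}
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"

NEW_ACCOUNT_RE = re.compile(r"New Account:\s*(?P<account>\S+)")
GROUP_ADD_RE = re.compile(r"Group:\s*(?P<group>.+?);\s*Member:\s*(?P<member>\S+)")
# Registry values under ...\Windows Defender\Exclusions\{Paths,Extensions,Processes}\
EXCLUSION_RE = re.compile(
    r"\\Exclusions\\(?:Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x",
    re.IGNORECASE,
)


@dataclass
class Finding:
    timestamp: str
    rule: str    # short rule name
    detail: str  # account, "member -> group", exclusion path, or message


def parse_event(line: str):
    """Split one line of the constructed format into its four fields."""
    timestamp, channel, event_id, message = line.split("|", 3)
    return timestamp.strip(), channel.strip(), int(event_id), message.strip()


def detect(lines: Iterable[str], approved_accounts: Iterable[str] = ()) -> List[Finding]:
    """Return a Finding for every event matching one of the rules above.

    approved_accounts: names whose creation went through change control and
    should not be reported; any other new account is treated as suspicious.
    """
    approved = set(approved_accounts)
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        ts, channel, eid, msg = parse_event(line)

        if channel == "Security" and eid == 4720:
            m = NEW_ACCOUNT_RE.search(msg)
            account = m.group("account") if m else "<unparsed>"
            if account not in approved:
                findings.append(Finding(ts, "new-account", account))

        elif channel == "Security" and eid in (4728, 4732):
            m = GROUP_ADD_RE.search(msg)
            if m and m.group("group") in PRIVILEGED_GROUPS:
                findings.append(Finding(ts, "privileged-group-add",
                                        f"{m.group('member')} -> {m.group('group')}"))

        elif channel == DEFENDER_CHANNEL and eid == 5007:
            m = EXCLUSION_RE.search(msg)
            if m:  # other 5007 changes (e.g. signature schedule) are routine
                findings.append(Finding(ts, "av-exclusion-added", m.group("value")))

        elif channel == DEFENDER_CHANNEL and eid == 5001:
            findings.append(Finding(ts, "av-realtime-disabled", msg))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, e.g. for a dashboard tile or alert threshold."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample export (not real telemetry); names and paths are made up.
SAMPLE_LOG = r"""
2021-07-03T14:02:11Z|Security|4624|An account was successfully logged on. Account: jsmith
2021-07-03T14:05:40Z|Security|4720|A user account was created. New Account: helpdesk-new
2021-07-03T14:06:02Z|Security|4720|A user account was created. New Account: svc-remote-new
2021-07-03T14:06:09Z|Security|4732|A member was added to a security-enabled local group. Group: Administrators; Member: svc-remote-new
2021-07-03T14:06:30Z|Security|4732|A member was added to a security-enabled local group. Group: Backup Operators; Member: svc-remote-new
2021-07-03T14:07:15Z|Microsoft-Windows-Windows Defender/Operational|5007|Windows Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\SignatureUpdateInterval = 0x8
2021-07-03T14:07:41Z|Microsoft-Windows-Windows Defender/Operational|5007|Windows Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp = 0x0
2021-07-03T14:08:03Z|Microsoft-Windows-Windows Defender/Operational|5001|Windows Defender Antivirus Real-time Protection is disabled.
"""

if __name__ == "__main__":
    # helpdesk-new is the one account whose creation was approved in this sample.
    for f in detect(SAMPLE_LOG.splitlines(), approved_accounts={"helpdesk-new"}):
        print(f"{f.timestamp}  {f.rule:22} {f.detail}")
```

The allow-list of approved account names is the only tuning knob; everything else is reported, because in a supply-chain incident the attacker's changes look exactly like an administrator's and only change-control records can tell them apart. The same rules map onto a SIEM query in the usual way: filter on channel and event ID, then on the group name or the `Exclusions` registry path.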