A new advanced coordinated cyber attack debuted by hitting over a thousand companies around the globe on Friday with ransomware. The IT software company, Kaseya, had a single zero-day vulnerability that cybercriminal group REvil used to breach the Kaseya VSA appliance.
Kaseya is a company that provides software to IT service providing companies, also known as Managed Service Providers (MSP’s). MSP’s oftentimes have direct access to their customer’s environments, sometimes with escalated privileges. These MSP’s and their customers are the targets. This means that the cybercriminals effectively gained access to thousands of organizations through about 30 (known) MSP’s, and a single vulnerability within Kaseya VSA. After they gain access to a target organization, they look to disable protection, delete logs, and drop ransomware in the environment.
Who is Affected
This attack targeted MSP’s using Kaseya and their customers. So far about 30 MSP’s are known to have been affected. Many small businesses that outsource their IT, such as accountants and dentist offices have been shut down with ransomware. On the larger end, a supermarket chain had to shut down hundreds of locations for a day to recover from the attack. Multiple schools and kindergartens were knocked offline by the attack as well.
Even if you do not use Kaseya directly in your environment, you can still be affected by this breach. In fact, it appears that the cybercriminals targeted Kaseya in order to gain access to a global network of businesses through a handful of MSP’s and the Kaseya toolsets may never have even been used in the environment.
What Our SOC Has Seen
We responded to attempted access and configuration changes in environments that had nothing to do with Kaseya, which means that once the criminals got in, they were looking to set up new accounts and do privilege escalation to be able to carry out other activities. They may have been looking to remove backups and to shut down antivirus before deploying their ransomware to ensure it does the most damage possible. This is advanced cybercriminal activity happening in small, medium, and large-sized organizations.
What You Can Do
Kaseya issued a security advisory warning all Kaseya VSA customers to immediately shut down their VSA server to prevent the attack’s spread while investigating. In the meantime, you can make the following changes below to reduce your risk.
- Review and restrict all admin accounts for on-prem and cloud environments
- Remove any accounts that are no longer needed
- If a partner setup your Office365 or Azure tenant, ensure that their Service Account links through Azure Lighthouse have also been removed or restricted
- Make sure Multi-Factor authentication (MFA) is enabled for all accounts that are turned on and can be used for remote access into networks AND cloud applications such as anti-virus and EDR tools
- Use a SIEM to search and monitor for any unapproved configuration changes throughout the environment
- Track whitelisting for changes in your EDR and Next-Gen Antivirus tools very carefully – REvil has been known to whitelist their own malware (RAT’s and Ransomware itself) to allow it to run normally in many environments
Want to protect your organization from threats like this? Click here for a free consultation.