On Friday, July 2, 2021, a ransomware gang named REvil (note the word evil in their name) targeted multiple managed IT service providers (MSPs) in a massive supply chain attack that has affected more than 1,500 companies to date. The attack exploited a zero-day vulnerability in remote monitoring and management (RMM) software developed by Kaseya, an IT services provider that sells software applications to MSPs.
The Kaseya cyberattack distributed malware (malicious software) to MSP customers all over the globe. The gang is demanding the largest ever ransom for a cyberattack: $50 million in bitcoin (down from $70 million – more below).
What Happened, and How?
Kaseya supplies on-premises Vector Signal Analysis (VSA) servers, which are remote monitoring and endpoint management tools typically used by MSPs. While cybersecurity researchers at first suspected that the attackers had gained access to Kaseya's backend infrastructure, none of Kaseya's Software-as-a-Service (SaaS) instances or other Kaseya software applications were affected. Rather, the attackers gained access via an authentication bypass vulnerability in the on-premises VSA servers, which are used by many MSPs with datacenters and private cloud offerings.
The vulnerability was initially reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) in April 2021. Kaseya had been working on a patch since the initial report, but unfortunately REvil exploited the vulnerability before the patch was made available.
The attackers gained access to the VSA servers within the MSPs' networks, and then used that elevated position to push the ransomware, via the Kaseya software's auto-update function, to hundreds and eventually more than 1,500 MSP customers that use the software and services to manage their networks and small business security.
Comparison to the Zero-Day SolarWinds Attack
For the second time in a year, attackers were able to exploit a widely used software platform in a supply chain attack that gave them access to thousands of downstream clients. That is enough to give any IT managed service provider or software developer pause.
However, the two attacks are fundamentally different in some key respects. The SolarWinds attackers looked for a vendor they could use to get to internal, and otherwise unavailable, networks – among them threat intelligence companies, defense contractors, and the U.S. government. The operation’s goal appears to have been espionage, and their targets were clearly defined.
REvil appears instead to have targeted MSPs in order to gain remote administration access to their clients' networks, and then pushed ransomware out to thousands of potential victims. The attack was not aimed at specific networks; it was mass deployed. And REvil announced their ransom demand almost immediately: $70 million in bitcoin, which they dropped to $50 million only two days later. It is open to speculation as to why they dropped their ransom demand so quickly; did they feel it would be too difficult to collect from each small MSP affected? We will never know.
So, why did REvil go after Kaseya? Were they even targeting Kaseya at all, or just MSP-focused software companies, or something else? And how did they find out about the exploit?
Ransomware actors have grown extremely efficient at scaling their attacks to extract the most money with the least possible work. They often take advantage of unsecured remote desktop protocol (RDP) ports, easily hitting the surprisingly significant percentage of companies that leave their RDP servers Internet-facing instead of securely behind a firewall that requires multi-factor authentication. In that sense, targeting MSPs is simply smart business: a vulnerable MSP is an open door to all of its customers. And for a successful supply chain attack, finding common software platforms is the logical next step.
It is also not uncommon for penetration testers and attackers to test against trial-licensed copies of their intended target. A sophisticated penetration tester intent on finding exploits in common software platforms, and looking at Kaseya, may have been able to find the authentication bypass relatively quickly. It is currently unknown how knowledge of this vulnerability fell into REvil's hands.
The Kaseya VSA server's web interface made it possible for attackers to scan the Internet for possible targets, and some basic reconnaissance techniques gave them a list of candidates. This is exactly what took place in February of this year, when a Chinese nation-state attack scanned American businesses for on-premises Exchange email servers and, once one was detected, ran an automated script on the Exchange server to exploit a known zero-day Microsoft vulnerability that had not yet been patched.
It is not lost on us at ANP that many of the recent attacks were launched the day before a national US holiday. It's our belief that the cyber criminals are doing this intentionally, expecting that most IT departments are on vacation and not as vigilant as they might be during the work week.
ANP does not use Kaseya VSA servers in our managed service business, and we can report with confidence that none of our customers have been affected by this attack.
In response to the news of the attack on fellow MSPs, ANP immediately developed and ran a script to identify any rogue Kaseya VSA agent present on our clients' managed workstations and servers.
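As an added illustration of that kind of endpoint sweep (this is not ANP's script, and the name pattern and locations it searches are assumptions), the following PowerShell function inventories a Windows host for any service, process, installed-program entry or Program Files folder whose name matches "Kaseya", so a defender can spot an agent on a machine that is not supposed to have one:

```powershell
# Added example, not ANP's own script. Assumption: a Kaseya VSA agent shows up as a
# service, a running process, an Add/Remove Programs entry, or an install folder whose
# name contains "Kaseya". Change -NamePattern if your environment brands it differently.
function Find-KaseyaVsaFootprint {
    [CmdletBinding()]
    param(
        [string]$NamePattern = '*Kaseya*'   # assumed match pattern, not a vendor identifier
    )

    $findings = @()

    # 1. Windows services: an installed agent normally registers one.
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern -or $_.Name -like $NamePattern } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Detail = $_.Status }
        }

    # 2. Running processes: catches a binary that is executing with no service registered.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -like $NamePattern -or $_.Path -like $NamePattern } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Kind = 'Process'; Name = $_.ProcessName; Detail = $_.Path }
        }

    # 3. Add/Remove Programs entries, both the 64-bit and the 32-bit (WOW6432Node) views.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Kind = 'Installed'; Name = $_.DisplayName; Detail = $_.InstallLocation }
        }

    # 4. Install folders directly under the Program Files roots.
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($root -and (Test-Path $root)) {
            Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -like $NamePattern } |
                ForEach-Object {
                    $findings += [pscustomobject]@{ Kind = 'Folder'; Name = $_.Name; Detail = $_.FullName }
                }
        }
    }

    return $findings
}

# Run on each managed endpoint and collect the output centrally for review.
Find-KaseyaVsaFootprint | Format-Table -AutoSize
```

An empty result means nothing matching the pattern was found; any hit on a host that has no business running a Kaseya agent is worth investigating.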
While ANP does use three applications from Kaseya, none of these were part of the recent REvil attack. However, out of an abundance of caution, our team of security experts immediately removed the active Application Programming Interfaces (APIs) from our own Remote Monitoring and Management platform. We are keeping the APIs inactive until Kaseya has the time and resources to supply a clean bill of health for the three applications that we do use.
ANP is not surprised by the increased activity and sophistication of cyberattacks this year. The truth is that it is only going to get worse, and companies of all sizes and industries need to be prepared to protect against all types of attacks.
If you are not doing business with ANP, we highly encourage you to contact us to learn about our managed security services, which proactively keep your company out of harm's way from the relentless cyberattacks taking place today.
If you are a client of ANP and would like to discuss increasing your security posture, please reach out to your Virtual-CIO or contact us at (215) 572-0111.