EXECUTIVE SUMMARY:

Just hours ahead of the US Independence Day weekend, a massive ransomware attack paralyzed computer networks across the country and around the world. Attackers spread the ransomware via a supply chain infection. They leveraged IT firm Kaseya’s VSA software in order to fraudulently push malicious updates to the company’s clients.

Kaseya is considered a central player when it comes to software deployment. The company is known for providing basic software tools to enterprises that want to handle their own technology configurations. Kaseya has over 40,000 clients and MSP customers, and as many as 1,500 organizations are believed to have had their networks encrypted as a result of this attack. As immediate concerns are resolved, Kaseya states that the company will develop a security patch for the exploited vulnerability.

Real-world impact

The VSA software incident had direct, immediate real-world consequences. For example, 800 supermarkets (all part of the Coop chain) were forced to close because employees were unable to open cash registers. Customers were left unable to buy food for their families, and business losses are expected to be significant.

Other groups were also affected, from dentists’ offices to accounting firms. In New Zealand, primary schools and kindergartens experienced internet outages due to the VSA software event.

In exchange for restoring all systems, the hackers who claim responsibility for the attack want $70 million. Private conversations between the hackers, cyber security professionals and the Reuters news outlet indicate that a lower price tag could be negotiated.

Will Kaseya pay the ransom?

When asked about the matter, Kaseya’s leadership declined to offer firm comments. To consult on the issue, Kaseya pulled in the FBI, the Department of Homeland Security and other federal officials.

As of Sunday, the White House was in the process of assessing whether or not the ransomware posed any “national risk.” To date, such risk has not been reported.

Early incident reporting

Initially, the attack was thought to be limited to a small number of on-premises Kaseya customers. On Friday afternoon, out of an abundance of caution, all customers were directed to shut down their VSA servers. Customers received notification concerning the breach via email, phone and other channels. The Kaseya Incident Response team quickly powered down SaaS servers and took data centers offline.

By the time that many Americans were celebrating July 4th, investigators had determined that Kaseya was the victim of a carefully calculated and sophisticated cyber attack. Because Kaseya was in the middle of fixing vulnerabilities in the VSA software when the attack occurred, some information security experts suggested that the attackers may have had insight into internal Kaseya communications. However, incident response investigators have not yet seen any signs that hackers had been hiding out in the network.

Technical details

Attackers appear to have triggered an authentication bypass vulnerability in the Kaseya VSA web interface, which enabled them to circumvent authentication controls, obtain an authenticated session, upload malware to systems, and launch commands via SQL injection. Code execution was achieved during this process.

The ransomware appears to have been pushed out through a fraudulent software update within Kaseya VSA, labeled “Kaseya VSA Agent Hot-fix.”

In connection with the attack, experts are also looking into a specific AWS IP address. It may have functioned as an attack launch point.

In summary

This incident closely follows on the heels of the Department of Homeland Security’s warning about a spike in ransomware threats. The group believed to be responsible, REvil, is known for other high-profile attacks, including those carried out earlier this year. For more information about the REvil ransomware gang, check out Cyber Talk’s past coverage of their activities.