SecurityWeek
IT Software Firm Kaseya Hit By Supply Chain Ransomware Attack

Supply chain cyberattack could have wide blast radius through compromised MSPs

Software maker Kaseya Limited is urging users of its VSA endpoint management and network monitoring tool to immediately shut down VSA servers to prevent them from being compromised in a widespread ransomware attack.

According to Kaseya, the attack began around 2PM ET on Friday. The company said that while the incident only appears to impact on-premises customers, SaaS servers have also been shut down as a precautionary measure.

While the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) had not yet issued an official alert as of early Saturday, the agency said late Friday that it was “taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software.”

The timing of the attack is certainly no coincidence, as IT and security teams are likely to be understaffed and slower to respond due to the 4th of July holiday weekend in the United States.

“While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability,” the company said.

Kaseya says it’s working on a patch for on-premises customers, and that patch will need to be installed before VSA is restarted. “We will release that patch as quickly as possible to get our customers back up and running,” the company said.

According to security firm Huntress, at least 8 managed service providers (MSPs) have been compromised, with more than 200 of their customers already impacted.

Kaseya currently estimates that fewer than 40 of its customers have been affected.

The attack appears to have involved exploitation of a vulnerability and the delivery of a malicious Kaseya VSA software update. The update delivered a piece of ransomware that encrypts files on compromised systems.

According to security researcher Kevin Beaumont, VSA runs with administrator privileges, which has enabled the attackers to also deliver the ransomware to the customers of the impacted MSPs.

On compromised systems, the malware attempts to disable various Microsoft Defender for Endpoint protections, including real-time monitoring, IPS, script scanning, network protection, cloud sample submission, cloud lookup, and controlled folder access, Beaumont said.

To make matters worse, VSA admin accounts are apparently disabled just before the ransomware is deployed.

According to Huntress, the attack appears to have been carried out by a REvil/Sodinokibi ransomware-as-a-service affiliate. Sophos and others also confirmed that REvil was involved.

(Image: REvil ransomware note to Kaseya VSA victims)

“REvil binary C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process,” explained Sophos’ Mark Loman.
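The two behaviours described above, the Defender protections being switched off and a Defender binary being copied into C:\Windows with mpsvc.dll beside it, can be checked on a host with the following triage script. It is an added example, not code from the article, Kaseya, Sophos or Huntress; it assumes a Windows host with the Defender PowerShell module, run from an elevated prompt.

```powershell
# Added triage script; not code from the article, Kaseya, Sophos or Huntress.
# Assumes a Windows host with the Defender PowerShell module, run from an elevated prompt.
# Checks (1) Defender protections switched off through its preferences and
# (2) copies of MsMpEng.exe / mpsvc.dll planted directly in C:\Windows.

$findings = @()
$pref = Get-MpPreference

# (1) Boolean "Disable*" preferences: $true means the protection has been turned off.
$boolChecks = @{
    DisableRealtimeMonitoring        = 'real-time monitoring disabled'
    DisableIntrusionPreventionSystem = 'IPS disabled'
    DisableScriptScanning            = 'script scanning disabled'
}
foreach ($name in $boolChecks.Keys) {
    if ($pref.$name -eq $true) { $findings += "Preference $($name): $($boolChecks[$name])" }
}
# Enumerated preferences: 0 = Disabled for network protection, controlled folder access and
# MAPS (cloud lookup); SubmitSamplesConsent 2 = Never send (cloud sample submission off).
if ($pref.EnableNetworkProtection -eq 0)      { $findings += 'Preference: network protection disabled' }
if ($pref.EnableControlledFolderAccess -eq 0) { $findings += 'Preference: controlled folder access disabled' }
if ($pref.MAPSReporting -eq 0)                { $findings += 'Preference: cloud lookup (MAPS) disabled' }
if ($pref.SubmitSamplesConsent -eq 2)         { $findings += 'Preference: cloud sample submission disabled' }

# (2) Side-loading artefacts. The genuine MsMpEng.exe lives under a "Windows Defender" directory
# (Program Files or the ProgramData Platform folder); a copy directly in C:\Windows, with
# mpsvc.dll beside it, matches the pattern Sophos described.
foreach ($file in 'MsMpEng.exe', 'mpsvc.dll') {
    $path = Join-Path $env:SystemRoot $file
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $findings += "File $path present (signature: $($sig.Status); signer: $($sig.SignerCertificate.Subject))"
    }
}
Get-Process -Name MsMpEng -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path -and $_.Path -notmatch '\\Windows Defender\\') {
        $findings += "Process MsMpEng.exe (PID $($_.Id)) running from unexpected path $($_.Path)"
    }
}

if ($findings.Count -eq 0) { 'No Defender tampering or side-loading artefacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Because VSA itself was the delivery channel in this incident, push a check like this through a different management path rather than through the compromised tool.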

The ransomware encryptor is signed with a valid digital signature belonging to a transportation company in Canada.

In some cases, the attackers appear to have demanded $50,000 while in others they reportedly demanded a $5 million ransom from victims. REvil attacks typically also involve the theft of data from compromised systems in an effort to pressure the victim into paying the ransom. However, it’s unclear if any files were stolen in these attacks considering that the attackers may not have had too much time on victim systems before the Kaseya breach came to light.

The REvil ransomware was also used recently in an attack aimed at meat packaging giant JBS, which paid $11 million to the hackers to ensure that the files they stole would not be made public.

Indicators of compromise (IOCs) for this attack have been shared by Huntress, Sophos, and Kevin Beaumont. Emsisoft’s Fabian Wosar has shared a copy of the ransomware encryptor configuration.

Incident Response Impact

Experts are sounding the alarm over the fact that many firms use Kaseya’s tool as part of their incident response process, and losing the ability to leverage the tool could pose a big problem.

“This type of a supply chain attack, similar to the SolarWinds attack, goes straight to the jugular of organizations looking to recover from a breach,” added Chris Grove, technology evangelist with Nozomi Networks. “These types of technology management solutions can have high concentrations of risk due to their large collection of enterprise accounts with elevated privileges, unrestricted firewall rules needed for them to operate, and a cultural ‘trust’ that the traffic to/from them is legitimate and should be allowed.”

“Once a breach happens, the victim would generally reach for these tools to work their way out of a bad situation, but when the tool itself is the problem, or is unavailable, it adds complexity to the recovery efforts,” Grove said.

“It’s hard to explain how devastating this is for Kaseya VSA customers,” said Jake Williams, co-founder and CTO at BreachQuest. “Most of our customers who use Kaseya employ it as their single IT tool for systems management, software installation, and visibility. Now, during a ransomware event, they’re unable to use this tool they’ve invested in for remediation. Most Kaseya customers we’ve worked with have no contingency plan for this. Even worse, given the holiday weekend in the US, we’re unlikely to know the full impact of this until next week.”

Written by Eduard Kovacs (@EduardKovacs), managing editor at SecurityWeek.