Researchers Reproduce Exploit Used in Kaseya Hack

Kaseya CEO Downplays Impact of Cyberattack

Researchers have successfully reproduced the exploit used in the recent cyberattack targeting IT management software maker Kaseya and its customers.

Kaseya on July 2 urged customers to immediately shut down on-premises servers running its VSA endpoint management and network monitoring tool due to a cyberattack. SaaS deployments do not appear to be impacted, but the service has been shut down by the vendor as a precaution.

Cybercriminals associated with the REvil ransomware compromised Kaseya’s VSA product and used it to deliver the ransomware to many organizations. While the attack apparently only impacted tens of Kaseya’s direct customers, many of them are managed service providers (MSPs) and the ransomware was delivered to hundreds and possibly thousands of their own customers.

Managed detection and response company Huntress has been working with many of the impacted MSPs, and the data collected from these firms has allowed its researchers to determine that the attack involved the exploitation of several zero-day vulnerabilities.

The company’s researchers have managed to reproduce the attack and on Tuesday they demonstrated the exploit chain likely used by the cybercriminals. The exploit involves authentication bypass, arbitrary file upload, and command injection flaws.

Huntress pointed out that the exploit could have allowed the attackers to deliver an implant, but they apparently did not deliver one during the attack.

The Dutch Institute for Vulnerability Disclosure (DIVD) said Kaseya had been aware of at least some of the vulnerabilities exploited in the attack and was in the process of patching them when the breach was detected.

Ransom demands

REvil operators typically also steal information from victims to increase their chances of getting paid, but in this case it seems that they only managed to encrypt files on compromised systems. Some victims have been told to pay tens of thousands of dollars to restore files, while others have been instructed to pay millions.

The hackers have also offered a universal decryptor that could be used to decrypt the files of all victims, allegedly in less than an hour. They initially asked for $70 million for this universal decryptor, but they have reportedly reduced the price to $50 million and have also offered decryptors that work only for certain file extensions.

According to reports, some victims are privately negotiating with the cybercriminals in hopes of recovering their files.

Kaseya and U.S. government comment on impact

Kaseya CEO Fred Voccola downplayed the impact of the incident in a video released on Tuesday, saying that the impact “is very minimal” and that it has been made “larger than what it is.”

Voccola explained that the breach impacted only one of the 27 modules of IT Complete, a suite of products designed to help midsize businesses manage all of their IT operations. The affected module, VSA, is designed for remote monitoring and management (RMM).

The company claims to have roughly 37,000 customers, and the attack allegedly impacted only roughly 50 users of the RMM module.

Voccola said the MSPs that use Kaseya products manage between approximately 800,000 and one million small businesses around the world. Of these, the company estimates that only between 800 and 1,500 were affected by the incident.

However, German news agency dpa reported that an IT services company in Germany claimed that several thousand of its customers were compromised.

Kaseya’s CEO said the VSA product was shut down within an hour after the company learned of a potential issue, and claimed that they had procedures in place for dealing with such an incident.

President Joe Biden also claimed on Tuesday that the damage to U.S. businesses appeared minimal, but said information is still being gathered.

Some cybersecurity professionals, however, questioned Kaseya’s claims regarding the relatively low number of impacted downstream businesses.

“Given the relationship between Kaseya and MSPs, it’s not clear how Kaseya would know the number of victims impacted. There is no way the numbers are as low as Kaseya is claiming though,” said Jake Williams, CTO of cybersecurity firm BreachQuest.

Both Kaseya and the U.S. government said critical infrastructure did not appear to be affected, but some experts pointed out that the IT sector is a critical infrastructure sector.

Kaseya fails to restore services

Kaseya was planning on restoring VSA SaaS servers on July 6, but it failed to complete the process.

The company has been working on patching the vulnerabilities exploited in the attack and promised to release fixes for on-premises systems within 24 hours after SaaS services have been restored.

“During the VSA SaaS deployment, an issue was discovered that has blocked the release. Unfortunately, the VSA SaaS rollout will not be completed in the previously communicated timeline,” the company said.

Related: Swedish Supermarket Closed by Kaseya Cyberattack

Related: Hackers Demand $70 Million as Kaseya Ransomware Victim Toll Nears 1,500 Firms

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.