Software maker Kaseya Limited is urging users of its VSA endpoint management and network monitoring tool to immediately shut down VSA servers to prevent them from being compromised in a widespread ransomware attack.
According to Kaseya, the attack began around 2PM ET on Friday. The company said that while the incident only appears to impact on-premises customers, SaaS servers have also been shut down as a precautionary measure.
While the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) had not yet issued an official alert as of early Saturday, the agency said late Friday that it was “taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software.”
The timing of the attack is unlikely to be a coincidence: with the 4th of July holiday weekend under way in the United States, IT and security teams are likely to be understaffed and slower to respond.
“While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability,” the company said.
Kaseya says it’s working on a patch for on-premises customers, and that patch will need to be installed before VSA is restarted. “We will release that patch as quickly as possible to get our customers back up and running,” the company said.
According to security firm Huntress, at least 8 managed service providers (MSPs) have been compromised, with more than 200 of their customers already impacted.
Kaseya currently estimates that less than 40 of its customers have been affected.
The attack appears to have involved exploitation of a vulnerability in VSA, followed by the delivery of a malicious software update through the compromised VSA servers. That fake update delivered ransomware that encrypts files on the systems that received it.
According to security researcher Kevin Beaumont, the VSA agent runs with administrator privileges on the endpoints it manages, which allowed the attackers to push the ransomware from the impacted MSPs' VSA servers down to those MSPs' customers.
On compromised systems, the malware attempts to disable various Microsoft Defender protections, including real-time monitoring, IPS, script scanning, network protection, cloud sample submission, cloud lookup (MAPS), and controlled folder access, Beaumont said.
To make matters worse, VSA admin accounts are apparently disabled just before the ransomware is deployed.
According to Huntress, the attack appears to have been carried out by a REvil/Sodinokibi ransomware-as-a-service affiliate. Sophos and others also confirmed that REvil was involved.
“REvil binary C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process,” explained Sophos’ Mark Loman.
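The Defender tampering Beaumont describes and the MsMpEng.exe/mpsvc.dll side-loading Loman describes are both visible in ordinary endpoint telemetry, so the two together make a practical hunt. The script below is an added example written for this article, not code from Kaseya, Huntress, Sophos, or the researchers quoted; it runs three rules over constructed process-creation and file-creation events (Set-MpPreference switches that turn protections off, MsMpEng.exe executing from outside Defender's install directories, and mpsvc.dll written outside those directories). The Defender directories, the event field names, and the sample command line built from the cmdlet's documented switches are assumptions for the example; the exact command the attackers ran is not given on this page.

```python
"""Hunt for Defender tampering and MsMpEng.exe side-loading in endpoint events.

Added example, not code from the article or from any vendor named in it.
Events are plain dicts (constructed below); map your EDR or Sysmon fields
onto the same keys to run it over real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed install locations of the genuine Defender engine and its DLLs.
# MsMpEng.exe or mpsvc.dll anywhere else is suspect.
DEFENDER_DIRS = (
    PureWindowsPath(r"C:\Program Files\Windows Defender"),
    PureWindowsPath(r"C:\ProgramData\Microsoft\Windows Defender\Platform"),
)

# Documented Set-MpPreference switches, each paired with the value that
# disables the protection the article lists.
TAMPER_SWITCHES = {
    "real-time monitoring": r"-DisableRealtimeMonitoring\s+\$?true",
    "IPS": r"-DisableIntrusionPreventionSystem\s+\$?true",
    "script scanning": r"-DisableScriptScanning\s+\$?true",
    "network protection": r"-EnableNetworkProtection\s+(Disabled|AuditMode)",
    "cloud sample submission": r"-SubmitSamplesConsent\s+NeverSend",
    "cloud lookup": r"-MAPSReporting\s+Disabled",
    "controlled folder access": r"-EnableControlledFolderAccess\s+Disabled",
}


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def _under_defender_dir(path: str) -> bool:
    """True if path sits below one of the legitimate Defender directories."""
    parents = PureWindowsPath(path).parents  # case-insensitive comparison
    return any(d in parents for d in DEFENDER_DIRS)


def detect(events: list[dict]) -> list[Finding]:
    """Apply the three rules to a list of events, in order, and return hits."""
    findings: list[Finding] = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            image = PureWindowsPath(ev["image"])
            cmd = ev.get("command_line", "")
            # Rule 1: Set-MpPreference used to switch protections off.
            if re.search(r"set-mppreference", cmd, re.I):
                hit = [name for name, rx in TAMPER_SWITCHES.items()
                       if re.search(rx, cmd, re.I)]
                if hit:
                    findings.append(Finding(host, "defender-tamper",
                                            "disables: " + ", ".join(hit)))
            # Rule 2: the engine binary running from a non-Defender path.
            if image.name.lower() == "msmpeng.exe" and not _under_defender_dir(ev["image"]):
                findings.append(Finding(host, "msmpeng-sideload-host", str(image)))
        elif ev["type"] == "file":
            target = PureWindowsPath(ev["target"])
            # Rule 3: the side-loaded DLL dropped outside Defender's directories.
            if target.name.lower() == "mpsvc.dll" and not _under_defender_dir(ev["target"]):
                findings.append(Finding(host, "mpsvc-dll-drop", str(target)))
    return findings


# Constructed sample telemetry for the example; not logs from the incident.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "image": PS,
     "command_line": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
                     "-DisableIntrusionPreventionSystem $true -DisableScriptScanning $true "
                     "-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode "
                     "-MAPSReporting Disabled -SubmitSamplesConsent NeverSend"},
    {"host": "ws01", "type": "file", "target": r"C:\Windows\mpsvc.dll"},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\MsMpEng.exe",
     "command_line": r"C:\Windows\MsMpEng.exe"},
    # Benign: the real engine starting from its platform directory.
    {"host": "ws02", "type": "process",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5\MsMpEng.exe",
     "command_line": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5\MsMpEng.exe"},
    # Benign: an administrator turning real-time monitoring back on.
    {"host": "ws02", "type": "process", "image": PS,
     "command_line": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}  {f.rule:24} {f.detail}")
```

Run against the constructed events, the script flags the tampering command, the DLL drop and the out-of-place MsMpEng.exe on ws01 and stays silent on ws02, where the engine runs from its platform directory and the Set-MpPreference call re-enables a feature rather than disabling one. The path check is the part worth keeping even if the command-line regexes drift: a Defender engine binary or its DLL living in C:\Windows rather than under the Defender install directories has no legitimate explanation.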
The ransomware encryptor is signed with a valid code-signing certificate issued to a transportation company in Canada.
In some cases the attackers appear to have demanded $50,000, while in others they reportedly demanded a $5 million ransom. REvil attacks typically also involve the theft of data from compromised systems in an effort to pressure the victim into paying. However, it's unclear whether any files were stolen in these attacks, as the attackers may not have had much time on victim systems before the Kaseya breach came to light.
The REvil ransomware was also used recently in an attack aimed at meat packaging giant JBS, which paid $11 million to the hackers to ensure that the files they stole would not be made public.
Indicators of compromise (IOCs) for this attack have been shared by Huntress, Sophos, and Kevin Beaumont. Emsisoft’s Fabian Wosar has shared a copy of the ransomware encryptor configuration.
Incident Response Impact
Experts are sounding the alarm over the fact that many firms use Kaseya’s tool as part of their incident response process, and losing the ability to leverage the tool could pose a big problem.
“This type of a supply chain attack, similar to the SolarWinds attack, goes straight to the jugular of organizations looking to recover from a breach,” added Chris Grove, technology evangelist with Nozomi Networks. “These types of technology management solutions can have high concentrations of risk due to their large collection of enterprise accounts with elevated privileges, unrestricted firewall rules needed for them to operate, and a cultural ‘trust’ that the traffic to/from them is legitimate and should be allowed.”
“Once a breach happens, the victim would generally reach for these tools to work their way out of a bad situation, but when the tool itself is the problem, or is unavailable, it adds complexity to the recovery efforts,” Grove said.
“It’s hard to explain how devastating this is for Kaseya VSA customers,” said Jake Williams, co-founder and CTO at BreachQuest. “Most of our customers who use Kaseya employ it as their single IT tool for systems management, software installation, and visibility. Now, during a ransomware event, they’re unable to use this tool they’ve invested in for remediation. Most Kaseya customers we’ve worked with have no contingency plan for this. Even worse, given the holiday weekend in the US, we’re unlikely to know the full impact of this until next week.”