
IT Software Firm Kaseya Hit By Supply Chain Ransomware Attack


Software maker Kaseya Limited is urging users of its VSA endpoint management and network monitoring tool to immediately shut down VSA servers to prevent them from being compromised in a widespread ransomware attack.

According to Kaseya, the attack began around 2PM ET on Friday. The company said that while the incident only appears to impact on-premises customers, SaaS servers have also been shut down as a precautionary measure.

While the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) had not yet issued an official alert as of early Saturday, the agency said late Friday that it was “taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software.”

The timing of the attack is certainly no coincidence, as IT and security teams are likely to be understaffed and slower to respond due to the 4th of July holiday weekend in the United States.

“While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability,” the company said.

Kaseya says it’s working on a patch for on-premises customers, and that patch will need to be installed before VSA is restarted. “We will release that patch as quickly as possible to get our customers back up and running,” the company said.

According to security firm Huntress, at least 8 managed service providers (MSPs) have been compromised, with more than 200 of their customers already impacted.

Kaseya currently estimates that fewer than 40 of its customers have been affected.

The attack appears to have involved exploitation of a vulnerability and the delivery of a malicious Kaseya VSA software update. The update delivered a piece of ransomware that encrypts files on compromised systems.

According to security researcher Kevin Beaumont, VSA runs with administrator privileges, which has enabled the attackers to also deliver the ransomware to the customers of the impacted MSPs.

On compromised systems, the malware attempts to disable various Microsoft Defender for Endpoint protections, including real-time monitoring, IPS, script scanning, network protection, cloud sample submission, cloud lookup, and controlled folder access, Beaumont said.

To make matters worse, VSA admin accounts are apparently disabled just before the ransomware is deployed.

According to Huntress, the attack appears to have been carried out by a REvil/Sodinokibi ransomware-as-a-service affiliate. Sophos and others also confirmed that REvil was involved.

“REvil binary C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process,” explained Sophos’ Mark Loman.
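The side-loading pattern Loman describes (a copy of MsMpEng.exe running outside its normal Defender directory and loading mpsvc.dll from C:\Windows) is something a defender can hunt for in endpoint telemetry. The following is an added example, not code from the article or from any of the vendors quoted; it runs over constructed process records, and the list of directories where Defender legitimately runs is an assumption for this example.

```python
"""Hunt for MsMpEng.exe side-loading in process records (added example, constructed data)."""
import ntpath
from dataclasses import dataclass, field

# Assumption for this example: directories where Microsoft Defender normally runs MsMpEng.exe
# and keeps its own mpsvc.dll. Adjust to the platform versions deployed in your environment.
EXPECTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


@dataclass
class ProcessRecord:
    """Minimal shape of an EDR process event: image path plus loaded module paths."""
    pid: int
    image_path: str
    loaded_modules: list = field(default_factory=list)


def _in_expected_dir(path: str) -> bool:
    directory = ntpath.dirname(path.lower())
    return any(directory.startswith(d) for d in EXPECTED_DEFENDER_DIRS)


def side_load_indicators(proc: ProcessRecord) -> list:
    """Return the reasons this process matches the side-loading pattern; empty list if clean."""
    reasons = []
    if ntpath.basename(proc.image_path.lower()) != "msmpeng.exe":
        return reasons  # only Defender's engine process is of interest here
    if not _in_expected_dir(proc.image_path):
        reasons.append(f"MsMpEng.exe running from unexpected directory: {proc.image_path}")
    for mod in proc.loaded_modules:
        if ntpath.basename(mod.lower()) == "mpsvc.dll" and not _in_expected_dir(mod):
            reasons.append(f"mpsvc.dll loaded from outside Defender directory: {mod}")
    return reasons


def hunt(records: list) -> dict:
    """Map pid -> indicators for every record that matches the pattern."""
    return {r.pid: side_load_indicators(r) for r in records if side_load_indicators(r)}


# Constructed sample records: a genuine Defender engine, the C:\Windows copy, and an unrelated process.
SAMPLE_RECORDS = [
    ProcessRecord(1234, r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe",
                  [r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\mpsvc.dll"]),
    ProcessRecord(4321, r"C:\Windows\MsMpEng.exe", [r"C:\Windows\mpsvc.dll"]),
    ProcessRecord(999, r"C:\Windows\System32\svchost.exe", []),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_RECORDS).items():
        print(pid, reasons)
```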

The ransomware encryptor is signed with a valid digital signature belonging to a transportation company in Canada.

In some cases, the attackers appear to have demanded $50,000, while in others they reportedly demanded a $5 million ransom from victims. REvil attacks typically also involve the theft of data from compromised systems in an effort to pressure the victim into paying the ransom. However, it’s unclear if any files were stolen in these attacks, considering that the attackers may not have had much time on victim systems before the Kaseya breach came to light.

The REvil ransomware was also used recently in an attack aimed at meat packaging giant JBS, which paid $11 million to the hackers to ensure that the files they stole would not be made public.

Indicators of compromise (IOCs) for this attack have been shared by Huntress, Sophos, and Kevin Beaumont. Emsisoft’s Fabian Wosar has shared a copy of the ransomware encryptor configuration.

Incident Response Impact

Experts are sounding the alarm over the fact that many firms use Kaseya’s tool as part of their incident response process, and losing the ability to leverage the tool could pose a big problem.

“This type of a supply chain attack, similar to the SolarWinds attack, goes straight to the jugular of organizations looking to recover from a breach,” added Chris Grove, technology evangelist with Nozomi Networks. “These types of technology management solutions can have high concentrations of risk due to their large collection of enterprise accounts with elevated privileges, unrestricted firewall rules needed for them to operate, and a cultural ‘trust’ that the traffic to/from them is legitimate and should be allowed.”

“Once a breach happens, the victim would generally reach for these tools to work their way out of a bad situation, but when the tool itself is the problem, or is unavailable, it adds complexity to the recovery efforts,” Grove said.

“It’s hard to explain how devastating this is for Kaseya VSA customers,” said Jake Williams, co-founder and CTO at BreachQuest. “Most of our customers who use Kaseya employ it as their single IT tool for systems management, software installation, and visibility. Now, during a ransomware event, they’re unable to use this tool they’ve invested in for remediation. Most Kaseya customers we’ve worked with have no contingency plan for this. Even worse, given the holiday weekend in the US, we’re unlikely to know the full impact of this until next week.”

News source: SecurityWeek
