Kaseya Ransomware Attack: Everything to know so far

Kaseya, a developer of IT management solutions for enterprise clients and MSPs, stated that it became the victim of a cyberattack on Friday, July 2nd, at the start of the American Independence Day weekend.


It appears that the attackers carried out a supply chain ransomware attack by exploiting a vulnerability in Kaseya’s VSA software against multiple managed service providers (MSPs) and their customers.

Kaseya’s CEO, Fred Voccola, states that fewer than 0.1% of the company’s customers were caught up in the breach, but because its clientele includes MSPs, smaller businesses have been affected by the incident as well.


Estimates suggest that about 800 to 1,500 small to medium-sized companies may have been exposed to ransomware through their MSP.


This attack resembles the SolarWinds security fiasco, where the attackers compromised the vendor’s software in order to push a malicious update to thousands of customers. However, it is not yet known just how widespread this ransomware incident really is.


Who is Kaseya?

Kaseya is a leading provider of IT and security management solutions for Managed Service Providers (MSPs) and Small to Medium-Sized Businesses (SMBs); its products include VSA, a unified remote monitoring and management tool for networks and endpoints. Its international headquarters are located in Dublin, Ireland, with US headquarters in Miami, Florida. The vendor has a presence in countries.


The firm’s software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya confirms that over 400,000 organizations worldwide use at least one of its software solutions. Kaseya therefore sits at the center of a wider supply chain.


What happened?

On Friday, July 2nd at 2:00 pm Eastern Time, Kaseya CEO Fred Voccola disclosed “a potential attack against the VSA that has been limited to a small number of on-premise customers”. Out of an abundance of caution, Voccola urged clients to immediately shut down their VSA servers.


Customers were notified of the breach by phone, email, and online notices. The notice stressed the importance of shutting down VSA servers immediately, because one of the first things the attacker does is shut off the customer’s own access to the VSA.


While Kaseya’s Incident Response team investigated, the company proactively shut down its SaaS servers and took their data offline.


By July 4th, the company had revised its assessment of the incident’s severity and described itself as the victim of a sophisticated cyberattack. Cyber forensic experts from other companies, among them FireEye’s Mandiant, were brought in to assist.


Kaseya said in an update on July 5 that they have already developed a fix and that it would be first deployed to SaaS environments once the testing and validation are complete.


The attack explained

The FBI briefly described the incident as a supply chain ransomware attack exploiting a vulnerability in Kaseya’s VSA software against multiple MSPs and their customers.


Huntress was able to track 30 MSPs involved in the breach and believes with “high confidence” that the attack started with an authentication bypass vulnerability in the Kaseya VSA web interface. This allowed the attackers to evade authentication controls, obtain an authenticated session, upload a malicious payload, and execute commands via SQL injection, which is how they achieved code execution.


At a July 6 webinar discussing the technical aspects of the attack, Kyle Hanslovan (CEO and co-founder of Huntress) told the attendees that the attackers were ‘crazy efficient’. He also stated that there is no proof the actors had any idea how many businesses were being targeted through the VSA compromise.


Sophos has provided an in-depth technical analysis of the attack.


Who has been impacted so far?

Kaseya stated over the weekend that SaaS customers were never at risk and that current estimates put the number of affected on-premises clients worldwide at fewer than 40.



Nonetheless, it is important to note that while the number of Kaseya clients infected directly is small, MSPs have their own SMB customers further down the line that rely on these services and could be impacted in turn.


According to IT News reports, 800 Coop chain store supermarkets in Sweden had to close temporarily due to being unable to open their cash registers. Huntress explained in a Reddit explainer that it’s reasonable to suggest that ‘thousands of small businesses may have been impacted by the attack’.


“This attack is one of the most widespread criminal ransomware attacks that Sophos has ever experienced,” comments Sophos VP Ross McKerchar. “We expect a full scope of victim organizations to be higher than the 70 managed service providers that were impacted, and the more than 350 further impacted organizations.”


The latest estimate, as of July 6, is 50 direct customers and between 800 and 1,500 businesses further down the chain affected by this attack.


Kaseya also claims that while the ransomware impacted approximately 50 of its clients, the attack never threatened or affected critical infrastructure.


Who is responsible for the attack?

The attack is the work of the REvil/Sodinokibi ransomware group, which has claimed responsibility on its Dark Web leak site “Happy Blog”. The operators are believed to have ties to Russia, and in an update over the weekend they claimed that more than a million systems had been infected.


REvil is asking for $70 million in Bitcoin (BTC) for an allegedly universal decryption key, supposedly able to unlock all encrypted systems. They also stated that they are open to negotiating the price.


This ransomware organization has been linked to other attacks against companies like Travelex, Acer, and JBS.


Are there ransomware payment terms?

The responsible group left a ransom note stating that the files are encrypted and currently unavailable. Reportedly, a .csruj file extension was used. The operators are demanding payment in return for a decryption key, and also offer a free decryption of one file to prove that the keys they are offering actually work.


REvil also stated that “It's just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. It's not in our interests. If you will not cooperate with our service --for us, it doesn't matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.”


Recovery Status

As of July 8th, Kaseya had published two run books to help its clients prepare for the return to service and patch deployment, including the “On-Premises VSA Startup Readiness Guide”.


Sadly, recovery is taking longer than initially expected. This is what the company had to say: “We are in the process of resetting the timelines for VSA SaaS and VSA On-Premises deployment. We apologize for the delay and changes to the plans as we work through this fluid situation.”


What can customers do?

Kaseya released a detection tool containing Indicators of Compromise (IoCs): two PowerShell scripts, one designed for scanning endpoints and the other for scanning a VSA server. They are meant to be run on systems kept offline, and they also check for REvil’s ransom note and for encrypted data.


Note that the scripts are not a security fix; they only detect signs of potential exploitation. Kaseya will release the patches as soon as it can, but in the meantime, all customers can do is wait.
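To make the idea of the endpoint IoC sweep concrete, here is an added illustrative script; it is not one of Kaseya’s own detection scripts and does not reproduce their logic. It performs a read-only walk of a directory tree looking for the two file-based indicators the article mentions: files carrying the .csruj extension and a dropped ransom note. The ransom-note filename pattern `*-readme.txt` is an assumed placeholder, not a value from the article, and should be replaced with the pattern from the vendor’s IoC list; the scan root and report path are likewise assumptions.

```powershell
<#
  Added example (not Kaseya's IoC script): read-only sweep of a directory tree
  for the file-based REvil indicators named in the article.
  Assumptions not taken from the article:
    - '*-readme.txt' is a PLACEHOLDER ransom-note pattern; substitute the real one.
    - Default scan root C:\ and report path under %TEMP%.
  The script only reads file metadata; it never modifies or deletes anything.
#>
param(
    [string]   $ScanRoot           = 'C:\',
    [string]   $EncryptedExtension = '.csruj',           # extension reported in the article
    [string[]] $RansomNotePatterns = @('*-readme.txt'),  # PLACEHOLDER, assumption
    [string]   $ReportPath         = (Join-Path $env:TEMP 'revil-ioc-report.csv')
)

$findings = [System.Collections.Generic.List[object]]::new()

# Single pass over the tree. -Force includes hidden/system files; access errors
# (ACLs, locked files) are skipped so one bad path does not abort the sweep.
Get-ChildItem -Path $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_

    # Indicator 1: encrypted file extension
    if ($file.Extension -ieq $EncryptedExtension) {
        $findings.Add([pscustomobject]@{
            Indicator    = 'EncryptedFileExtension'
            Path         = $file.FullName
            LastWriteUtc = $file.LastWriteTimeUtc
            SizeBytes    = $file.Length
        })
    }

    # Indicator 2: ransom note dropped in the directory
    foreach ($pattern in $RansomNotePatterns) {
        if ($file.Name -like $pattern) {
            $findings.Add([pscustomobject]@{
                Indicator    = 'RansomNote'
                Path         = $file.FullName
                LastWriteUtc = $file.LastWriteTimeUtc
                SizeBytes    = $file.Length
            })
            break
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No file-based REvil indicators found under $ScanRoot"
    exit 0
}

# Per-indicator summary. The earliest write time is a first estimate of when
# encryption began on this host, which feeds the incident timeline.
$findings |
    Group-Object Indicator |
    ForEach-Object {
        $earliest = ($_.Group | Sort-Object LastWriteUtc | Select-Object -First 1).LastWriteUtc
        Write-Host ("{0}: {1} file(s), earliest write {2:u}" -f $_.Name, $_.Count, $earliest)
    }

# Full listing for the responder; CSV so it can be merged across hosts.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
Write-Host "Detailed report written to $ReportPath"

# Non-zero exit so an orchestration or RMM job can flag the host for follow-up.
exit 1
```

Run it from an elevated prompt on a host that has been isolated from the network, in line with the article’s advice to use the IoC scripts offline. Like Kaseya’s scripts, it detects and reports only; it does not clean, quarantine or restore anything, so a positive result is the start of the incident response process rather than the end of it.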


Update

July 22, 2021 — On July 21, Kaseya obtained a decryptor for victims of the REvil ransomware attack and is working to remediate customers impacted by the incident.


The tool was obtained from a third party, and Kaseya has teams actively helping customers affected by the ransomware to restore their environments; no issues or problems associated with the decryption have been reported.


July 26, 2021 — Kaseya’s Incident Response team and Emsisoft partners continued their work throughout this past weekend by assisting Kaseya’s customers and others with the restoration of their encrypted data. They have been — and still are — providing the decryptor that they obtained on July 22 to customers that request it, and encourage any customer whose data may have been compromised during the attack to reach out to their contacts in Kaseya.


So far, the decryption tool has proven 100% effective at decrypting the files that were fully encrypted.


After receiving the decryptor last week, Kaseya moved as quickly as possible to use it safely to help customers recover their encrypted data.


You may be wondering whether they paid the ransom to REvil. No: after consultation with experts, Kaseya decided not to negotiate with the criminals who perpetrated this attack, and it has not wavered from that commitment. It is confirmed without a doubt that Kaseya has not paid the ransom, either directly or indirectly through a third party, to obtain the decryptor, and it does not plan to.