Published on July 08, 2021

The rising danger of ransomware: the Kaseya case, how it happened, and how to defend yourself

By Alberto Pelliccione, CEO – ReaQta

The REvil hacker group managed to obtain a 0-day to gain access to Kaseya VSA, a management software for IT infrastructures, using it as a conduit to spread ransomware to the MSPs using the platform. Supply-chain attacks are extremely effective and such threats are rising in frequency and complexity. In response, our preventative monitoring capabilities must be substantially strengthened as well.

The supply-chain attack on Kaseya represents one of the largest attacks in this category, second – in terms of damage – only to what happened with WannaCry and then NotPetya in 2017. In this case, however, the attack was not conducted to acquire intelligence but only for extortion. The group known as REvil – which, in an interview last Saturday, claimed to generate $100 million a year in revenue – through an authentication bypass in Kaseya VSA, managed to compromise over 1500 businesses.


The role of MSPs in the Kaseya attack

MSPs typically manage dozens or hundreds of businesses, so attackers were able to take advantage of the MSP’s privileged position to spread the ransomware to all of their customers, which, based on the latest information available, would appear to be over 1,500. REvil has announced that it has compromised over 1 million devices, demanding $70M in ransom. This news, if confirmed, would bring this operation to second place on the list of the largest ransomware attacks.

The ransom demand comes with a promise to publish a universal decryptor valid for all victims, meaning that REvil would be able to avoid having to individually negotiate with 1000+ different businesses.

With the information still fragmented, it’s difficult to immediately reconstruct the complete attack scenario. But let’s unpack what happened.

On 2 July, Kaseya reported a possible attack on its platform.

How the cyber attack on Kaseya happened

However, the impact of the attack is still unclear, so much so that the company itself talks about “a small number of on-premise installations” and they recommend taking servers offline to avoid problems, since attackers immediately disable administrative access once they gain access to the VSA platform.

At the same time, the DIVD (Dutch Institute for Vulnerability Disclosure) got in touch with Kaseya, as the institute was already working on the analysis of the VSA platform and had identified a number of critical vulnerabilities. One of these was reported as CVE-2021-30116. At the time of writing this piece, the vulnerability has not yet been publicly announced, but we know it is the same one used by REvil to breach MSPs using Kaseya VSA.

The vulnerability appears to be an SQL injection that allows an attacker to bypass the platform’s authentication flow, so that anyone can log in with maximum privileges. It’s unclear how REvil got hold of the vulnerability. We only know that Kaseya was actively working on patching the issue but the group behind REvil managed to run their attack before a patch was distributed. It is possible that REvil identified the problem at the same time as the DIVD, and it is equally possible that the report provided to the company was leaked via other channels.
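To make the authentication-bypass class of SQL injection concrete, here is an added example that is not Kaseya VSA code and does not reproduce CVE-2021-30116: a login query built by string concatenation sits next to the parameterized form, and a constructed in-memory SQLite user table shows that the concatenated query returns the administrator row for an input the hardened query rejects. Table layout, the hypothetical `users` table and the SHA-256 storage are simplifications chosen for the illustration.

```python
import hashlib
import hmac
import sqlite3


def hash_password(password: str) -> str:
    # Simplified for the example; a production system would use a salted,
    # slow password hash (bcrypt, scrypt, Argon2) rather than plain SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one administrative account in an in-memory DB.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("admin", hash_password("correct horse battery staple"), "admin"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    # Defect: untrusted input is spliced into the SQL text, so a username
    # containing a quote and a comment marker rewrites the WHERE clause and the
    # password check never runs. Returns (username, role) or None.
    query = (
        "SELECT username, role FROM users WHERE username = '%s' "
        "AND password_hash = '%s'" % (username, hash_password(password))
    )
    return conn.execute(query).fetchone()


def login_hardened(conn, username: str, password: str):
    # Fix: the username is bound as a parameter, so it is only ever compared as
    # data. The stored hash is then checked with a constant-time comparison.
    row = conn.execute(
        "SELECT username, role, password_hash FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    if not hmac.compare_digest(row[2], hash_password(password)):
        return None
    return (row[0], row[1])


if __name__ == "__main__":
    db = make_db()
    # "admin' --" turns the rest of the concatenated query into a comment.
    print("vulnerable:", login_vulnerable(db, "admin' --", "wrong-password"))
    print("hardened:  ", login_hardened(db, "admin' --", "wrong-password"))
    print("hardened, valid credentials:",
          login_hardened(db, "admin", "correct horse battery staple"))
```

The point for defenders is that the hardened version does not need to know which payload shape is in use: parameter binding removes the whole class, and the constant-time hash comparison closes the timing side channel that a naive string equality would leave.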

At this point, the DIVD, which had already performed a mass-scan of the entire internet to identify all exposed Kaseya VSA installations (2200 at that moment), started to contact both CERTs and potentially vulnerable customers, asking them to immediately shut down their servers. Within a few hours, the 2200 online installations became just 140. This operation managed to significantly reduce the total impact of the attack, even though the numbers involved are still significant.

While Kaseya and the DIVD took care of notifying potential victims, REvil proceeded to compromise the remaining online installations. The attackers exploited the authentication bypass to gain initial access and to start the transmission of a file called “Kaseya VSA Agent Hot-fix” that once started takes care of disabling some security components of the endpoint and then side-loads the actual ransomware. To reduce the detection profile, the ransomware was signed with a legitimate certificate from “PB03 TRANSPORT LTD.”

The Kaseya tool

Kaseya has released a tool to help possible victims identify their vulnerable instances and any endpoints that may have been compromised. The attack chain in any case carries the signs of an operation planned in relative haste, suggesting that REvil may have gained access to the vulnerability extremely recently, perhaps right after the first reports.

What we learn from this ransomware attack on Kaseya

This attack demonstrates how, as revenue grows – REvil is asking for $70 million to unlock everyone – ransomware groups manage to research or obtain 0-day vulnerabilities that are then used to launch high-impact attacks. This isn’t the first time we’ve seen ransomware use a 0-day vulnerability, and it certainly won’t be the last, but it’s the first time we’ve seen one used to carry out a supply-chain attack on such a scale.


MSPs remain highly desirable targets, whether for espionage operations or extortion purposes, given the level of access they have to their customers’ infrastructure. By now, when it comes to ransomware, we know that these are no longer opportunistic attacks, but rather targeted operations with an increasing level of sophistication that increasingly resemble the high-profile attacks we are used to seeing with APT groups.

Businesses, especially medium and small ones, are now facing a rapidly growing threat that is proving increasingly difficult to eradicate. Supply-chain attacks are extremely effective, as we’ve seen in the case of SolarWinds, and securing an infrastructure from these types of threats is an extremely complex path that we can no longer underestimate.

How do you protect against a supply-chain attack and ransomware?

This attack opens the door to a series of questions that still have no concrete answer: How do you protect yourself from supply-chain attacks and ransomware? Why do ransomware groups operate unpunished on the international scene?

The answer to these questions is far from immediate and, as is increasingly the case, is formed by a mix of technologies, processes and policies that must become part of the DNA of every entity that manages data and infrastructures. Supply-chain attacks are extremely complex to identify because they exploit the trusted channel that exists between the vendor and the customer. Vendors have no interest in harming their customers and customers have no reason not to trust them. A viable, albeit complex, route is to profile every single application in an infrastructure and alert the security team whenever an update changes the application’s behavior significantly.

In 2018 at ReaQta, during a study on mitigating supply-chain attacks through behavioral analysis, we compiled a statistic finding that a generic infrastructure of 1000 computers comes in contact with an average of 6000 new executable files (new or as a result of updates) every 30 days.

This number puts manual application profiling beyond the reach of most organizations and requires a highly automated approach to avoid overwhelming analysts, who have to identify high-impact but rare events. But this approach is certainly not a panacea; ransomware follows every available path and attacks whatever it is able to reach.
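As an added illustration of the profiling-plus-automation approach described in the two paragraphs above (example code written for this page, not ReaQta’s product logic), the block below builds a per-version behaviour profile for each application from constructed telemetry lines, scores the drift between consecutive versions with a Jaccard distance over three dimensions (child processes, network hosts, file paths), and only raises an alert when the drift crosses a threshold. The application names, versions, hosts, paths and the 0.4 threshold are all hypothetical values chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

DIMENSIONS = ("child", "host", "path")


@dataclass
class Profile:
    """Observed behaviour of one application version, one set per dimension."""
    app: str
    version: str
    features: Dict[str, Set[str]] = field(
        default_factory=lambda: {d: set() for d in DIMENSIONS}
    )


# Constructed telemetry, one observation per line: app, version, dimension, value.
# The 1.2 release of the hypothetical "backup-agent" starts spawning shells,
# talking to a new address and touching user documents; "pdf-viewer" 3.5 is a
# no-change update that should be approved automatically.
EVENTS = [
    "app=backup-agent ver=1.0 type=child value=updater.exe",
    "app=backup-agent ver=1.0 type=host value=updates.vendor.example",
    r"app=backup-agent ver=1.0 type=path value=C:\ProgramData\backup-agent",
    "app=backup-agent ver=1.1 type=child value=updater.exe",
    "app=backup-agent ver=1.1 type=host value=updates.vendor.example",
    "app=backup-agent ver=1.1 type=host value=telemetry.vendor.example",
    r"app=backup-agent ver=1.1 type=path value=C:\ProgramData\backup-agent",
    "app=backup-agent ver=1.2 type=child value=updater.exe",
    "app=backup-agent ver=1.2 type=child value=cmd.exe",
    "app=backup-agent ver=1.2 type=child value=unknown-helper.exe",
    "app=backup-agent ver=1.2 type=host value=updates.vendor.example",
    "app=backup-agent ver=1.2 type=host value=telemetry.vendor.example",
    "app=backup-agent ver=1.2 type=host value=203.0.113.7",
    r"app=backup-agent ver=1.2 type=path value=C:\ProgramData\backup-agent",
    r"app=backup-agent ver=1.2 type=path value=C:\Users\alice\Documents",
    r"app=backup-agent ver=1.2 type=path value=C:\Users\alice\Desktop",
    "app=pdf-viewer ver=3.4 type=child value=render.exe",
    "app=pdf-viewer ver=3.5 type=child value=render.exe",
]


def build_profiles(lines: List[str]) -> Dict[Tuple[str, str], Profile]:
    """Aggregate key=value telemetry lines into one Profile per (app, version)."""
    profiles: Dict[Tuple[str, str], Profile] = {}
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split())
        key = (fields["app"], fields["ver"])
        prof = profiles.setdefault(key, Profile(fields["app"], fields["ver"]))
        prof.features[fields["type"]].add(fields["value"])
    return profiles


def jaccard_distance(a: Set[str], b: Set[str]) -> float:
    """1 - |A∩B| / |A∪B|; two empty sets are treated as identical (0.0)."""
    union = a | b
    if not union:
        return 0.0
    return 1.0 - len(a & b) / len(union)


def drift(baseline: Profile, updated: Profile) -> Tuple[float, Dict[str, float]]:
    """Mean Jaccard distance across dimensions, plus the per-dimension breakdown."""
    per_dim = {
        d: jaccard_distance(baseline.features[d], updated.features[d])
        for d in DIMENSIONS
    }
    return sum(per_dim.values()) / len(DIMENSIONS), per_dim


def new_behaviours(baseline: Profile, updated: Profile) -> Dict[str, List[str]]:
    """What the analyst actually needs to look at: behaviour not seen before."""
    return {d: sorted(updated.features[d] - baseline.features[d]) for d in DIMENSIONS}


def triage_updates(profiles: Dict[Tuple[str, str], Profile], threshold: float = 0.4) -> List[dict]:
    """Compare each version with the previous one of the same app; alert on big drift."""
    by_app: Dict[str, List[Profile]] = {}
    for (app, _ver), prof in profiles.items():
        by_app.setdefault(app, []).append(prof)
    alerts = []
    for app, versions in by_app.items():
        versions.sort(key=lambda p: tuple(int(x) for x in p.version.split(".")))
        for prev, cur in zip(versions, versions[1:]):
            score, per_dim = drift(prev, cur)
            if score > threshold:
                alerts.append({
                    "app": app, "from": prev.version, "to": cur.version,
                    "score": round(score, 3), "per_dimension": per_dim,
                    "new": new_behaviours(prev, cur),
                })
    return alerts


if __name__ == "__main__":
    for alert in triage_updates(build_profiles(EVENTS)):
        print(alert)
```

Only the backup-agent 1.1 to 1.2 update is surfaced; the 1.0 to 1.1 update (one extra vendor host) and the pdf-viewer update stay below the threshold and never reach an analyst, which is the automation the 6000-executables-per-month figure calls for. In practice the dimensions, weighting and threshold would be tuned per environment, and a drift score is a triage signal rather than a verdict.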

Part of the problem is fundamentally geopolitical. These groups operate with impunity from a very restricted set of territories, with a more or less tacit pact not to cause damage to the country they belong to. This is a modus operandi that seems to work well because it creates an asymmetry: it keeps the host country safe from a series of problems while disturbing the operations of other countries, which must spend time and resources to make themselves safe from these threats, losing resources and competitiveness. Such operations can also support local intelligence services by sharing sensitive information that has been stolen from victims.

Therefore, it is necessary to act in a strong way when the origin of an attack can be attributed with a high level of confidence to a specific country. The threat of severe and coordinated sanctions, as is the case for some states that finance or protect terrorist organizations, is a strong disincentive to offer asylum to attack structures that are no longer limited to stealing data but create massive damage with major repercussions.

Ransomware attacks are evolving faster and faster. REvil has hinted that even the modalities themselves are about to change to make ransomware faster and more efficient than it already is. Service and security providers are being attacked and used to amplify the attack power of such groups, so right now we are on the weaker side of the fence, but this is not the time to waver. As we’ve just seen, the DIVD approach helped reduce the impact of the attack significantly. Those one million devices claimed by REvil could have become 10M or 100M if there hadn’t been a coordinated effort to take vulnerable machines offline.

The key to reducing these risks is to develop a real-time threat-sharing infrastructure, followed by identification, response and remediation tools, along with training to teach how to handle disaster scenarios like the ones we’ve just seen. Protection must therefore come from two fronts, an internal one, putting together the factors just seen, and an external one aimed at making the ground under the feet of attackers much less stable. If the attacker does not have the certainty of impunity, he will have one more problem to worry about.


Delivering security without complexity

ReaQta’s active defense intelligence platform, ReaQta-Hive, aims to solve for the rising number of businesses falling victim to malicious activities from cyber criminals and threat actors. While traditional legacy protection methods stand vulnerable to sophisticated attack techniques, ReaQta’s revolutionary platform stops threats – both known and unknown – in real-time. Through deep learning, the platform constantly improves on defining normal behavior tailored to each business per endpoint, allowing it to block any anomalous behavior.

ReaQta-Hive not only detects threats, but also delivers a seamless, automated threat response in real-time. ReaQta was recently named a 2020 Cool Vendor by Gartner in Network and Endpoint Security for its unique approach in tackling cyber threats of all forms.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.