Kaseya Ransomware Attack: How It Happened and What You Need to Know
A particularly aggressive cyber attack on Kaseya during the pandemic resulted in over 1000 companies in their supply chain being attacked with ransomware. Pragma explores what happened and what could have been done to mitigate damage.
What is Kaseya?
Kaseya is a leading enterprise IT firm that specialises in software development for managing networks, systems, and IT infrastructure, including their flagship product, Kaseya Virtual System Administrator (VSA). VSA is a powerful remote monitoring and management software designed to provide security solutions to customers globally and is primarily used by Managed Service Providers (MSPs) to remotely manage their customers' IT infrastructure.
What happened in the ransomware incident?
On the 2nd of July 2021, Kaseya was informed that customers experienced unusual behaviour on endpoints managed by the Kaseya VSA server and several machines were subject to a ransomware attack. The indication was that Threat Actors had been able to exploit a zero-day vulnerability on the customer-run on-premises servers. This means that the vulnerability had not previously been seen, although, since the incident, there are reports that this vulnerability had been reported several years earlier.
The Kaseya attack is reminiscent of the SolarWinds attack: the threat actor achieved remote code execution, which led to ransomware being launched on endpoint machines. Data at many organisations was left encrypted with no way to access it.
According to Kaseya, the number of affected organizations was around 60, although the downstream impact was found to be much more extensive as MSPs manage many organizations’ IT infrastructure. To mitigate the risks and assist affected customers, Kaseya issued a security advisory urging all its customers to shut down their VSA servers immediately.
What is a Supply Chain Attack?
A supply chain attack is an attack on a service provider in which updates bundled with ransomware are sent out to customers, leaving them vulnerable. Rather than infiltrating an organisation directly, a supply chain attacker exploits the trusted access a third party has to the organisation. The attacker thus gains a hold on an entire environment rather than just one company.
It is worth mentioning that there is mixed opinion whether the Kaseya incident was a supply-chain attack as a lot of information suggests that it involved a vulnerability in VSA servers that was exploited by attackers.
The attackers injected code into Kaseya’s updates, which were pushed out to its clients, resulting in the compromise. What made this different was that the vulnerability being exploited was previously unknown and sat in servers already running in the client environment. This left clients open to the execution of malicious processes and left many of their devices encrypted, with large amounts of data unavailable.
What is the impact of these attacks?
The Kaseya incident caused widespread damage to clients who considered their cybersecurity a priority. The incident caused the compromise of servers resulting in compromised endpoint machines that were managed by those servers, leaving many victims affected through little or no fault of their own.
See the image below: (Courtesy of Truesec)
What could Kaseya have done to reduce the impact of the incident?
There are many articles available on this matter, including articles from cybersecurity journalist Brian Krebs that indicate that Kaseya was made aware of the vulnerability in 2015. There are several measures that Kaseya could have taken to reduce the impact of the incident. For example:
- Patching the vulnerability: If Kaseya had identified and patched the vulnerability, the attackers would not have been able to exploit it to gain access to customer systems.
- Timely communication: Kaseya could have communicated the incident to its customers in a timely and transparent manner. This would have allowed them to take necessary measures to secure their systems and data.
- Regular backups: If Kaseya had encouraged its customers to maintain regular backups of their data, the impact of the incident could have been reduced. This would have enabled affected customers to restore their data from backups rather than paying the ransom.
- Security awareness training: Kaseya could have provided security awareness training to its customers to educate them on the importance of cybersecurity best practices such as strong passwords, regular software updates, and suspicious email detection.
- Incident response planning: Kaseya could have had a comprehensive incident response plan in place to help them respond to the incident quickly and effectively.
It is worth noting that Kaseya did take some measures to reduce the impact of the incident, such as releasing a patch for the vulnerability and working with law enforcement agencies to investigate the attack. However, there is always more that can be done to prevent and mitigate the impact of such incidents.
Going forward, all Kaseya customers should ensure that they install the most recent updates. It is a timely reminder for all users in all organisations to carry out regular patching of systems. This will ‘patch’ or repair vulnerabilities and keep you more secure.
Exploiting a Zero-Day Vulnerability
A zero-day exploit is simply one that has never been seen or reported before. Normally, when a vulnerability is identified, it is publicly registered, given a Common Vulnerabilities and Exposures (CVE) number and patched to remove the vulnerability. In the Kaseya incident, it is reported that the vulnerability had not been seen before and existed in the on-premises servers.
What types of businesses are the most vulnerable to zero-days? How do you avoid them?
Everyone is vulnerable to a zero-day vulnerability.
A zero-day vulnerability could be present in a piece of software that we use commonly, and we could all be exploited. The best way to protect yourself is to try to use only the software that you need to fulfil your business objectives, enforce the principle of least privilege, and ensure that you patch regularly to remove vulnerabilities as soon as they are identified.
The Windows PrintNightmare zero-day vulnerability, which had the potential to affect far more users, was identified at around the same time as the Kaseya incident. This reminds us that we are all exposed to similar vulnerabilities.
REvil: Leading "Ransomware-as-a-Service" Providers
Little is known about REvil, as they are a criminal organisation that maintains its anonymity for obvious reasons. However, they are believed to be based in Russia because they do not actively target victims in Russia.
Ransomware Lifecycle (Courtesy of CERT NZ)
REvil provides ransomware as a service which means that rather than spending all their time launching their attacks, they lease out their expertise and infrastructure to other criminals, giving even those without technical ability a means to profit from ransomware. In return, REvil takes a dividend of the paid ransom.
What is RaaS and how does it work?
Ransomware as a service (RaaS) is an adaptation of the Software as a Service model: criminal groups rent attack tools over the dark web, and the developer who created the tool receives a dividend, or a ‘fixed subscription cost’, normally around 20-30% of the ransom. The first known ransomware as a service was called Stampado, a ransomware rental offering lifetime access for $39 on the dark web.
While ransomware was initially just about encrypting the victim’s data and asking for a ransom, companies got smarter and created backups, so they could restore their data on their own. Attackers then upped their game and brought about double extortion, where the attackers exfiltrate the data, encrypt the client’s data, and threaten to expose it if the ransom is not paid.
Times have changed further, and a triple extortion model has evolved: attackers exfiltrate and encrypt the data and threaten to expose it if the ransom is not paid, insisting that the victim pay or else the information is released or sold on the dark web.
Do I need to be worried?
Research shows that this vulnerability was only present on Kaseya VSA on-premises servers, and therefore if you are not a Kaseya VSA user and do not have an on-prem VSA server then there is no cause for concern.
But this is a wake-up call to take cybersecurity extremely seriously. If a global security solution provider can fall victim to a ransomware incident, then it is likely to be a case of when, and not if, your organisation will be the victim of a cyber incident of some sort.
What does Pragma recommend for your company when impacted by a Ransomware attack?
It is strongly advised never to pay a ransom in the event of a ransomware attack. However, this can be a contentious issue and may depend heavily on the circumstances surrounding the attack. Seeking professional assistance is highly recommended if you are affected by ransomware. Even if you can decrypt your data, identifying the root cause of the attack and closing the attack vector is critical to preventing future attacks.
At Pragma, we are experts in investigating ransomware incidents and conducting thorough forensic analyses to determine the root cause of the attack. Our experienced CIRT team works closely with our clients to contain and eradicate the threat actor. If you are experiencing a similar issue or would like to discuss your Incident Response plan, please contact us directly.
If you are currently affected by a ransomware incident, isolate the affected machine from the network and seek professional assistance, but leave it powered on: doing so retains important evidence that forensic investigators can examine.
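As an added example, not part of the original article, the following PowerShell script shows one way a first responder can carry out that advice on a Windows endpoint: capture volatile evidence first, then isolate the host with the Windows firewall so it stays powered on and reachable only from an incident-response collection host. It assumes the endpoint is Windows, that the script runs as an administrator, and that the IR collector address (10.0.0.5) and evidence folder are placeholders to replace.

```powershell
# Added example (not Pragma's or Kaseya's code): first-response steps on a suspected
# ransomware-infected Windows endpoint. Assumes an administrator session, a dedicated
# IR collection host (placeholder IP 10.0.0.5) and a local evidence folder.
# The machine is deliberately left powered on so volatile evidence survives.
param(
    [string]$IrHost      = '10.0.0.5',        # placeholder: your IR collector
    [string]$EvidenceDir = 'C:\IR-Evidence'   # placeholder: local evidence folder
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dir   = Join-Path $EvidenceDir "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Capture volatile state BEFORE isolation changes it: what is running,
#    who is logged on, which network connections and scheduled tasks exist.
Get-Process -IncludeUserName | Select-Object Id, ProcessName, Path, UserName, StartTime |
    Export-Csv (Join-Path $dir 'processes.csv') -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Join-Path $dir 'tcp-connections.csv') -NoTypeInformation
query user 2>$null | Out-File (Join-Path $dir 'sessions.txt')
Get-ScheduledTask | Select-Object TaskName, TaskPath, State |
    Export-Csv (Join-Path $dir 'scheduled-tasks.csv') -NoTypeInformation

# 2. Hash the captured files so investigators can show they were not altered later.
Get-ChildItem $dir -File | Get-FileHash -Algorithm SHA256 |
    Export-Csv (Join-Path $dir 'evidence-hashes.csv') -NoTypeInformation

# 3. Isolate with the host firewall: disable every existing rule, default to
#    block in both directions, then allow only the IR collector. Unlike pulling
#    the cable, this keeps the box reachable for remote forensic collection.
Get-NetFirewallRule -Enabled True | Disable-NetFirewallRule
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'IR-Allow-Collector-In'  -Direction Inbound  `
    -RemoteAddress $IrHost -Action Allow -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'IR-Allow-Collector-Out' -Direction Outbound `
    -RemoteAddress $IrHost -Action Allow -Profile Any | Out-Null

Write-Host "Evidence saved to $dir; host isolated except to $IrHost. Do NOT power off."
```

Disabling the existing rules and blocking by default also cuts management traffic (including an RMM agent), so record what you changed and hand the evidence folder and its hash list to the investigating team.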
What is the pragmatic way to reduce the risk or prevent this from happening to your business?
There are several pragmatic ways to reduce the risk of a ransomware attack or prevent it from happening to your business:
- Use reputable anti-virus software and keep it updated. Make sure to enable the auto-update feature, so you are always protected against the latest threats.
- Regularly update your software and patch vulnerabilities. Cybercriminals often exploit outdated software to gain access to your system, so it's essential to update your software regularly and fix any known vulnerabilities.
- Use strong passwords and implement Multi-Factor Authentication (MFA) on all accounts. Weak passwords can easily be hacked, and MFA provides an additional layer of security to prevent unauthorized access.
- Back up your data regularly, including the operating system, applications, and data. Follow the 3-2-1 backup rule: have three copies of your data, two backups, and one production version. Store one of those backups off-site, like in the cloud.
In addition to these preventive measures, it's essential to have an incident response plan in place. It's best to work with a professional team that specialises in incident response and can provide you with the necessary support if an attack occurs. They can help you contain the attack, identify the root cause, and eradicate the threat actor. It's also essential to train your employees on good cyber hygiene practices and keep them informed about the latest threats. By taking these pragmatic steps, you can significantly reduce the risk of a ransomware attack and protect your business from potential damage.