Managed service providers and organizations using the cloud or on-premises version of Kaseya’s VSA remote monitoring and IT management tool are waiting for decisions from the company Monday on if and when they can resume using the tool following a hack that has led to ransomware attacks on customers.
Kaseya told customers on Friday, July 3 that it had been victimized by a sophisticated cyber-attack and had to shut down the software-as-a-service version of VSA. More importantly, it urged IT administrators to take on-prem versions offline and rolled out a compromise detection tool. Kaseya believes only on-premises users of VSA are at risk.
On Sunday afternoon the company said the attack had involved “a very small number of on-premises customers only.” But CTV News quoted Kaseya CEO Fred Voccola telling the Associated Press that the victims number in the low thousands, mostly small businesses like “dental practices, architecture firms, plastic surgery centers, libraries, things like that.”
Voccola said in the interview that only between 50 and 60 of the company’s 37,000 customers were compromised. But 70 per cent were managed service providers who use the VSA software to manage multiple customers.
Researchers at Huntress Labs said Sunday it knows of 30 managed service providers and 1,000 organizations that have been victimized. All used the on-prem version of VSA. On Sunday Sophos said more than 70 managed service providers were impacted so far, resulting in more than 350 further impacted organizations.
At this point, it isn’t known if any victim firms are Canadian.
Threat intelligence firm DarkTracer posted on Twitter a claim from the REvil ransomware group that more than 1 million systems had been infected. The price for a universal decryptor that can be used for all victims is $70 million in bitcoin. Either Kaseya is expected to pay this, or REvil expects all victim companies will chip into a pool of funds to pay the ransom, a new tactic.
In an interview with ITWorldCanada, Johannes Ullrich, dean of research at the SANS Institute, said the full number of victims in the U.S. may not be known until Tuesday, when IT staff return to work after the Independence Day long weekend.
Kaseya VSA customers have been without service for three days, raising the question of whether they will switch to a new service. Ullrich doubts managed service providers will, because of the time it will take to roll out a new product. “I don’t think they’ll make that decision quickly,” he said. Nor should IT departments using the on-premises version rush into a decision, Ullrich added.
SaaS service to restart first
In its Sunday statement, Kaseya said restoration of the cloud version of VSA will start first, followed by instructions for restoring on-prem installations.
Kaseya’s executive committee met late Sunday to decide on a timetable for restarting Kaseya servers hosting the SaaS version of VSA. A tentative schedule to begin restoring servers in European Union, the U.K. and Asia-Pacific regions around 4 a.m. Eastern has been shelved. The executive was scheduled to meet again this morning at 8 a.m.
“All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,” the Sunday afternoon statement said. “A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase security posture.”
“Due to our teams’ fast response, we believe that this [attack] has been localized to a very small number of on-premises customers only,” Kaseya said. However, according to the news service The Record, one of Sweden’s largest supermarket store chains shut nearly 800 stores across the country after one of its contractors was hit by ransomware.
No data theft
According to the Bleeping Computer news service, the REvil ransomware group [also known as Sodinokibi or Sodin] is taking credit for the attack and is targeting managed service providers (MSPs) — but not their customers. The news service also says REvil has told victims that they only encrypted networks, suggesting that in this attack no corporate or customer data was stolen.
Researchers at Huntress Labs who looked at compromised servers said they “have high confidence that the threat actor used an authentication bypass in the web interface of Kaseya VSA to gain an authenticated session, upload the original payload, and then execute commands via SQL injection. We can confirm that SQL injection is how the actors began code execution.”
In a statement, Canadian-based managed security provider eSentire said it detected the Sodin/REvil ransomware dropper in one customer’s IT environment and was able to shut that system down before the ransomware could be deployed. eSentire has customers in several countries. The statement didn’t specify where this customer was located.
This isn’t the first time Kaseya has faced a breach of its security controls, the eSentire statement added. In 2018 it discovered an unknown threat actor attempting to deploy a Monero cryptocurrency miner to multiple eSentire customers through VSA. eSentire believes the threat actor figured out a zero-day in Kaseya and gained administrative access to Kaseya’s system. Then VSA was leveraged to download the Monero miner to victims’ endpoints.
“Gaining access to administration-level credentials for a remote management solution that distributes software, like Kaseya, and targeting managed service providers is a very efficient way of deploying ransomware to many organizations,” Eldon Sprickerhoff, eSentire ‘s chief innovation officer and founder, said in a statement. “Essentially, the MSPs do all the hard work for the threat actors because they unknowingly deploy the malicious software (in this case, the Sodin [REvil] ransomware dropper) out to all their customers. This current attack could very well be just a variation on the same attack tactic they used in 2018.”
Security teams whose organizations use the on-prem version of Kaseya VSA should check for indicators that the Sodin ransomware dropper or ransomware has already been installed onto their computer systems, he added.
Could have been worse
Sprickerhoff believes the latest attack on Kaseya could have been worse. The attack began early enough on Friday for it to be detected and acted on by Kaseya, he said. This was a long weekend in the U.S., so had the attack started on Saturday, when fewer IT and security teams would have been around in many organizations, there might not have been such a robust response.
In a statement issued Sunday, managed service provider Secureworks said it is “not seeing significant impact across our customer base. Less than 10 organizations appear to have been affected, and the impact appears to have been restricted to systems running the Kaseya software. We have not seen evidence of the threat actors attempting to move laterally or propagate the ransomware through compromised networks. That means that organizations with wide Kaseya VSA deployments are likely to be significantly more affected than those that only run it on one or two servers.
“Based on what we know right now,” Secureworks added, “we believe that this was an orchestrated attack against a subset of Kaseya VSA clients, largely managed IT service providers (MSPs). The evidence we have does not indicate that Kaseya’s software update infrastructure has been compromised. That does mean that, while we have seen limited impact across our customer base, there may be larger clusters of victims elsewhere based on use of common MSPs.”
James Shank, chief security architect for community services at threat intelligence firm Team Cymru, who was also a member of the Ransomware Task Force Committee, noted in a statement that threat actors have turned their attention to supply chain attacks. Kaseya is only the latest in a series that includes SolarWinds and CodeCov, he noted.
“This is not the first and it won’t be the last,” he said. “It is time to add another item to the already overwhelmed corporate security teams: audit suppliers and integrations with your supply chain providers. Limit exposure to the absolute minimum while still enabling business operations.”