10 Big Things To Know About The Kaseya Cyberattack

From the largest ransom demand of all-time to a potentially linked attack on Microsoft cloud customer apps via Synnex to how this hack was nearly avoided altogether, here are 10 things to know about the Kaseya cyberattack.

Ransomware Rampage

The REvil gang has pulled off one of the biggest ransomware heists in years, exploiting a vulnerability in Kaseya’s on-premise VSA remote monitoring and management tool Friday to compromise nearly 60 MSPs and encrypt the data and demand ransom payments from up to 1,500 of their end user customers.

For the Kaseya customers who weren’t themselves compromised, the attack left more than 36,000 MSPs without access to Kaseya‘s flagship VSA product for at least four days as the company worked on a patch for the on-premises version of VSA and kept the more widely-used SaaS version of VSA offline as a precautionary measure.

Victims of the attack span 17 countries, with the United States, Germany, Canada, Australia, and the U.K. most heavily represented. From the largest ransom demand of all-time to a potentially linked attack on Microsoft cloud customer apps via Synnex to how this compromise was nearly avoided altogether, here’s a look at 10 vital things the channel community should know about the Kaseya cyberattack.

10. FBI, CISA Urge MSPs To Use MFA, Whitelisting

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) urged MSPs affected by the Kaseya attack to enforce multi-factor authentication on every account that’s under their control as well as for customer-facing services. Federal authorities said MSPs should use whitelisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs.

Alternatively, the FBI and CISA said Sunday that MSPs can place RMM administrative interfaces behind a virtual private network or behind a firewall on a dedicated administrative network. MSPs – particularly those without an RMM service running due to the Kaseya attack – should ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network, feds said.

MSPs should additionally adopt a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available, the FBI and CISA said. All told, CISA and FBI said MSPs should implement multi-factor authentication as well as the principle of least privilege on key network resources admin accounts.

9. Supermarkets, Schools Around The World Impacted

Swedish supermarket chain Coop - which makes up 20 percent of the country’s food retailer market – had to shut down hundreds of stores even though they’re not a Kaseya customer. Coop’s point-of-sale tills and self-service checkouts stopped working since those machines are managed by a company that’s a customer of Kaseya, according to the BBC.

Similarly, the Kaseya ransomware attack meant that 390-store Swedish pharmacy chain Apotek Hjärtat couldn’t take payments even though they too aren’t a Kaseya customer. And government-owned Swedish rail operator SJ has been unable to use the payment facilities on its train point of sales terminals due to indirect impact from the supply chain attack (SJ isn’t a Kaseya customer either).

At least 11 schools in New Zealand had their data encrypted in the Kaseya cyberattack, according to local news outlet Stuff. One of the schools, St Peter’s in Cambridge, told the news organization that all their data had been successfully backed up several hours before the attack took place.

8. REvil Seized Upon Kaseya’s Anti-Malware Software Exclusions

REvil exploited a zero-day vulnerability, possibly with a SQL Injection, to remotely access internet-facing VSA servers, which gave the attackers privileged access to the MSP’s customers, Sophos said. VSA has a high level of trust on customer devices since it’s normally used to deploy software and automate tasks, meaning that controlled devices will perform whatever tasks the VSA Server requests without question.

A zero-day exploit of Kaseya’s platform allowed a malicious update payload to get sent out to VSA severs, and in turn to the VSA agent applications running on managed Windows devices, Sophos said Sunday. This made it possible for REvil to compromise businesses through a trusted channel and take advantage of the software exclusions that Kaseya requires for set-up of its applications and folders.

These exclusions means that anything executed by the Kaseya Agent Monitor is ignored by anti-malware software, meaning that REvil could deploy its dropper without scrutiny, according to Sophos. REvil encoded a malicious payload in its malware intended to prevent malware defenses from performing static file analysis with pattern scanning and machine learning when the malware was first deployed.

7. VSA Flaws Allowed Hackers To Bypass Authentication

Kaseya disclosed Monday that the hackers were able to exploit vulnerabilities in the VSA tool to pass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints, according to Kaseya. There is no evidence that Kaseya’s VSA codebase was maliciously modified, the company said.

Kaseya first heard something was wrong Friday when it received customer reports that ransomware was being executed on endpoints managed by the VSA on-premises product. Kaseya brought in FireEye’s Mandiant incident responders to investigate and assess the manner and impact of the cyberattack. The company said it’s also cooperating with federal law enforcement’s investigation into the attack.

Going forward, Kaseya said it’ll reduce the attack surface for its VSA product by providing an around-the-clock independent SOC for every VSA with the ability to quarantine and isolate files as well as entire VSA servers. Customers who whitelist IPs will be required to whitelist additional IPs once the VSA is back up-and-running, according to Kaseya.

6. U.S., Russian Officials To Talk Ransomware Next Week

Ransomware attacks on U.S. businesses like Kaseya will be discussed at a meeting of senior U.S. and Russian officials next week, according to White House spokeswoman Jen Psaki. “If the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action, or reserve the right to take action, on our own,“ Psaki told the press Tuesday, Reuters reported.

Psaki said President Joe Biden (pictured) would meet with officials from the Justice Department, State Department, the Department of Homeland Security, and the intelligence community on Wednesday to discuss ransomware and U.S. efforts to counter it. Psaki said that while the Biden administration discourages ransom payments, questions about decisions made in this particular case should be directed to Kaseya.

A U.S. official told Politico Tuesday the Kaseya attack probably didn’t cross any Biden administration red lines, both because it didn’t appear to target critical infrastructure and because there was no clear link to the Kremlin. But this official also said the Biden administration needs to be clearer with the Russians about what its red lines truly are.

5. AWS IP Addresses Might Be Launch Point For Attack

Huntress said Monday afternoon that it’s working with Amazon Web Services and law enforcement to investigate an AWS IP address that might have been used as a launch point for the Kaseya attack. The IP address in question provides shared hosting, meaning that REvil might have compromised a legitimate AWS webserver and used it as a launch point for their attack.

Huntress discovered Friday that one of the IP addresses the attackers were using belongs to AWS, and the company said it’s been in contact with internal hunt teams at AWS. Across all of the compromised servers we are aware of, one commonality has been GET and POST requests from AWS IP address 18[.]223.199.234 using curl to access a series of files sequentially.

AWS didn’t respond to a CRN request for comment.

4. Kaseya Nearly Fixed The Flaw REvil Exploited

The zero-day vulnerability exploited by REvil had previously been disclosed to Kaseya by researchers from the Dutch Institute for Vulnerability Disclosure (DIVD), and the company was validating a patch before rolling it out to customers. But REvil beat Kaseya to the punch and used that same vulnerability to compromise MSPs using the on-premises version of the company’s VSA product.

“During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched,” wrote DIVD’s Victor Gevers. “They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Since Kaseya was in the process of fixing the same vulnerability that was exploited by the hackers, researchers speculated that REvil might‘ve been monitoring the company’s communications from the inside. But Voccola told Reuters that Kaseya doesn’t believe REvil was in the company’s network prior to the attack, while Gevers said on Twitter that the vulnerability in question was simple to exploit.

3. Kaseya VSA Down For More Than Four Days

Kaseya expects to restore service to its VSA SaaS remote monitoring and management software late Tuesday, with a patch expected for the on-premises product Wednesday. The company expects to bring its SaaS servers back online between 4 p.m. ET and 7 p.m. ET Tuesday, with a patch for the compromised on-premises version of VSA slated for release within 24 hours of SaaS service restoration.

Both SaaS and on-premises customers will be required to implement a set of systems and network hardening measures prior to restarting their VSA service, said Kaseya, who is devising the requirements in concert with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). VSA customers will not have access to classic ticketing, classic remote control, and the user portal when service returns.

The restoration of service for the more than 36,000 customers of Kaseya’s flagship VSA product following the ransomware attack has taken significantly longer than expected. Kaseya CEO Fred Voccola said Friday evening that the company expected to restore service to its SaaS customers within the next 24 hours since the SaaS version of the VSA product was never compromised.

2. REvil Makes Largest Ransom Demand Of All-Time

Notorious ransomware operator REvil made the largest ransom demand of all-time over the weekend, demanding $70 million to decrypt the nearly 1,500 victims in the Kaseya ransomware attack. The offer to publicly provide a decryptor to all victims represented a shift in tactics for REvil, which up until then had been demanding separate smaller payments from each of the victims.

REvil initially demanded $5 million from larger companies, $500,000 from smaller firms with multiple locked file extensions, and $45,000 from smaller companies where locked files have the same extension. A universal decryptor would provide victims with a faster path to recovery, and REvil is likely hoping that insurers see $70 million as a small price to pay for eliminating downtime, said Emsisoft’s Brett Callow.

The ransomware gang lowered the price for a universal decryptor overnight Monday from $70 million to $50 million, equal in size to the ransom demand REvil made in March after compromising Taiwanese PC giant Acer. Organizations have become increasingly willing to fork over large ransoms, with Colonial Pipeline paying Darkside $4.3 million in May and meatpacking giant JBS paying REvil $11 million in June.

1. Synnex Attack Might Be Linked To Kaseya Compromise

Hackers attempted to use Synnex to gain access to customer applications within the Microsoft cloud environment in an attack possibly tied to the Kaseya ransomware campaign. The Fremont, Calif.-based distributor said it’s been working with Redmond, Wash.-based software giant Microsoft as well as a third-party cybersecurity vendor to conduct a thorough review of the attack since it was identified.

“We do not know if this is related to the Kaseya ransomware attack [against] MSPs and some end customers,” Michael Urban, Synnex’s president of worldwide technology solutions distribution, said in an emailed statement. “That is part of the review. SYNNEX is not an MSP, and we have no relationship with Kaseya and do not use its systems.”

Given the nature of supply chain attacks, Synnex could have been compromised as part of the Kaseya campaign if the distributor works with a supplier that uses an on-premises version of Kaseya VSA. For instance, the Russian foreign intelligence service gained access to Malwarebytes’ internal company emails as part of the SolarWinds campaign even though Malwarebytes isn’t a SolarWinds customer.