
Kaseya VSA Ransomware Attack: A Bombshell Supply-Chain Hit

What happened?

During the weekend of July 4th, 2021, Kaseya VSA and multiple managed service providers (MSPs) were brutally hit by a supply-chain ransomware attack. Kaseya provides technology that helps other companies manage their information technology, which is essentially the digital backbone of their operations. Kaseya sells its technology to third-party service providers, which in turn outsource IT for other companies.

According to Kaseya's incident report, on Friday, July 2nd, Kaseya received reports from customers and others suggesting unusual behavior on endpoints managed by the Kaseya VSA on-premises product. The alert later evolved as customers reported that ransomware had been executed on endpoints. The first steps in the incident response were to notify on-premises customers to shut off their VSA servers while Kaseya shut down its VSA SaaS infrastructure. This action proved effective in minimizing the rapid spread of the malware and curbing the number of affected systems.

The attack is said to have been executed by a Russian-speaking hacking group known as REvil. REvil has been around since 2019, deploying ransomware against targets around the world and making a fortune from ransom payments. REvil has taken its tactics to a higher level, deploying its ransomware via a supply-chain attack that exploits the interconnectivity of internet services to reach a much larger attack surface.

What vulnerabilities were exploited?

REvil exploited zero-day vulnerabilities in the VSA product to bypass authentication and achieve arbitrary command execution. A zero-day vulnerability is a software or hardware flaw unknown to the developer, leaving no opportunity for detection. Once a threat actor discovers such a flaw, it is exploited by releasing malware into the target system. Attackers find zero-day flaws through painstaking effort, scouting through applications and code and probing networks and software for weaknesses. The attacker deploys reverse engineering tools and techniques, forcing the software to reveal cracks in its defenses that provide a way to execute code covertly. Since zero-day attacks are previously unknown, they carry an element of surprise.

Reports suggest that unmitigated vulnerabilities could have triggered and facilitated the exploit; however, Kaseya has not confirmed these allegations, as it is focused on releasing a patch to fix the vulnerability.

“Our global teams are working around the clock to get our customers back up and running,” said Fred Voccola, CEO at Kaseya.

There is still no evidence of how REvil was able to deploy the zero-day attack. It is unknown whether REvil discovered the zero-day vulnerability itself or whether it was stolen or purchased from researchers or brokers; whatever the strategy, it shows the gang's determination to continue executing sophisticated ransomware attacks.

Impact of the Kaseya VSA ransomware attack

It is estimated that this ransomware attack could cost millions of dollars and could have affected more than 1,500 companies that leverage IT services from 60 Kaseya customers. The attackers have requested a $70 million payment in bitcoin in exchange for the decryption key. The attack might not have directly impacted American life the way the Colonial Pipeline ransomware attack did. Still, it caused a major Swedish grocery store to shut down for more than 24 hours and infected 11 schools in New Zealand. While attacks on these kinds of providers are not new, MSPs represent a significant opportunity for hackers because of how deeply they interact with other companies' networks.

Ransomware is a cankerworm

Ransomware has become the most predominant cyber threat, with attackers deploying ever more advanced digital infrastructure to hijack their victims' data and then demand a ransom in exchange for the decryption key. Cryptocurrency is the preferred payment option for attackers since it is an untraceable payment method. According to studies, the energy sector, information technology, finance, emergency services, transportation, education, and healthcare are the preferred targets for ransomware attacks because of the critical systems they operate.


Active Measures

Large ransomware and similar attacks are increasingly promulgated and perpetuated by hackers through third-party vendors that are critical to infrastructure and business operations. It is therefore important to manage risk from third-party vendors by establishing a risk management process and a baseline for secure operations.

Essentially, that means developing and maintaining a risk register using standards-based assessments (NIST, ISO, SIG, CAIQ); developing a documented business continuity/disaster recovery plan and an incident response plan; running tabletop exercises and documenting and remediating any gaps they identify; documenting all aspects of secure business operations and giving individuals in the company the access needed to conduct regular vulnerability testing across development (DevOps) and technology operations; and developing and maintaining a strong patching program for all layers of the infrastructure.

Security is the responsibility of everyone in the organization. The best way to ensure that everyone participates in this effort is to provide appropriate training and to develop a strong phishing and social engineering awareness program for employees.


*** This is a Security Bloggers Network syndicated blog from SecureFLO authored by Sri G. Read the original post at: https://secureflo.net/2021/08/09/kaseya-vsa-ransomware-attack-a-bombshell-supply-chain-hit/?utm_source=rss&utm_medium=rss&utm_campaign=kaseya-vsa-ransomware-attack-a-bombshell-supply-chain-hit