On Friday 2nd July a large ransomware attack was carried out through Kaseya VSA. It was first reported by Kaseya's users as suspicious activity appeared on endpoints. It has since emerged as a supply chain attack and is expected to impact an enormous number of businesses.
By default, we have built trust into certain applications and software. The perpetrators know this and use that trusted source to deliver the malicious payload in the form of a scheduled update from the vendor. We also assume, by default, that an update delivered by a trusted vendor is sound, has been fully checked and will not introduce a security hole. In this case the software affected was Kaseya VSA (Virtual System Administrator) and the vulnerability involved is tracked as CVE-2021-30116.
“Supply chain attacks are scary because they’re really hard to deal with, and because they make it clear you’re trusting a whole ecology,” says Nick Weaver, a security researcher at UC Berkeley’s International Computer Science Institute. “You’re trusting every vendor whose code is on your machine, and you’re trusting every vendor’s vendor.”
WHO IS KASEYA?
Kaseya specialise in remote management software for Managed Service Providers. It’s the tool your IT company will use to manage your IT estate.
Malicious individuals discovered a zero-day vulnerability (CVE-2021-30116) in an update from Kaseya to VSA (Virtual System Administrator). In essence, the people who had installed this update had unknowingly introduced a hole into their end users’ machines.
Whilst “zero-day” sounds like a good film title, it simply means a hole that has not been found before: the software vendor is not aware of it and has not yet fixed or patched it.
WHAT WAS THE EXPLOIT?
The exploit allowed a group of threat actors (REvil) to instruct the remote machines to install ransomware that then encrypted the end users’ machines. These could only be freed up by paying the ransom demand or rolling the machine back.
First they attacked the managed service providers, then the customers of those managed service providers, cascading the infection across several hundred organisations.
The threat actors (REvil) understood the Kaseya tool well. They recognised how it worked and how several tweaks to its software avoided anti-virus detection, then used those same tweaks to get their malicious code onto the end users’ machines undetected. They were well prepared and avoided some of the basic, noisy actions that other ransomware attacks perform, keeping their activity below the radar so as not to raise the alarm. Picking an MSP meant that, by default, a vast number of companies were opened up at once.
WHO ARE REVIL?
Think of REvil as a “Cyber-Crime as a Service” organisation: they sell their code to other people for a share of the profits, which makes it very hard to work out who actually carried out the attack. REvil is best known for extorting $11 million from the meat processor JBS in May this year after a Memorial Day attack.
WHO WAS AFFECTED?
Based on Sophos telemetry, the Kaseya ransomware attack impacted approximately 145 organisations in the US and 77 in Canada, but the scope in both of these countries and globally is much broader. The true effect may never be known, because organisations, and MSPs in particular, are reluctant to admit they have been hacked. Kaseya have advised that it affected between 800 and 1,500 companies, but researchers have stated the figure is more like 2,000.
FROM OUR EXPERTS …
If you think you have been affected by this event, follow the nine-step programme recommended by the NCSC. More details can be found here!
This was a clever, well-orchestrated attack. The threat actors used the tool designed to protect against this type of event to create the event, then crippled the tool designed to fix it so you couldn’t repair it. Using the supply chain to deliver the payload that enabled the exploit is a nightmare: at some point we have to put our trust in software to look for issues.
At PCS we adopt a multi-layered approach to the cyber threat landscape. Planning for “not if it happens but when it happens” helps you build a robust recovery plan. Hiding your head in the sand is the worst thing to do – attack the possible issue head on. Ask the awkward question no one wants to ask. ‘Put Cyber Threat on the agenda!’
AN ALL IN ONE DISASTER RECOVERY SOLUTION
PROTECT YOUR BUSINESS WITH ADVANCED THREAT SOLUTIONS
Implementing a high level of security in your business will help protect you in situations like the above. Datto can protect your business from a full disaster scenario in minutes, and no additional work is required to perform a rescue when it matters most.
Speak to Pure Cloud, who can help tailor a business continuity solution that complements the way you operate!
Call us on 0333 150 6780, email or fill out the contact form below and a member of the team will be in touch.