6 Min Read
REvil & Kaseya Shine a Spotlight on Lacking Cyber Protections
Written by Paul Robertson
Note: Mission Secure does not incorporate Kaseya software in any of our 24/7 OT cybersecurity managed services or technology stack and is not at risk for any indicators of compromise (IOCs) associated with the Kaseya ransomware campaign.
The ransomware group behind some of the latest high-profile cyber-attacks, including Kaseya, is dark. In 2021 alone, REvil is reportedly responsible for hacking more than 360 U.S. targets. JBS, one of the largest meat suppliers in the U.S., fell victim to the group in May, and software company, Kaseya, was hit in early July.
“…all of the dark web sites for prolific ransomware group REvil -- including the payment site, the group’s public site, the ‘helpdesk’ chat and their negotiation portal -- are offline.”
But while REvil has disappeared from the online world, the impact of their attacks continues to ripple through organizations and ecosystems. And whether they return or not, REvil, in many ways, has raised the stakes for both cyber adversaries as well as organizations, highlighting the inadequate cyber protections across industries, sectors, and supply chains.
Current Situation – What We Know
On July 2nd, REvil (also known as Sodinokibi) attacked a remote agent and flagship product used by several managed services brands – the Kaseya Virtual System Administrator (VSA).
The Company: Kaseya Limited is an American company that develops software for managing systems, networks, and IT infrastructure. Kaseya has approximately 1,300 employees with headquarters in Miami, Florida, and branch locations across the US, Europe, and the Asia Pacific. Since its founding in 2000, Kaseya has acquired 13 companies, which mostly continue to operate as independent brands under the “a Kaseya company” tagline.
Kaseya primarily provides software or Software-as-a-Service (SaaS) to Managed Services Providers (MSPs), who in turn use it to manage systems for their customers. They have about 36,000 customers, including customers of MSPs who use their software.
The Adversary: REvil is an established ransomware developer providing ransom software or Ransomware-as-a-Service (RaaS) to criminal groups with access to targets. They’ve previously been connected to DarkSide (the attackers of Colonial Pipeline) and have used similar software, tactics, and identical ransom notes. REvil is less publicity-shy than other ransomware actors and less wary about attacking large targets. The Kaseya attack is, however, their most significant attack by far. While REvil claims to bring in $100 million a year, that figure is likely exaggerated; known payments total from $2 million to $30 million annually. In this attack, REvil initially demanded $70 million, later reducing the ransom to $50.
The Attack: Kaseya claims that approximately 60 managed service providers were affected, with about 1,500 businesses utilizing those providers’ services. Kaspersky claims to have seen signs of infection on 5,000 systems in 22 countries. REvil claims it infected “millions” of systems (which seems rather unlikely).
The attack did not infect Kaseya’s software directly but exploited an existing vulnerability two steps down the supply chain. This fact allowed for the large scale of the attack, infecting numerous businesses. However, there is some debate as to whether this qualifies as a “supply chain attack.”
REvil’s initial access was achieved through a combination of three zero-day bugs, although two of them would have been virtually useless without the third, CVE-2021-30116. Critically, CVE-2021-30116 affects Kaseya VSA versions prior to 9.5.7. The vulnerability appears to be a SQL injection bug that leads to authorization bypass. Once used, the other two exploits can be deployed to escalate privileges, gaining more control over the infected system.
Dutch Institute for Vulnerability Disclosure (DIVD) noticed the primary bug months before the attack and reported it to Kaseya. Kaseya was allegedly very responsive, keeping in communication with DIVD and having the group verify preliminary patch versions. Kaseya appears to have taken the prudent steps one should when confronted with a vulnerability of this type.
Unfortunately, the attack came before the patch was released.
The attack started July 2nd at 2 PM when Kaseya’s CEO Fred Voccola announced “a potential attack against the VSA that has been limited to a small number of on-premises customers.” At the same time, Kaseya shut down their VSA servers out of an abundance of caution.
On July 4th, after an investigation by the internal response team, Voccola revised the severity of the incident, calling it a “sophisticated cyberattack.” The following day, a fix was announced and tested on the internal SaaS servers before being deployed to on-premises customers who host their own VSA servers.
“For the very small number of people who have been breached, it totally sucks,” Voccola further commented. “We are two days after this event. We have about 150 people that have probably slept a grand total of four hours in the last two days, literally, and that’ll continue until everything is as perfect as can be. Unfortunately, this happened, and it happens. Doesn’t make it okay. It just means it’s the way the world we live in is today.”
A patch became available July 12th, ten days after the attack started.
According to Palo Alto Networks, the number of visible, possibly exploitable servers have gone from 1,500 on July 2nd to 60 on July 8th, meaning most customers have followed the warnings and disconnected.
Then, on July 13th, REvil’s digital properties went offline. Theories are the cause are numerous and it’s unclear if or how this has impacted those infected by the attack.
Ransomware: Increased impacts and stakes
The scale of the attack did force REvil to take a slightly different approach. Normally, REvil attempts to establish and maintain network access. They will then exfiltrate mass amounts of data and try to disrupt or wipe as many backup systems as possible. After encrypting as many systems as possible, REvil will threaten to release stolen data and deny the decryption key unless a ransom is paid.
This attack targeted around 30,000 systems, any of which might report back to Kaseya and prompt a shutdown, so all systems were attacked at once. The implication is that this attack was automated without real-time human intervention. As a result, data was not stolen at the customer level (or so it appears), and wiping backups was reduced to removing any folder with the term “backup” in its name on all machines and network shares.
However, the automated nature of the attack does not minimize its impacts. Coop, a major Swedish supermarket chain, for example, shut down operations after point-of-sale tills and self-service checkouts stopped working. Several important systems went down and are still offline at this time. Kaseya announced a patch on Sunday, July 12th, and while that is agile by industry terms (the patch was nearly ready at the time of the attack), it still represents ten full days of downtime for anyone with out-of-date backups or who happened to have a backup drive mounted.
The Kaseya cyber-attack is potentially the largest ransomware attack in history. The SolarWinds attack was notable because it targeted confidential government systems. And the Colonial Pipeline and JBS attacks disrupted industrial control systems (ICS) and supply chains. Yet, the Kaseya attack, though simpler in nature, affected more systems than anything previously seen.
The Kaseya attack will likely boost REvil’s status in the criminal underground. It may also encourage other criminal groups to adopt a more brazen attitude and leverage public disclosure as a ransomware method (as opposed to the traditional “secret” negotiating tactics). On the flip side, this attack has also put REvil on the radar of many individuals and organizations around the world, thereby making them a bigger target.
The time for cyber-protection is now
SolarWinds, Microsoft, Colonial Pipeline, JBS, Kaseya – it’s clear cyber adversaries aren’t slowing down any time soon. Quite the opposite. Over the last year, organizations across industries and sectors have seen an increase in the frequency, sophistication, scale, and impact of cyber-attacks. And malware, of which ransomware belongs, continues to be the vehicle of choice.
Just as Kaseya was working on the patch prior to the attack, organizations have no time to waste in bolstering their cyber protections. To aid in protecting against these attacks, Mission secure recommends the following as a starting point:
1. Implement Zero-Trust OT Network Segmentation
Zero-trust network segmentation is an ICS cyber security best practice. It helps stop unbridled access in IT environments and should be widely deployed in OT and ICS networks to do the same. Industrial operations already segment the ICS/OT network from the corporate IT network. But for many, that is where their protection stops.
2. Restrict Unauthorized User and Vendor Access
ICS/OT network operators must implement strict secure remote access policies to prevent unauthorized user access, control third-party vendor access only as needed, and log all network access and actions.
3. Develop Incident Response Capabilities
No security program has perfect protection, so it’s critical to develop and test incident response capabilities and procedures to immediately investigate suspicious activity, respond to confirmed threats, and recover from security incidents.
In an effort to help organizations fight ransomware, the U.S. Government launched a new website resource, StopRansomware.gov. This whole-of-government approach aims to be a resource for public and private organizations in a central location, including alerts, resources, and protection, detection, and response guidance.
Revisit this Blog Post for updates in the coming days.
- http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion (REvil’s leak site)
Originally published July 15, 2021, updated July 15, 2021.