It was a LONG weekend — Here’s the vital info on REvil and Kaseya VSA – Cisco Blogs
The past few days have been a lot for people in the security industry. On Friday in the US, people were just about to clock off for what would hopefully be a relaxing Fourth of July long weekend. Only for cybercriminals to have other plans.
This week I spoke to Cisco Talos’ US Outreach Team lead Nick Biasini to talk about the unfolding events surrounding the REvil ransomware campaign and Kaseya VSA supply chain attack. We also spoke about the impact for organizations around the world. This is a transcript of that live chat. You can also watch the video replay below:
There’s been a lot of coverage on this, and it’s quite a complicated scenario, so here are the facts of the event as we understand them today. To stay up to date on this attack, please take a look at the Talos response post which is being continually updated.
Nick, can you break down what happened for us?
Sure. The attack timeline started on July 2. We started to see chatter about there being potentially a ransomware campaign underway, and shortly after that the involvement of Kaseya began to come to light.
The Kaseya VSA supply chain attack and REVil ransomware campaign are a two-part incident. There are two completely different, but related parts to this attack.
The first part involved a zero-day vulnerability in the Kaseya VSA software. VSA is an MSP software management platform, and is used primarily for monitoring, and the management of endpoints. As you can imagine, it has a very high level of access.
The adversaries compromised these servers with a zero-day exploit. They then used their access to the servers to deploy REvil ransomware. This is what was actually encrypting and ransoming these systems to their victims.
The attack itself was relatively short lived; it only occurred during a small window. One of the biggest things to call out though is that a zero-day was involved. As such, it’s very hard to determine who else may have had access to this exploit, and may have been exploiting it before, during, or immediately after this particular incident occurred.
The immediate recommendation after the attack was to shut off your VSA server. That is definitely one of the most important things you can do. So if you do have one of these systems, make sure that until there’s a patch available, you have the system shut down.
This isn’t the first time that we’ve seen remote management software being used as the entry point to a ransomware campaign. We’ve seen this exact software being used before. Can you talk about how this attack sits in that context?
Unfortunately, what we’re seeing time and time again, is that these ransomware cartels will use any means necessary to get into these networks. We’ve seen them across a whole suite of things from brute force attacks, to active exploitation to phishing, to everything in between. And this is yet another example of that what they’re trying to do, which is abuse trust.
We’ve seen MSPs compromised before, and we’ve seen MSP software abuse before. This is not new. What organizations need to understand is that trust is a necessary part of doing business. But it’s something that you need to continually evaluate. That’s why we’ve moved more and more into a Zero Trust style framework. Trust is a great thing, but it can be abused if it’s not validated and vetted on a continual basis.
What do we know so far about the REvil ransomware? What can you tell us about it, and what was it designed to do?
The best way to think about REvil is that it’s ransomware as-a-service. They use an affiliate model. And this is something that we’re seeing adversaries do more and more. Basically, their approach is, “I’m going to outsource my infections, and give you a percentage of what I make, based on your ability to infect people.”
Because of that, you, again, have to defend against a wide variety of attack vectors, largely because you have a lot of adversary groups approaching this from different angles. Some groups may rely on exploitation, other groups may focus on social engineering. They’re going to use whatever means necessary to get in.
For organizations, increasingly, you really need to understand your border, what’s exposed, what potential issues you could have, and make sure you do the essential things like patching, and segmenting your networks. These things might be basic but they are really important to defend against these groups.
What does this kind of ransomware look like from a victim perspective?
Ransomware generally is going to be really, really noisy. You’re going to get pop ups on your screen, things are going to stop operating, you’re going to have very clear indicators that you’ve been affected. Depending on the group, there are a couple of different ways that they can coerce you into paying.
Some of it is just purely, “We’ve ransomed your systems, you need to pay us to get access back to the data.” Now, more recently, we’ve seen more and more doxing of data. Here, they’ll exfiltrate a large amount of data and say that you have to pay us to get your files back. And you have to pay us to make sure we don’t release all of this sensitive information that we’ve obtained.
Additionally, some are now publicly disclosing who they breached, and trying to build relationships with press and other outlets to try and potentially influence the users into paying their ransoms.
You mentioned earlier that there are the few different types of strategy involved in this attack. Does that mean to say that there’s some customization here? In other words, was this a targeted attack against certain types of organization?
It wasn’t necessarily targeted any more than it affected customers of Kaseya VSA. But because it’s a supply chain attack, it’s a very difficult thing to defend against.
This is why we always talk about the endpoint being the last bastion and the place where you really need to focus your detection. And that’s one of the reasons why initially, we focused our detection on Cisco Secure Endpoint. That made sure that we have protection on the endpoint, which then cascades into other products.
Is there anything particularly notable about this attack that is perhaps a little bit different from the TTPs that we typically observe during these ransomware attacks?
There is one thing. We typically see associated command and control server activity associated with an attack like this, or as we call it, C2 activity. Here, it appears that the C2 connectivity was disabled. There was no real external connectivity once they had compromised using the Kaseya VSA server. So that made it particularly difficult to detect once the attack had actually started.
One of the reasons why they did this, is because they were using a supply chain. They were deploying their ransomware using a tool that’s designed to deploy software. Because of this, they didn’t really need to be sure that they were infecting systems – their success rate was already going to be incredibly high. They knew who they were infecting.
Typically, attacks do have C2 communications, because they do need to understand how many victims they have. But with this particular circumstance, it was a different type of attack which didn’t really necessitate that type of communication.
In the coverage, people may have seen the term “synchronized attack” which involved computing the current time. What do we mean by that?
This is another interesting thing that they did. When they were deploying the ransomware, they used a varying amount of Ping. Ping is basically a communication between two systems to say, “Hey, are you there?” And you respond and say, “Yes, I am.”
They set a specific number of Ping requests based on when they were infecting the system, to try and get all the systems to infect around the time of 14:30 UTC on July 2.
How widespread is this attack?
It’s hard to say with any complete certainty, but Kaseya said that they saw 60 direct compromises, and then approximately 1500 downstream businesses potentially impacted because of that. But the true scope likely won’t be known for the days and weeks ahead, as we learn more and more about what’s going on.
Have there been any more reports of any further compromises of VSA customers since the attack began over the weekend?
I have not seen any, and if you think about it, logically, that kind of makes sense. Their recommendation is to power off the servers. So if you’re following their recommendation, there isn’t an attack vector for them to get through anymore.
Are there any other mitigation steps that organizations should take at this stage?
Once a patch is available, you should apply the patch as soon as possible. After that, I would begin triage and looking through logs. This was a zero-day, and this particular group used it in a very noisy manner that really opened the door to everybody seeing what it was. However, that doesn’t mean that they’re the first group to have used this exploit.
So, look through the logs, and as more details emerge about how this exploit works, go back in time and look at your logs to find out if you had a potential incident previous to this that you weren’t aware of.
One of the most important things you can do is make sure you have a technology like Cisco Secure Endpoint running, and that you’re updating your signatures and you make sure protections are in place.
If you’re concerned about how many different places you have to look in, please check our blog. We’re still evaluating what’s going on with this incident and continuing to release new coverage as time goes on. So checking that blog is going to get you the latest and greatest on what coverage has been released, what products it’s available in, what we’ve found during our investigation, and what we’ve continued to find.
What are your key takeaways from this attack, in terms of what it tells us about the current threat landscape?
It’s an escalation from the ransomware cartels, because this is a full supply chain attack. Unfortunately, these actors are not going away, there is hundreds of millions of dollars flowing into this illicit kind of marketplace right now. And unfortunately, things are going to get worse.
So, defenders, if you’re not doing so already, you really need to get out there, check your boundary, see what potential issues are there, go back and re evaluate the risk. Small vulnerabilities that you don’t patch can be devastating in these types of attacks. Weak credentials are what these adversaries are after.
And with affiliate groups growing more and more prevalent, there’s going to be more and more people that are very skilled at looking at organizations that aren’t used to being targeted by this level of adversary.
Be proactive, work ahead, and address any issues before ransomware cartel finds them.
If you’re currently experiencing a cybersecurity emergency, the Cisco Talos Emergency response numbers are:
United States: 1-844-831-7715
Europe: +44 808 234 6353
Asia Pacific and Australia/New Zealand: +61 89 4677 811
Cisco Talos Incident Response is also available for proactive services. No matter what your current level of security is, they can help, whether that’s building a response plan from the ground up, or refining your current one, and of course, helping you test it.
We also have a number of free trials available for Cisco Secure products, including Cisco Secure Endpoint. Learn more at www.cisco.com/go/securityfreetrials
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Instagram
Facebook
Twitter
LinkedIn
Share: