- La colaboración entre Seguridad y FinOps puede generar beneficios ocultos en la nube
- El papel del CIO en 2024: una retrospectiva del año en clave TI
- How control rooms help organizations and security management
- ITDM 2025 전망 | “효율경영 시대의 핵심 동력 ‘데이터 조직’··· 내년도 활약 무대 더 커진다” 쏘카 김상우 본부장
- 세일포인트 기고 | 2025년을 맞이하며… 머신 아이덴티티의 부상이 울리는 경종
REvil gang exploited a zero-day in the Kaseya supply chain attack
Kaseya was addressing the zero-day vulnerability that REvil ransomware gang exploited to breach on-premise Kaseya VSA servers.
A new supply chain attack made the headlines, on Friday the REvil ransomware gang hit the Kaseya cloud-based MSP platform impacting MSPs and their customers.
The REvil ransomware operators initially compromised the Kaseya VSA’s infrastructure, then pushed out malicious updates for VSA on-premise servers to deploy ransomware on enterprise networks.
The investigation is still ongoing, according to security firm Huntress Labs at least 1000 organizations have been impacted, making this incident, one of the largest ransomware attacks in history.
“We are tracking ~30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was used to encrypt well over 1,000 businesses and are working in collaboration with many of them. All of these VSA servers are on-premises and Huntress assesses with high confidence that cybercriminals exploited a vulnerability to gain access into these servers.” reported Huntress Labs.
At the time of this writing, at least 30 MSPs have been compromised as part of this supply-chain attack, but experts believe that the attack might have impacted thousands of companies across the world.
In the last update released by Kaseya, the company continues to strongly recommend on-premise Kaseya partners to keep their VSA installs offline until further notice.
Now new details about the attack are emerging, the Dutch Institute for Vulnerability Disclosure (DIVD) reported a zero-day vulnerability, tracked as CVE-2021-30116] and affecting Kaseya VSA servers, to the company.
Kaseya was validating the patch before they rolled it out to customers but REvil ransomware operators exploited the flaw in the massive supply chain ransomware attack.
“From our side, we would like to mention Kaseya has been very cooperative. Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing.” states an update provided by the Dutch Institute for Vulnerability Disclosure (DIVD). “Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”
DIVD researchers confirmed that during the last 48 hours, the number of Kaseya VSA instances that were reachable from the internet has dropped from over 2.200 to less than 140 in their last scan today. The number of exposed installs in the Netherlands has dropped to zero.
During the last 48 hours, the number of Kaseya VSA instances that are reachable from the internet has dropped from over 2.200 to less than 140 in our last scan today. https://t.co/mEM4EmCtwJ
— Victor Gevers (@0xDUDE) July 4, 2021
Ciaran Martin, former head of the NCSC, provided disconcerting info about the supply chain ransomware attack that disrupted 20% of Swedish food retail capacity, pharmacies, train ticket sales.
Extraordinary: ransomware attack on American company disrupts 20% of Swedish food retail capacity, pharmacies, train ticket sales & they’re not even direct customers
Extraordinary: ransomware attack on American company disrupts 20% of Swedish food retail capacity, pharmacies, train ticket sales & they’re not even direct customers https://t.co/ESwEFNqgrW
— Ciaran Martin (@ciaranmartinoxf) July 3, 2021
If you are interested in technical details about the attack let me suggest reading a post writer by the popular researcher Kevin Beaumont who pointed out that Kaseya is designed to allow administration of systems with high-level privileges.
“So ransomware can push itself to systems. The attackers pushed an management agent update, which is automatically installed on all managed systems — which means very wide impact.” states Beaumont. “Additionally, Kaseya recommend antivirus exclusions on some folders used during deployment of this malware”
Kaseya has released a detection tool that could be used to determine if your infrastructure has been compromised.
“The new Compromise Detection Tool was rolled out last night to almost 900 customers who requested the tool.” states the company.
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine