Kaseya VSA is a common software solution that MSPs (Managed Service Providers) use to manage their clients’ systems. On July 2, an auto update was delivered to Kaseya’s VSA product with REvil ransomware lying in wait. By design, VSA has administrator rights to its client systems, so MSPs that became infected via the auto update unknowingly pushed the ransomware to its clients, resulting in REvil’s hitting more than 1,000 companies in this MSP supply chain attack, raising another alarm across the industry for scrutinizing supply chain security. Download this PDF for a summary of IronNet's analysis.
How did this REvil ransomware attack happen?
It appears as if the initial payload was delivered via a software update that the actor manipulated via a vulnerability within the Kaseya Software. The malicious update was not delivered directly from Kaseya but rather was enabled through a suspected authentication bypass zero day vulnerability in the VSA web panel that allowed the attacker to push the malicious ransomware payload to all connected clients. Details are still coming out but this vulnerability is currently being tracked as CVE-2021–30116.Once the update was received, the adversary immediately disabled administrator access to VSA (in order to thwart any attempts to stop the attackers). Two files then were dropped onto a client’s systems:
- Mpsvc.dll - is side-loaded into a legitimate Microsoft Defender copy
- MsMpEng.exe
Since Kaseya software is allowed administrative privileges of client systems, the ransomware could push itself to all clients registered in the VSA systems. The following command is run (with the adversary as an admin via VSA), in turn disabling the following in Microsoft Defender:
- Disables Real Time Monitoring
- Disables IPS
- Disables Cloud Lookup
- Disables script scanning
- Disabled Controlled Folder Access (ransomware prevention feature)
- Disables Network Protection
- Stops cloud sample submission
A ransomware attack?
The ransomware portion of this attack by REvil targets backup systems first in order to stop any attempt to restore critical business files to ensure that enacting a ransom becomes a viable opportunity. As Bleeping Computer has noted, “MSPs are a high-value target for ransomware gangs as they offer an easy channel to infecting many companies through a single breach, yet the attacks require intimate knowledge about MSPs and the software they use. REvil has an affiliate well versed in the technology used by MSPs as they have a long history of targeting these companies and the software commonly used by them.”
At present, Kaseya has stated that they have shut down their SaaS servers and are working with other security firms to investigate the incident.
This latest incident is not a first in terms of this notorious ransomware gang’s targeting MSPs. “In June 2019, an REvil affiliate targeted MSPs via Remote Desktop and then used their management software to push ransomware installers to all of the endpoints that they manage. This affiliate is believed to have previously worked with GandCrab, who also successfully conducted attacks against MSPs in January 2019.”
Ransomware attacks: the new “insider threat”?
IronNet Threat Intelligence Analyst Joey Fitzpatrick states that Remote Monitoring & Management Software is “the new insider threat.” As demonstrated with SolarWinds, instead of focusing a lot of effort on a single entity, if adversaries can determine which management software its target uses, it becomes much easier for them to exploit this third-party point of entry.
Unfortunately, SolarWinds proved how devastating supply chain attacks can be with network management tools. Adversaries love this biggest bang for their buck. Even the most well-patched environment is susceptible to these types of attacks because a trusted process or program is being exploited.
What does this latest REvil ransomware attack mean for businesses?
RMMs allow both Managed Service Providers and large-scale businesses to monitor and manage thousands of devices with ease. But, because of the wide breadth of customers that MSPs serve and the domain admin level access these tools inherently have, MSPs have become prime targets for adversaries. Even with the most sophisticated defenses, MSPs and the enterprise end-users they support are challenged: Once an adversary gains access to one’s RMM, they do not need to evade defense or escalate privileges. In other words, they already have become “king of the castle” and can dominate their targets’ crown jewels as they please.
Although infrequent, supply chain attacks like this further stress the notion that it’s not if your company is going to be breached, it’s when. We always knew how devastating an insider threat such as a sysadmin gone rogue would wreak havoc against a business.
What do we know about the REvil ransomware attack?
The REvil ransomware gang, aka Sodinokibi, was first reported by Huntress as a notorious private ransomware-as-a-service (RaaS) operation in Russia’s arsenal of Russian cyber attack threat actors. A Russian-speaking gang that has made some of the largest ransomware demands on record in recent months, REvil was behind the JBS cyberattack that resulted in an $11 million payout for the nefarious actor by the company that manages about a fifth of the U.S. meat supply. And in May 2021, REvil had its sharp eye on a nuclear weapons contractor:
“REvil ransomware operation listed companies whose data they were auctioning off to the highest bidder. One of the listed companies is Sol Oriens, where REvil claims to have stolen business data and employees' data, including salary information and social security numbers. As proof that they stole data during the attack, REvil published images of a hiring overview document, payroll documents, and a wages report. As a way to pressure Sol Oriens into paying the threat actor's extortion demands, the ransomware gang threatened to share ‘relevant documentation and data to military angencies (sic) of our choise (sic).’”
What might be the ransomware attacker's motivation?
Two words: Quick cash. What is interesting is that REvil could have pivoted and set up implants, but they seemingly chose not to. Perhaps they weighed the cost vs. benefits and figured it was easier to hit 200 companies at once for quick cash.
Signature-based detections fall short for ransomware attacks
Given the growing threat of supply chain attacks, detection toolsets such signature-based endpoint solutions or traditional network security tools would not have caught this latest REvil effort. Much like the SolarWinds attack, which was detected by IronNet behavioral analytics, endpoint security tools that are monitoring interesting behaviors of ALL software with broad detection capabilities/queries would be the first to alert on this behavior. Immediate notification of powershell running a command to disable Microsoft Defender should have sent off the alarms in any SOC, which the adversary did do. It ran powershell to disable many of the defenses in place to defend against ransomware.
Tracking early intrusions with behavioral analytics
IronNet’s behavioral analytics are designed to detect behavior indicators in advance of the ransom, alerting IronNet’s customers of early indicators before the ransom stage. The lifecycle of ransomware includes six phases: the attack, embedding and persistence, scanning, encryption, and the ransom itself. Implementing 360° visibility into your network traffic increases your chances of catching ransomware early in the kill chain. Applying behavioral analytics to look for anomalies in your network allows our analysts and threat hunters to detect, prevent, and mitigate the attack lifecycle of ransomware early in the process of a typical ransomware attack’s six phases:
Learn more about how to catch a ransomware attack early with IronNet with IronDefense network detection and response, upping the defense game even more with a Collective Defense approach that correlates adversarial campaigns across sectors in real time via a cyber radar view.