UPDATE 3
The worldwide July 2 attacks on the Kaseya Virtual System/Server Administrator (VSA) platform by the REvil ransomware gang turn out to be the result of exploits for at least one zero-day security vulnerability, and the company is swinging into full mitigation mode, with patches for the on-premise version coming on Sunday, July 11, it said.
The VSA software is used by Kaseya customers to remotely monitor and manage software and network infrastructure. It’s supplied either as a hosted cloud service by Kaseya, or via on-premises VSA servers.
The attacks on the VSA (details on the multiple zero-day bugs believed used are below) are now estimated to have led to the encryption of files for around 60 Kaseya customers using the on-premises version of the platform – many of which are managed service providers (MSPs) who use VSA to manage the networks of other businesses.
That MSP connection allowed REvil access to those customers-of-customers, and there are around 1,500 downstream businesses now affected, Kaseya said in an updated rolling advisory. It’s estimated that more than a million individual systems are locked up, and Kaspersky on Monday said that it had seen more than 5,000 attack attempts in 22 countries at that point.
“The VSA server is used to manage large fleets of computers, and is normally used by MSPs to manage all their clients,” explained researchers at TruSec, in a post on Sunday. “Without separation between client environments, this creates a dependency: If the VSA server is compromised, all client environments managed from this server can be compromised too.”
It added, “Additionally, if the VSA server is exposed to internet, any potential vulnerability could be leveraged over the internet to breach the server. This is what happened in this case. The threat actor, an affiliate of the REvil ransomware-as-a-service, identified and exploited a zero-day vulnerability in the VSA server. The vulnerability was exploited to introduce a malicious script to be sent to all computers managed by the server, therefore reaching all the end clients. The script delivered the REvil ransomware and encrypted the systems.”
Thus, while customers wait for patches, “All on-premises VSA servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,” Kaseya said. “A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture.”
Meanwhile, “we have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponized,” the firm added.
The company has also released a new version of a compromise detection tool for companies to analyze a system (either VSA server or managed endpoint) and determine whether any indicators of compromise (IoC), data encryption or the REvil ransom note are present.
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI also offered joint protection advice over the weekend for those not yet affected by the attacks.
Kaseya also took the software-as-a-service (SaaS) platform offline, significantly reducing the number of customers exposed to the internet and therefore to attacks. It was scheduled to be back online Tuesday (a staged comeback that would see functionality turned back on in waves), but Kaseya said that it ran into a problem with the update. It now plans to start restoring SaaS services no later than Sunday, and to release the on-prem patch in the same timeframe.
The company has published a runbook of the changes customers must make to their environment to prepare for the patch release; there’s also one for SaaS customers to get prepared.
Planned Enhanced Security Measures
According to Kaseya, the enhanced security measures that will be brought online with the SaaS update are:
- 24/7 independent SOC for every VSA with the ability to quarantine and isolate files and entire VSA servers.
- A complementary CDN with WAF for every VSA (including for on-premise users that opt in and wish to use it).
- Customers who whitelist IPs will be required to whitelist additional IPs.
This “greatly reduces the attack surface of Kaseya VSA overall,” the company said.
REvil Lowers Ransom for Universal Decryptor
REvil is offering a universal public decryption key that will remediate all impacted victims, it said. While the initial ransom price was $70 million, the gang has lowered its asking price to $50 million according to one researcher.
Absent a universal decryptor, some impacted companies are turning to individual negotiations with REvil, according to reports. For instance, researcher Marco A. De Felice described (in Italian) a set of observed chat logs, with various individual company ransoms being listed at $550,000 (and then lowered to $225,000), and in another case the ransom was less than $50,000.
Unfortunately, for those already infected by the REvil ransomware, the ability to remediate an attack will come down to case-by-case security postures, such as having offline backups of files in place.
“REvil uses the Salsa20 symmetric stream algorithm for encrypting the content of files and the keys for it with an elliptic curve asymmetric algorithm,” according to Kaspersky researchers. “Decryption of files affected by this malware is impossible without the cybercriminals’ keys due to the secure cryptographic scheme and implementation used in the malware.”
Zero Days, Not SolarWinds Part 2
The attack itself appears to be more akin to the Accellion attacks that cropped up all spring rather than the devastating SolarWinds supply-chain attack earlier this year.
The former had to do with zero-day vulnerabilities that were present in the Accellion legacy File Transfer Appliance product. Bad actors with connections to the FIN11 and the Clop ransomware gang hit multiple Accellion FTA customers in the financially motivated attacks, including the Jones Day Law Firm, Kroger and Singtel. All received extortion emails threatening to publish stolen data on the “CL0P^_- LEAKS” .onion website.
SolarWinds meanwhile was an attack that the U.S. attributed to the Russian government, which involved tampering with SolarWinds’ back-end systems in order to push a boobytrapped software update to unsuspecting customers containing a backdoor. Follow-on espionage attacks then were attempted targeting tech firms and several U.S. government agencies.
In the Kaseya case, adversaries exploited at least one zero-day security vulnerability to push ransomware to Kaseya’s customers.
“The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution,” the company noted in its technical incident analysis. “This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya’s VSA codebase has been maliciously modified.”
Kaseya knew about one bug (CVE-2021-30116) before the attacks started – it had been reported to the company by the Dutch Institute for Vulnerability Disclosure (DIVD).
“During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched,” according to a DIVD advisory. “They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”
Separately, researchers at Huntress Labs identified a zero-day used in the attack, though it’s unclear if it’s separate from CVE-2021-30116: “Huntress has confirmed that cybercriminals have exploited an arbitrary file upload and code injection vulnerability and have high confidence an authentication bypass was used to gain access into these servers,” it said.
TruSec meanwhile noted that “[while] not all details have been confirmed yet, but we can say with high confidence that the exploit involved multiple flaws: Authentication bypass; arbitrary file upload; code injection.”
According to Kaspersky, the exploit involves the attackers deploying a malicious dropper via a PowerShell script. That script disables Microsoft Defender features and then uses the certutil.exe utility to decode a malicious executable (agent.exe) that drops an older version of Microsoft Defender, along with the REvil ransomware packed into a malicious library. That library is then loaded by the legitimate MsMpEng.exe by utilizing the DLL side-loading technique, according to the firm.
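The chain Kaspersky describes leaves three observable traces on an endpoint: certutil.exe used as a decoder, a PowerShell command that turns off Defender features, and a second copy of MsMpEng.exe running from somewhere other than the Defender install directory. The following is an added example of detection logic over process-creation records; it is not Kaseya's compromise detection tool or Kaspersky's code. The log format, the sample lines, the staging directory, the `Set-MpPreference -Disable...` command form and the list of "expected" Defender directories are all constructed assumptions for this example, not indicators published by either vendor.

```python
"""Detection sketch for the post-exploitation chain described in the article.

Added example (not vendor code). Scans process-creation records for:
  1. certutil.exe invoked with -decode (payload decoding step),
  2. PowerShell turning Defender features off (assumed Set-MpPreference form),
  3. MsMpEng.exe running outside its normal install directory (side-loading step).
Log format (constructed for this example): timestamp|parent_image|image|command_line
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    timestamp: str
    parent_image: str
    image: str
    command_line: str

# Assumed normal locations of the real Defender service binary (lower-case, for comparison).
EXPECTED_MSMPENG_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Matches e.g. "Set-MpPreference -DisableRealtimeMonitoring $true" (assumed command form).
_DEFENDER_OFF = re.compile(r"set-mppreference\b.*?-disable\w+\s+\$?true", re.IGNORECASE)

def parse_line(line: str) -> ProcEvent:
    """Split one pipe-separated record into its four fields."""
    ts, parent, image, cmd = line.rstrip("\n").split("|", 3)
    return ProcEvent(ts, parent, image, cmd)

def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits: List[str] = []
    base = ntpath.basename(ev.image).lower()
    cmd = ev.command_line.lower()
    # Rule 1: certutil used as a base64 decoder; routine certificate work seldom needs -decode.
    if base == "certutil.exe" and "-decode" in cmd:
        hits.append("certutil_decode")
    # Rule 2: PowerShell disabling a Defender feature.
    if base in ("powershell.exe", "pwsh.exe") and _DEFENDER_OFF.search(ev.command_line):
        hits.append("defender_tamper")
    # Rule 3: the Defender engine started from an unexpected directory, which is what a
    # dropped copy used to side-load a malicious DLL looks like in process telemetry.
    if base == "msmpeng.exe":
        directory = ntpath.dirname(ev.image).lower()
        if not any(directory.startswith(d) for d in EXPECTED_MSMPENG_DIRS):
            hits.append("msmpeng_unexpected_path")
    return hits

def scan(lines) -> Dict[str, List[str]]:
    """Map each matched rule name to the timestamps of the events that triggered it."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        for rule in classify(ev):
            findings.setdefault(rule, []).append(ev.timestamp)
    return findings

# Constructed sample telemetry: three suspicious events followed by two benign ones.
SAMPLE_LOG = r"""2021-07-02T14:03:11Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
2021-07-02T14:03:12Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil.exe -decode C:\Temp\staging\payload.b64 C:\Temp\staging\agent.exe
2021-07-02T14:03:15Z|C:\Temp\staging\agent.exe|C:\Temp\staging\MsMpEng.exe|C:\Temp\staging\MsMpEng.exe
2021-07-02T14:05:00Z|C:\Windows\System32\services.exe|C:\Program Files\Windows Defender\MsMpEng.exe|"C:\Program Files\Windows Defender\MsMpEng.exe"
2021-07-02T14:06:30Z|C:\Windows\explorer.exe|C:\Windows\System32\certutil.exe|certutil.exe -verify cert.cer""".splitlines()

if __name__ == "__main__":
    for rule, when in scan(SAMPLE_LOG).items():
        print(f"{rule}: {', '.join(when)}")
```

The rules are deliberately narrow: each one fires on a single behaviour the article names, so a match on all three within a short window is a much stronger signal than any one alone. Real-world tuning would need the actual Defender install paths of the fleet and the exact PowerShell forms seen in the environment.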
Other technical details on the bug and attack chain are scant, for now.
Kaseya is due to post another update Tuesday morning, and Threatpost will update this post accordingly.
Update 3: This post was updated at 3 p.m. ET on July 8 to reflect a revised patch timeline and runbook information.
Update 2: This post was updated at 2:15 p.m. ET on July 7 to reflect a revised patch timeline and expected debut of a runbook for preparing for the patch.
Update 1: This post was updated at 10:30 a.m. ET on July 7 to include a revised patch timeline and planned enhanced security measures.