Ransomware in Kaseya Systems – What do we know about the attacks?
Once again, a major ransomware attack is shutting down many businesses and even public life in some places. The attack on the previously relatively unknown Kaseya in some cases resembles prominent hacks from earlier this year, such as on SolarWinds, but a closer look reveals a new step in the evolution of ransomware that is of great concern.
Kasey who?
The attack in question is the one on Kaseya, a relatively unknown company that suddenly gets more attention than it might want. This already starts the parallel with SolarWinds. That company was hit with a similar problem earlier this year; the company was hacked and its customers were then hit with malware through its supply chain. A second parallel is that you probably hadn’t heard of Kaseya until now and that both companies make software that can look deep into networks. The difference between the attacks is that SolarWinds was hit by spy malware and that ransomware is distributed via Kaseya.
Kaseya makes software for managed service providers or MSPs. These are companies that in turn do the ICT management for small organisations. As a practical example: imagine a small company that does something in marketing or sales and where 25 people work on laptops with Windows. Those laptops need to be centrally managed, but for such a small business, hiring a system administrator isn’t worth it in many cases. In such a case, the companies outsource their IT management to contractors: managed service providers.
Those contractors in turn use tools for this that they purchase from other manufacturers. Kaseya is one such manufacturer. In particular, the US-based company provides two major management packages: Kaseya BMS for Small Businesses and Kaseya VSA. That last package went wrong.
Kaseya VSA, or Virtual Systems Administrator, is a remote software management tool that can be used, for example, to apply patches, add users, or create backups. It is a powerful tool that has deep rights in the systems of end customers. This makes it a perfect tool to attack computers using the software. That’s exactly what happened; hackers managed to infect companies with malware via Kaseya VSA.
Supply Chain Attacks
Because Kaseya VSA is used by many of the company’s customers, security researchers speak of a supply chain attack. That is an infection in which one company is affected and then affects users of that software. The situation is therefore somewhat similar to that of SolarWinds, the company that was hit earlier this year. That was also an interesting victim for malicious hackers, because that software also had many rights with companies.
The term “supply chain attack” has no fixed definition. There are now also several security experts who believe that this attack is much more than a supply chain attack. They talk about, for example, ‘a managed services chain attack’ , but give the beast a name. The term supply chain attack is commonly used for an attack that involves penetrating a difficult-to-hack company or multiple companies by hitting a smaller supplier. That is easier for the attackers or several customers are hit at once. Such was the case, for example, with NotPetya, the infamous Russian rendering ransomware that targeted Ukrainian industry by infecting a small accounting firm with many customers in that country .
Now, however, it seems to be about something more than that. The attack on Kaseya does target the supply chain, but then two layers deep instead of just one. Not only direct customers of Kaseya are affected, but also customers of those customers. This created a domino effect that has never been seen before.
Kaseya has also been the victim of a supply chain attack before. That happened in 2019 when the infamous GandCrab ransomware hit through the msp . Even then, there were warnings about the rise of supply chain attacks via MSPs, but the damage was very limited and not as extensive as it is now.
How did the attackers get into Kaseya?
Many things are still unknown about the attack itself. The biggest question mark is exactly how the hackers got into Kaseya itself. This is most likely due to a software leak. A striking aspect is that the leak that was used was already known to the company. This was discovered by the security researcher. These researchers are specialized in detecting vulnerabilities in software, often administrative software such as VPNs and firewalls, and therefore also MSP software such as Kaseya VSA.
It discovered the vulnerability in Kaseya VSA some time ago. In fact, a CVE code was already reserved for it, CVE-2021-30116, but details about the nature of the vulnerability are not yet available there. The ethical hackers reported the vulnerability to Kaseya, saying the company was “very cooperative” in handling the responsible disclosure. Kaseya already appeared to be in an advanced state of releasing a patch for the vulnerability.
One or two zero days
The timing is remarkable, to say the least. It is, of course, very coincidental that the attackers used the same, unknown vulnerability as security researchers discovered. In general, it is quite rare that ransomware makers use zero-days or vulnerabilities that are not yet known to anyone and for which there is no patch yet. It is true that gangs can easily buy such leaks because they often have millions in cash, but in practice they do so very little. It is often enough to exploit a vulnerability for which patches are available, but which a company has simply not yet implemented.
About the attack itself
At the moment, little information is coming in about the course of the attack, although many details are still unknown. Kaseya has revealed a little more about it since Monday evening. “The attackers exploited a zero-day in our VSA software to bypass authentication and execute commands. This allowed them to use our standard product features to deploy ransomware to endpoints. There is no evidence that the Kaseya VSA codebase is infected.”
There are also outside companies looking at what happened. One of these is the security company, Huntress. This is specialized in MSP security. Among other things, the company looked at how the attackers entered and saw that all infected servers showed the same pattern.
That pattern is that three files are retrieved via cURL that exploits ‘a significant number of potential SQL injection vulnerabilities. “Following this line,” the company writes, “we can say with great certainty that the attackers were able to bypass authentication in the Kaseya VSA web interface during an authenticated session, after which they downloaded the original payload and sent it through a sql -injection commands. We can confirm that a sql injection is the way the perpetrators carry out their attacks.” Kaseya has not yet confirmed that, and no other security researchers have come to the same conclusion. For now, that remains a bit vague.
Not much is clear about what happens next, and certainly not from the first source. However, some details are known here and there. This seems to give the impression that the attack is not very advanced. Security firm Sophos has written an initial tentative analysis of what it has seen from customers. One thing in particular stands out: Kaseya did not protect systems against itself. The VSA software closed certain folders containing Kaseya files to antivirus and firewall software on the system. In other words, Sophos says, “Everything run by the Kaseya Agent Monitor was ignored because of those exclusions.” As a result, an infected Kaseya download could hit systems relatively easily.
That download file first runs a PowerShell command that disables Microsoft Defender. Then a command is executed that creates a file called certutil.exe. That is a file that allows files to be downloaded directly from the Internet. That is then used to download the payload into the folder where the rest of Kaseya’s software resides. This includes an infected dll. It does about the same as previous REvil attacks, Sophos says. It first makes the device visible to other Windows machines on the network via the netshcommand and then starts encrypting files.
The ransomware has two aspects that stand out, Sophos says. First of all, Volume Shadow Copies are not deleted. Most ransomware never did that until a few years ago, but now vss files are deleted by default. This does not happen with the Kaseya attack, which some experts say may mean that it may be possible to restore a backup more easily.
No data theft
It is also striking that no data appears to have been stolen during the attack. This has been the standard modus operandi of ransomware gangs for a year or two. These not only encrypt systems but also threaten to disclose stolen data if victims do not pay. This additional threat increases the willingness to pay.
The details of the hack are still vague at this point. More information about how the malware works is likely to be revealed in the coming weeks. Kaseya has now made a detection tool available. This works on the basis of Huntress’s findings and scans for indicators of compromise that that company has identified, and therefore not on the basis of data from Kaseya itself.
Scope of the attack
Kaseya is used by many companies, but the exact scope of the attack is difficult to analyze. In an update, Kaseya even dares to speak of ‘a very small number’ of victims. On a support page, it even speaks of ‘less than forty worldwide’. That would be due to the company’s ‘fast team action’. Now Kaseya obviously benefits from keeping the number of victims as low as possible. Similarly, REvil wants us to believe that it has made a lot of victims; the criminals speak of a million infected systems. Later, Kaseya CEO Fred Voccola told the AP news agency that he expects there to be 800 to 1,500 victims.
The size is difficult to measure because it concerns a supply chain attack. Kaseya’s “low count” is meaningless because it refers only to the company’s own customers, not the potential thousands of companies that then become customers of the customers. The consequences of these infections are also difficult to map. The best-known example is that of the supermarket chain Coop, which had to close hundreds of supermarkets in Sweden . That was because the payment provider for the tills and self-scanning tills was affected. So Coop wasn’t even a direct customer of Kaseya himself. That’s one of the many ways in which supply chain issues trickle down to hundreds and possibly thousands of companies.
Estimates
Some security companies dare to make estimates. Huntress researchers estimate about a thousand infected companies, but those are only companies known to be victims. Hundreds of other victims may be announced in the coming weeks.
Who is behind the attack?
The attack has since been claimed by REvil, a well-known ransomware gang. That doesn’t say it all; REvil offers its ransomware as a ransomware-as-a-service. Criminals can rent the malware, including the command-and-control servers behind it, in exchange for a share of the proceeds. The makers of REvil ask about fifteen percent commission and earn a nice pocket money. It is not known who exactly is behind REvil, but most experts and authorities point to Russia. But because REvil uses a so-called RaaS model, it is not clear whether the original makers are also behind this attack.
Independence Day
The attack began last Friday, July 2. That was certainly no coincidence. On July 4, Americans celebrate their Independence Day and many employees take that Friday off for a nice long weekend. REvil struck when Security Operation Centers were running low and most system administrators were firing the barbecue early. That is a modus operandi that is not unique to ransomware spreaders.
Security researchers have been seeing that pattern for a few years now. In May last year, security company FireEye wrote that 76 percent of ransomware infections occurred in the evening or at night. Holidays are a popular time to strike. Criminals are getting better at finding the right moment to strike. This does not happen haphazardly on the basis of luck or logical thinking, but hard data. FireEye discovered ransomware attacks in which the criminals created a Group Policy Object via Active Directory, which caused the ransomware to strike specifically when users were logged out of the systems.
Then pay?
REvil demands a lot of ransom. The criminals want no less than 70 million dollars, converted 59 million euros, and paid in bitcoin. In the meantime, the criminals would have lowered their claim to 50 million dollars or 42 million euros. But the attackers are offering a pretty unique deal. Rather than extorting hundreds or thousands of companies one by one, the perpetrators have stated on their dark web blog to use only one general price to publish the decryptor for the ransomware. Companies can also contact REvil separately to discuss a price, but there are no known examples of this happening.
It is not often that ransomware developers sell the complete decryptor instead of individual keys. However, there have been more cases where ransomware propagators stopped their activities and offered the decryptor for free online. At this point, one can only speculate what the thinking behind it is. The criminals may not feel like having to negotiate separately with hundreds of different companies. Another possibility is that the attackers want to make ‘one last blow’ and then retire. Gangs stop more often, as GandCrab once did, although many forks often return.
Finally
The attack on Kaseya appears to be a turning point in the battle between businesses and ransomware criminals. Security experts have been warning for some time that ransomware is taking on terrifying proportions. The combination of the effectiveness of ransomware and the low probability of being caught makes gangs richer and more powerful, and with that money, they can carry out bigger and more violent attacks. Can an IT department with a budget of a few hundred thousand euros a year really compete against criminals who have millions to spend? Even if the Kaseya hack is REvil’s last major blow, the misery isn’t over. There are plenty of gangs willing to fill that gap.