On July 21, 2021, Kaseya shared a universal decryptor key with all MSPs and their clients who were affected by the REvil ransomware attack. The decryptor key can restore all encrypted files for free.
On the night of July 02, 2021, as security teams logged off their servers preparing for the Independence Day weekend, Kaseya’s remote management web-based software platform Kaseya VSA was breached by the infamous REvil gang, resulting in the single largest ransomware supply chain attack in the United States. In total, more than 1,500 companies were impacted by the REvil ransomware attack across 17 countries, with 60 MSPs and 800+ companies in the United States alone. The Swedish supermarket giant Coop was the worst hit, having to close 800 stores worldwide.
The event happened when the REvil gang gained backend access and deployed a malicious update to the VSA servers running on the client premises. Not only did that compromise the client’s VSA servers and infect all connected workstations, but also it effectively infected the networks of third-party companies that were using the attacked server.
The effect of the Kaseya attack continues to be felt as third-party dependencies see a swarm of ransomware attacks, not just pertaining to the REvil attack on July 03 but also other ransomware gangs conducting Cobalt Strike phishing campaigns to exploit the vulnerabilities. There has been a spate of third-party attacks on municipalities such as Leonardtown and North Beach in Alabama and utility sectors such as Wiregrass Electric Cooperative in the wake of the Kaseya VSA supply chain shutdown. More recently, fake phishing campaign emails containing malicious links or attachments posing as Kaseya security updates have been reported trying to enter recipients’ systems through the backdoor.
Could Kaseya Have Avoided the Attacks?
Yes. On July 08, 2021, the Dutch Institute of Vulnerability Disclosure (DIVD) published a timeline of the attack, which indicates that the vulnerability was reported to Kaseya as early as April 2021. Six of the seven vulnerabilities were found to be affecting software-as-a-service and on-premise VSA servers.
In the attack on Kaseya VSA on July 03, 2021, the company was patching one of the three critical zero-day bugs, CVE-2021-30116, when the vulnerability was used to bypass authentication on the web panel. Immediately after, SQL commands were run on the VSA appliance, and ransomware was deployed to all connected workstations. However, it is still uncertain how the REvil gang got its hands on the classified information on the zero-day bug.
Most ransomware gangs like REvil are going after organizations whose supply chain, if affected, can cause widespread panic and chaos.
According to our research findings published in Securin’s Ransomware Spotlight 2021 report, the REvil ransomware gang, amongst other ransomware gangs, has targeted organizations with supply chains in order to cause the maximum damage.
More CVE Findings
In our previous blog, we observed how six vulnerabilities—CVE-2012-0507, CVE-2013-0074, CVE-2018-8453, CVE-2019-11510, CVE-2019-19781, and CVE-2019-2725—were associated with REvil in the attack that befell JBS on May 30, 2021.
During the more recent Kaseya VSA attack, the REvil ransomware group exploited a zero-day bug, now tagged as CVE-2021-30116, to conduct remote code execution that affected 140 publicly accessible VSA servers. Here is our analysis of the vulnerability:
CVE-2021-30116
-
CVE-2021-30116 is a remote code execution vulnerability (CWE-20) in the Kaseya VSA system that is being actively exploited in the wild.
-
The FBI and CISA have issued a joint alert urging organizations to use a Kaseya detection tool to find compromised systems for patching on priority.
-
Classified under CWE-20 (Improper Input Validation), this critical vulnerability has a severity rating of 9.8 in CVSS V3.1 scoring.
- A patch for CVE-2021-30116 was released by Kaseya on July 11, 2021.
There were six other vulnerabilities mentioned in the DIVD report that Kaseya has been fixing since April 2021. Here are the details:
-
CVE-2021-30117 is an SQL injection vulnerability that was patched on May 08, 2021. It had a CVSS V3 severity rating of 9.8.
-
CVE-2021-30118 is a Remote Code Execution vulnerability that was patched on April 10, 2021. It had a CVSS V3 severity rating of 9.8.
-
CVE-2021-30121 is a Local File Inclusion vulnerability that was patched on May 08, 2021. It had a CVSS V3 severity rating of 6.5.
-
CVE-2021-30201 is an XML External Entity vulnerability that was patched on May 08, 2021. It had a CVSS V3 severity rating of 7.5.
-
CVE-2021-30119 is a Cross-Site Scripting vulnerability. This vulnerability has a low severity rating of 5.4 on the CVSS V3 score, pointing to the risks low-score vulnerabilities may pose.
-
CVE-2021-30120 is a 2FA bypass vulnerability. It has a CVSS V3 severity rating of 9.9.
-
Patches for CVE-2021-30119 and CVE-2021-30120 were released on July 11, 2021.
Kaseya VSA Attack Methodology
The initial deployment of ransomware packets onto the Kaseya VSA commenced on July 02, 2021. Here are a few details of the server-side intrusion:
-
Attackers conducted authentication bypass to exploit the VSA server to spread ransomware.
-
Two digitally signed malicious files, agent.crt/agent.exe and screenshot.jpg, were uploaded onto the server. Screenshot.jpg, when clicked, removed IIS logs and disabled user sessions and other clean-up activities.
-
Once the ransomware was injected into the on-premise client servers, the REvil gang executed a decryptor payload that disabled Windows Defender.
-
With Windows Defender down, the gang was able to conduct remote code execution to gain control of the Kaseya VSA server.
Kaseya MITRE ATT&CK Mapping
| IoCs | |
|
Kaseya Exposure Analysis
Our exposure analysis using Shodan for the Kaseya CVE attributes indicates no direct exposures for the affected CVEs. However, Shodan mentions 2,942 public-facing instances of Kaseya products that are currently being used around the world.
The Way Forward
The FBI and CISA issued a joint advisory on July 04, 2021, encouraging MSPs to install a detection tool to analyze their systems to determine if they have been compromised.
Our research indicates a significant increase in the number of vulnerabilities exploited by or associated with ransomware attacks in the last few months.
With REvil going after critical sectors such as Banking and Finance, Construction, Defense Industrial Base, Government Healthcare, High Technology, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Airline, and Utility, all MSPs like Kaseya, as well as organizations, should adopt a risk-based approach to become resilient against more ransomware attacks.
Securin’s in-depth research helps organizations become more resilient against ransomware. We recommend organizations get a Ransomware Assessment done to know the gaps, understand the exposure, and become resilient to ransomware attacks in the future.
{Updated on September 01, 2021}: Since July 26, 2021, news about three new zero-day vulnerabilities in Kaseya Unitrends Service, a backup and recovery add-on for Kaseya VSA, has been doing the rounds. While the vulnerability details are yet to be publicly disclosed, Kaseya has issued a patch to mitigate two of these vulnerabilities with its latest server software version 10.5.5-2. As a workaround for the third client-side vulnerability, Unitrends has released firewall rules. Users are advised to act on these immediately to avoid becoming a victim of future attacks.
{Updated on September 24, 2021}: After mysteriously coming back to life following a hiatus of almost two months, the REvil ransomware gang was back in full attack mode by mid-September. Initially, it went after two ITSPs in the UK, primarily VoIP Unlimited and Voipfone, on August 31, 2021, before carrying out a full-blown DDoS attack on VoIP.ms with a ransom demand of 100 bitcoins (approximately $4.3 million).
{Updated on October 04, 2021}: On September 25, 2021, another Voice over Internet Protocol (VoIP) provider, Bandwidth.com, was taken down by a DDoS attack similar to VoIP.ms a few weeks back. The attackers identified themselves as “REvil.” However, it is still uncertain if they are affiliates, an impersonator group, or the original REvil gang. The frequency of attacks made by impersonator groups has been an interesting and recent trend that we need to watch out for.
{Updated on October 28, 2021}: With the US government leading a global law enforcement effort to fight ransomware attacks, a hack-back operation on the REvil ransomware gang was successfully carried out by a government-backed operator on October 22, 2021.
During the operation, the ransomware’s Tor servers and public-shaming blogs were seized. In the wake of the hack-back, threat hunters noticed that the REvil gang was using the Darkside ransomware encryption tool for its human-operated ransomware attacks. Competing ransomware groups responded to the takedown by moving their cryptocurrency reserves.
Securin’s researchers noted that the REvil gang had developed new tactics and attack patterns ever since it came back to life, probably to account for the universal REvil decryption key that was revealed after the Kaseya attack in July 2021. An updated infographic is posted below.
