Kaseya VSA Downed by REvil in Monumental Supply-Chain Attack
Posted on Jul 12, 2021 | By Surojoy Gupta
{Updated on October 28, 2021}: With the US government leading a global law enforcement effort to fight ransomware attacks, a hack-back operation on the REvil ransomware gang was successfully carried out by a government-backed operator on October 22, 2021.
During the operation, the ransomware’s Tor servers and public-shaming blog were seized. One interesting discovery in the wake of the hack-back was that threat hunters noticed the REvil gang had been using the Darkside ransomware encryption tool for their human-operated ransomware attacks. Competing ransomware groups responded to the takedown by moving their cryptocurrency reserves.
{Updated October 04, 2021}: On September 25, 2021, another voice over Internet Protocol (VoIP) provider, Bandwidth.com, was taken down by a DDoS attack similar to the one on VoIP.ms a few weeks earlier. The attackers identified themselves as ‘REvil’. However, it is still uncertain whether they are affiliates, an impersonator group, or the REvil gang themselves. The rising frequency of attacks by impersonator groups is a recent trend that we need to watch out for.
{Latest update: September 24, 2021}: After mysteriously coming back to life following a hiatus of almost two months, the REvil ransomware gang was back in full attack mode by mid-September. Initially, they went after two ITSPs in the UK, namely VoIP Unlimited and Voipfone, on August 31, 2021, before carrying out a full-blown DDoS attack on VoIP.ms with a ransom demand of 100 bitcoins (approximately $4.3 million).
CSW researchers noted that the REvil gang has developed new tactics and attack patterns ever since they came back to life, probably to account for the universal REvil decryption key that was revealed after the Kaseya attack in July 2021. An updated infographic is posted above.
{Updated: September 1, 2021}: Since July 26, 2021, news about three new zero-day vulnerabilities in Kaseya Unitrends Service, a backup and recovery add-on for Kaseya VSA, has been doing the rounds. While the vulnerability details are yet to be publicly disclosed, Kaseya has issued a patch to mitigate two of these vulnerabilities with its latest server software version 10.5.5-2. As a workaround for the third, client-side vulnerability, Unitrends has released firewall rules. Users are advised to act on these immediately to avoid becoming a victim of future attacks.
On 21 July 2021, Kaseya shared a universal decryptor key with all MSPs and their clients who were affected by the REvil ransomware attack. The decryptor key can restore all encrypted files for free.
On the night of July 2, 2021, as security teams logged off their servers in preparation for the Independence Day weekend, Kaseya’s web-based remote management platform, Kaseya VSA, was breached by the infamous REvil gang, resulting in the single largest ransomware supply-chain attack in the United States. In total, more than 1500 companies were impacted by the REvil ransomware attack across 17 countries, with 60 MSPs and 800+ companies in the United States alone. The Swedish supermarket giant Coop was the worst hit, having to close 800 of its stores worldwide.
The event happened when the REvil gang gained backend access and deployed a malicious update to the VSA servers running on client premises. Not only did that compromise the clients’ VSA servers and infect all connected workstations, it also effectively infected the networks of third-party companies that were served by the attacked servers.
The effect of the Kaseya attack continues to be felt as third-party dependencies see a swarm of ransomware attacks, not only from the REvil attack of 3 July but also from other ransomware gangs running Cobalt Strike phishing campaigns to exploit the vulnerabilities. There has been a spate of third-party attacks on municipalities such as Leonardtown and North Beach in Alabama and on utility sectors such as Wiregrass Electric Cooperative in the wake of the Kaseya VSA supply-chain shutdown. More recently, phishing emails containing malicious links or attachments posing as Kaseya security updates have been reported trying to enter recipients’ systems through the back door.
Could Kaseya have avoided the attacks?
Yes. On 8 July 2021, the Dutch Institute of Vulnerability Disclosure (DIVD) published a timeline of the attack which indicates that the vulnerabilities were reported to Kaseya as early as April 2021. Six of the seven vulnerabilities were found to affect both software-as-a-service and on-premise VSA servers.
In the attack on Kaseya VSA on 3 July 2021, the company was still patching one of three critical zero-day bugs, CVE-2021-30116, when the vulnerability was used to bypass authentication on the web panel. Immediately after, SQL commands were run on the VSA appliance and ransomware was deployed to all connected workstations. However, it is still uncertain how the REvil gang got their hands on the non-public information about the zero-day bug.
Most ransomware gangs like REvil are going after organizations whose supply chain, if affected, can cause widespread panic and chaos.
According to our research findings published in CSW’s Ransomware Spotlight 2021 report, the REvil ransomware gang, among other ransomware gangs, has targeted organizations with extensive supply chains in order to cause maximum damage.
More CVE Findings
In our previous blog, we observed how six vulnerabilities—CVE-2012-0507, CVE-2013-0074, CVE-2018-8453, CVE-2019-11510, CVE-2019-19781 and CVE-2019-2725—were associated with REvil in the attack that befell JBS on 30 May 2021.
During the more recent Kaseya VSA attack, the REvil ransomware group exploited a zero-day bug, now tagged as CVE-2021-30116, to conduct remote code execution that affected 140 publicly accessible VSA servers. Here is our analysis of the vulnerability:
CVE-2021-30116
- CVE-2021-30116 is a remote code execution vulnerability (CWE-20) in the Kaseya VSA system that is being actively exploited in the wild.
- The FBI and CISA have issued a joint alert urging organizations to use a Kaseya detection tool to find compromised systems and patch them on priority.
- Classified under CWE-20 (Improper Input Validation), this critical vulnerability has a severity rating of 9.8 in CVSS v3.1 scoring.
- A patch for CVE-2021-30116 was released by Kaseya on 11 July 2021.
There were six other vulnerabilities mentioned in the DIVD report that Kaseya had also been fixing since April 2021. Here are the details:
- CVE-2021-30117 is an SQL injection vulnerability that was patched on 8 May 2021. It had a CVSS v3 severity rating of 9.8.
- CVE-2021-30118 is a Remote Code Execution vulnerability that was patched on 10 April 2021. It had a CVSS v3 severity rating of 9.8.
- CVE-2021-30121 is a Local File Inclusion vulnerability that was patched on 8 May 2021. It had a CVSS v3 severity rating of 6.5.
- CVE-2021-30201 is an XML External Entity vulnerability that was patched on 8 May 2021. It had a CVSS v3 severity rating of 7.5.
- CVE-2021-30119 is a Cross Site Scripting vulnerability. It has a low severity rating of 5.4 on the CVSS v3 scale, a reminder of the risk that low-scoring vulnerabilities can still pose.
- CVE-2021-30120 is a 2FA bypass vulnerability. It has a CVSS v3 severity rating of 9.9.
- Patches for CVE-2021-30119 and CVE-2021-30120 were released on 11 July 2021.
Kaseya VSA Attack Methodology
The initial deployment of ransomware packets onto Kaseya VSA commenced on 2 July 2021. Here are some details of the server-side intrusion:
- The attackers bypassed authentication on the VSA server and used it to spread ransomware.
- Two digitally signed malicious files, agent.crt/agent.exe and screenshot.jpg, were uploaded to the server. When executed, screenshot.jpg removed IIS logs, disabled user sessions and carried out other clean-up activities.
- Once the ransomware had been injected into the on-premise client servers, the REvil gang executed a decryptor payload which disabled Windows Defender.
- With Windows Defender down, they were able to conduct remote code execution to gain control of the Kaseya VSA server.
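The server-side behaviours listed above (known file names dropped on the server, IIS logs deleted, Windows Defender stopped) are the kind of thing a defender can hunt for in endpoint telemetry. The following is an added example, not code from CSW, Kaseya or the DIVD report: a small detector that replays those three behaviours against a handful of constructed JSON-lines events and then reports hosts where more than one stage of the chain appears. The event schema, the `C:\inetpub\logs\LogFiles` path, the `WinDefend` service name and the sample events are all assumptions made for the example.

```python
"""Added example (not from the original post): flag the VSA intrusion
behaviours described in the post in constructed endpoint telemetry."""
import json
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# File names the post reports as dropped on the VSA server.
DROPPED_FILE_NAMES = {"agent.crt", "agent.exe", "screenshot.jpg"}

# Assumption: default IIS log directory on a Windows host.
IIS_LOG_DIR = PureWindowsPath(r"C:\inetpub\logs\LogFiles")

# Assumption: service name of Windows Defender Antivirus, compared case-insensitively.
DEFENDER_SERVICE = "windefend"

# Constructed sample events (JSON lines); the schema is an assumption.
SAMPLE_EVENTS = r"""
{"ts": "2021-07-02T14:21:03Z", "event": "file_write", "path": "C:\\Kaseya\\WebPages\\agent.crt", "host": "vsa01"}
{"ts": "2021-07-02T14:21:04Z", "event": "file_write", "path": "C:\\Kaseya\\WebPages\\screenshot.jpg", "host": "vsa01"}
{"ts": "2021-07-02T14:21:09Z", "event": "file_delete", "path": "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex210702.log", "host": "vsa01"}
{"ts": "2021-07-02T14:21:15Z", "event": "service_state", "service": "WinDefend", "state": "stopped", "host": "vsa01"}
{"ts": "2021-07-02T14:30:00Z", "event": "file_write", "path": "C:\\Users\\ops\\report.pdf", "host": "vsa02"}
{"ts": "2021-07-02T14:31:00Z", "event": "service_state", "service": "Spooler", "state": "stopped", "host": "vsa02"}
"""


def _is_under(path: PureWindowsPath, parent: PureWindowsPath) -> bool:
    """True if path lies inside parent (PureWindowsPath compares case-insensitively)."""
    try:
        path.relative_to(parent)
        return True
    except ValueError:
        return False


def classify(event: Dict) -> Optional[str]:
    """Map one event to a finding tag, or None if it matches nothing."""
    kind = event.get("event")
    if kind == "file_write":
        name = PureWindowsPath(event["path"]).name.lower()
        if name in DROPPED_FILE_NAMES:
            return f"dropped_file:{name}"
    elif kind == "file_delete":
        if _is_under(PureWindowsPath(event["path"]), IIS_LOG_DIR):
            return "iis_log_deleted"
    elif kind == "service_state":
        if (event.get("service", "").lower() == DEFENDER_SERVICE
                and event.get("state") == "stopped"):
            return "defender_stopped"
    return None


def scan(jsonl: str) -> List[Dict]:
    """Run classify() over every JSON line and collect the findings."""
    findings = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        tag = classify(event)
        if tag:
            findings.append({"ts": event["ts"], "host": event["host"], "finding": tag})
    return findings


def hosts_with_chain(findings: List[Dict], min_stages: int = 2) -> List[str]:
    """Hosts showing at least min_stages distinct stages. One dropped file can be
    benign; several stages of the described chain on one host is what matters."""
    stages: Dict[str, set] = {}
    for f in findings:
        stage = f["finding"].split(":")[0]
        stages.setdefault(f["host"], set()).add(stage)
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['host']} {f['finding']}")
    print("hosts with chained findings:", hosts_with_chain(found))
```

On the constructed input, `vsa01` produces four findings spanning three stages and is reported, while `vsa02` (an ordinary file write and an unrelated service stop) produces none. The chain threshold in `hosts_with_chain` is the important design choice: each rule on its own is noisy, but several stages of the described sequence on one host within a short window is worth an analyst's time.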
Kaseya MITRE ATT&CK Mapping
IoCs
Kaseya Exposure Analysis
Our exposure analysis using Shodan for the Kaseya CVE attributes indicates that there are no direct exposures for the affected CVEs. However, Shodan does list 2942 public-facing instances of Kaseya products that are currently in use around the world.
The way forward
CISA and FBI issued a joint advisory on 4 July 2021, encouraging MSPs to install a detection tool to analyze their systems to determine if they have been compromised.
Our research indicates a significant increase in the number of vulnerabilities exploited by or associated with ransomware attacks in the last few months.
With REvil going after critical sectors such as Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Airline, and Utility, all MSPs and vendors like Kaseya, as well as the organizations they serve, should adopt a risk-based approach to become resilient against further ransomware attacks.
CSW’s in-depth research helps organizations become more resilient against ransomware. We recommend that organizations get a Ransomware Assessment done to know their gaps, understand their exposure and become resilient to ransomware attacks in the future.
