Download Ransomware Q2 Index Update

Kaseya VSA Downed by REvil in Monumental Supply-Chain Attack

Posted on 12th Jul, 2021 | By Surojoy Gupta

On 21 July 2021, Kaseya shared a universal decryptor key with all MSPs and their clients who were affected by the REvil ransomware attack. The decryptor key can restore all encrypted files for free.

On the night of July 2, 2021, as security teams logged off their servers preparing for the Independence Day weekend, Kaseya’s remote management web-based software platform, Kaseya VSA, was breached by the infamous REvil gang, resulting in the single largest ransomware supply-chain attack in the United States. In total, more than 1500 companies were impacted by the Revil ransomware attack across 17 countries, with 60 MSPs and 800+ companies in the United States alone. The Swedish supermarket giant, Coop was the worst hit, having to close 800 of their stores worldwide.   

The event happened when the REvil gang gained backend access and deployed a malicious update to the VSA servers running on the client premises. Not only did that compromise the client’s VSA servers and infect all connected workstations, but also effectively infected the networks of third-party companies that were using the attacked server.  
The effect of the Kaseya attack continues to be felt as third-party dependencies see a swarm of ransomware attacks, not just pertaining to the REvil attack on 3 July, but also other ransomware gangs conducting Cobalt Strike phishing campaigns to exploit the vulnerabilities. There has been a spate of third-party attacks on municipalities such as Leonardtown and North Beach in Alabama and utility sectors such as Wiregrass Electric Cooperative in the wake of the Kaseya VSA supply-chain shutdown. More recently, fake phishing campaign emails containing malicious links or attachments posing as Kaseya security updates have been reported trying to enter recipients’ systems through the backdoor.

 

Could Kaseya have avoided the attacks?

Yes. On 8 July 2021, the Dutch Institute of Vulnerability Disclosure (DIVD), published a timeline of the attack which indicates that the vulnerability was reported to Kaseya as early as April 2021. Six of the seven vulnerabilities were found to be affecting software-as-a-service and on-premise VSA servers. 

In the attack on Kaseya VSA on 3 July 2021, the company was patching one of three critical zero-day bugs, CVE-2021-30116, when the vulnerability was used to bypass authentication on the web panel. Immediately after, SQL commands were run on the VSA appliance and ransomware was deployed to all connected workstations. However, it is still uncertain how the REvil gang got their hands on the classified information on the zero-day bug. 

Most ransomware gangs like REvil are going after organizations whose supply chain, if affected, can cause widespread panic and chaos.

According to our research findings published in CSW’s Ransomware Spotlight 2021 report, the REvil ransomware gang, amongst other ransomware gangs, has targeted organizations with supply chains in order to cause maximum damage. 

More CVE Findings

In our previous blog, we observed how six vulnerabilities—CVE-2012-0507,  CVE-2013-0074, CVE-2018-8453, CVE-2019-11510, CVE-2019-19781 and CVE-2019-2725—were associated with REvil in the attack that befell JBS on 30 May 2021. 

During the more recent Kaseya VSA attack, the Revil ransomware group exploited a zero-day bug, now tagged as CVE-2021-30116, to conduct remote code execution that affected 140 publicly accessible VSA servers. Here is our analysis of the vulnerability:

CVE-2021-30116

  • CVE-2021-30116, is a remote code execution vulnerability (CWE-20) in the Kaseya VSA system that is being actively exploited in the wild. 

  • The FBI and CISA have issued a  joint alert urging organizations to use a Kaseya detection tool to find compromised systems for patching on priority. 

  • Classified under CWE-20 (Improper Input Validation), this critical vulnerability has a severity rating of 9.8 in CVSS v3.1 scoring.

  • A patch for CVE-2021-30116 was released by Kaseya on 11 July 2021.

CVEs used by REvil Ransomware

 

There were six other vulnerabilities mentioned in the DIVD report that Kaseya was also fixing since April 2021. Here are the details: 

  • CVE-2021-30117 is an SQL injection vulnerability that was patched on 8 May 2021. It had a CVSS v3 severity rating of 9.8.

  • CVE-2021-30118 is a Remote Code Execution vulnerability that was patched on 10 April 2021. It had a CVSS v3 severity rating of 9.8. 

  • CVE-2021-30121 is a Local File Inclusion vulnerability that was patched on 8 May 2021. It had a CVSS v3 severity rating of 6.5.

  • CVE-2021-30201 is an XML External Entity vulnerability that was patched on 8 May 2021. It had a CVSS v3 severity rating of 7.5.

  • CVE-2021-30119 is a Cross Site Scripting vulnerability. This vulnerability has a low severity rating of 5.4 on the CVSS v3 score, pointing to the risks low score vulnerabilities may pose.

  • CVE-2021-30120 is a 2FA bypass vulnerability. It has a CVSS v3 severity rating of 9.9.

  • Patches for CVE-2021-30119 and CVE-2021-30120 were released on 11 July 2021.

 

Kaseya VSA Attack Methodology

The initial deployment of ransomware packets onto the Kaseya VSA commenced on 2 July 2021. Here are some details of the server-side intrusion:

  • Attackers conduct authentication bypass to exploit the VSA server to spread ransomware.

  • Two digitally signed malicious files - agent.crt/agent.exe and screenshot.jpg - were uploaded onto the server. Screenshot.jpg, when clicked, removed IIS logs and disabled user sessions and other clean up activities.

  • Once the ransomware was injected into the on-premise client servers, the REvil gang executed a decryptor payload which disabled Windows Defender. 

  • With Windows Defender down, they were able to conduct remote code execution to gain control of the Kaseya VSA server. 

REvil Kaseya Attack Methodology


Kaseya MITRE ATT&CK Mapping

 

IoCs

MD5

agent.crt - 2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643

agent.exe - d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

mpsvc.dll - e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2

mpsvc.dll - 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd


Kaseya Exposure Analysis

 

Our exposure analysis using Shodan for the Kaseya CVE attributes indicate that there are no direct exposures for the affected CVEs. However, Shodan does mention 2942 public-facing instances of Kaseya products that are currently being used around the world.

 

The way forward

 

CISA and FBI issued a joint advisory on 4 July 2021, encouraging MSPs to install a detection tool to analyse their systems to determine if they have been compromised. 

Our research indicates a significant increase in the number of vulnerabilities exploited by or associated with ransomware attacks in the last few months. 

With Revil going after critical sectors such as Banking/Finance, Construction, Defense Industrial Base, Government Healthcare, High Technology, Legel, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Airline, and Utility, all MSPs like Kaseya as well as organizations should adopt a risk-based approach to become resilient against more ransomware attacks. 

CSW’s in-depth research helps organizations become more resilient against ransomware. We recommend organizations to get a Ransomware Assessment done to know the gaps, understand the exposure and become resilient to ransomware attacks in the future.

 

Test your defense to know how secure you are…