On July 2, threat actors launched a cyber attack against users of IT management software company Kaseya’s “VSA” remote monitoring and management application. The hackers compromised the VSA application and used it as a springboard to deploy REvil/Sodinokibi ransomware on some VSA users.
One security researcher has characterized the incident as a “colossal and devastating supply chain attack”. According to the Washington Post, “because of the vast number of companies potentially affected, the attack could prove to be one of the biggest in history,” as the majority of victims of the attack – now thought to number at least 50-60 – are managed security software providers (MSSPs) which now have unwittingly created potential exposure to all of their customers as well. The VSA software allows administrators to remotely manage systems, so once the MSSP is compromised, their customers are potentially at significant risk.
By July 4, victims in 17 countries had been identified, with more reports sure to appear after the weekend. One of the largest companies affected so far is Swedish supermarket chain Coop, which was forced to close over 500 of their 800 stores as a result of the attack. Illustrating the seriousness of the supply chain attack, Coop is not even a Kaseya customer: Coop uses IT service provider Visma Esscom – one of the early victims of the attack – for their point-of-sale and cash register services. Once Visma Esscom’s services went offline, their customers’ systems followed suit. As a Swedish-language news service explained: “The most critical consequence is that stores cannot charge their customers when the cash registers are infected.”
Political tensions are already rising in the wake of the attack. There is no early indication of state involvement in the incident, but U.S. President Joseph Biden – who discussed cybersecurity concerns with Russian President Vladimir Putin in their June 16 summit in Geneva – has reportedly ordered a probe to get more information on this major attack. President Biden has vowed that the United States will respond in the event of any further state-sponsored cyber attacks on U.S. interests, after the recent Colonial Pipeline and JBS incidents.
That said, the motive behind the attack does appear to be strictly financial. All indications suggest the notorious REvil/Sodinokibi ransomware gang – which was behind the ransomware attack on meatpacking giant JBS – is coordinating the Kaseya attack as well.
The ransoms have varied greatly depending on the size of the victim. According to a report by Reuters, MSSPs that have been breached are receiving demands in the millions of U.S. dollars. Meanwhile, smaller downstream victims have reportedly received much more modest threats, some as low as $44,999 (USD). But the ransom demands themselves may present risks. Kaseya’s update portal reports: “We have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links – they [may] be weaponized.”
As of July 4, a fix to the VSA software had not yet been released, but Kaseya had rolled out a Compromise Detection Tool that is available to customers upon request. Kaseya’s President and CEO Fred Voccola says that Kaseya is 100% confident that they have identified the flaw and expect to have a patch available soon. Until then, Kaseya has been emphatic that customers should keep their VSA servers off until a patch is available: “We recommended that you IMMEDIATELY shut down your VSA server… It’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA,” according to an early blog post. “All On-Premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture.”
The shutdown message appears to be getting through to the global community. According to the Dutch Institute for Vulnerability Disclosure (DIVD), whose researchers first identified the vulnerability, the number of VSA instances visible on the Internet dropped from 2,200 at the time of the incident to fewer than 140 by July 4. This response – particularly over a holiday weekend in the United States – is a clear signal of the importance of threat intelligence sharing and communication.
An unfortunate footnote to this attack is that it came close to being prevented in the first place. DIVD’s CSIRT had actually identified the vulnerability and notified Kaseya days before the incident, and the software manufacturer had been in the process of validating a patch before the zero-day attack occurred on July 2.
“[Kaseya] showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch,” according to the DIVD CSIRT website.
Rest assured that ISA Cybersecurity does not use Kaseya VSA software internally, or for our managed/hosted services customers. For our customers who use the Kaseya VSA product independently, we strongly encourage you to follow the guidance on Kaseya’s advisory page, which is being updated at least once or twice daily as the situation develops.
News on this attack is evolving rapidly. ISA Cybersecurity will continue to monitor the investigation of the hacking incident, as well as any updates from Kaseya.
If you have further questions, or require assistance or guidance in assessing your exposure, please do not hesitate to contact ISA Cybersecurity to discuss any concerns. ISA Cybersecurity is here to help.