Despite warnings about the dangers to software supply chains following the cyberespionage campaign that targeted SolarWinds and the company’s customers, organizations in the U.S. and around the world are dealing with the fallout of yet another attack that took advantage of security weaknesses in these IT ecosystems.
On July 2, just as the U.S. was set to celebrate the Independence Day holiday weekend, a ransomware gang named REvil allegedly targeted software firm Kaseya, which is based in Miami and provides technologies and applications to dozens of managed service providers.
In this case, the cybercriminals took advantage of vulnerabilities in the on-premises version of Kaseya’s Virtual System Administrator, also known as VSA. The application is used by MSPs to help manage the IT infrastructure of their clients.
By leveraging these bugs, the attackers pushed out a ransomware executable instead of legitimate files or updates to about 60 of Kaseya's MSP customers. This allowed the attackers to target about 1,500 of those organizations' clients, which included many small businesses and organizations, such as smaller U.S. municipalities, Swedish grocery chain Coop, and dozens of schools in New Zealand.
On Sunday, July 11, Kaseya pushed out the final set of patches for the vulnerabilities in the on-premises version of the VSA software. The SaaS version also has flaws, but it does not appear that the attackers took advantage of those, according to the company.
How the REvil gang, which is also known as Sodinokibi, reportedly took advantage of these multiple vulnerabilities in Kaseya’s VSA software is still under investigation by the company, the FBI and the U.S. Cybersecurity and Infrastructure Agency, which have all issued warnings about the supply chain attack. Since these ransomware intrusions are so widely distributed, some victims are trying to negotiate directly with the gang while others are exploring other means to recover.
“Managed service providers leverage Kaseya's software, making them an attractive target because extortionists can quickly increase potential targets,” Rick Holland, CISO and vice president of strategy at security firm Digital Shadows, told Dice.
“In addition, companies that leverage MSP are typically less mature and these small and medium-sized businesses usually have less-mature security programs,” Holland added. “These victims are a desirable target as they may not have the means to eliminate the adversary and re-establish their IT systems, forcing them to pay the ransom. Targeting an MSP that serves vulnerable SMBs is a fiendish extortion tactic.”
Supply Chain Security
While both the campaign against SolarWinds—which was uncovered by security firm FireEye in December 2020—and the attacks targeting Kaseya each focused on the company’s software supply chain, there are differences between the two incidents, said Oliver Tavakoli, CTO at security firm Vectra.
In Tavakoli’s view, the SolarWinds campaign was a classic example of a supply chain attack, with the hackers compromising the company’s network and then spending the time to plant a backdoor in a software update to the firm’s Orion network monitoring platform. That update was then sent to customers—ultimately affecting about 100 private firms and nine federal agencies.
While the Kaseya incident shares some similarities, Tavakoli believes that the REvil gang (or one of its affiliates) took a different, less complicated approach compared to the SolarWinds attacks.
“The Kaseya attack was clearly targeted at the MSP sector, but it was not a classic supply chain attack. Kaseya’s network was—as far as we know—not attacked. Instead, the attackers likely reversed Kaseya’s VSA software and found a couple of zero-day vulnerabilities and then proceeded to attack VSA servers which were deployed in the MSPs’ networks,” Tavakoli told Dice. “The hack allowed them to use those MSP-hosted VSA servers which—due to the nature of the VSA product design—were able to propagate software into each of the MSPs’ customers’ networks.”
While investigations into the latest large-scale ransomware event are ongoing, Tavakoli said there are some clear security takeaways from the incident, especially how some businesses are increasingly relying on third parties for both IT and cybersecurity support.
“Technology suppliers of IT infrastructure software—in this case, Kaseya—need to show incredible diligence in finding and patching vulnerabilities in their software and need to advise, and possibly enforce, best practices on how their software is deployed,” Tavakoli said. “And MSPs need to reduce their attack surface to the absolute minimum—reducing their internet-facing footprint—forcing necessary access to such servers through hardened bastion systems with multifactor authentication would be a great start.”
The incident involving Kaseya should also prompt IT and security departments to rethink security when it comes to third parties and MSPs as well as supply chains, said Dirk Schrader, global vice president for security research at New Net Technologies.
One of the prime priorities for organizations is to review how their MSPs and third-party suppliers should contact them about potential security problems and cyberthreats, and what mitigation plans are in place.
“What can be expected or even required by a customer is an early warning system.” Schrader said. “For one, the plan should require the MSP or the supply chain party to inform their customers earlier in the process. It should also be made mandatory for these parties to inform customers about any knowledge of vulnerabilities affecting them plus some mitigation advice—at least for remotely exploitable ones—even if no patch is available yet.”
On these occasions, Schrader said IT and security teams should look over their service-level agreements with third parties and ensure someone on the team has the skills to properly interpret and make sense of these agreements.
“Organizations should verify if there is a section in the SLA that talks about vulnerability disclosure, about how the MSP will inform them about any important security aspect affecting the customer,” Schrader told Dice. “It would be best if it included a clear description as to what is the process at the MSP—the process of handling vulnerabilities. And how they require their third-party vendors to report to them.”
Politics of Ransomware
Another dimension of this latest ransomware attack is the potential political fallout. REvil is suspected of operating within Russia, and President Joe Biden had previously spoken to Russian President Vladimir Putin about ransomware attacks that have targeted U.S. firms, such as the May attack against Colonial Pipeline, which appears tied to Russian cybercriminal organizations.
The Kaseya attack prompted a phone call between Biden and Putin on Friday, July 9, where Biden warned that the U.S. may take further action if these attacks don’t stop, although what those consequences might be remain vague.
“We’re not going to telegraph what those actions will be precisely. Some of them will be manifest and visible, some of them may not be. But we expect those to take place, you know, in the days and weeks ahead,” according to a senior White House official who spoke to reporters following the Biden call to Putin.