Cybercriminals strike again.
This time a ransomware group, presumed to be REvil, set its sights on a trusted IT provider at the same time that many US companies were operating on skeleton crews just ahead of the Independence Day holiday.
Specifically, Kaseya, a provider of IT and security management software for managed service providers (MSPs) and small to medium-sized businesses (SMBs), suffered a ransomware attack delivered through its VSA remote monitoring and management product. According to an official release from Kaseya, on July 2, at approximately 2 p.m. EDT, Kaseya was alerted to a potential attack by internal and external sources. Kaseya shut down access to the software in question within an hour. The attack apparently had limited reach, impacting approximately 50 of Kaseya's roughly 35,000 customers.
“After making the rapid decision to shut down access to the software, an internal incident response team, partnering with leading industry experts in forensic investigations, sprang into action to determine the nature of the attack. Once an attack was established, law enforcement and government cybersecurity agencies, including the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA), were notified and immediately engaged. Soon after the attack, with the assistance from the FBI and CISA, the root cause of the attack was identified.”
In addition to being transparent about the attack, Kaseya continues to offer regular updates around the incident using its Twitter account.
SolarWinds similarities?
“Even though it seems like the Kaseya attack was not a yearlong dwelling of source code compromise, I still want to draw a direct comparison to the SolarWinds attack,” said Stel Valavanis of onShore Security. “Yes, it's a juicy target because Kaseya is used to centrally manage many networks. Then there are other similarities to the SolarWinds attack such as exploiting an update mechanism and utilizing ‘living off the land’ existing trusted software.”
But, as Valavanis explained, the software had to be trusted to be exploited. “This is true about the update mechanism, the executables, and Microsoft's defense tools too. Apparently, the attackers ran an old version of MS Defender to run payloads undetected. Then of course the Kaseya folders are tagged to not be scanned. This is the similarity with SolarWinds that I want to point out because we need to get past it,” he said.
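The two conditions Valavanis describes, a management agent's folders excluded from antivirus scanning and a Defender engine binary launched from an unexpected location, are both things a defender can check for. The following Python is an added example written for this page; it is not code from Kaseya, Microsoft, or anyone quoted in the article. It runs two checks over constructed records (the Defender install directories, the Kaseya install path and subfolder, and the process events are all assumptions made for the illustration, not details taken from the incident).

```python
"""Checks for (1) AV exclusions that blanket a remote-management agent's
install directory and (2) MsMpEng.exe (the Defender engine) executing from
outside its normal install locations.  All inputs below are constructed
sample data, not telemetry from the Kaseya incident."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: the Defender service binary normally lives under one of these.
DEFENDER_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)

# Directory-name fragments that identify a remote-management agent install
# (assumption: a default Kaseya install has "Kaseya" in its path).
AGENT_DIR_HINTS = ("kaseya",)

# Exclusions that effectively disable scanning for most of the system.
BROAD_EXCLUSIONS = {"c:", r"c:\windows", r"c:\program files", r"c:\program files (x86)"}


@dataclass(frozen=True)
class ProcessEvent:
    image: str      # full path of the executable that started
    parent: str     # full path of the parent process
    cmdline: str


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive 'path is prefix or lies beneath prefix' on Windows paths."""
    p = [s.lower() for s in PureWindowsPath(path).parts]
    q = [s.lower() for s in PureWindowsPath(prefix).parts]
    return len(p) >= len(q) and p[:len(q)] == q


def suspicious_exclusions(exclusion_paths):
    """Return (path, reason) for exclusions covering an agent directory or most of the disk."""
    findings = []
    for path in exclusion_paths:
        low = path.lower().rstrip("\\")
        if any(hint in low for hint in AGENT_DIR_HINTS):
            findings.append((path, "excludes a remote-management agent directory"))
        elif low in BROAD_EXCLUSIONS:
            findings.append((path, "overly broad exclusion"))
    return findings


def rogue_defender_binaries(events):
    """Return events where MsMpEng.exe ran from outside the known Defender directories."""
    return [
        ev for ev in events
        if PureWindowsPath(ev.image).name.lower() == "msmpeng.exe"
        and not any(_under(ev.image, d) for d in DEFENDER_DIRS)
    ]


def triage(exclusion_paths, events):
    """Combine both checks; a rogue engine binary sitting inside an excluded path is critical."""
    report = [("high", f"exclusion {p}: {why}") for p, why in suspicious_exclusions(exclusion_paths)]
    for ev in rogue_defender_binaries(events):
        inside = any(_under(ev.image, x) for x in exclusion_paths)
        report.append(("critical" if inside else "high",
                       f"MsMpEng.exe launched from {ev.image} (parent {ev.parent})"))
    return report


# Constructed sample data (assumed paths, not real configuration or telemetry).
SAMPLE_EXCLUSIONS = [
    r"C:\Program Files (x86)\Kaseya",
    r"C:\Program Files\Windows Defender",
    "C:\\",
]
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe",
                 r"C:\Windows\System32\services.exe", "MsMpEng.exe"),
    ProcessEvent(r"C:\Program Files (x86)\Kaseya\agent\MsMpEng.exe",
                 r"C:\Windows\System32\cmd.exe", "MsMpEng.exe"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_EXCLUSIONS, SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

On a live host the exclusion list would come from the Defender configuration (for example the output of `Get-MpPreference` in PowerShell) and the process events from EDR or Sysmon process-creation telemetry; the logic above is the same either way. The point of the combined check is that neither finding alone is conclusive, but an engine binary running from a directory the scanner has been told to ignore is exactly the pairing the quoted description warns about.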
To Valavanis, this attack is man versus machine. “Maybe it's too complicated to cooperate with anti-malware companies to permit zero-trust scanning. Where are all those lovely behavioral analytics tools we employ and how did they allow old versions of software to run? How is it that we allow many thousands of those customer server updates to go on automated, inserting malicious payloads,” he said. “Maybe we just can't yet see that no code can be trusted. Maybe the cathedral (paradigm of programming) has run its course. My point is that machines are dumb. They can be fooled. They can be manipulated. They can't be trusted. Humans will find ways to trick them and bash them around. I once heard ‘To err is human. To really screw things up requires a machine.’”
Tim Erlin of Tripwire commented in a statement that though the attack details are different, it’s nearly impossible to avoid comparisons between this incident and the Sunburst incident involving SolarWinds.
"As we inevitably do so, it’s more useful to ask how our collective response has improved based on the lessons we’ve learned. No one should be surprised when a successful attack methodology is repeated, but we should aim to make these types of supply chain attacks harder to execute and incrementally less successful," said Erlin. "Attackers are likely to continue with these types of supply chain attacks because they offer a multiplier when successful. A single successful attack can compromise thousands of targets. Supply chain attacks are high reward, but they’re also high risk."
Added Erlin, "It’s important to remember that ransomware needs to be discovered to be successful, so we should always look at a successful ransomware attack as a harbinger of what other, more stealthy attacks might be able to accomplish.”
Operating as a ransomware-as-a-service (RaaS) group, REvil relies on affiliates or partners to perform its attacks, explained Adam Enterkin, Chief Revenue Officer, Cybersecurity, BlackBerry, in a statement. "The REvil developers receive a percentage of all proceeds from ransom payments. Because the ransomware is distributed by different entities, the initial infection vector can vary; typically, this is either via phishing campaigns, brute force attacks to compromise RDP, or through software vulnerabilities," said Enterkin. "REvil has not yet been caught, and ransomware-as-a-service will only continue to grow."
However, according to Enterkin, organizations can avoid becoming victims by stopping malware at the exploitation stage through increasing resilience, reducing infrastructure complexity, and streamlining security management. "Endpoint detection and response (EDR) focused solutions often take action too late and cannot always stop breaches," said Enterkin. "Prevention is the best strategy; stopping attacks before they execute. This is entirely possible with next generation solutions that use AI to identify and block malware. Organizations must lead with a prevention-first approach using the fullest capabilities of AI.”
Appropriate action
"These are criminals we're dealing with and like all crime the solution is more than detection and protection. It requires policy, regulations, law enforcement, diplomacy, criminal ecosystem disruption, and reducing the benefit of the crime,” said Valavanis. “Kudos to Kaseya for having discovered the vulnerability prior to the attack and reporting quickly. Many targets were spared as a result and their disclosure and quick work should raise confidence, unlike SolarWinds, who seemed to be in denial for much of the time. We still need to change how we think about cybercrime and work together more than we have.”
As part of its response, Kaseya is actively engaged with various governmental agencies including the FBI, CISA, Department of Homeland Security and the White House. FireEye Mandiant IR, a leading computer incident response firm, is also working closely with Kaseya on the security incident.
“Our global teams are working around the clock to get our customers back up and running,” said Kaseya CEO Fred Voccola, in a statement. “We understand that every second they are shut down, it impacts their livelihood, which is why we’re working feverishly to get this resolved.”
Kaseya is hopeful that the collaborative effort to remediate the issue will also result in identifying the parties responsible and holding them accountable. “We are beyond grateful for their assistance getting our customers back online. The immediate action-oriented and solution-based approach of CISA and the FBI, with tremendous overall support from the White House, has proven to be a huge help in ensuring that this attack led only to a very small number of impacted customers. While each and every customer impacted is one too many, the impact of this highly sophisticated attack has proven to be, thankfully, greatly overstated,” said Voccola.