Anyone hoping for a quiet 2021 after a year of the COVID-19 pandemic had no idea what was coming their way. Instead, the year is turning out to be a year of attacks. There was the Sunburst attack, believed to be one of the most sophisticated and severe attacks ever seen in the wild, followed by the “Hafnium” (aka Microsoft Exchange server) attack, the Colonial Pipeline attack, and a global surge in ransomware incidents. All of this meant that security professionals hardly had a single day of respite. Unfortunately, over the July 4th weekend, yet another attack struck.
IT management software company Kaseya, whose cloud-based managed security services provider (MSSP) platform allows MSSPs to perform patch management and client monitoring for their customers, suffered a massive attack over the weekend in what appears to be a global supply chain attack affecting numerous organizations. Kaseya issued a security advisory on its site, warning all customers to immediately shut down their VSA servers to prevent the spread of the attack while the company investigated. At least 1,000 businesses are said to have been affected, with victims identified in at least 17 countries.
It would appear that the timing of the attack was no accident and that the Russian-speaking ransomware gang REvil, aka Sodinokibi, deliberately chose the 4th of July weekend to strike.
To breach on-premises Kaseya VSA servers, REvil used a zero-day vulnerability that was in the process of being fixed. The vulnerability had previously been disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure, and Kaseya was validating the patch before rolling it out to customers. However, the REvil ransomware gang was one step ahead of Kaseya and used the vulnerability to carry out its attack. The ransom demands ranged from US$45K to US$5 million.
With the attack on Kaseya VSA servers, REvil was targeting the MSSPs rather than their customers. However, given the nature of a supply chain attack, the victims are not limited to Kaseya’s direct customers (the MSSPs); the MSSPs’ own customers have been infected as well.
Threat actors who deploy ransomware continue to take advantage of national holidays in various countries. During a holiday period or over a weekend, companies often operate with a skeleton crew, with fewer staff keeping an eye out for incidents. This helps the threat actors in several ways:
1. It allows the ransomware to be fully deployed before anyone notices.
2. It induces more panic during response operations, especially if key players within the victim’s environment are unavailable to respond. This in turn could increase the chances of the ransom demand being paid.
The Forensics of the Attack
The actual attack started by using files already present on the operating system, such as PowerShell and CertUtil. The truly unusual part of this attack, however, was the use of an old version of Microsoft’s own antivirus to carry out the encryption. This allowed the encryption to stay hidden from most security products, which ignore Microsoft’s AV.
Kaseya VSA is cloud-based and allows MSSPs to perform patch management and client monitoring for their customers. The attackers used this fact to push a file out to that set of customers while disabling various Microsoft Defender security mechanisms, so that the malicious file could launch its encryption process.
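As an added detection example (not code from the original post, Kaseya, or Microsoft), the following script runs three heuristics over constructed process-creation events that mirror the chain described above: Defender settings being disabled from PowerShell, CertUtil used to decode a payload, and Microsoft's own AV engine binary starting from a location outside its normal install directories. The event format, host names, paths and the "expected Defender directories" list are assumptions for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    host: str
    image: str      # full path of the created process
    cmdline: str    # its command line

@dataclass
class Finding:
    host: str
    rule: str
    evidence: str

# Constructed sample events (not telemetry from the incident).
SAMPLE_EVENTS = [
    Event("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true"),
    Event("ws01", r"C:\Windows\System32\certutil.exe",
          r"certutil.exe -decode C:\Temp\stage.txt C:\Temp\stage.exe"),
    Event("ws01", r"C:\Temp\MsMpEng.exe", r"C:\Temp\MsMpEng.exe"),
    Event("ws02", r"C:\Windows\System32\certutil.exe",
          r"certutil.exe -verify C:\Temp\cert.cer"),   # benign certutil use
    Event("ws02", r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2105.5-0\MsMpEng.exe",
          r"MsMpEng.exe"),                               # legitimate engine start
]

# Assumed heuristics, not Kaseya's or Microsoft's own detections.
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\b.*?-Disable\w+", re.I)
CERTUTIL_DECODE = re.compile(r"\bcertutil(\.exe)?\b.*?-decode\b", re.I)
# Directories from which the Defender engine legitimately runs (assumed).
DEFENDER_DIRS = ("c:\\program files\\windows defender\\",
                 "c:\\programdata\\microsoft\\windows defender\\platform\\")

def analyze(events):
    """Return one Finding per event that matches a heuristic."""
    findings = []
    for e in events:
        if DEFENDER_TAMPER.search(e.cmdline):
            findings.append(Finding(e.host, "defender_tamper", e.cmdline))
        if CERTUTIL_DECODE.search(e.cmdline):
            findings.append(Finding(e.host, "certutil_decode", e.cmdline))
        img = e.image.lower()
        if img.endswith("\\msmpeng.exe") and not img.startswith(DEFENDER_DIRS):
            findings.append(Finding(e.host, "msmpeng_unusual_path", e.image))
    return findings

def hosts_with_chain(events):
    """Hosts on which all three stages of the chain were observed together."""
    by_host = {}
    for f in analyze(events):
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) == 3)
```

Any one rule on its own will fire on legitimate administration; the value is in correlating all three on the same host within a short window.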