Threat Update
On July 2nd, 2021, Kaseya’s Remote Monitoring and Management Platform “Kaseya VSA” was exploited with signs of a sophisticated Supply Chain attack. Kaseya VSA is now actively being used by threat actors to distribute ransomware. Kaseya has taken down all cloud servers dedicated to VSA. It is recommended that any organizations with the Kaseya VSA on-prem solution disable those servers immediately.
Technical Detail & Additional Information
WHAT IS THE THREAT?
On 7/2/2021, the Kaseya VSA RMM platform was discovered to have been the victim of a suspected supply chain attack. Threat actors have exploited the software platform to spread malicious updates via the “Auto-Update” feature on on-premises instances of the software. Preliminary investigation of this malware shows that the malware attempts to disable Microsoft Defender via PowerShell commands, utilizes legitimate filenames and paths for the VSA platform, and is digitally signed by valid Microsoft certificates, making this threat difficult to detect for endpoint protection services.
The SKOUT Red Team has implemented automated mitigation action by global quarantine of the malicious IOCs associated with this Ransomware for partners and customers who utilize SKOUT Endpoint Protection. The team is performing threat hunts across all partners and customers. The team has also implemented custom monitoring rules to detect and alert for the malicious hash values in real time across all SKOUT partners and customers.
WHY IS IT NOTEWORTHY?
This attack is substantial as it exhibits signs of sophisticated supply chain exploitation and is configured to auto deploy as an update to the VSA platform. The embedded malware also takes steps to effectively evade detection from signature-based endpoint protection services. Kaseya VSA is a widely used RMM tool, making the potential attack surface significant.
WHAT IS THE EXPOSURE OR RISK?
Early indications point to the widely known threat group REvil being behind this attack. REvil ransomware is notorious for being highly effective and causing major interruptions for its victims. Ransomware infections could lead to financial, infrastructure, data, and reputational damages.
WHAT ARE THE RECOMMENDATIONS?
Kaseya has shut down their cloud-services as an emergency mitigation effort, however, on-premises instances of the Kaseya VSA platform remain vulnerable. Please see the below recommendations to mitigate risk.
- Turn off any on-premises VSA appliances until a security patch is released from Kaseya.
- Block the port 5721/TCP which is used by VSA to communicate.
Updates will be provided as additional information becomes available.
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
- https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
If you have any questions, please contact our Security Operations Center.
