NOTE TO CLARIFY ON AN EARLIER COMMUNICATION:
SKOUT Cybersecurity’s product offerings do not use Kaseya in any way and are not impacted by this incident. If you have any questions, please contact the Security Operations Center.
Threat Update
Kaseya has publicly announced that it believes the attack is limited to a small group of its on-premises customers. It will not resume VSA service until a patch is released, and its software-as-a-service (SaaS) offering, which it preemptively disabled, will remain offline until further notice. Kaseya has also advised customers who receive communication from the attackers not to engage with any links, as they are most likely malicious.
Technical Detail & Additional Information
WHAT IS THE THREAT?
On July 2nd, 2021, Kaseya’s VSA products were exploited and used as a means to compromise Managed Service Providers (MSPs) and their clients. REvil, a notorious ransomware group, is likely behind this supply chain attack. Once a target’s network is accessed, the threat actors disable administrative access to the VSA remote monitoring solution, making it difficult to remove the ransomware. Currently, Kaseya’s VSA cloud servers are shut down, and Kaseya strongly recommends that all on-premises servers be disabled until further notice.
WHY IS IT NOTEWORTHY?
Kaseya has deployed its service to more than 36,000 customers, most of them reached by way of an MSP. The sophistication of this supply chain attack via a zero-day vulnerability is disturbing, as it stems from a compromised Kaseya auto-update. According to The Record, the on-premises VSA servers receive the auto-update via the internal scripting engine, and the ransomware is then deployed to all connected client systems.
WHAT IS THE EXPOSURE OR RISK?
The malware disables the host’s antivirus and then deploys a legitimate copy of Microsoft Defender that has been sideloaded with an infected dynamic link library (DLL). This makes host malware detection difficult, as Windows Defender is deemed safe. Once executed, the threat actors hold files for ransom for sums of $50,000 to $5 million. This can financially dismantle any organization.
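As an added illustration of the sideloading pattern described above (this is not code from SKOUT, Kaseya, or the incident itself), the following Python heuristic flags a signed executable that runs outside its normal install directory and loads an unsigned DLL from that same directory. The executable and DLL names, paths, and the image-load records are constructed for the example, not real telemetry.

```python
import ntpath
from dataclasses import dataclass

# Directories where a Microsoft-signed binary would normally live.
# (Assumed list for the example; extend to match your own baseline.)
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files\windows defender",
)


@dataclass
class ImageLoad:
    """One image-load record, e.g. as an EDR or Sysmon-style sensor reports it."""
    process_image: str    # full path of the running executable
    process_signed: bool  # executable carries a valid Microsoft signature
    loaded_image: str     # full path of the DLL being loaded
    dll_signed: bool      # DLL carries a valid signature


def is_sideload_suspect(ev: ImageLoad) -> bool:
    """Signed binary, outside its trusted directory, loading an unsigned DLL
    that sits next to it: the classic DLL-sideloading shape."""
    exe_dir = ntpath.dirname(ev.process_image.lower())
    dll_dir = ntpath.dirname(ev.loaded_image.lower())
    in_trusted = any(exe_dir.startswith(d) for d in TRUSTED_DIRS)
    return ev.process_signed and not ev.dll_signed and not in_trusted and dll_dir == exe_dir


def triage(events):
    """Return the DLL paths worth an analyst's attention."""
    return [e.loaded_image for e in events if is_sideload_suspect(e)]


# Constructed sample records (names are placeholders, not the real Defender files).
SAMPLE_EVENTS = [
    # Normal: signed AV engine in its install directory loading a signed DLL.
    ImageLoad(r"c:\program files\windows defender\av_engine.exe", True,
              r"c:\program files\windows defender\engine.dll", True),
    # Suspect: same signed engine copied to a user directory, loading an unsigned DLL beside it.
    ImageLoad(r"c:\users\public\av_engine.exe", True,
              r"c:\users\public\engine.dll", False),
    # Benign: the relocated engine loading a signed system DLL.
    ImageLoad(r"c:\users\public\av_engine.exe", True,
              r"c:\windows\system32\kernel32.dll", True),
    # Different problem: unsigned tool loading an unsigned DLL (not a sideload of a trusted binary).
    ImageLoad(r"c:\users\public\tool.exe", False,
              r"c:\users\public\tool.dll", False),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # prints ['c:\\users\\public\\engine.dll']
```

The heuristic depends on the sensor reporting signature state for both images; if your telemetry lacks it, the directory comparison alone still narrows the search to relocated copies of trusted binaries.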
WHAT ARE THE RECOMMENDATIONS?
As previously stated, Kaseya has taken steps to keep its customers as safe as it can. It has preemptively disabled all SaaS services and VSA-hosted servers and has terminated all cloud services until further notice; however, all on-premises VSA servers that remain enabled are at great risk of compromise. SKOUT recommends:
- Turn off any on-premises VSA appliances until a security patch is released from Kaseya.
- Block port 5721/TCP, which VSA uses to communicate.
- Do not engage any link that is received from the threat actor.
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2021/07/kaseya-revil-ransomware-attack.html
- https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021
- https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
- https://venturebeat.com/2021/07/03/supply-chain-attack-on-kaseya-infects-hundreds-of-victims-with-ransomware-what-we-know/
If you have any questions, please contact our Security Operations Center.