Kaseya VSA supply-chain ransomware attack hit hundreds of companies

Pierluigi Paganini July 03, 2021

A supply attack by REvil ransomware operators against Kaseya VSA impacted multiple managed service providers (MSPs) and their clients.

A new supply chain attack made the headlines, this afternoon, the REvil ransomware gang hit the cloud-based MSP platform impacting MSPs and their customers.

Kaseya has 40,000 customers, not all use the VSA tool which is used by MSPs to perform patch management and client monitoring for their customers.

The REvil ransomware operators initially compromised the Kaseya VSA’s infrastructure, then pushed out malicious updates for VSA on-premise servers to deploy ransomware on enterprise networks.

The investigation is still ongoing, according to security firm Huntress Labs at least 200 organizations have been impacted, making this incident, one of the largest ransomware attack in history.

At the time of this writing, at least 20 MSPs have been compromised as part of this supply-chain attack, but experts believe that the attack might have impacted thousands of companies across the world.

The time of the attack could make the investigation more complex, threat actors launched the attack on Friday ahead of the July 4th holiday.

The company shut down their SaaS infrastructure and is investigating the incident with the help of the FBI and other security firms.

“Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack.   Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.” states a noticed published by Keseya.

“We are in the process of investigating the root cause of the incident with an abundance
of caution but we recommend that you IMMEDIATELY shutdown your VSA server until
you receive further notice from us
. It’s critical that you do this immediately because one of the first things the attacker does is shutoff administrative access to the VSA.

A specific Reddit page was set up to provide news about the attack and share updates on the investigation.

Researchers from Sophos published a security advisory for their customers running Kaseya,  telling them what should they look for. 

Mark Loman, a Sophos malware analyst, who is investigating the incident explained that the REvil ransomware operator disables antivirus software to deploy a fake Windows Defender app that runs ransomware binary.

Loman added that owners of endpoints infected in this campaign received an initial ransom demand of 44,999 USD.

John Hammond, the cybersecurity researcher at Huntress Labs, told BleepingComputer that Kaseya VSA will drop an agent.crt file to the c:\kworking folder, which is being distributed as an update called ‘Kaseya VSA Agent Hot-fix.’ Then a PowerShell command is launched to decode the certificate file using the legitimate Windows certutil.exe command and extract an agent.exe file to the same folder.

The agent.exe is digitally signed using a certificate issued for “PB03 TRANSPORT LTD” and includes the REvil encryptor. 

Kaseya VSA claims to have identified the source of the vulnerability and is working to release security updates to secure on-premises installs.

“We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly. We will release that patch as quickly as possible to get our customers back up and running.” continues the Kaseya’s notice.

US CISA also published a security advisory on Kaseya supply chain ransomware attack.

“CISA is taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software. CISA encourages organizations to review the Kaseya advisory and immediately follow their guidance to shutdown VSA servers.” states CISA.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment