REvil gang exploited a zero-day in the Kaseya supply chain attack

Pierluigi Paganini July 04, 2021

Kaseya was addressing the zero-day vulnerability that REvil ransomware gang exploited to breach on-premise Kaseya VSA servers.

A new supply chain attack made the headlines, on Friday the REvil ransomware gang hit the Kaseya cloud-based MSP platform impacting MSPs and their customers.

The REvil ransomware operators initially compromised the Kaseya VSA’s infrastructure, then pushed out malicious updates for VSA on-premise servers to deploy ransomware on enterprise networks.

The investigation is still ongoing, according to security firm Huntress Labs at least 1000 organizations have been impacted, making this incident, one of the largest ransomware attacks in history.

“We are tracking ~30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was used to encrypt well over 1,000 businesses and are working in collaboration with many of them. All of these VSA servers are on-premises and Huntress assesses with high confidence that cybercriminals exploited a vulnerability to gain access into these servers.” reported Huntress Labs.

At the time of this writing, at least 30 MSPs have been compromised as part of this supply-chain attack, but experts believe that the attack might have impacted thousands of companies across the world.

In the last update released by Kaseya, the company continues to strongly recommend on-premise Kaseya partners to keep their VSA installs offline until further notice.

Now new details about the attack are emerging, the Dutch Institute for Vulnerability Disclosure (DIVD) reported a zero-day vulnerability, tracked as CVE-2021-30116] and affecting Kaseya VSA servers, to the company.

Kaseya was validating the patch before they rolled it out to customers but REvil ransomware operators exploited the flaw in the massive supply chain ransomware attack.

“From our side, we would like to mention Kaseya has been very cooperative. Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing.” states an update provided by the Dutch Institute for Vulnerability Disclosure (DIVD). “Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

DIVD researchers confirmed that during the last 48 hours, the number of Kaseya VSA instances that were reachable from the internet has dropped from over 2.200 to less than 140 in their last scan today. The number of exposed installs in the Netherlands has dropped to zero.

Ciaran Martin
, former head of the NCSC, provided disconcerting info about the supply chain ransomware attack that disrupted 20% of Swedish food retail capacity, pharmacies, train ticket sales.

Extraordinary: ransomware attack on American company disrupts 20% of Swedish food retail capacity, pharmacies, train ticket sales & they’re not even direct customers

If you are interested in technical details about the attack let me suggest reading a post writer by the popular researcher Kevin Beaumont who pointed out that Kaseya is designed to allow administration of systems with high-level privileges.

“So ransomware can push itself to systems. The attackers pushed an management agent update, which is automatically installed on all managed systems — which means very wide impact.” states Beaumont. “Additionally, Kaseya recommend antivirus exclusions on some folders used during deployment of this malware”

Kaseya has released a detection tool that could be used to determine if your infrastructure has been compromised.

“The new Compromise Detection Tool was rolled out last night to almost 900 customers who requested the tool.” states the company.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, REVIL)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment