The Revil Ransomware - “Kaseya”
The I.T. firm "Kaseya," dated July 2, 2021, has been attacked by a supply chain attack conducted by a Russian hacker group REVIL. The Kaseya "VSA" I.T. management software commonly used by managed service providers who work I.T. Services at many companies was compromised by these attackers, shipping ransomware to all the endpoint companies. The Russian-based group REVIL has so far reportedly hacked eight managed service providers; in turn, these 8 MSP's managed 100's of other companies, and as a consequence, the ransomware has been shipped out to all the companies affected by this onslaught.
According to Sophos Malware Analyst Mark Loman, the industry-wide supply-chain attack leverages Kaseya VSA to deploy a variant of the REvil ransomware into a victim's environment. The malicious binary side-loaded via a fake Windows Defender app to encrypt files in return for a ransom demand of $5 million. The attack chain also involves attempts to disable Microsoft Defender Real-Time Monitoring via PowerShell, Loman added. The trojan software is being distributed in the form of a "Kaseya VSA Agent Hot-fix," Huntress Labs said in a Reddit post detailing the workings of the breach.
The attack occurred on Friday, right before the 4th of July holiday weekend, and the criminals behind the attack claim it infected 1 million systems tied to Kaseya services and are demanding $70 million in bitcoin in exchange for a decryption key. Federal authorities put the number of affected companies in the thousands. The attack is massive and considered the single most prominent global ransomware attack on record. The industries affected are financial services, travel and leisure, and public-sector computer systems located across 17 countries.
Swedish grocer Coop reported that it was forced to close 800 of its stores for more than two days because the attack impacted its cash register software supplier. The Dutch Institute for Vulnerability Disclosure (DIVD) on Sunday revealed it had alerted Kaseya to several zero-day vulnerabilities in its VSA software (CVE-2021-30116) that it said were being exploited as a conduit to deploy ransomware. Kaseya, which has enlisted the help of FireEye to help with its investigation into the incident, said it intends to "bring our SaaS data centers back online on a one-by-one basis starting with our E.U., U.K., and Asia-Pacific data centers followed by our North American data centers." On-premises VSA servers will require installing a patch before a restart, the company noted, adding it's in the process of readying the fix for release on July 5.
“Based on # ESET's telemetry, they have identified victims in the U.K., South Africa, Canada, Germany, USA, Colombia, Sweden, Kenya, Argentina, Mexico, the Netherlands, Indonesia, Japan, Mauritius, New Zealand, Spain, and Turkey, so far.”
Questions that need to be addressed in regards to the Kaseya incident:
How did REvil learn of the VSA exploit?
Did they have access to Kaseya's vulnerability disclosure systems?
Were they provided the exploit by a 3rd-party?
Was that 3rd-party an R.U. intelligence agency or exploit broker?
Was the timing of the attack on the July 4 weekend a decision made for political reasons, or was it REvil's typical modus operandi to hit over big western holiday breaks (which they have done many times before)
Why are they asking for payment for a universal decrypter?
Did they realize that negotiating ransoms with thousands of companies at the same time is not worth the effort?
Will that universal decrypter even works, or are companies going to encounter bugs with large files?
Will Kaseya even consider paying?
Why would REvil pull such a brazen attack right after the Colonial and JBS attacks and the political mess/fallouts from those incidents?
Wouldn't this attack confirm that REvil had some sort of approval from an R.U. agency before doing something this destructive?
Mitigation recommendations posted by CISA include:
Download the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any compromise (IoC) indicators are present.
Enable and enforce multi-factor authentication (MFA) on every single account under the control of the organization and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
Implement allow-listing to limit communication with remote monitoring and management (RMM) capabilities to known I.P. address pairs.
Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
References:
Most of the above points have been referenced from the articles below.
