With 1,500 businesses impacted, the Kaseya hack prompts thinking on "do you know your vendor?"

(Left to right) Ben Carr, CISO, Qualys; Hitesh Sheth, CEO at Vectra AI; Kevin Reed, CISO at Acronis; Lior Div, CEO and Co-founder, Cybereason; Mark Loman, Director of Engineering, Sophos; Peter Grimmond, Head of Technology, International at Veritas Technologies; Ross McKerchar, Vice President and Chief Information Security Officer, Sophos; Raj Samani, McAfee fellow and Chief Scientist.

According to advisories posted on the Kaseya website, its VSA product has been the victim of a sophisticated cyberattack, localized to a number of on-premises customers. In an effort to be transparent with customers, Kaseya is sharing information concerning the ransomware attack in an Incident Overview and Technical Details document. The advisory states:

To date, we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found evidence that any of our SaaS customers were compromised. We have had no new reports filed of compromises for VSA customers since Saturday July 3rd.

VSA is the only Kaseya product affected by the attack and all other IT Complete modules are not impacted. The patch for on-premises customers has been developed and is currently going through the testing and validation process. We expect the patch to be available within 24 hours after our SaaS servers have been brought up. We will be releasing VSA with staged functionality to bring services back online sooner.

Kaseya met with the FBI and CISA tonight to discuss system and network hardening requirements prior to service restoration for both SaaS and on-premises customers. A set of requirements will be posted prior to service restart to give our customers time to put these countermeasures in place in anticipation of a return to service on July 6th.

All on-premises VSA servers should remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA, along with a set of recommendations on how to increase your security posture.


The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) continue to respond to the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers. CISA and FBI strongly urge affected MSPs and their customers to follow the guidance below.

CISA and FBI recommend affected MSPs:

  • Download the Kaseya VSA Detection Tool. This tool analyzes a system (either a VSA server or a managed endpoint) and determines whether any indicators of compromise (IoCs) are present.
  • Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and, to the maximum extent possible, enable and enforce MFA for customer-facing services.
  • Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
  • Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.

CISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices. These actions are especially important for MSP customers who do not currently have their RMM service running due to the Kaseya attack.

  • Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.
  • Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available.
  • Implement multi-factor authentication and the principle of least privilege on key network resources' admin accounts.



Ram Narayanan, Country Manager, Check Point Software Technologies Middle East.

This 4th of July weekend ransomware attack, apparently conducted by the Russian-speaking group REvil, represents a catastrophic combination of 2021's most notorious cyber-attack trends: supply chain attacks and ransomware. 2021 has already broken records for cyber-attacks, with an all-time high 93% increase in ransomware and over 97% in all cyber-attacks in EMEA in just 12 months. This Independence Day offensive has reached a record number of ransomware victims, with an unknown scope of attacks mostly in the US, and we saw some victims in Europe as well.

REvil is one of the most prominent ransomware families on the planet, responsible for dozens of major breaches since 2019, operating under a rule to avoid attacks in the CIS. They chose this weekend and this method for a reason. They looked for a back door to over a thousand companies: one target through which they infect numerous others in a pandemic-like chain, and they picked the weekend as they know that company IT staff go offline and that companies are often on a skeleton crew, where eyes are not watching.

This attack should sound an alarm for all companies. When you let your guard down, the attackers arrive. We should expect more attacks to strike during holidays and weekends, and with remote work becoming the new normal, today's hackers are more effective than ever.

This helps the threat actors in a few ways:

  • It allows the ransomware to be fully deployed before anyone notices
  • It induces more panic during response operations if key players within the victim's environment are unavailable to respond, possibly increasing the chances that a ransom demand will be paid.

Recommended actions:

  • If you are running Kaseya VSA, unplug it from the network RIGHT NOW, although it might be too late
  • Use EDR, NDR and other security monitoring tools to verify the legitimacy of any new files in the environment since 02 July
  • Check with security product vendors to verify protections are in place for REvil ransomware
  • If help is needed, call in a team of experts to help verify the situation within the environment
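The two detection steps above, the CISA/FBI item about running a tool that checks a VSA server or managed endpoint for indicators of compromise, and the advice to verify the legitimacy of any new files that appeared after 02 July, boil down to one sweep: walk the filesystem, keep only files modified after a cutoff, hash them, and report anything that matches a known-bad hash or is an executable that was not there before. The script below is an added example, not Kaseya's detection tool and not CISA/FBI code. The IoC hash, the sample files, the cutoff and the list of "executable" suffixes are all constructed for the demo; a real sweep would load the vendor-published hash list and run against every VSA server and managed endpoint.

```python
"""Sweep a directory tree for files changed since a cutoff and check them
against an indicator-of-compromise (IoC) SHA-256 list.

Added example (not Kaseya's or CISA's code). Everything under
build_demo_tree() is constructed test data.
"""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Iterable

# Assumption: a Windows VSA server / endpoint estate, so these are the
# suffixes worth flagging even without a hash match when they are new.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js"}


@dataclass(frozen=True)
class Finding:
    path: str
    sha256: str
    mtime_utc: str
    reason: str  # "ioc-hash-match" or "new-executable"


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Stream-hash a file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_new_files(root, cutoff: datetime, ioc_hashes: Iterable[str]) -> list:
    """Return Findings for files under `root` modified at or after `cutoff`.

    A file is reported if its SHA-256 is on the IoC list, or if it is an
    executable-type file that appeared after the cutoff and therefore needs
    a human (or EDR) to vouch for it.
    """
    iocs = {h.lower() for h in ioc_hashes}
    cutoff_ts = cutoff.timestamp()
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue  # unreadable or removed while we were walking
            if st.st_mtime < cutoff_ts:
                continue  # untouched since before the incident window
            digest = sha256_of(p)
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat()
            if digest in iocs:
                findings.append(Finding(str(p), digest, mtime, "ioc-hash-match"))
            elif p.suffix.lower() in EXECUTABLE_SUFFIXES:
                findings.append(Finding(str(p), digest, mtime, "new-executable"))
    return sorted(findings, key=lambda f: f.path)


def build_demo_tree(base) -> dict:
    """Constructed tree: one old benign file, one new executable, one new
    file whose hash we then put on the (constructed) IoC list."""
    base = Path(base)
    (base / "old").mkdir(parents=True, exist_ok=True)
    (base / "new").mkdir(parents=True, exist_ok=True)
    old = base / "old" / "readme.txt"
    old.write_bytes(b"unchanged since last year\n")
    (base / "new" / "helper.exe").write_bytes(b"MZ constructed fake PE header")
    new_ioc = base / "new" / "notes.txt"
    new_ioc.write_bytes(b"constructed payload bytes\n")
    # Backdate the benign file so it falls before any recent cutoff.
    old_ts = time.time() - 365 * 86400
    os.utime(old, (old_ts, old_ts))
    return {"ioc_sha256": sha256_of(new_ioc)}


def run_demo(base_dir=None) -> list:
    """Build the constructed tree and scan it with a cutoff one hour ago."""
    base = Path(base_dir) if base_dir else Path(tempfile.mkdtemp(prefix="ioc-sweep-"))
    info = build_demo_tree(base)
    cutoff = datetime.now(tz=timezone.utc) - timedelta(hours=1)
    return scan_new_files(base, cutoff, {info["ioc_sha256"]})


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.reason:16} {f.mtime_utc}  {f.sha256[:16]}...  {f.path}")
```

Two findings come back: the new `.exe` is reported as `new-executable` and `notes.txt` as `ioc-hash-match`, while the backdated `readme.txt` is skipped entirely. Run it against a real host with the vendor's hash list and a cutoff of 2021-07-02 (the page's own date) to get the list of files an analyst must still explain.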

Kevin Reed, CISO at Acronis.

As far as we are aware, REvil's systems involve a high degree of automation; humans are only involved if a victim wants to negotiate a price. So, they may not really need to scale to cover the long tail of $45,000 ransoms. The victim pays to a predefined Bitcoin wallet, they detect the payment and release the decryption key for the victim, with no human involved at this stage. I think the offer of a universal decryptor is a PR stunt. If they indeed encrypted one million systems, assuming 1,000 systems per victim, it's in the range of 1,000 victims, which correlates with some of the earlier findings reported.

With an average of $45,000 per victim, which was their standard fee in this case, that makes up $45 million. Yes, some victims were individually targeted and had higher ransoms, but I doubt the total target reached $70 million. Also, those individually targeted victims will be handled by humans anyway, and their numbers seem not large enough at this point to impose the REvil scale-out problem.

So, $70 million does not look like a discount for the mass decryption, nor is it cheaper in any way, so either they are being stupid, or they're just playing to see if this will work. Similar stunts worked for them in the past. They may not even expect to get the money and are just using this to occupy the news cycle longer. In their recent interview they said their way to scale is to attract more affiliates rather than to do the actual hacking, and riding the news wave certainly helps them with that.

While they will cash a significant sum, I doubt they'll be getting the $70 million from the insurers; that would take cooperation and flexibility I find unlikely on both sides.


Peter Grimmond, Head of Technology, International at Veritas Technologies.

The Kaseya VSA ransomware attack clearly demonstrates that, without the right data protection, everyone is at risk of ransomware. Recent high-profile ransomware incidents (Colonial Pipeline, JBS, HSE) could easily have given the impression that hackers have all become snipers, targeting individual high-value organisations that can't afford any kind of downtime. The Kaseya attack shows that, in reality, there's a huge amount of scattergun activity going on too.

The end-user companies caught in the crossfire of this attack are largely there by misfortune but this can be just as profitable for the hackers. Thousands of $45,000 payments quickly add up to huge hauls for the hackers and, if they can get victims to band together to make a single $70m payment, they’ll not only be pocketing a massive sum of money, they can also outsource the rollout of the decryption process to that collective.

Either way, Kaseya should serve as a warning to organisations of all sizes that no one can afford to be complacent; accident or coincidence can put anyone in the line of fire so everyone needs to make sure that their data is protected.


Ross McKerchar, Vice President and Chief Information Security Officer, Sophos.

This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen. At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what's being reported by any individual security company. Victims span a range of worldwide locations, with most in the United States, Germany and Canada, and others in Australia, the U.K. and other regions.


Mark Loman, Director of Engineering, Sophos.

Sophos is actively investigating the attack on Kaseya, which we see as a supply chain distribution attack. The adversaries are using MSPs as their distribution method to hit as many businesses as possible, regardless of size or industry type. This is a pattern we're starting to see as attackers are constantly changing their methods for maximum impact, whether for financial reward, stealing data, credentials and other proprietary information that they could later leverage, and more.

In other wide-scale attacks we've seen in the industry, such as WannaCry, the ransomware itself was the distributor; in this case, MSPs using a widely used IT management platform are the conduit.

Some successful ransomware attackers have raked in millions of dollars in ransom money, potentially allowing them to purchase highly valuable zero-day exploits. Certain exploits are usually only deemed attainable by nation-states. Where nation-states would sparingly use them for a specific isolated attack, in the hands of cybercriminals an exploit for a vulnerability in a global platform can disrupt many businesses at once and have an impact on our daily lives.

A day after the attack, it became more evident that an affiliate of the REvil Ransomware-as-a-Service leveraged a zero-day exploit that allowed it to distribute the ransomware via Kaseya's Virtual Systems Administrator software. Usually, this software offers a highly trusted communication channel that allows MSPs unlimited privileged access to help many businesses with their IT environments.

Based on Sophos threat intelligence, REvil has been active in recent weeks, including in the JBS attack, and is currently the dominant ransomware gang involved in Sophos' defensive managed threat response cases.

Lior Div, CEO and Co-founder, Cybereason.

The global Kaseya attack is a reminder that the public and private sector need to change the way cyber conflict is fought. The truth is that attackers still enjoy the advantage. The goal isn't to block and prevent all attacks (operations like Kaseya and SolarWinds demonstrate that's not always possible) but rather to quickly detect suspicious or malicious activity, and ensure you have the visibility, intelligence, and context to understand and remove the threat.

Cybereason and other modern security companies have the technologies, like EDR (Endpoint Detection & Response), that can end these ransomware attacks. I believe it is our job to disrupt these operations. Technology, coupled with public and private partnerships, is a step in the right direction to help in this fight against the REvil ransomware gang and others like them.

We need to shift focus from dealing with ransomware after the fact to disrupting the earliest stages of attacks through behavioral detections; this is the operation-centric approach to cybersecurity. We can't just focus on the ransomware attack, because by then it is too late. Look at the earlier stages of the attack, when criminals are inserting malicious code into the supply chain, for instance. The ransomware is the symptom of the larger disease we need to treat.

This newest attack will once again start the debate about whether it makes sense to rip and replace legacy computer networks used by public and private sector organizations. That simply isn’t going to fix the problem. We have spent trillions of dollars on cybersecurity over the past 20 years. And in many ways, we’re no safer today. We could spend another $250 billion or $250 trillion and it will only incrementally help. What matters is how the money is spent.

In the coming days we will learn the names of companies impacted by the Kaseya ransomware attack. We will also learn if companies are meeting the ransom demands of the REvil gang. In general, it doesn’t pay to pay ransoms. A recent Cybereason global research study found that 90 percent of UAE companies that paid a ransom were hit a second time.

Overall, paying ransoms only emboldens threat actors and drives up ransom demands. Still, whether or not to pay a ransom is an individual choice each company needs to make. Consult with your legal team, insurer and law enforcement agencies before making any decision. In those rare life-or-death situations, paying a ransom could very well be the right decision.


Ben Carr, CISO, Qualys.

MSPs are a high-value target. If an MSP manages a company's security, it's once removed from the company itself, which can mean the actual company is less aware of what is happening. And, as an MSP, you have a ton of data from multiple customers, much of it mission critical, so the ransom payment request is high ($5M), as it is in this case.

Supply chain attacks should be top of mind for all companies, including those using MSPs. It's essential to do due diligence on who is hosting and managing your data. While you can outsource the work, you can't outsource the risk; almost everyone is susceptible to supply chain attacks.

Still, companies need to make sure they have the proper protocols and robust third-party risk assessments in place ahead of these attacks so they can respond efficiently. This way, if there is an attack, you have options for redundancies ready to be put in place, and you can pivot to an alternative solution with minimum impact on your business.


Hitesh Sheth, CEO at Vectra AI.

The Kaseya attack extends a clear pattern we’ve been too slow to recognize. As in the SolarWinds incident, REvil infiltrated one service provider connected to a long list of targets. It’s an efficient way to inflict multiple clusters of damage in a single blow. Because SolarWinds was so successful, we should have seen a rerun coming.

I hope this attack prompts hard questions from customers of MSPs or SaaS vendors. When your business relies on a product like Kaseya VSA, you’re only as secure as your provider. When more businesses outsource critical functionality to the cloud, the Kaseya case suggests heightened risk.

How much do these businesses really understand about their vendors' security posture? Is there sufficient emphasis on rapid attack detection? The answers matter as much to customers as to the MSPs themselves, because in a security failure, it's the customers who field the ransom demands.


Craig Sanderson, VP of Product Management, Infoblox.

The Kaseya attack, which paralysed companies such as the supermarket chain Coop in Sweden, shows that anyone can be targeted. Instead of being blackmailed by cyber criminals, organizations need to proactively prepare defenses to mitigate against paying a painful ransom and reputation loss among customers and partners. To prevent such damage, companies should make their security strategies as proactive as possible and keep backups in case a system reset is needed. Because attackers commonly use DNS for communicating with malicious domains, DNS security can help block those communications while providing indispensable visibility into the activity of impacted machines, helping customers understand the scope of a breach for quick response.
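The point above has two halves: a resolver that knows a domain is malicious can refuse to answer for it, and the same query log that triggered the refusal tells you which internal hosts tried, and when, which is the scope of the breach. The script below is an added example, not Infoblox's product logic. The log format, the log lines and the blocklisted zone are all constructed for the demo (the domains are reserved example names, not real REvil infrastructure). It matches a queried name against a blocklist by zone suffix rather than by substring, so `notbad.example` is not caught by a listing for `bad.example`, and it builds a per-host first-seen/last-seen summary from the hits.

```python
"""Block-decision and breach-scoping logic over DNS resolver query logs.

Added example (not Infoblox code). SAMPLE_LOG, LOG_RE and BLOCKLIST are
constructed for the demo; a real deployment would read the resolver's own
log format and a vendor or internal threat-intel feed.
"""
import re
from dataclasses import dataclass, field

# Constructed log format: "<ISO-8601 UTC timestamp> <client_ip> <qtype> <qname>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)

SAMPLE_LOG = """\
2021-07-02T18:01:05Z 10.0.5.21 A updates.example.com
2021-07-02T18:02:11Z 10.0.5.21 A c2.bad.example
2021-07-02T18:02:12Z 10.0.5.21 A c2.bad.example.
2021-07-02T18:05:40Z 10.0.7.3 AAAA c2.bad.example
2021-07-02T18:06:02Z 10.0.7.3 A www.example.org
2021-07-02T18:09:55Z 10.0.9.14 A stage.bad.example
2021-07-02T18:10:00Z 10.0.9.14 TXT updates.example.com
2021-07-02T18:11:30Z 10.0.9.14 A notbad.example
malformed line that must be skipped, not crash the parser
"""

# Blocking a zone blocks it and every name beneath it.
BLOCKLIST = {"bad.example"}


def is_blocked(qname: str, blocklist) -> bool:
    """True if `qname` or any parent zone of it is on the blocklist.

    Suffix matching is done label by label, so 'notbad.example' does not
    match a listing for 'bad.example' the way a naive endswith() would.
    """
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


@dataclass
class HostScope:
    first_seen: str
    last_seen: str
    queries: int = 0
    domains: set = field(default_factory=set)


def scope_from_log(text: str, blocklist) -> dict:
    """Map client IP -> HostScope for every client that queried a blocked name.

    This is the 'visibility' half: the same decision that would have made the
    resolver return a block response also identifies the impacted machines.
    """
    hosts = {}
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # tolerate garbage lines; logs are never clean
        if not is_blocked(m["qname"], blocklist):
            continue
        h = hosts.get(m["client"])
        if h is None:
            h = hosts[m["client"]] = HostScope(first_seen=m["ts"], last_seen=m["ts"])
        # Fixed-width ISO-8601 UTC strings sort correctly as text.
        h.first_seen = min(h.first_seen, m["ts"])
        h.last_seen = max(h.last_seen, m["ts"])
        h.queries += 1
        h.domains.add(m["qname"].rstrip(".").lower())
    return hosts


if __name__ == "__main__":
    for ip, h in sorted(scope_from_log(SAMPLE_LOG, BLOCKLIST).items()):
        print(f"{ip:12} {h.queries} hits  {h.first_seen} .. {h.last_seen}  {sorted(h.domains)}")
```

On the constructed log this yields three impacted hosts, two of them talking to the same name, which is the list an incident responder isolates first; the benign queries and the `notbad.example` look-alike never appear.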



Raj Samani, McAfee fellow and Chief Scientist.

The McAfee Threats Report examines cybercriminal activity related to malware and the evolution of cyber threats in the first quarter of 2021. The quarter saw cyber adversaries shift from low-return, mass-spread ransomware campaigns toward fewer, customized Ransomware-as-a-Service (RaaS) campaigns targeting larger, more lucrative organizations. A proliferation in 64-bit CoinMiner applications drove the growth of cryptocurrency-generating coin mining malware by 117%. Additionally, a surge in the growth of new Mirai-based malware variants drove increases in malware targeting Internet of Things (55%) and Linux (38%) systems.

“Criminals will always evolve their techniques to combine whatever tools enable them to best maximize their monetary gains with the minimum of complication and risk,” said Raj Samani, McAfee fellow and chief scientist. “We first saw them use ransomware to extract small payments from millions of individual victims. Today, we see Ransomware as a Service supporting many players in these illicit schemes holding organizations hostage and extorting massive sums for the criminals.”

Each quarter, McAfee assesses the state of the cyber threat landscape based on in-depth research, investigative analysis, and threat data gathered by the McAfee Global Threat Intelligence cloud from over a billion sensors across multiple threat vectors around the world.

Ransomware

Ransomware declined by 50% in Q1 due in part to a shift by attackers from broad campaigns attacking many targets with the same samples to campaigns attacking fewer, larger targets with unique samples. Campaigns using one type of ransomware to infect and extort payments from many victims are notoriously “noisy” in that hundreds of thousands of systems will, in time, begin to recognize and block these attacks. By allowing attackers to launch unique attacks, RaaS affiliate networks are allowing adversaries to minimize the risk of detection by large organizations’ cyber defenses and then paralyze and extort them for large ransomware payments. This shift is reflected by the decline in prominent ransomware family types from 19 in January 2021 to 9 in March 2021.

Despite the high-profile attacks from the DarkSide RaaS group exposed in Q2 2021, REvil was the most detected in Q1, followed by the RansomEXX, Ryuk, NetWalker, Thanos, MountLocker, WastedLocker, Conti, Maze and Babuk strains.

Coin Miner Malware

While prominent ransomware attacks have focused attention on how criminals use ransomware to monetize their crimes with payments in cryptocurrency, a first quarter 117% surge in the spread of cryptocurrency-generating coin mining malware can be attributed to a sharp spike in 64-bit CoinMiner applications.

Rather than locking up victims' systems and holding them hostage until cryptocurrency payments are made, coin miner malware infects compromised systems and silently produces cryptocurrency using those systems' computing capacity for the criminals that designed and launched such campaigns. The advantage to cybercriminals is that there is zero interaction required of both the perpetrator and the victim. While the victim's computers may operate slower than usual due to the coin miner's workload, victims may never become aware that their system is creating monetary value for criminals.

“The takeaway from the ransomware and coin miner trends shouldn’t be that we need to restrict or even outlaw the use of cryptocurrencies,” Samani continued. “If we have learned anything from the history of cybercrime, criminals counter defenders’ efforts by simply improving their tools and techniques, sidestepping government restrictions, and always being steps ahead of defenders in doing so. If there are efforts to restrict cryptocurrencies, perpetrators will develop new methods to monetize their crimes, and they only need to be a couple steps ahead of governments to continue to profit.”

Threats & Victims

Overall Malware Threats. The first quarter of 2021 saw the volume of new malware threats average 688 threats per minute, an increase of 40 threats per minute over Q4 2020.

IoT & Linux Devices. A variety of new Mirai malware variants drove increases on the Internet of Things (IoT) and Linux malware categories in Q1. The Moobot family (a Mirai variant) was observed to be mass-spread and accounted for multiple Mirai variants. These variants all exploit vulnerabilities in IoT devices like DVRs, webcams and internet routers. Once exploited, the malware is hidden on the system, downloads later stages of the malware and connects with the command-and-control server (C2). When the compromised IoT devices are connected to their botnet, they can be commandeered to participate in DDoS attacks.

Industry Sectors. McAfee tracked a 54% increase in publicly reported cyber incidents targeting the technology sector during the first quarter of 2021. The Education and Financial/Insurance sectors followed with 46% and 41% increases respectively, whereas reported incidents in Wholesale/Retail and Public Sector declined by 76% and 39% respectively.

Regions. These incidents surged 54% in Asia and 43% in Europe, but declined 13% in North America. While reported incidents actually declined 14% in the United States, they grew 84% in France and 19% in the United Kingdom.

Key Findings

  • McAfee sees attackers shift from mass-spread campaigns to fewer, more lucrative targets
  • Cryptocurrency coin miner malware increases 117% due to growth in 64-bit CoinMiner applications
  • New Mirai malware variants drove increases in Internet of Things and Linux threats
  • Overall newly detected malware threats averaged 688 per minute
