Sophos researchers recently unearthed a supply chain attack that uses Kaseya's VSA remote management software to deploy a variant of the REvil ransomware into victims' environments. The attack is geographically dispersed, and any organization running Kaseya VSA is potentially affected.
Kaseya stated that the attack started around 14:00 EDT (18:00 UTC) on Friday, July 2, 2021, and that it is investigating the incident.
There has been a noticeable shift towards attacks on perimeter devices in recent years: a vulnerability in a widely deployed, internet-facing product lets attackers compromise large numbers of systems at once with very little effort.
According to the Sophos analysts, the attackers appear to have used a zero-day vulnerability to gain remote access to internet-facing Virtual System Administrator (VSA) servers. Because Kaseya VSA is used primarily by Managed Service Providers (MSPs), this gave the attackers privileged access to the devices of each MSP's customers. A VSA server exists to deploy software and automate IT tasks on the endpoints it manages, so the VSA agent on each customer device trusts it implicitly: once the server is compromised, every attached agent will carry out whatever task the server sends, without further authorization. That degree of trust is likely one of the reasons Kaseya was targeted.
Commenting on the ransomware attack, Ross McKerchar, Sophos VP and Chief Information Security Officer, termed it “one of the farthest reaching criminal ransomware attacks that Sophos has ever seen.”
“At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company. Victims span a range of worldwide locations with most in the United States, Germany and Canada, and others in Australia, the U.K. and other regions,” said McKerchar.
Mark Loman, Sophos Director of Engineering, said that the company “is actively investigating the attack on Kaseya, which we see as a supply chain distribution attack.”
“The adversaries are using MSPs as their distribution method to hit as many businesses as possible, regardless of size or industry type. This is a pattern we’re starting to see as attackers are constantly changing their methods for maximum impact, whether for financial reward, stealing data credentials and other proprietary information that they could later leverage, and more. In other wide scale attacks we’ve seen in the industry, such as WannaCry, the ransomware itself was the distributor – in this case, MSPs using a widely used IT management are the conduit,” said Loman.
“Some successful ransomware attackers have raked in millions of dollars in ransom money, potentially allowing them to purchase highly valuable zero-day exploits. Certain exploits are usually only deemed attainable by nation-states. Where ‘nation-states’ would sparingly use them for a specific isolated attack, in the hands of cybercriminals, an exploit for a vulnerability in global platforms can disrupt many businesses at once and have an impact on our daily lives.
“A day after the attack, it became more evident that an affiliate of the REvil Ransomware-as-a-Service (RaaS) leveraged a zero-day exploit that allowed it to distribute the ransomware via Kaseya’s Virtual Systems Administrator (VSA) software. Usually, this software offers a highly trusted communication channel that allows MSPs unlimited privileged access to help many businesses with their IT environments.”
Based on Sophos threat intelligence, REvil has been active in recent weeks, including in the JBS attack, and is currently the dominant ransomware gang seen in Sophos' Managed Threat Response (MTR) cases.
What should customers look for?
To stay protected and ahead of the attackers, Sophos has come up with the following recommendations.
If a Sophos customer is running Kaseya, they can be alerted to the attack by one or more of the following events:
- A behavioral detection of “HPmal/Sodino-A” or “Impact_4a (mem/sodino-a)” from Sophos Central Intercept X, Sophos Central Endpoint Protection, or Sophos Enterprise Console (SEC)
- The following features of Sophos Intercept X blocking the ransomware's functionality:
  - CryptoGuard blocking the encryption of files
  - Dynamic Shellcode Protection and HeapHeapProtect intercepting the attack chain
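The two detection names above are the quickest thing to hunt for in an endpoint console export. The following triage helper is an added example written for this article, not Sophos or Kaseya code: it reads detection events (the JSON-lines layout with `timestamp`, `endpoint` and `detection` fields is an assumption, and the sample events are constructed), groups the matching detections by endpoint, and records whether any hit falls at or after the attack start time Kaseya gave. The time window is a prioritization aid only; a Sodino hit before 18:00 UTC on July 2 is still a REvil detection and still needs attention.

```python
"""Triage helper for the Kaseya/REvil detection names from the Sophos guidance.

Added example, not Sophos or Kaseya code. The event-log format (JSON lines
with "timestamp", "endpoint" and "detection" fields) is an assumption, and
the sample events below are constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Detection names called out in the Sophos guidance for this attack.
KASEYA_REVIL_DETECTIONS = {
    "HPmal/Sodino-A",
    "Impact_4a (mem/sodino-a)",
}

# Kaseya's stated start of the attack: 14:00 EDT / 18:00 UTC, 2 July 2021.
ATTACK_START_UTC = datetime(2021, 7, 2, 18, 0, tzinfo=timezone.utc)

# Constructed sample export in the assumed format, one JSON object per line.
# The last line is deliberately malformed to exercise the parser's skip path.
SAMPLE_EVENTS = """\
{"timestamp": "2021-07-02T17:55:00Z", "endpoint": "ws-101", "detection": "HPmal/Sodino-A"}
{"timestamp": "2021-07-02T18:07:12Z", "endpoint": "ws-102", "detection": "HPmal/Sodino-A"}
{"timestamp": "2021-07-02T18:09:40Z", "endpoint": "ws-102", "detection": "Impact_4a (mem/sodino-a)"}
{"timestamp": "2021-07-02T18:15:03Z", "endpoint": "srv-db1", "detection": "Troj/Generic-X"}
{"timestamp": "2021-07-03T02:30:00Z", "endpoint": "ws-117", "detection": "Impact_4a (mem/sodino-a)"}
not valid json
"""


def parse_events(text):
    """Yield (timestamp, endpoint, detection) tuples; skip malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            # fromisoformat() does not accept a trailing "Z" on older Pythons.
            ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
            yield ts, ev["endpoint"], ev["detection"]
        except (ValueError, KeyError, TypeError):
            continue  # malformed line; a production tool would log it


def flag_endpoints(text, since=ATTACK_START_UTC):
    """Group matching detections per endpoint.

    Returns {endpoint: {"detections": [names...], "in_window": bool}} where
    in_window is True if at least one hit occurred at or after `since`.
    Hits before `since` are kept, only flagged differently.
    """
    hits = {}
    for ts, endpoint, detection in parse_events(text):
        if detection not in KASEYA_REVIL_DETECTIONS:
            continue
        entry = hits.setdefault(endpoint, {"detections": set(), "in_window": False})
        entry["detections"].add(detection)
        if ts >= since:
            entry["in_window"] = True
    return {
        ep: {"detections": sorted(e["detections"]), "in_window": e["in_window"]}
        for ep, e in hits.items()
    }


if __name__ == "__main__":
    for ep, info in sorted(flag_endpoints(SAMPLE_EVENTS).items()):
        marker = "IN WINDOW" if info["in_window"] else "pre-window"
        print(f"{ep}: {marker}: {', '.join(info['detections'])}")
```

Run it against a real export by reading the file into `flag_endpoints()` in place of `SAMPLE_EVENTS`; endpoints flagged in-window that also carry the Kaseya agent are the first to isolate.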
SophosLabs and the Sophos Security Operations Team have compiled a list of Indicators of Compromise. They are listed below and can be used by threat hunters to perform searches in their own environments.
What should customers do?
For Sophos MTR customers, the MTR team is monitoring the situation, assessing customer impact, and addressing issues as they appear.
If you use Kaseya in your environment:
- Kaseya currently indicates that the attack is affecting a number of on-premises customers and is advising them to shut down their VSA server until further notice from the vendor.