On 2 July, just as most offices closed for Independence Day weekend in the United States, Kaseya announced that their system was compromised.
Kaseya is a SaaS company that provides software for Managed Service Providers (MSPs) all over the world; its VSA product is used by hundreds of companies who manage everything from billing systems to contracts and finance reports. Most clients of these companies are small businesses who aren’t even aware of what software is running on the servers they’re using; that is precisely why they contract MSPs to look after their systems. Wietse Boonstra of the Dutch Institute for Vulnerability Disclosure (DIVD), a group of ethical hackers from the Netherlands, discovered a vulnerability in Kaseya VSA and alerted the company in early July.
Engineers at Kaseya started working on a patch straight away, but REvil, a ransomware-as-a-service gang from Russia, had also learned of the vulnerability and managed to compromise VSA before the patch was released. "If we had a little more time, we would have succeeded," members of DIVD told NL Times.
According to Huntress Research, REvil exploited this zero-day vulnerability through an authentication bypass and then uploaded code to affected servers without that code being checked. In other words, REvil uploaded their ransomware disguised as a management agent update, and because deployment was automated, the update went live instantly. Sophos noted that “by infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted.” When we evaluated Kaseya back in 2017 we decided to advise our customers to select alternative options. At the time we didn’t expect such a catastrophic breach caused by Kaseya, yet some weaknesses of the system were clear as compared to alternatives.
In a 5 July update, Kaseya said that a fix had been developed and would first be deployed to SaaS environments once testing and validation checks were complete.
The full scale of the attack is still unknown. Though the attack itself is reminiscent of the JBS and Colonial Pipeline attacks earlier this year, its victims make this attack stand out. In a statement, the FBI said that they “may be unable to respond to each victim individually.” This shows that even though the attackers got in through a single crack in Kaseya’s system, they managed to shut down potentially hundreds of servers, servers that an untold number of businesses in at least 17 countries rely on for their daily operations.
Coop, a Swedish grocery chain, had to close most of its 800 stores for days, and a Swedish petrol station chain, pharmacies, the state railways, and public broadcaster SVT were also affected. An unnamed German IT services company reported that thousands of its customers were compromised, and two Dutch IT services companies, VelzArt and Hoppenbrouwer Techniek, fell victim, too. There is no way to accurately estimate the number of end users who had to halt business as a consequence of the attack. Kaseya CEO Fred Voccola said that the brunt of the burden will be borne mostly by small businesses like “dental practices, architecture firms, plastic surgery centers, libraries, things like that.”
This is what sets these supply chain attacks apart: while the culprits are anonymous hackers who feed on the chaos they cause, and the fault at least partially lies with multi-million dollar companies, those affected are everyday people running small businesses. NewPush’s President urges us to look at the human cost of such an attack. “Imagine what it must be like for the victims. Imagine the florist, the dentist, the restaurant owner working hard every day, building something for their families. They’re pushed from every direction; they can’t afford to get into the nitty gritty of cybersecurity, can’t afford not to have an online presence, and they definitely cannot afford to pay huge ransoms.”
The question on the minds of everyone involved is, “What’s next?” It goes without saying that the attackers want money. Originally, REvil posted ransom demands of up to $5 million in varying sums, mostly around $45,000 in crypto. They claimed to have affected more than a million computers. However, perhaps because they misjudged the scale of the attack themselves, they later moved to a single $70 million ransom to decrypt all systems. That amount would make this the highest-ever single ransom paid, and it would not be the first to break that record this year.
Demands following ransomware attacks shot up significantly in 2020, and so far every month of 2021 has exceeded the corresponding month of the previous year.
Less than a month ago, during their meeting in Geneva, US President Biden took Russian President Putin to task, saying that Russia has harboured cyber criminals long enough. He stated that if the Kremlin doesn’t increase efforts to clamp down on these gangs, that will lead to escalating conflict between them and the rest of the world. On Monday, Putin’s spokesman Dmitry Peskov professed no knowledge of this latest attack, and said that details could be discussed during future consultations—though there are no plans as yet for such meetings.
What’s more, a recent report by Trustwave SpiderLabs uncovered that avoiding Russian-language systems was hard-coded into the ransomware used in the Kaseya attack. "They don't want to annoy the local authorities, and they know they will be able to run their business much longer if they do it this way," said Ziv Mador, Trustwave SpiderLabs' vice president of security research. Trustwave said the ransomware "avoids systems that have default languages from what was the USSR region".
On Saturday, 3 July, President Biden said he had directed intelligence services to investigate the Kaseya attack. He told reporters on tour in Michigan that he hadn’t yet learned who was responsible. "The initial thinking was it was not the Russian government but we're not sure yet," he said.
The only thing certain amidst all this chaos is that ransomware is an ever-growing cybersecurity concern, and that IT services are still vulnerable to sophisticated attacks. I think we will continue to see headlines about highest-ever ransom demands, and we have to bear in mind that whatever makes the news is just the tip of the iceberg. Due to the nature of these attacks, both IT service providers and their clients will share as few of the details as possible. Companies need to take cybersecurity seriously and invest in it with adequate resources, because the race between gangs of unleashed cyber criminals and cybersecurity firms is on.
The Connective Platform™ integrates a host of cybersecurity tools into one system faster than any of our competitors, but that alone wouldn't give our partners the edge over cybercriminals. Simply gathering all the data from a number of connected elements would still require an army of experts to make sense of it; it's analogous to how gathering stock prices from markets all around the world doesn't tell you where to invest your money next. Our platform goes on to analyse that massive amount of data to give our partners the information they need: where the weak points of their cyber defence are, and how to address them.