On Friday, July 2, a vulnerability in Kaseya’s on-premises VSA software was used to launch a REvil “supply-chain” ransomware attack. The attack impacted 50 MSPs and up to 1,500 small businesses that are managed by Kaseya’s customers, according to Kaseya.
This is yet another high-profile attack by REvil, which illustrates the group’s ability to leverage Advanced Persistent Threat (APT)-like attacks across the internet.
Here’s a breakdown of what happened and how IT and security teams can learn from the attack.
This was not a supply-chain attack like SolarWinds, in which the vendor organization itself was compromised and the compromise was then pushed down across customer environments over an extended period of time. Rather, the supply-chain component of this attack comes from REvil being able to use the MSPs' Remote Monitoring and Management (RMM) tools to push the ransomware across their software delivery and patching supply chain.
The attackers were able to identify a chain of vulnerabilities in the Kaseya VSA on-prem solution which organizations often run in their DMZs. This, in combination with the fact that REvil ransomware moves quickly once a foothold is gained, resulted in fast action by Kaseya and similar MSP partners such as Huntress to notify all Kaseya VSA users to shut off their servers.
This attack reintroduces the pain point of unknown unknowns in internet-exposed attack surfaces, which can result in zero-day exploitation. In this case, the Kaseya VSA RMM distribution is hosted on-premises within MSPs' DMZs so that endpoints can check in from the internet. We now know that Kaseya VSA had a number of previously unknown vulnerabilities, as well as one vulnerability known to Kaseya that was not yet patched.
These vulnerabilities — ranging from Improper Authentication Validation to SQL Injection — were exploited in a chain that allowed REvil to push their first stage of attacks across all connected agents.
In cases where MSPs had Web Application Firewalls (WAF) in front of their Kaseya VSA, they likely were able to mitigate the attacks, whereas organizations with only general Intrusion Prevention and/or firewalling would have been quite vulnerable.
Any internet-facing application is a prime target for attackers. As ransomware groups like REvil move into APT-like tactics, the purchasing of exploits becomes a quick and lucrative method to expand the victim pool.
Applications like RMMs, VPNs, MDMs, and business-centric solutions that result in shared attack surface are significant targets to groups like REvil. This is especially true for RMM, because threat actors can leverage these applications without performing additional pivots to deploy ransomware.
With these changes in threat modeling by ransomware groups, organizations of all sizes, from SMB up to enterprise, are directly in the path of attack. Simply running an RMM solution in the DMZ to meet business needs was enough to result in broad exfiltration and encryption of these organizations' data.
It is essential for everyone in IT and information security to review their attack surface and understand where threats could be introduced to their environments — no matter the size.
Moving forward, you should adhere to some best practices to prevent future ransomware and APT-like attacks:
To prevent ransomware, it's crucial to understand the behaviors that lead up to a ransomware attack, and then detect those behaviors. A detection and response platform like Blumira will quickly detect and alert on indicators of compromise, prioritizing alerts to prevent alert fatigue and unnecessary noise.
Blumira detects many indicators of ransomware, including password spraying and unauthorized RDP access, enabling IT and security teams to catch a ransomware attack in its early stages. Blumira also takes ransomware prevention a step further by providing security playbooks to guide customers through remediation steps, as well as providing access to a team of security experts to give context and advice.
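As an illustration of the "detect the behaviors that lead up to ransomware" point, here is an added example (not Blumira's detection logic) of the password-spraying heuristic: one source failing logons against many distinct accounts in a short window, as opposed to brute force, which hammers one account. It assumes Windows failed-logon events (Event ID 4625) have already been flattened to `timestamp,source_ip,target_user` lines; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon events (Event ID 4625) flattened to
# "timestamp,source_ip,target_user". Not real telemetry.
# 203.0.113.7  -> six accounts in ten seconds (spray pattern)
# 198.51.100.9 -> one account six times (brute force, not a spray)
SAMPLE_EVENTS = """\
2021-07-02T08:00:01,203.0.113.7,alice
2021-07-02T08:00:03,203.0.113.7,bob
2021-07-02T08:00:05,203.0.113.7,carol
2021-07-02T08:00:07,203.0.113.7,dave
2021-07-02T08:00:09,203.0.113.7,erin
2021-07-02T08:00:11,203.0.113.7,frank
2021-07-02T08:01:00,198.51.100.9,alice
2021-07-02T08:01:10,198.51.100.9,alice
2021-07-02T08:01:20,198.51.100.9,alice
2021-07-02T08:01:30,198.51.100.9,alice
2021-07-02T08:01:40,198.51.100.9,alice
2021-07-02T08:01:50,198.51.100.9,alice
2021-07-02T09:30:00,192.0.2.4,bob
"""


def parse_events(text):
    """Parse the flattened lines into sorted (timestamp, source_ip, user) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, user = line.split(",")
        events.append((datetime.fromisoformat(ts), src, user))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: max_distinct_users} for every source that failed
    logons against at least `min_users` distinct accounts inside `window`."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):  # sliding window over this source's attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = max(hits.get(src, 0), len(users))
    return hits


if __name__ == "__main__":
    print(detect_password_spray(parse_events(SAMPLE_EVENTS)))
```

Tune `window` and `min_users` to the environment; the brute-force source is deliberately not flagged here because it belongs to a separate per-account lockout rule.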
Try Blumira for free; our trial is easy to deploy and can provide immediate security value to your organization.