Many cybersecurity professionals across the country missed out on the fun over the 4th of July weekend. Instead, they were actively engaged in investigating and responding to the widespread REvil supply chain compromise that has reportedly impacted over 1,000 companies already. With a current ransom set at $70 million worth of bitcoin, this latest compromise, which some members of the US Homeland Security Committee are calling a “moment of reckoning,” could potentially become the highest payout to cybercriminals yet and further motivate future attackers.
Kaseya: What Specifically Happened?
On Friday, July 2nd, news broke that a widespread supply chain compromise was actively underway using a vulnerability within the Kaseya Virtual System Administrator (VSA) toolset. Kaseya, a provider of IT and security management solutions for managed service providers (MSPs) and small to medium-sized businesses, quickly disclosed the discovery and advised its customers to shut down VSA servers since infected systems were being utilized for a coordinated ransomware attack.
In essence, many organizations choose to outsource the management of their network infrastructure to managed service providers. These MSPs then use a series of tools, including Kaseya VSA, to remotely provide their managed services from a streamlined set of consoles. For this current compromise, attackers gained access to VSA through an existing vulnerability, then uploaded a malicious payload before propagating to MSPs by masquerading as a trusted update.
Once a system is infected, the REvil ransomware executes an outdated version of the Microsoft Antimalware Service, which it then abuses to sideload and run its malicious code.
Interestingly, Kaseya CEO Fred Voccola says the company has so far identified only around 40 customers affected by this compromise, all of whom used the on-prem deployment of VSA; none of its SaaS customers appear to have been put at risk. This further underscores the effectiveness of a supply chain compromise: those 40 VSA customers were then used to compromise over 1,000 end-user organizations. Poisoning the well is the quickest way to poison everyone who drinks from it, and the same principle applies here. Cybercriminals continue to focus on supply chain attacks because they yield the highest impact for the least effort.
This situation also highlights some of the security benefits of a SaaS-based operational approach. The centralized nature of SaaS applications provides faster identification of threats, more efficient investigations, and quicker response times. In the case of VSA, Kaseya had the ability to essentially “flip the off-switch” to mitigate this threat within its cloud offering. Unfortunately, it did not have the same level of control over its on-prem deployments, which in turn acted as the primary distribution points for this attack.
Currently, the Russia-based cybercriminal group known as REvil, or Sodinokibi, has taken credit for this compromise. In its public acknowledgment, it set a demand of $70 million worth of bitcoin and promised, if the demand is met, to release a public decryptor for what it claims are over one million infected systems. Who would pay the ransom, when, or whether it will be paid at all remains unknown.
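Detection logic for the sideloading pattern described above, added here as an illustrative example and not part of the original post or any Arctic Wolf product: it scans constructed process-start events for the Antimalware Service executable (MsMpEng.exe) running outside its expected install directories or below a version baseline. The directory list and version baseline are assumptions to be replaced with values from your own software inventory.

```python
"""Flag process-start events where a legitimately named antimalware engine
binary runs from an unexpected location or with an outdated file version,
the two observable traits of the sideloading technique described above."""
import json
from pathlib import PureWindowsPath

# ASSUMPTION: where the genuine service binary is expected to live.
# Replace with the paths recorded in your own inventory.
EXPECTED_DIRS = (
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
    r"C:\Program Files\Windows Defender",
)
# ASSUMPTION: lowest file version considered current in this environment.
MIN_VERSION = (4, 18, 0, 0)

# Constructed sample events (one JSON object per line), not real telemetry.
SAMPLE_EVENTS = [
    r'{"pid": 1200, "parent": "services.exe", "file_version": "4.18.2106.5", '
    r'"image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.5-0\\MsMpEng.exe"}',
    r'{"pid": 4412, "parent": "agent.exe", "file_version": "4.5.218.0", '
    r'"image": "C:\\Users\\Public\\MsMpEng.exe"}',
    r'{"pid": 5001, "parent": "services.exe", "file_version": "10.0.19041.1", '
    r'"image": "C:\\Windows\\System32\\svchost.exe"}',
    r'{"pid": 6100, "parent": "services.exe", "file_version": "4.5.218.0", '
    r'"image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"}',
]


def parse_version(text):
    """Turn '4.18.2106.5' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def sideload_reasons(event):
    """Return the list of reasons an event looks like a sideload host, or []."""
    image = PureWindowsPath(event["image"])
    if image.name.lower() != "msmpeng.exe":
        return []
    reasons = []
    parent_dir = str(image.parent).lower()
    if not any(parent_dir.startswith(d.lower()) for d in EXPECTED_DIRS):
        reasons.append("unexpected_path")
    if parse_version(event.get("file_version", "0.0.0.0")) < MIN_VERSION:
        reasons.append("outdated_version")
    return reasons


def find_sideload_candidates(lines):
    """Parse JSON event lines and return the suspicious ones with reasons."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = sideload_reasons(event)
        if reasons:
            hits.append({"pid": event["pid"], "image": event["image"], "reasons": reasons})
    return hits
```

Pairing this with a check on which DLLs the flagged process loads would complete the picture, but the path and version checks alone already separate the genuine service from a copied binary.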
Further investigation into the Kaseya ransomware attack indicates that what initially appeared to be solely a supply chain compromise also involved attackers leveraging a zero-day exploit against the VSA product. These attackers initially gained access to victim servers before spreading their ransomware payload as an unauthorized hotfix in a supply chain fashion. This new information highlights the significance of conducting thorough investigations into security incidents.
As with any emergency, the most important aspect is triaging the situation as quickly and effectively as possible. Once this is accomplished, a detailed follow-up investigation is essential to provide the key information organizations need to plan effectively for similar incidents in the future. Knowing which vulnerability was exploited within VSA gives organizations the ability to identify, patch, and monitor their environments for further attempts to exploit it.
How Can We Prevent the Next Attack?
The next attack is not a matter of if, but when, so how can organizations best prepare for it? If anything, this ongoing incident proves once again that there is no silver bullet product or tool to solve cybersecurity. With regard to this situation, in fact, an organization could have done EVERYTHING right (up to date on patches, MFA in place, proactive threat hunting, and so on) and still, because the Kaseya tool has pervasive administrative reach, become a victim of this ransomware attack.
That is why Arctic Wolf believes products and tools are only a small part of the cybersecurity solution. Instead of just investing in another tool, we believe a large part of reducing the risk and impact boils down to how fast you can react to an incident, how quickly you can pivot from investigation to containment, and how well you know your environment and what runs within it.
Entirely avoiding future supply chain attacks might be impossible. However, it is possible to reduce that risk and reduce the potential impact if you have strong and effective security operations. That is why Arctic Wolf is dedicated to being the leader in security operations. Using our cloud-native Arctic Wolf platform we provide strong security operations as a concierge service. Our highly trained Concierge Security® experts work as an extension of your team to provide not only the essential 24x7 monitoring, detection, and response for when attacks like this occur, but also the guidance and support that are necessary to ensure your environment is prepared for any future situations.