Threat Signal ReportGlobal Ransomware and Supply Chain Attack on Kaseya VSA Affecting Multiple Organizations
Description
Update as of July 7th: This sophisticated supply-chain ransomware attack initially leveraged a vulnerability in the Kaseya VSA software to gain access to victim organizations, and then used REvil's RaaS to infect those organizations with ransomware. For that reason, FortiGuard Labs is providing a separate Outbreak Alert analysis for both the initial exploitation of the Kaseya vulnerability and for the subsequent REvil ransomware attack. Each Outbreak Alert includes information about the attack itself, Fortinet product versions that provide protection, which products could break the attack sequence, threat hunting techniques and other information. Go here for the Kaseya Outbreak Alert and here for the REvil Outbreak Alert.
FortiGuard Labs is aware of a new ransomware campaign affecting management service provider Kaseya, and their product Kaseya VSA, which is a remote monitoring and management software solution. In a nutshell, Kaseya VSA allows IT administrators to remotely monitor and deploy software, updates, etc. to multiple machines simultaneously in a multi user environment. Reports of the attack first surfaced when Huntress Labs, a managed detection and response (MDR) provider first discovered the attack and posted their findings on Reddit.
According to the Kaseya advisory, Kaseya VSA was the victim of a sophisticated cyberattack, involving ransomware. While there has been no absolute confirmation on attribution, many unofficlal reports have stated that the REvil ransomware threat actors are allegedly behind this campaign. REvil has been attributed to the DarkSide actors who most recently attacked Colonial Pipeline and JBS foods back in May.
What are the Details of the Attack Vector and or Vulnerability Used?
Unofficial, unconfirmed reports state that this was a supply chain attack where a malicious update was being deployed by the attacker to the Kaseya VSA interface as an update or hot fix for the Kaseya VSA agent. This fake update is the ransomware file that was deployed to various machines and what is likely customers of MSP providers using Kaseya VSA. It is important to note, at the time of writing there are no details or confirmation from Kaseya regarding vulnerability details or confirming the attack vector.
What Kaseya Products Are Affected?
On premises versions of Kaseya VSA are affected. Preliminary reports state that the SaaS cloud versions are not affected. As a precautionary note, it is suggested by Kaseya that all on premise VSA servers be taken offline immediately.
Is this the Work of REvil?
At this time, multiple reports have cited that this maybe the work of the threat actors behind REvil. However, at the time of writing there is no confirmation from either Kaseya or other credible sources with intimate details of this attack. According to reports, multiple law enforcement agencies are involved with the investigation and in the next few days' further details should surface.
Is there a Patch Available?
At the time of writing, no. According to the Kaseya advisory:
"ALL ON-PREMISES VSA SERVERS SHOULD CONTINUE TO REMAIN OFFLINE UNTIL FURTHER INSTRUCTIONS FROM KASEYA ABOUT WHEN IT IS SAFE TO RESTORE OPERATIONS. A PATCH WILL BE REQUIRED TO BE INSTALLED PRIOR TO RESTARTING THE VSA."
For further details, please refer the Kaseya advisory "Information Regarding Potential Attack on Kaseya VSA" in the APPENDIX section.
How Serious of an Issue is This?
HIGH.
How Widespread is this Attack?
At the time of writing the most recent Kaseya advisory update (July 3rd 10:30EDT) states:
"Kaseya's VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams' fast response, we believe that this has been localized to a very small number of on-premises customers only. "
Reports state that Kaseya services are resold by multiple organizations, so the exact amount of victims are unknown. As this is a rapidly developing situation, more details are likely to emerge over the next few days highlighting the total number of victims.
What is the status of AV and IPS coverage?
FortiGuard Labs has AV coverage for known publicly available samples as:
W32/Sodinokibi.EAD4!tr.ransom
W32/Sodinokibi.8859!tr.ransom
W32/Sodinokibi.5421!tr.ransom
FortiGuard Labs has IPS coverage in place as:
Kaseya.VSA.Remote.Code.Execution
For FortiEDR protections, all published IOC's were added to our Cloud intelligence and will be blocked if executed on customer systems.
The FortiGuard EDR team has published a Knowledge Base article "How FortiEDR detects Kaseya supply chain ransomware attack"
For FortiSandbox, all publicly known ransomware samples are detected by our behavior-based protection.
Any Other Suggested Mitigation?
According to the Kaseya advisory, all on premise servers running VSA should be taken offline until further notice or when a patch is available. As this is a developing situation, please refer to the Kaseya advisory "Information Regarding Potential Attack on Kaseya VSA" for running updates in the APPENDIX section.
Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network.
Also - organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.
Outbreak Alert
A recent high profile exploit involing Kaseya VSA product was linked to the REvil ransomware. This report summarizes the Fortinet Security Fabric coverage for the REvil ransomware itself. Refer to the separate report for more detail about the Kaseya vulnerability.
View the full Outbreak Alert Report
This report focusses on the Kaseya vulnerability itself -- A separate (dedicated) report is available for the REvil ransomware which exploits this vunlerability. Kaseya VSA product is the victim of a sophisticated cyberattack causing many of its customers to be infected with ransomware. On July 2, the SaaS version was temporarily shutdown, and Kaseya warned all its customers to immediately stop using the on-premise version until a patch is available. Nearly 40 of its MSP customers were reported hacked, who themselves manage hundreds or thousands of businesses underneath. https://www.nbcnews.com/tech/security/ransomware-attack-software-manager-hits-200-companies-rcna1338 Background
Appendix
Information Regarding Potential Attack on Kaseya VSAÂ (Kaseya)
Kaseya VSA Supply-Chain Ransomware Attack (US-CERT)
Crticial (sp?) Ransomware Incident in Progress (Reddit post by HuntressLabs)
