Threat Signal Report

Global Ransomware and Supply Chain Attack on Kaseya VSA Affecting Multiple Organizations

Description

Update as of July 7th: This sophisticated supply-chain ransomware attack initially leveraged a vulnerability in the Kaseya VSA software to gain access to victim organizations, and then used REvil's RaaS to infect those organizations with ransomware. For that reason, FortiGuard Labs is providing a separate Outbreak Alert analysis for both the initial exploitation of the Kaseya vulnerability and for the subsequent REvil ransomware attack. Each Outbreak Alert includes information about the attack itself, Fortinet product versions that provide protection, which products could break the attack sequence, threat hunting techniques and other information. Go here for the Kaseya Outbreak Alert and here for the REvil Outbreak Alert.


FortiGuard Labs is aware of a new ransomware campaign affecting management service provider Kaseya and its product Kaseya VSA, a remote monitoring and management software solution. In a nutshell, Kaseya VSA allows IT administrators to remotely monitor machines and deploy software, updates, etc. to multiple machines simultaneously in a multi-user environment. Reports of the attack first surfaced when Huntress Labs, a managed detection and response (MDR) provider, discovered the attack and posted its findings on Reddit.


According to the Kaseya advisory, Kaseya VSA was the victim of a sophisticated cyberattack involving ransomware. While there has been no absolute confirmation on attribution, many unofficial reports have stated that the REvil ransomware threat actors are allegedly behind this campaign. REvil has been attributed to the DarkSide actors who most recently attacked Colonial Pipeline and JBS Foods back in May.


What are the Details of the Attack Vector and or Vulnerability Used?

Unofficial, unconfirmed reports state that this was a supply chain attack in which the attacker deployed a malicious update through the Kaseya VSA interface, presented as an update or hot fix for the Kaseya VSA agent. This fake update is the ransomware file that was deployed to various machines, most likely those of customers of MSPs using Kaseya VSA. It is important to note that, at the time of writing, there are no details or confirmation from Kaseya regarding vulnerability details or the attack vector.


What Kaseya Products Are Affected?

On-premises versions of Kaseya VSA are affected. Preliminary reports state that the SaaS cloud versions are not affected. As a precautionary measure, Kaseya suggests that all on-premises VSA servers be taken offline immediately.


Is this the Work of REvil?

At this time, multiple reports have cited that this may be the work of the threat actors behind REvil. However, at the time of writing there is no confirmation from either Kaseya or other credible sources with intimate details of this attack. According to reports, multiple law enforcement agencies are involved in the investigation, and further details should surface in the next few days.


Is there a Patch Available?

At the time of writing, no. According to the Kaseya advisory:


"ALL ON-PREMISES VSA SERVERS SHOULD CONTINUE TO REMAIN OFFLINE UNTIL FURTHER INSTRUCTIONS FROM KASEYA ABOUT WHEN IT IS SAFE TO RESTORE OPERATIONS. A PATCH WILL BE REQUIRED TO BE INSTALLED PRIOR TO RESTARTING THE VSA."


For further details, please refer to the Kaseya advisory "Information Regarding Potential Attack on Kaseya VSA" in the APPENDIX section.


How Serious of an Issue is This?

HIGH.


How Widespread is this Attack?

At the time of writing, the most recent Kaseya advisory update (July 3rd, 10:30 EDT) states:


"Kaseya's VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams' fast response, we believe that this has been localized to a very small number of on-premises customers only."


Reports state that Kaseya services are resold by multiple organizations, so the exact number of victims is unknown. As this is a rapidly developing situation, more details are likely to emerge over the next few days clarifying the total number of victims.


What is the status of AV and IPS coverage?

FortiGuard Labs has AV coverage for known publicly available samples as:


W32/Sodinokibi.EAD4!tr.ransom

W32/Sodinokibi.8859!tr.ransom

W32/Sodinokibi.5421!tr.ransom


FortiGuard Labs has IPS coverage in place as:


Kaseya.VSA.Remote.Code.Execution


All known network IOCs are blocked by the WebFiltering client.

For FortiEDR protections, all published IOCs were added to our Cloud intelligence and will be blocked if executed on customer systems.


The FortiGuard EDR team has published a Knowledge Base article, "How FortiEDR detects Kaseya supply chain ransomware attack".


For FortiSandbox, all publicly known ransomware samples are detected by our behavior-based protection.
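The AV and IPS signature names listed above are what a SOC would look for in FortiGate UTM logs to find out whether any host has already been hit. The following script is an added example, not part of the original Threat Signal Report or of any Fortinet product: it parses key=value style log lines, matches the `virus` and `attack` fields against the signatures named in this report, and summarizes hits per signature and per source host. The log lines are constructed for the example, and the field names (`subtype`, `srcip`, `virus`, `attack`) are assumptions about a FortiGate-style key=value log format; adapt them to the fields your logging pipeline actually emits.

```python
"""Summarize FortiGate-style UTM log hits on the signatures from this advisory.

Added example. The log lines below are constructed; the key=value field names
are an assumption about the log format and may need adjusting.
"""
import re
from collections import Counter

# AV and IPS signature names exactly as listed in the advisory.
AV_SIGNATURES = {
    "W32/Sodinokibi.EAD4!tr.ransom",
    "W32/Sodinokibi.8859!tr.ransom",
    "W32/Sodinokibi.5421!tr.ransom",
}
IPS_SIGNATURES = {"Kaseya.VSA.Remote.Code.Execution"}

# Matches key=value pairs where the value is either "quoted" or a bare token.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line):
    """Return a dict of key -> value for one key=value log line."""
    fields = {}
    for m in _KV_RE.finditer(line):
        quoted, bare = m.group(3), m.group(4)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def classify(event):
    """Return ("av" | "ips", signature) if the event matches an advisory
    signature, otherwise (None, None)."""
    virus = event.get("virus")
    if virus in AV_SIGNATURES:
        return "av", virus
    attack = event.get("attack")
    if attack in IPS_SIGNATURES:
        return "ips", attack
    return None, None


def summarize(lines):
    """Count hits per signature and collect the source hosts seen for each."""
    hits = Counter()
    hosts = {}
    for line in lines:
        event = parse_kv(line)
        kind, signature = classify(event)
        if kind is None:
            continue  # unrelated event (other malware family, web filter, ...)
        hits[signature] += 1
        hosts.setdefault(signature, set()).add(event.get("srcip", "?"))
    return hits, hosts


# Constructed sample log lines (not real telemetry); 198.51.100.0/24 is a
# documentation range and 10.20.0.0/16 stands in for an internal network.
SAMPLE_LOGS = [
    'date=2021-07-02 time=14:02:11 devname="fgt-edge" type="utm" subtype="virus" '
    'action="blocked" srcip=10.20.0.15 virus="W32/Sodinokibi.EAD4!tr.ransom"',
    'date=2021-07-02 time=14:02:13 devname="fgt-edge" type="utm" subtype="virus" '
    'action="blocked" srcip=10.20.0.16 virus="W32/Sodinokibi.EAD4!tr.ransom"',
    'date=2021-07-02 time=13:58:40 devname="fgt-edge" type="utm" subtype="ips" '
    'action="dropped" srcip=198.51.100.7 dstip=10.20.0.2 '
    'attack="Kaseya.VSA.Remote.Code.Execution"',
    'date=2021-07-02 time=14:05:02 devname="fgt-edge" type="utm" subtype="virus" '
    'action="blocked" srcip=10.20.0.40 virus="W32/Generic.EXAMPLE!tr"',
    'date=2021-07-02 time=14:06:30 devname="fgt-edge" type="utm" subtype="webfilter" '
    'action="passthrough" srcip=10.20.0.41 hostname="example.com"',
]

if __name__ == "__main__":
    hits, hosts = summarize(SAMPLE_LOGS)
    for signature, count in hits.most_common():
        print(f"{signature}: {count} hit(s) from {sorted(hosts[signature])}")
```

Run it over your own exported log lines instead of `SAMPLE_LOGS`; any hit on the IPS signature indicates exploitation attempts against a VSA server that should already be offline per the Kaseya advisory, and any AV hit identifies an endpoint that received the malicious update and needs incident response regardless of whether the file was blocked.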


Any Other Suggested Mitigation?

According to the Kaseya advisory, all on-premises servers running VSA should be taken offline until further notice or until a patch is available. As this is a developing situation, please refer to the Kaseya advisory "Information Regarding Potential Attack on Kaseya VSA" in the APPENDIX section for running updates.


Due to the ease of disruption and the potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed and patched, to protect against attackers establishing a foothold within a network.


Also, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.


Definitions

Traffic Light Protocol

For each color: when should it be used, and how may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.