Fred Voccola, CEO of Kaseya, begins his address by going back to that fateful Friday, July 2, 2021, when Kaseya, a company he has run for more than six years, noticed suspicious processes running on the servers of its software, which provides services to technology systems management companies, or Managed Service Providers (MSPs).
“On Friday, July 2, around 2 pm, we received some reports of suspicious things happening. We didn’t know if it was an attack, we weren’t really sure what it was, but […] we started noticing some strange behavior. Within an hour, we shut down the VSA immediately,” says Voccola in a video posted on Kaseya’s YouTube channel.
VSA is one of the software products developed and managed by Kaseya. It is a Remote Monitoring and Management (RMM) solution. Most of Kaseya’s customers are Managed Service Providers (MSPs) that offer this Kaseya-developed RMM software to their own customers.
Kaseya is therefore already a large company, with around 37 thousand direct customers, and it also indirectly manages the technology infrastructure of over 1 million customers through its intermediary MSPs.
Right after the suspicious processes were detected, Voccola realized that this was a cyber attack and decided to shut down the VSA servers on which unauthorized access had been identified. A precautionary measure which, according to the executive, prevented the attack from spreading to more services and, consequently, compromising more customers.
In a press release published on Monday (5th), the company explains that about 50 Kaseya customers, the MSPs mentioned by Voccola, downloaded and offered their own customers a compromised update of the VSA software. The customers who downloaded this update total around 1,500 companies.
“Of the approximately 800,000 to 1 million small local businesses that are managed by Kaseya’s customers, ‘only’ about 800 to 1,500 have been compromised,” Voccola argues in his statement.
Also in the same press release, Kaseya said it contacted the authorities immediately after shutting down the VSA servers, and that it had started a forensic investigation to establish the facts and find any traces left by the cybercriminals.
REvil Ransomware
In addition to disrupting the work of around 1,500 companies, the attack and the shutdown of VSA services shook the information technology and security community. Is this yet another massive supply chain attack, on a par with the attack on SolarWinds?
On the same day the attack was identified, Mark Loman, a malware analyst at Sophos, while analyzing ransomware hits on some customers, found that the REvil ransomware was linked to the Kaseya attack. “We are monitoring an outbreak of the REvil ‘supply chain’ attack, which appears to result from a malicious update from Kaseya,” he wrote in a Twitter post.
According to Jen Miller-Osborn, Director of Threat Intelligence at Unit 42, Palo Alto Networks, REvil is a cybercriminal group of Russian origin that operates a business model known as Ransomware as a Service (RaaS). “[RaaS] is a subscription-based model that allows affiliates to use ransomware tools to execute attacks and earn a percentage of every successful ransom payment. This allows ransomware gangs to outsource their operations and earn more money,” the executive explains in an interview with The Hack.
“We found them [REvil] for the first time in 2018, when they worked with a group known as GandCrab […] This group became REvil, grew and gained a reputation for leaking massive data sets and demanding multimillion-dollar ransoms. It is now among an elite group of cyber extortion gangs responsible for the rise of debilitating attacks that have made ransomware one of the most pressing security threats for businesses and nations around the world,” concludes Miller-Osborn.
Rafael Foster, senior sales engineer at Sophos, confirmed during the webinar “The State of Ransomware 2021”, broadcast on Thursday (7th), that Sophos, in partnership with another security company, Hunters, was responsible for finding the information that linked Kaseya’s attack to the REvil ransomware.
Two days after the attack, on Sunday (4th), the suspicion was confirmed by the cybercriminals themselves on the group’s official website on the dark web. According to The Record, which had access to REvil’s blog, the companies using Kaseya’s VSA software that were infected by the ransomware reported that the cybercriminals are asking for US$50,000 (R$262,000) to ransom the encrypted data.
But, as around 1,500 victims have been counted so far, the cybercriminal group is also offering a universal decryptor, to restore the data of all those infected, for the equivalent of US$70 million (R$368 million) in Monero, a cryptocurrency popular among cybercriminals because of its high levels of encryption, anonymity and untraceability.
The Record contacted Kaseya, which said it has no intention of paying the ransom, nor of buying the universal decryptor.
Attacking the supply chain
As Voccola said in his address, Kaseya has already fixed the vulnerability exploited by the cybercriminals and is working with the FBI and US legal and technical authorities, along with its clients, to investigate and resolve the issue.
“In about two hours, we identified the specific vulnerability and, with the help of partners, we fixed, fixed and tested […] The US government and the FBI are working to ensure that Kaseya, Kaseya’s partners, our customers and many of our external partners that we engaged immediately to resolve this issue,” he said.
Invited by The Hack to comment on the case, Lucas Silva, incident response analyst at Trend Micro, explains that a supply chain attack differs from a regular attack, which is usually aimed at a single company, and can therefore be even more devastating.
“In a typical attack, cybercriminals target a company and find a unique way to break into that victim’s network. But, during a supply chain attack, cybercriminals infiltrate a trusted company that provides software or IT services to many other companies. The purpose of this attack is to insert malware into the ‘supply chain’ of updates to software installed on its customers’ computers. In these types of incidents, any company can be affected, whether it is small, medium or large. The most worrying thing is the increase in this type of attack; we recently had SolarWinds and now Kaseya,” the executive told The Hack via email.
Leidivino Natal da Silva, CEO of the Stefanini Group’s cybersecurity division, puts into context what Voccola said in the video: it is just a matter of time before a company is compromised, so it is essential to be prepared for when it happens.
“Cyber attacks have been becoming more and more frequent. It is essential for any company to act constantly on its security processes, according to its business. You need to protect the environment and know how to respond to these cyber incidents with speed and efficiency. Security is no longer a support area; it is a business area that needs to ensure the continuity of the core business of organizations,” said the executive.
Sources: Kaseya; The Record; The Record; Mark Loman; The State of Ransomware 2021; The Hack.