Biden Orders Investigation of Kaseya Ransomware Attack
REvil Malware Suspected of Infecting Scores of IT Management Companies, Clients
U.S. President Joe Biden has ordered federal intelligence agencies to investigate the incident involving IT management software vendor Kaseya, which sustained a suspected REvil ransomware attack on Friday. Attackers reportedly compromised Kaseya's remote monitoring system, VSA, forcing the company to urge its managed service provider customers to temporarily shut down their on-premises servers for at least the next 24 to 48 hours.
Kaseya VSA is a remote management platform for MSPs that provides solutions such as automated patch management. According to Kaseya, the platform has been used by more than 36,000 MSP customers worldwide.
On a visit to Michigan on Saturday, Biden was asked about the attack and told reporters "we're not certain" who is behind it. "The initial thinking was it was not the Russian government but we're not sure yet," he said.
In an update late Friday, Kaseya CEO Fred Voccola said the company detected the compromise on its VSA platform on Friday afternoon. He added that the spread of the attack has "been limited to a small number of on-premises customers."
In a Saturday evening update, Kaseya stuck by its conservative estimate. "Due to our teams' fast response, we believe that this has been localized to a very small number of on-premises customers only."
In a Sunday morning update, Kaseya added: "There have been no new reports of compromises since our last report yesterday. We are confident we understand the scope of the issue and are partnering with each client to do everything possible to remediate. We believe that there is zero related risk right now for any VSA client who is a SaaS customer or on-premises VSA customer who has their server offline."
Security firm Huntress Labs, which assessed a ransom note believed to be tied to Kaseya, has linked the attack to the REvil ransomware group - the same group the FBI has said was responsible for attacking meat processing giant JBS in late May. Huntress added that the attack has already compromised eight of Kaseya's MSP customers, and that at least 200 businesses served by three of those MSPs have reported that some of their files were forcibly encrypted.
Among the businesses affected: Coop, a Swedish grocery chain, which was forced to close many of its 800 retail stores. "One of our suppliers has been hit by an IT attack and therefore the cash registers do not work," Coop announced to its customers. "We regret this and do everything to be able to open again soon." Later on Sunday, media reports said that some Coop stores had reopened in Stockholm, after incident responders dispatched to those locations had successfully wiped and restored affected systems.
On Friday, Mark Loman, a malware analyst at security firm Sophos, tweeted that hackers had been demanding $5 million in bitcoins as a ransom payment, in exchange for a file decryptor.
Kaseya did not immediately respond to a request from Information Security Media Group seeking more information on the attack. The firm did promise ongoing updates.
Kaseya describes itself as a leading provider of IT and security management solutions for MSPs and small to medium-sized businesses. The privately held company is headquartered in Dublin and operates in over 20 countries.
After discovering the attack on Friday, Kaseya says it immediately shut down its SaaS servers as a precautionary measure and notified its on-premises customers "via email, in-product notices, and phone" to shut down their on-premises VSA servers to prevent them from being compromised. In addition, Kaseya says it directed its on-premises customers to keep those systems offline, pending updates.
Kaseya said that it is working with its internal forensic team and law enforcement agencies to investigate.
"Only a very small percentage of our customers were affected - currently estimated at fewer than 40 worldwide," Kaseya CEO Voccola said. "We expect to restore service to those customers once we have confirmed that they are not at risk, which we expect will be within the next 24-48 hours."
In a follow-up update on Saturday morning, the company said it has been working around the clock on "a security assessment, client support, progress update, technical resolution and return to operational status standpoint."
In addition, Kaseya said that "we have been advised by our outside experts that customers who experienced ransomware and receive a communication from the attackers should not click on any links - they may be weaponized."
Kaseya said it will continue to post updates every three to four hours.
On Saturday evening, Kaseya reported that it has brought in cybersecurity firm FireEye and other unidentified incident response firms to identify indicators of compromise tied to the breach. "We have identified a set of preliminary IoCs and have been working with our affected customers to validate them," Kaseya reports.
On Sunday morning, the firm announced initial results of the release of its new Compromise Detection Tool for Kaseya VSA customers.
"The new Compromise Detection Tool was rolled out last night to almost 900 customers who requested the tool," Kaseya said. "Based on feedback from customers, we will be publishing an update to the tool this morning that improves its performance and usability. There are no changes that will require a re-run of the tool on systems that have been scanned."
Kaseya added: "We will be opening up a private download site for end customers to get access to the Compromise Detection Tool once we have ensured the security, integrity, and trackability of the download process."
As of Saturday evening, Kaseya acknowledges only one new report of a compromise occurring because of a VSA on-premises server being left on. "We are confident we understand the scope of the issue and are partnering with each client to do everything possible to remediate," Kaseya says. "We believe that there is zero related risk right now for any VSA client who is a SaaS customer or on-premises VSA customer who has their server off."
Kaseya also says it is working both with the FBI and the U.S. Cybersecurity and Infrastructure Security Agency on an incident-handling process for worldwide customers affected by the cyberattack.
The following message was posted to the FBI's website on Sunday:
"If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to shut down your VSA servers immediately, and report your compromise to the FBI at ic3.gov. Please include as much information as possible to assist the FBI and CISA in determining prioritization for victim outreach. Due to the potential scale of this incident, the FBI and CISA may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat."
Patch Being Prepared
In its alerts, Kaseya noted that it has identified the source of the vulnerability that may have led to the attack and added that it is working to issue a patch for the flaw soon. "We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly," Voccola said. "We will release that patch as quickly as possible to get our customers back up and running."
Loman of Sophos tweeted that the vulnerability is exploited by a malicious update, which contains code to disable Microsoft Defender's real-time monitoring capabilities.
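A defender-side check that corresponds to the tactic Loman describes, added here as an example (it is not from the article, Kaseya or Sophos): it reads Defender's configured real-time protection state and searches the Defender operational log for event ID 5001, which Windows writes when real-time protection is turned off. The cmdlets, log name and event ID are Microsoft's; the 48-hour lookback window is an assumption.

```powershell
# Added example: surface signs that Defender real-time protection has been
# disabled on this host, the effect attributed to the malicious VSA update.
# Requires the built-in Defender PowerShell module and an elevated session.

$lookbackHours = 48   # assumption: how far back to search the event log

# 1. Current configuration and status. DisableRealtimeMonitoring = $true or
#    RealTimeProtectionEnabled = $false means real-time protection is off now.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

$rtpOff = $pref.DisableRealtimeMonitoring -or (-not $status.RealTimeProtectionEnabled)
if ($rtpOff) {
    Write-Warning "Defender real-time protection is currently disabled on $env:COMPUTERNAME"
} else {
    Write-Output "Defender real-time protection is enabled on $env:COMPUTERNAME"
}

# 2. Historical evidence: event ID 5001 in the Defender operational log is
#    recorded each time real-time protection is disabled, so a disable-then-
#    re-enable sequence still leaves a trace even if the setting looks fine now.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001
    StartTime = (Get-Date).AddHours(-$lookbackHours)
} -ErrorAction SilentlyContinue   # Get-WinEvent throws when nothing matches

if ($events) {
    Write-Warning ("{0} real-time-protection-disabled event(s) in the last {1}h" -f `
        @($events).Count, $lookbackHours)
    $events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No real-time-protection-disabled events (ID 5001) in the last $lookbackHours hours."
}
```

Run it per host, or wrap it in Invoke-Command against an endpoint list, and treat any 5001 event that no administrator can account for as a lead for the incident-response triage Kaseya and CISA describe.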
Although complete details of the Kaseya hack have yet to emerge, this latest incident would mark the second time in recent years that attackers have compromised a high-profile supply chain environment using a malicious software update.
The SolarWinds supply chain hack is believed to have begun in March 2020 when attackers installed a backdoor in an Orion software update. Up to 18,000 customers installed and ran the Trojanized software. Later, attackers launched follow-on attacks on nine U.S. government agencies and about 100 private sector firms, federal investigators say (see: Why Didn't Government Detect SolarWinds Attack?).
REvil, also known as Sodinokibi and Sodin, is a ransomware-as-a-service offering, which means a core group develops and maintains the ransomware code and makes it available to affiliates via a portal.
Those affiliates and the core group of operators share in any profits that result from victims paying a ransom. Recent victims that have made payments include meat processor JBS, which paid $11 million in bitcoins.
Many security experts rank REvil among the most damaging and prevalent RaaS operations, alongside Conti, DoppelPaymer (aka DopplePaymer), Maze offshoot Egregor, and Ryuk. (For more on REvil, see REvil's Ransomware Success Formula: Constant Innovation.)
Targeting MSPs: 'Diabolical Extortion Tactic'
Security experts note that MSPs are a vulnerable target because they are mostly smaller businesses with less mature security checks and balances in place.
"These types of technology management solutions can have high concentrations of risk due to their large collection of enterprise accounts with elevated privileges, unrestricted firewall rules needed for them to operate, and a cultural 'trust' that the traffic to/from them is legitimate and should be allowed," says Chris Grove, technology evangelist with security firm Nozomi Networks. "Once a breach happens, the victim would generally reach for these tools to work their way out of a bad situation, but when the tool itself is the problem, or is unavailable, it adds complexity to the recovery efforts."
"MSPs leverage Kaseya's software, making them an attractive target because extortionists can quickly increase potential targets," says Rick Holland, vice president of strategy at threat intelligence firm Digital Shadows. "These victims are a desirable target as they may not have the means to eradicate the adversary and restore their IT systems, forcing them to pay the ransom. Targeting an MSP that serves vulnerable SMBs is a diabolical extortion tactic."
Philip Reitinger, CEO and president of the Global Cyber Alliance, says this latest attack is "both different from and similar to the SolarWinds attack." It's similar because it also has a widespread scope and appears as a supply chain attack. But the means and purpose are different, he notes.
"Here we don't have an attack - so far as I see - on the systems of a software provider. We have an attack on its software," Reitinger says. "Most important here is that the software is used by managed service providers, vastly increasing the effect. So, at the end of the day, many entities will suffer, and there is very little - if anything - most could do to prevent it because the primary capabilities to prevent and detect lay with another."
FBI Previews a 'Very Busy Summer'
Threats from ransomware have increased significantly in recent months, with incidents such as the Colonial Pipeline Co. attack and the REvil attack on meat processor JBS causing victims millions of dollars in operational and mitigation losses.
The rising sophistication and proliferation of ransomware threats have also caught the attention of the U.S. government, with several federal agencies and the White House initiating a number of steps to counter them.
For instance, on Wednesday, CISA released its Ransomware Readiness Assessment audit tool to help organizations size up their ability to defend against and recover from attacks (see: CISA Tool Helps Measure Readiness to Thwart Ransomware).
On May 12, the Biden administration issued its cybersecurity executive order that aims to address ransomware and other threats to the U.S. (see: Biden's Cybersecurity Executive Order: 4 Key Takeaways).
In a session recorded this week for ISMG's upcoming Government Cybersecurity Summit, the FBI's Elvis Chan predicted that this will be a busy summer for ransomware investigations, disruptions and takedowns.
"We have many joint investigations with our foreign partners," says Chan, who leads the FBI's cyber division in San Francisco. "Look for this to be a very busy summer for us, with multiple takedowns across different countries.
"We want to impose as much consequence as possible," Chan says.
Updates: This story was last updated July 4, 2021, at 12 p.m. EDT.