Another major ransomware supply chain attack has occurred over the holiday weekend. On July 2nd, the IT Solutions Provider Kaseya issued a statement saying they had suffered a ransomware attack. This attack only affected 0.1% of Kaseya’s customers, but their customers are Managed Service Providers (MSPs), which means hundreds of smaller businesses were also affected by this ransomware attack. This attack follows in the wake of several other large ransomware attacks in the past few months, including the Colonial Gas Pipeline attack and the attack on the meat supplier JBS. Before we get the specifics on this attack, let’s first learn about who Kaseya are and what a ransomware attack is.
What is Kaseya?
Kaseya is an IT solutions provider who offers different software to Managed Service Providers and enterprises. These MSPs in turn offer their own services to other small customers, such as Software as a Service, PKI as a Service, and other similar services. This is one of the reasons that this attack was so effective, as each of these MSPs have several hundred small companies of their own that they accidentally affected with this ransomware. An example of the software that Kaseya provides is VSA, which is used to monitor and manage networks and endpoints.
What is ransomware?
Ransomware is a type of malware which encrypts all the files in a victim’s system. Once the files are encrypted, the threat actors normally leave a ransom note, telling the victim how much and where to send the ransom, while they in turn send the decryption key back to the victim. It is recommended to never pay the ransom to a threat actor who has encrypted your data, as they can either not give you the encryption key, they can download the information anyways and blackmail you in the future, or they may not even know how to decrypt it.
What happened in this attack?
On July 2nd, 2021, Kaseya announced that an attack had hit their tool, the VSA, and affected “a small number of on-premise customers.” Even though only a small number of customers were affected, that is still a significant number of victims. As we previously mentioned, many of the tools created by Kaseya are utilized by MSPs, and thus their clients were affected as well. Victims were recommended by Kaseya to shut off admin access to the hijacked tool, and they also pulled their SaaS servers and data centers offline.
The attack itself manipulated a vulnerability within Kaseya’s VSA tool where the attackers used an authentication bypass vulnerability within the tool’s web interface to distribute their malware. This let the threat actors get around security controls, upload their payload, and use SQL injection to execute their code within the VSA tool. To do this, the attackers utilized a rogue certificate. Once the endpoint of the MSP or user was infected, the endpoint would write a file into its working directory. From there, the machine would then run a number of PowerShell commands which work to stop and turn off a number of malware services on a Windows computer. The file in the working directory is then turned into an executable file, thus releasing the ransomware.
However, to use the executable file, a legitimate signature was still needed, which is where the rogue certificate comes in. The certificate was found to belong to an organization called PB03transport, which is a legitimate organization. This indicates that the threat actors had access to the private key of this organization, most likely obtained via phishing or a Man in the Middle attack. Once the ransomware infected an MSP, the malware was then given to other customers through an automated update containing the ransomware. The ransomware in question is called REvil ransomware and was uploaded to the VSA tool by the creators, the threat actors known as REvil or Sodinikibi. It is unknown at this time if the victims have all paid the attackers.
Stopping this Type of Attack
The sad truth of this attack is that it could have been prevented. Utilizing a rogue certificate, these threat actors crippled thousands of companies, when proper certificate management could have stopped this. Using a managed certificate management system or PKI-as-a-Service, like the kind Encryption Consulting offers, this rogue certificate would not have been created in the first place. With proper certificate monitoring and key inventorying, the stolen key could have been detected and subsequently deactivated. Instead, many companies may have to pay a ransom just to get their data back.
