Just as the security community was recovering from the SolarWinds supply-chain attack, over July 4th holiday weekend Kaseya IT management software, commonly implemented by Managed Service Providers (MSPs) fell victim to a series of supply-chain attacks.
Kaseya is the Focus of New Supply Chain Ransomware Attack
According to a report from Bleeping Computer, on July 2, 2021, the REvil ransomware gang was actively targeting managed services providers (MSPs) and its customers via a Kaseya VSA supply-chain attack to deploy ransomware on enterprise networks. Kaseya is a popular software developed for Managed Service Providers that provide remote IT support and cybersecurity services for small- to medium-sized businesses that often cannot afford to hire full-time IT employees, due to their limited size or budgets.
Hundreds of worldwide businesses, including Coop supermarkets in Sweden, confirmed to the BBC they have been impacted by the Kaseya attack, although they are not customers of Kaseya, and have shut down hundreds of stores in Sweden since yesterday evening. This is because they have lost their Point of Sale facilities, which are managed by a company that is a Kaseya customer.
Figure 1. What the infected systems look like
The attackers initially gained access by using a zero-day vulnerability in Kaseya VSA via a malicious automatic update to the software which eventually would deliver the ransomware. Once active in the IT environments, the ransomware would encrypt the different contents of the systems on the network. This would cause widespread operational disruption to any organization that uses this software. Even if the latest version of Kaseya VSA was implemented at the time of the attack, the cyber criminals could remotely execute commands on the VSA appliance.
How the Ransomware is delivered
As per the DoublePulsar Blog Post on the Kaseya attack: “Delivery of ransomware is via an automated, fake, software update using Kaseya VSA.
The attacker immediately stops administrator access to the VSA, and then adds a task called “Kaseya VSA Agent Hot-fix”.
This fake update is then deployed across the estate — including on MSP client customers’ systems — as it’s fake management agent update.
This management agent update is actually REvil ransomware.
To be clear, this means organizations that are not Kaseya’s customers were still encrypted.
The Following Command is Run:
powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
What this does:
Disables Real Time Monitoring
Disables Cloud Lookup
Disables script scanning
Disabled Controlled Folder Access (ransomware prevention feature)
Disables Network Protection
Stops cloud sample submission
Throughout their attack, the cybercriminals shut off administrative access to VSA, and several protections within Microsoft Defender were disabled, including Real-Time Monitoring, Script Scanning, and Controlled Folder Access. Kaseya and the US Cybersecurity and Infrastructure Company have both advised clients functioning the VSA software on their servers to shut those servers down as soon as possible.
Figure 2. The Ransom Note
How MSPs Can Open The Door For Attackers
Large organizations that often have a budget for IT and security can easily adopt a robust security strategy to prevent cyber attacks. Smaller organizations or companies that are not security-minded will tend to turn to MSPs to provide them with IT and security services. In order for MSPs to provide their services, they are given remote and administrator access to their client’s networks and environments. The different remote access and credentials that are provided to MSPs are extremely attractive for cyber criminals.
Figure 3. The Anatomy of an MSP Cyberattack
Given the large number of clients that each MSP is working with, a successful cyber attack could be very profitable and attractive for a cyber criminal. Once the attacker has exploited the MSP system they could easily move laterally across MSP client’s systems and environments. In short, by attacking and successfully exploiting an MSP, cyber criminals have the opportunity to quickly gain access to all their client’s networks, systems and data without being noticed.
While the typical MSPs is a security expert when it comes to securing their clients’ networks and ensuring they are well protected, they also need to ensure their own system is secure from cyber criminals. Security patches must be applied in a timely order, vulnerabilities must be mitigated as quickly as possible and they need to adopt security solutions for any kind of attack to ensure that their system is protected.
In general, customers should set more control limits to their MSPs. For example, endpoints that do not need remote monitoring and management, should not have an agent installed on them. This reduces the risk in such attacks, and less devices will be affected.
It’s A Busy Summer Ahead
Over the past few months, there has been a major increase in the number of successful ransomware attacks. The Colonial Pipeline attack and the REvil attack of meat processor JBS resulted in millions of dollars in operational and mitigation loss. While these attacks are just two examples of successful ransomware, we expect cyber criminals to continue to exploit the different products and services that we use on a daily basis.
With each attack becoming more sophisticated and successfully exploiting well-known organizations, it has caught the attention of the U.S. government. On May 12th, United States President Joe Biden signed an executive order (EO) to improve the cybersecurity of the United States and the private sectors. This executive order seeks to increase its efforts in detecting and responding to different attacks and threat actors in the cyber espionage landscape.
Additionally, the US government plans to play a significant role when it comes to incident responding to ensure better security guidelines in the private sector. For example, in the case of the Kaseya attack, U.S. President Joe Biden has ordered federal intelligence agencies to investigate the supply chain attack. In a statement on Saturday, the U.S. Cybersecurity and Infrastructure Security Agency said it was "taking action to understand and address the recent supply-chain ransomware attack" against Kaseya's VSA product.
Be Prepared - Not For “If” But “When”
While the Kaseya attack so far hasn’t affected OT systems, it has brought up the subject of organizations needing improved security strategies. Cyber criminals are becoming more sophisticated when targeting different organizations. As long as the security hygiene of an organization or its third-party vendors isn't up to par, cyber criminals will increase the number of attacks to exploit organizations' vulnerabilities to truly hurt their victims.
To be prepared for incoming cyberattacks, organizations need to think like cyber criminals and implement a more concrete security strategy with the proper security solutions for any kind of attack. Instead of checking the box in their security checklist, organizations should test their systems and networks to see where they are vulnerable. More importantly, security teams need to change their security mindset from “if we will be attacked” to “when and how we will be attacked”, and prepare accordingly.
The huge difference between the secure and the exploited is how effectively their organization handled a potential cyber attack. By being prepared with basic security practices in place, it will allow security teams to prevent potential attacks from being successful.
We recommend organizations increase their visibility into their entire network as it’s difficult to protect what you can not see. Additional recommended practices are to adopt security network monitoring solutions that provide network segmentation and micro-segmentation as this will help organizations prevent similar ransomware attacks moving forward.
To learn more about these products and see short product demos, click here: https://l.scadafence.com/demo