The Kaseya VSA IT management and patching platform has been compromised and used by the Russia-based “ransomware-as-a-service” group REvil (aka Sodinokibi and Sodin) to distribute a malicious PowerShell script that disables Microsoft Defender on the targeted host and executes the REvil encryption tool, rendering the host inoperable. A ransom, reportedly of up to $5m, is then demanded for a decryption tool and key. Kaseya responded quickly by shutting down their SaaS platform while investigations were carried out by both Kaseya and FireEye, who have been engaged to support the analysis of the attack. Because of this action it appears that only customers running an on-premise version of the tool remain at risk. It is estimated that over 1000 businesses have been affected via 20 MSPs to date.
Kaseya is a widely used tool, largely delivered as SaaS but with some on-premise customers running their own infrastructure. It is these customers who are thought to remain at risk, with Kaseya advising that all servers be shut down until full investigations have been completed and a fix developed. This attack is the latest in a series of high-profile attempts to compromise and exploit Managed Service Provider systems to amplify the impact of an attack. It is a “supply chain compromise” similar in goal to the recent SolarWinds breach – to gain access to many customers by attacking just one service provider. The Kaseya attack differs slightly in that it does not appear to target the systems of the MSP itself, allowing them to stay operational in order to unwittingly distribute the ransomware to customers.
The REvil group, thought to be responsible for the ransomware used in this attack, is also strongly linked to the recent successful ransom of meat processor JBS, where $11m was paid to the group to recover encrypted systems. REvil has worked with other organisations to target MSPs in the past (notably GandCrab) and appears to have developed a specific working knowledge of MSP tools and practices.
ITC Managed Service customers benefit from bespoke detection rules implemented by our SOC analysts. Manual detection or configuration of stand-alone security systems to search for the following Indicators of Compromise (file hashes) is also effective:
agent.crt – 2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643
agent.exe – d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
mpsvc.dll – e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
mpsvc.dll – 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
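As an added example (not ITC's or Kaseya's tooling), the following Python script computes the SHA-256 of every file under a directory and reports any that match the indicators listed above. It matches on hash rather than filename, so a renamed copy is still caught; the directory to scan is a command-line argument you supply.

```python
import hashlib
import os
import sys

# SHA-256 indicators from the advisory above, keyed by hash so a renamed
# file is still detected; the value is the filename the advisory lists.
REVIL_KASEYA_IOCS = {
    "2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643": "agent.crt",
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e": "agent.exe",
    "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2": "mpsvc.dll",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd": "mpsvc.dll",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, iocs=REVIL_KASEYA_IOCS):
    """Walk `root` and return [(path, sha256, advisory_name)] for each file
    whose SHA-256 is in `iocs`. Unreadable files are skipped, not fatal."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # permissions, locked file, vanished file: keep going
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, ioc_name in scan_tree(target):
        print(f"MATCH {path} sha256={digest} (advisory name: {ioc_name})")
```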
Further, for Kaseya VSA customers, a compromise detection tool has been developed by Kaseya and is available by emailing [email protected] with the subject “Compromise Detection Tool Request”.
ITC is ready to support anyone affected by this compromise or concerned that they may be. Our 24/7 SOC is available to provide advice and guidance. Our Incident Responders are on-hand to help restore your services quickly and safely.
The REvil ransomware affects most versions of Microsoft Windows in endpoint and server configurations. A compromise of the Kaseya VSA tool is the delivery mechanism, using a malicious update to the targeted hosts. The prompt disabling of the Kaseya SaaS platform means that customers running on-premise implementations remain at the most risk, particularly as this attack has been timed to coincide with the weekend and a US public holiday, when resources and vigilance are often reduced.
The risk of compromise is mitigated by the shutting down of Kaseya services.
Until a fix is released by Kaseya, it is recommended that customers leave their on-premise servers shut down. Kaseya have stated that the SaaS version of their platform will remain offline until a fix is tested and implemented.