
New Major Ransomware Attack Strikes IT Solutions Provider, Kaseya

Another major supply chain ransomware attack took place over the holiday weekend. On July 2nd, 2021, the IT solutions provider Kaseya issued a statement saying it had suffered a ransomware attack. By Kaseya's estimate the attack affected only about 0.1% of its customers, but those customers are Managed Service Providers (MSPs), so hundreds of smaller businesses downstream of them were hit as well. This attack follows several other large ransomware incidents in recent months, including the Colonial Pipeline attack and the attack on the meat supplier JBS. Before getting into the specifics of this attack, let's first look at who Kaseya is and what a ransomware attack is.

What is Kaseya?

Kaseya is an IT solutions provider that sells software to Managed Service Providers (MSPs) and enterprises. Those MSPs in turn offer their own services, such as Software as a Service, PKI as a Service and similar managed offerings, to smaller customers. This layering is one reason the attack was so effective: each affected MSP manages systems for several hundred small companies, and the compromised tooling carried the ransomware to those companies as well. An example of the software Kaseya provides is VSA, a remote monitoring and management (RMM) product used to monitor and manage networks and endpoints.

What is ransomware?

Ransomware is a type of malware that encrypts the files on a victim's system. Once the files are encrypted, the threat actors leave a ransom note telling the victim how much to pay and where to send it, with the promise that they will send the decryption key in return once payment is made. It is generally recommended never to pay the ransom: the attackers may not hand over the decryption key, they may have exfiltrated the data before encrypting it and use it to extort the victim again later, or they may simply be unable to decrypt what they encrypted.

What happened in this attack?

On July 2nd, 2021, Kaseya announced that an attack had hit its VSA tool and affected "a small number of on-premise customers." Even a small number of direct customers translates into a significant number of victims: as previously mentioned, many of the tools Kaseya makes are used by MSPs, so the MSPs' own clients were affected as well. Kaseya instructed on-premises customers to shut down their VSA servers immediately, and it also took its own VSA SaaS servers and data centers offline as a precaution.
The attack exploited a vulnerability in Kaseya's VSA tool: the attackers used an authentication bypass in the tool's web interface to get past its access controls, uploaded their payload, and used SQL injection to execute code within the VSA server. The payload itself was code-signed with a rogue certificate. Once the VSA agent on an MSP's or customer's endpoint received the payload, it wrote a file into the agent's working directory. The machine then ran a series of PowerShell commands that turn off a number of Windows anti-malware protections. The dropped file, an encoded copy of the payload, was then decoded into an executable and run, releasing the ransomware.

An executable that carries a valid signature is far less likely to be blocked or flagged, which is where the rogue certificate comes in. The certificate was found to have been issued to an organization called PB03 TRANSPORT LTD., a legitimate organization. This indicates that the threat actors had access to that organization's private code-signing key, most likely stolen from it, for example through phishing. Once an MSP's VSA server was compromised, the ransomware was pushed to the MSP's managed customers as an automated agent update containing the malware. The ransomware in question is REvil, uploaded to the VSA tool by its operators, the threat actors known as REvil or Sodinokibi. It is not known at the time of writing whether the victims have paid the attackers.
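As an added example (not code from Kaseya, REvil or the author of this article), here is a small Python detection routine for the endpoint stage described above: it scans process-creation log lines for Set-MpPreference calls that switch Windows Defender protections off, and for a certutil-style `-decode` whose output is an executable. The log line format, the sample lines and the exact set of switches are constructed for this example and only modelled on the published command line; the Set-MpPreference parameter names are real. The detector matches on the `-decode` argument shape rather than on the image name, so a renamed copy of certutil (an evasion assumed here, not described in the article) is still caught, while a decode to a text file does not alert.

```python
"""Detection sketch for the endpoint stage of the VSA attack chain.

Added example for this article, not code from Kaseya, REvil or the author.
The log format and sample lines are constructed; the Set-MpPreference
parameter names are real cmdlet parameters.
"""
import re
from dataclasses import dataclass
from typing import List

# Set-MpPreference switch/value pairs that turn a Windows Defender
# protection off. Real parameter names; the list is not exhaustive.
DEFENDER_OFF_RE = re.compile(
    r"-DisableRealtimeMonitoring\s+\$true"
    r"|-DisableIntrusionPreventionSystem\s+\$true"
    r"|-DisableIOAVProtection\s+\$true"
    r"|-DisableScriptScanning\s+\$true"
    r"|-EnableControlledFolderAccess\s+Disabled"
    r"|-MAPSReporting\s+Disabled"
    r"|-SubmitSamplesConsent\s+NeverSend",
    re.IGNORECASE,
)

# certutil's "-decode <input> <output>" argument shape. Matching on the
# arguments instead of the image name (assumed evasion: a renamed copy of
# certutil) means "cert.exe -decode ..." is still caught. Only executable
# outputs are flagged, so a decode to .txt does not alert.
DECODE_TO_EXE_RE = re.compile(
    r"\s-decode\s+(?P<src>\S+)\s+(?P<dst>\S+\.(?:exe|dll))\b",
    re.IGNORECASE,
)

# Constructed log format: <timestamp> ProcessCreate Image=<path> CommandLine="<cmd>"
CMDLINE_RE = re.compile(r'CommandLine="(?P<cmd>.*)"\s*$')


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def scan_command_line(line_no: int, cmd: str) -> List[Finding]:
    """Return the findings for a single process command line."""
    findings: List[Finding] = []
    if "set-mppreference" in cmd.lower():
        switched_off = DEFENDER_OFF_RE.findall(cmd)
        if switched_off:
            findings.append(Finding(
                line_no, "defender_tamper",
                f"{len(switched_off)} protection(s) disabled: " + "; ".join(switched_off),
            ))
    m = DECODE_TO_EXE_RE.search(cmd)
    if m:
        findings.append(Finding(line_no, "decode_to_exe", f"{m['src']} -> {m['dst']}"))
    return findings


def scan_log(lines: List[str]) -> List[Finding]:
    """Scan process-creation log lines; lines without a CommandLine field are skipped."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        m = CMDLINE_RE.search(line)
        if m:
            findings.extend(scan_command_line(n, m["cmd"]))
    return findings


# Constructed sample log. Line 2 is modelled on the published attack command
# line (Defender switched off, a renamed certutil decodes agent.crt into
# agent.exe, agent.exe runs); it is not a verbatim capture. Line 3 is a
# benign administrative decode that must not alert.
SAMPLE_LOG = [
    '2021-07-02T14:01:10Z ProcessCreate Image=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd.exe /c dir C:\\kworking"',
    '2021-07-02T14:02:33Z ProcessCreate Image=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd.exe /c powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true '
    '-DisableIOAVProtection $true -DisableScriptScanning $true -MAPSReporting Disabled '
    '-SubmitSamplesConsent NeverSend -Force & copy /Y C:\\Windows\\System32\\certutil.exe '
    'C:\\Windows\\cert.exe & C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt '
    'c:\\kworking\\agent.exe & c:\\kworking\\agent.exe"',
    '2021-07-02T14:05:00Z ProcessCreate Image=C:\\Windows\\System32\\certutil.exe '
    'CommandLine="certutil -decode C:\\temp\\blob.b64 C:\\temp\\blob.txt"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

Run as a script it prints one `defender_tamper` and one `decode_to_exe` finding, both for the second sample line. In production the same two rules would be fed from Sysmon Event ID 1 or Windows 4688 command-line auditing, and the `decode_to_exe` rule should be joined with the parent process (an RMM agent spawning cmd.exe) to cut false positives from ordinary certutil use.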

Stopping this Type of Attack

The frustrating truth about this attack is that part of the chain could have been prevented. The initial access came through the VSA vulnerability itself, which certificate management cannot fix, but the payload that crippled thousands of companies ran as smoothly as it did because it carried a signature made with a stolen private key. With a managed certificate management system or PKI as a Service, like the kind Encryption Consulting offers, that signing key would not have been exposed to theft in the first place. With proper certificate monitoring and key inventorying, a stolen key or an unexpected signing could have been detected and the certificate revoked. Instead, many companies may have to pay a ransom just to get their data back.


About the Author


Riley Dickens is a graduate of the University of Central Florida, where he majored in Computer Science with a specialization in Cyber Security. He has worked in cybersecurity for 4 years, focusing on Public Key Infrastructure, Hardware Security Module integration and deployment, and the design of Encryption Consulting's code signing platform, Code Sign Secure. His drive to solve security problems and find creative solutions is what makes him so passionate about the cybersecurity space. His work with clients has ensured that they get the best possible outcome with encryption regulations, implementations, and infrastructure design. Riley enjoys following his passion for penetration testing in his spare time, along with playing tennis.
