While most Americans were preparing for the July 4 holiday weekend by picking up burgers and beers, the hackers thought to be responsible for the JBS ransomware incident were readying a supply chain attack timed to hit when IT workers were off duty. An attack on managed service providers (MSPs) making use of Kaseya products is thought to have compromised at least 200 of that company’s clients, and possibly as many as tens of thousands in total.
Kaseya is a software service provider that specializes in remote monitoring and management tools operated through its own cloud servers, which in turn are often licensed by MSPs that offer various IT services to their clients. The incident somewhat resembles the infamous SolarWinds attack in that compromise of a service provider allowed attackers to access many of that provider’s clients, but in this case it is still not clear exactly how many were hit. The attack appears to have compromised the Kaseya VSA platform specifically, a product highly targeted at MSPs that provide IT support to small businesses that generally cannot afford their own IT departments.
Supply chain attack spreads damage far and wide via MSPs
The fact that it impacts MSPs makes the total damage of the supply chain attack hard to estimate, as those companies in turn have unknown amounts of clients that may have been affected. MSPs generally have privileged access to client networks and computers, and the type that use Kaseya’s VSA platform may have as many as several hundred clients each.
The supply chain attack was first discovered on Friday, July 2. The following day, Kaseya issued a statement confirming the attack and claiming that 40 of its clients had been affected. The company advised all of its clients (about 40,000 in total) to disconnect the software immediately. Independent cybersecurity firm Huntress Labs tracked the supply chain attack and confirmed that at least 20 MSPs making use of Kaseya VSA servers had contracted the ransomware; together these MSPs are estimated to have somewhere north of 1,000 clients that may have been compromised in turn. At this point at least 200 of these end clients have confirmed being hit with the ransomware. Given that the attack unfolded over a holiday weekend during which many of these end clients will not be in the office, a more accurate count is not expected for several days at least. Bryson Bork, CEO at SCYTHE, does not have a positive expectation for the eventual total: “This is going to be another SolarWinds in size. MSSPs are the trusted backbone to many companies and this compromise takes advantage of that relationship. Pour one out for the thousands of folks who just lost their 4th of July weekend to this latest (and not the last) threat campaign.”
The culprit is a familiar face: REvil, the “ransomware as a service” group that is thought to be behind the recent attack on meat packing giant JBS. It is unclear exactly who is directly responsible as REvil provides its ransomware and resources to a variety of cyber criminals that do the actual penetration of target networks for a share of the eventual profits. In this case, ransom demands were directed to each of the individual end targets with the Wall Street Journal reporting amounts of $25,000 to $150,000 being asked. Anurag Gurtu, CPO at StrikeReady, points out that organizations should not expect REvil to stop plaguing the world anytime soon given the spree of activity as of late: “This year, REvil, also called Sodinokibi, is on a rampage … Recent threats have included demands for ransom from Apple and a threat to leak blueprints on its site before Apple’s Spring-Loaded event – a live streaming event from Cupertino. Affiliates keep 60 percent of every ransom payment, and 70 percent after three successful ransom payments. The remaining 30 or 40 percent goes to the actor or actors behind REvil.”
On Sunday July 4, Kaseya issued a notice that it expects to restore operations within 48 hours and that a patch will be required before restarting VSA. Kaseya also issued a “compromise detection tool” that clients can use to determine if they were affected. The vulnerability, which appears to be a zero-day not previously known prior to its use in the supply chain attack, is thought to affect nearly all VSA installations that are open to the internet.
A twist in the story is that the Dutch government’s cyber response team (CERT) appears to have actually discovered the zero-day prior to the supply chain attack, and had notified Kaseya and been working with them to develop a patch when it happened. It is still unknown if the information somehow leaked out, or if the attackers simply happened to discover the same vulnerability at the same time.
Ransomware and supply chain attacks
The incident combines two of the fastest-growing areas of concern in IT security: ransomware and supply chain attacks. Ransomware has enjoyed a renaissance thanks to “brand name” vendors such as REvil enabling less sophisticated criminal actors, and supply chain attacks continue to plague even well-defended organizations as they target factors that are largely outside of their control. And though MSPs have not made a big splash in cybersecurity news as of late, they have consistently been a popular target — particularly for state-backed threat groups looking to quickly gather lots of proprietary corporate information. Chris Grove, technology evangelist with Nozomi Networks, describes how this sort of attack on an MSP is particularly devastating for smaller companies with little technical capability: “This type of a supply chain attack, similar to the SolarWinds attack, goes straight to the jugular of organizations looking to recover from a breach. These types of technology management solutions can have high concentrations of risk due to their large collection of enterprise accounts with elevated privileges, unrestricted firewall rules needed for them to operate, and a cultural ‘trust’ that the traffic to/from them is legitimate and should be allowed. Once a breach happens, the victim would generally reach for these tools to work their way out of a bad situation, but when the tool itself is the problem, or is unavailable, it adds complexity to the recovery efforts.”
Though the full scope is still unknown this particular supply chain attack is serious enough that the US Cybersecurity and Infrastructure Security Agency (CISA) announced that it was getting involved, taking action to “address and understand” the incident. The Biden administration has ordered a probe of the attack, saying that there is no initial indication that the Russian government is involved.