Legendary hacks #5: Kaseya, the most significant supply chain ransomware attack yet
When a patch leads to a worldwide attack and a $70 million ransom.
What is a supply chain ransomware attack?
The supply chain brings together several professionals and tries to make them work together as well as possible. The main actors of the supply chain are: producers, suppliers, factories, distributors, customers, and logistics providers.
A supply chain attack involves malicious actors finding a vulnerability in an organization’s network, embedding malicious code into a software update, and automatically pushing it out to customers in the supply chain.
The Kaseya organization
On July 2nd, US Independence D>ay weekend, US-based network software provider Kaseya announced that its infrastructure had been compromised and immediately requested a number of its customers to shut down their systems.
The attack, linked to Russian ransomware group REvil (also called Sodinokibi), infiltrated Kaseya’s Virtual Systems Administrator (VSA) software, designed to remotely manage an organization’s complete infrastructure. REvil is one of the most prolific threat actor groups, totaling the most victims during 2021.
The initial entry was made using a zero-day vulnerability in Kaseya’s VSA software (used for remote management and control). This allowed the attackers to execute commands on the VSA appliance. It appears an auto-update in VSA was used to push out the ransomware. REvil demanded a $70 million ransom in this attack from Kaseya and thousands of dollars from individual victims.
It was all the more significant t as the attack was made through a trusted channel. Kaseya’s customers are managed service providers (MSPs), contracted to remotely handle IT operations for organizations. This vastly expanded the attack landscape. In addition, the bad actors directly targeted software used to protect customers from malicious attacks.
Kaseya has said that between 800 and 1,000 businesses were hit across the globe by the attack, including schools in New Zealand and “Coop” supermarkets in Sweden, downstream clients of the affected MSPs.
Kaseya rapidly started a restoration process to fix the issue in its VSA. On July 3, Kaseya released a compromise detection tool to its customers. This tool analyzes the user’s system, be it VSA server or managed endpoint, and determines if indicators of compromise (IOC) are present. To date, it maintains 2,000 customers have downloaded the tool. Kaseya also released patches to fix the vulnerability in VSA.
Several weeks after the attack, Kaseya confirmed it had obtained a decryption key to unlock hundreds of files belonging to companies attacked. For many, it came too late as they had already put recovery processes in place to retrieve their data or had paid the ransom.
Lessons learned from the Kaseya attack
This kind of attack could have happened to anyone. To face it, it is important to revisit regularly incident response plans. This includes periodically evaluating tools in the security stack to ensure they can deal with emerging threats.
To learn how to be prepared for a ransomware attack, discover our expert’s series.