Executive Briefing: Kaseya Supply Chain Attack

Globally, a new ransomware attack hit thousands of organizations that use a remote management tool called Kaseya. The extent of the attack is just now becoming apparent, and the scope continues to grow.

Who is attacking and how?

The REvil ransomware gang, based in Russia, launched the attack. REvil used a sophisticated chain of exploits that included a vulnerability in the Kaseya VSA (virtual system administration) tool. Managed IT service providers (MSPs) that use the VSA tool then unknowingly distributed the compromised version to their customers. REvil then had an open door into those customer networks and launched ransomware attacks. This was a very fast attack, not designed to carefully extort targeted victims, but rather to maximize the criminals’ return using scale and automation. Therefore, the damage has been limited.

What steps should we take?

The basic guidance has been to shut off the VSA tool on all computers where it is installed and wait for the fixed version to be deployed (ETA still TBD). Kaseya has also released a tool that will search for compromised versions of the agent. Network flow and firewall records should be searched for suspicious outbound connections from systems with the VSA installed. DHS/CISA and the FBI have published a list of indicators, and network traffic and systems should be searched for those indicators.

Could we have prevented this?

This attack utilized what is known as a “zero-day” vulnerability, which means there was no update or patch at the time the attack was identified as underway, and therefore could not have been prevented through tools that detect “known” malware. Network monitoring and analysis may identify aberrational behaviour, but this would be after the fact, with the extortion already underway.

If nothing has happened so far, are we okay?

If an organization was compromised using the VSA tool, criminals could have installed other tools for future access, and possibly on other systems inside the network. Organizations must still monitor very closely for signs of an attack in the coming weeks, as well as prepare to minimize the impact if one occurs.

If we don’t use Kaseya, are we okay?

This attack only impacts Kaseya users, but since this is the second time REvil has gotten into networks through 3^rd party software updates, all organizations should see this as a future avenue of attack and prepare.

What we will do going forward

• Review backups to ensure their availability and integrity.
• Prepare duplicates of critical operation servers and disconnect them from the network, reviewing incident response, insurance, and availability of external resources
• Obtain all indicators being distributed, and searching for those indicators in logs and network traffic, including the Kaseya identification tool
• Monitor media and government sources for information and set up an assessment through Mid-Range for you.