The Kaseya Ransomware Attack
The network management software vendor Kaseya is currently struggling to mitigate the consequences of a massive Ransomware attack, which exploited a vulnerability (CVE-2021-30116) in its software, resulting in the successful infiltration of the systems of over 1,000 of the company’s customers.
The strike occurred on Friday last week and was initially classified as a supply-chain attack. Kaseya has since stated that the possibility of hackers having tampered with the code of the company’s software has been ruled out.
It was speculated in the initial reports about the attack that the hackers behind it may have been able to remotely access the backend of the company’s infrastructure and may have altered it in order to deploy a harmful update to the VSA servers of Kaseya’s clients, thus infecting their networks. A similar large-scale attack has already occurred in the past when SolarWinds, Microsoft, and VMware got compromised by a Russian ransomware hackers.
However, it has been since discovered that it was the CVE-2021-30116 bug in Kaseya’s software that allowed the attackers to compromise the company’s customers. According to Kaseya, the criminal actors have managed to use the zero-day flaw to circumvent authentication requirements and run arbitrary commands, which enabled them to leverage the functionality of the company’s VSA products and thus attack the targeted endpoints with Ransomware. However, as stated by the company, thus far there is no evidence that the VSA codebase has been tampered with by the attackers.
To put it differently, although the exploitation of the zero-day bug is not in and of itself a supply-chain attack, the subsequent infiltration of the MPSs (managed service providers) and the attack on their customers should still fall under the supply-chain attack category.
For the time being, it remains unclear how the hackers learned the specifics about the zero-day flaw since they haven’t been made publicly available, although it has been suggested that the bug is trivial to exploit for someone with sufficient hacking expertise.
According to the latest information provided by Kaseya CEO Fred Voccola, the attack has hit approximately 60 MSPs and nearly 1500 of their customers (mostly small to medium businesses and organizations) spread across the globe.
The hacking group responsible for the attack is the infamous REvil ransomware-as-a-service (RaaS) organization, which has been active for at least the past three years and has netted over $100 million from its hacking campaigns in 2020 only. Initially, the REvil hackers demanded a ransom sum of $70 billion to release a universal decryptor that can unlock the encrypted data of the infected victims. The threat actors have since lowered the price of the decryptor to $50 million, indicating that they may be willing to negotiate terms.
The chain of the attack started after a malicious dropper was deployed using a PowerShell script, the execution of which was done through the exploiting the VSA software flaw.
According to researchers, the PowerShell script works by disabling the endpoint protection that Microsoft Defender provides and by them using the certutil.exe utility to decode agent.exe – a malicious executable. The latter deploys the legitimate MsMpEng.exe (which is an older Microsoft Defender version) and the malicious mpsvc.dll library (this is the Ransomware virus). After that, the Ransomware library gets loaded by MsMpEng.exe using a type of DLL side-loading method.