Observing The Kaseya VSA Attack

Just before the Fourth of July weekend, Kaseya, an IT solutions developer for managed service providers (MSPs) and enterprise clients, fell prey to a cyberattack waged by REvil, a Russia-based private ransomware-as-a-service (RaaS) provider. CBS has called this the single biggest global ransomware attack on record, as cybersecurity teams worked feverishly over the holiday to stem the attack’s impact.

If ransomware were a TV series, the latest cyberattack involving Kaseya VSA would be a great season finale: a ransomware attack affecting a competitor to SolarWinds.

Organizations must understand that we are in a “soft war” with RaaS providers. We must be prompt and continuously diligent in all forms of IT and cyber hygiene. Everything from application code reviews to patch management, along with the methodologies and processes used to upgrade network and system components, must be reviewed incessantly. Any actions needed must be taken immediately.

It is time for organizations to be proactive in these endeavors and to ensure that their downstream suppliers, vendors and critical partners are doing the same. RaaS providers are to be viewed in the same light as cyber terrorists. Organizations need to be right all the time in how they conduct IT processes and cyber hygiene; cyber terrorists need to be right just once to affect many.

How did this happen and is the software company at fault? 

The Kaseya VSA Supply Chain attack appears to have been a very sophisticated attack. We’ll all play “Monday morning quarterback” as more information comes out – here’s what we know so far:

  • Attackers gained privileged access to a vulnerable Kaseya server (there is unsubstantiated speculation about possible ways that information on the vulnerability could have reached REvil)
  • REvil’s dropper writes a legitimate but vulnerable Windows Defender executable to disk and uses it to launch a malicious dynamic-link library (DLL) file, relying on exceptions granted to Kaseya’s working folder and a modified PE header to avoid detection
  • GET and POST requests travel from the AWS IP address (this IP address provides shared hosting – it’s possible that the attackers used a compromised web server as a launching point)
  • Second-wave attacks have been reported that use malicious fake security updates sent by email, allowing attackers to gain access to systems using Cobalt Strike (a threat emulation software tool)
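
As an added illustration that is not part of the original article, the following Python detection logic covers the second bullet: it flags a Defender engine binary that runs outside its install directory and loads an unsigned DLL from its own folder, and raises the severity when that folder is exempt from scanning. Assumptions: the "exceptions" are antivirus scan exclusions, the engine binary is MsMpEng.exe in its usual install paths, C:\agentwork is a placeholder for the excluded working folder, and the events are constructed samples reduced to three Sysmon image-load fields.

```python
from pathlib import PureWindowsPath

# Assumption: usual install locations of the Defender engine binary.
EXPECTED_DIRS = [
    PureWindowsPath(r"C:\Program Files\Windows Defender"),
    PureWindowsPath(r"C:\ProgramData\Microsoft\Windows Defender\Platform"),
]
WATCHED_BINARIES = {"msmpeng.exe"}  # Defender engine process name


def under(path, roots):
    """True if path lies inside any root (PureWindowsPath compares case-insensitively)."""
    return any(root in path.parents for root in roots)


def find_sideloads(events, av_exclusions):
    """Return (severity, image, dll) for unsigned DLLs loaded from the
    directory of a watched binary that runs outside its install path."""
    exclusions = [PureWindowsPath(p) for p in av_exclusions]
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        if image.name.lower() not in WATCHED_BINARIES or under(image, EXPECTED_DIRS):
            continue  # not a watched binary, or running from where it is installed
        if dll.parent != image.parent or ev["Signed"] == "true":
            continue  # signed module, or not loaded from beside the binary
        # A scan exclusion on the folder means the AV never inspected the DLL.
        severity = "high" if under(image, exclusions) else "medium"
        findings.append((severity, str(image), str(dll)))
    return findings


# Constructed sample events, reduced to three Sysmon image-load (Event ID 7) fields.
# C:\agentwork is a placeholder for an excluded agent working folder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\example.dll", "Signed": "true"},
    {"Image": r"C:\agentwork\MsMpEng.exe",
     "ImageLoaded": r"C:\agentwork\example.dll", "Signed": "false"},
    {"Image": r"c:\users\public\MSMPENG.EXE",
     "ImageLoaded": r"C:\Users\Public\example.dll", "Signed": "false"},
    {"Image": r"C:\Windows\notepad.exe",
     "ImageLoaded": r"C:\Temp\example.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for finding in find_sideloads(SAMPLE_EVENTS, [r"c:\AgentWork"]):
        print(finding)
```

The same rule extends to other security binaries by adding their file names and install directories to the two constants at the top.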

Kaseya has been very transparent, offering day-by-day updates as they resolve the attack.

What will the regulatory or government response look like? 

While President Biden has threatened retaliation against Russia for these attacks, Russia is not the only country housing such organizations. Ransomware attacks also come from friendly nations who hide their “source” tracks very well.


What makes this attack stand out?

Ransomware was, until this incident, a targeted approach affecting a single company. What makes this attack different is that many IT shops use Kaseya’s offerings. Thus, the ransomware has propagated onto many systems, causing interruption. This downstream effect, with the ransomware targeting and spreading to those organizations, has vastly changed the dynamic.


Should Kaseya pay the $70 million ransom?

Kaseya’s CEO has stated that less than 0.1% of the company’s customers are included in the breach. But Kaseya’s clientele includes numerous Managed Service Providers (MSPs), meaning smaller businesses are caught up in the mess.

To pay or not to pay the ransom is up to the Kaseya board to decide. Have they built such a sum into the cost of doing business in case an event like this occurred? Only Kaseya can answer this. You can view this along the same lines as entertainment or sports contracts: when one sees “x” getting so much, they want the same or more. The same is true between competing RaaS shops. When does it stop? When organizations say “no – I’m not paying that”. Someday, some organization will say no (and we can only hope they can support such a call) and perhaps it will curb the escalating ransoms being asked.

Meanwhile, Tech Radar reports that REvil has invited individual victims to “cough up anywhere between $50,000 and $5 million, depending on the size of the impacted corporate network.”


What is the major takeaway for Risk Management from this attack?

Understanding the risks associated with outsourcing critical processes is essential for all organizations. Proper due diligence of the cyber and privacy hygiene of any organization with access to your data is a must. This is a HUGE wakeup call to organizations to properly vet any organization that is exposed to their data: vendors, suppliers, partners, joint ventures, etc.