Another massive ransomware attack became known just before the holiday weekend began. The apparent attack on Kaseya's VSA supply chain is likely to affect thousands of companies, with an apparent affiliate of the REvil ransomware gang launching what appears to be a particularly pernicious attack on the software supply chain. Kaseya VSA was a particularly attractive target because it is software used by managed service providers (MSPs), a type of IT contracting business. Details of the story are still emerging, and the picture may look different (and probably significantly worse) by the time people return to work on Tuesday or Wednesday.
So what actually seems to be happening?
What is an MSP?
Many companies are either too small or too smart to have their own IT department. Managing computer networks is an especially difficult task, and the cost of failure can be crippling for an organization. The solution for a smart smaller business is to use a managed service provider, a company that does all of this work on a contract basis.
Virtually any business with more than two computers and fewer than a few hundred of them is best served by an MSP rather than running IT itself. There are so many details that go into maintaining a company's IT systems, from inventory maintenance to patching to providing backups, yet such companies are too small to warrant a full-time IT professional. An MSP is both better and cheaper.
This arrangement means that MSPs have to manage many computers themselves. So MSPs automate as much as possible, setting things up so that they can manage all of their customers' networks at the same time from a single remote computer.
What is Kaseya VSA?
MSPs don’t write software. Therefore, MSPs use vendors to provide software to make it easier to manage hundreds or thousands of computers. Kaseya is one of these vendors, and Kaseya VSA is the underlying tool used by many MSPs to control customer systems.
This software requires significant privileges to serve its purpose for the MSP. It needs to be able to update machines, add users, add or remove programs, and secure all data – but that also means it can just as easily be tampered with to steal information and encrypt data.
What is a supply chain attack?
A supply chain attack occurs when the attacker compromises a software vendor in order to deliver malicious code to the vendor's customers, the eventual victims. Supply chain attacks are particularly damaging because a company's exposure depends not only on its own suppliers but also on its suppliers' suppliers.
Perhaps that is exactly what happened here. The MSPs buy Kaseya products to manage customers’ networks. A compromised update of the Kaseya VSA would run on thousands of company networks without them having even signed a direct contract with Kaseya.
However, as coverage of the incident evolves, speculation mounts that it might instead have been a more conventional exploit of a vulnerability in Kaseya VSA. The incident still affects almost all VSA installations that are exposed to the Internet; it is very easy for an attacker to find and exploit all of the vulnerable servers, and MSPs will likely leave those servers open to the Internet, because the MSP must log into the servers in order to reach the client networks. Otherwise, how could the MSP remotely manage the machines?
In fact, this scenario can be even more worrying than an attack on the supply chain. The Dutch CERT, the Dutch government's cyber response team, suggests that it discovered the vulnerability, notified Kaseya, and actively worked with Kaseya to develop and deploy patches. But somehow the attacker found the vulnerability and exploited it before Kaseya could officially validate and release a patch. Although the Dutch CERT doesn't specifically say so, there is a dire possibility that the ransomware gang learned of this vulnerability, or at least of the patch plans, from someone who had been informed of the exploit!
Infosec Twitter may argue over whether it was a supply chain attack, conventional exploitation, or even a leak, but that has little practical bearing on the implications of the event.
Who is REvil?
Ransomware is a type of business that is run on an affiliate model. There is the corporate overlord, who provides the branding, handles the payments, and takes care of customer care for both the partners and the victims. The partners (affiliates) are the ones who actually break into systems to deliver the ransomware. Think of it like the agreement between a fast food brand and its franchisees.
REvil, also known as Sodinokibi, is one of the best-known of these corporate overlords and, as the branding suggests, a particularly malicious ransomware gang. It really is the McDonald's of the criminal world, with a very high level of name recognition. They are believed to operate mainly from Russia, which has a long history of turning a blind eye to cyber criminals who do not harm Russian systems.
So what happened in that incident?
It appears that a member of the REvil ransomware gang started a mass ransomware campaign, either through an attack on the supply chain or simply by directly attacking a large number of Kaseya installations. In either case, it enabled them to deploy ransomware on MSP customers' computers. This ransomware is suitably sophisticated: it uses signed code and hides inside a legitimate (albeit older) Windows Defender executable, so it can bypass many antivirus systems.
We do not currently know how many victims are affected, but hundreds are confirmed and the number is likely to reach thousands. Every victim is a small to medium-sized company whose computers, at best, become unusable and which, at worst, loses all of its data forever. Worse still, backups designed for recovery are often targeted by ransomware gangs. So unless the MSP arranges off-site or segregated backups, victims may have no choice but to either pay or lose data. And even if the victims come away with their data intact, the companies affected by the incident can expect business interruptions of several days or more.
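A defender's check tied to the detail above: the following PowerShell (added here, not code from the article or from Kaseya) lists running processes whose own version resource identifies them as Windows Defender components but which execute from outside the directories where Defender is normally installed, and reports their file version and signer so an analyst can compare against the platform's current build. The two directory paths and the product-name pattern are assumptions for a typical Windows 10/11 host.

```powershell
# Added example (not from the article). Assumption: these are the standard
# Defender install locations on the host being checked.
$knownDefenderDirs = @(
    (Join-Path $env:ProgramFiles 'Windows Defender'),
    (Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform')
)

function Find-RelocatedDefenderBinaries {
    # Processes whose image path cannot be read (protected processes) are skipped.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $proc = $_
        $info = (Get-Item -LiteralPath $proc.Path -ErrorAction SilentlyContinue).VersionInfo
        if (-not $info) { return }

        # Assumption: Defender components advertise one of these product/description strings.
        $looksLikeDefender = ($info.ProductName -match 'Windows Defender|Malware Protection') -or
                             ($info.FileDescription -match 'Antimalware')
        if (-not $looksLikeDefender) { return }

        # A Defender binary running from its normal install directory is expected.
        foreach ($dir in $knownDefenderDirs) {
            if ($proc.Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return }
        }

        # Anything left is a signed Defender image running from an unusual location:
        # record where it is, how old it is, and who signed it.
        $sig = Get-AuthenticodeSignature -FilePath $proc.Path
        [pscustomobject]@{
            Pid         = $proc.Id
            Path        = $proc.Path
            FileVersion = $info.FileVersion
            Signer      = $sig.SignerCertificate.Subject
            SigStatus   = $sig.Status
        }
    }
}

Find-RelocatedDefenderBinaries | Format-Table -AutoSize
```

An empty result is the expected state; any row deserves comparison of its FileVersion with the version in the Platform directory and a look at the DLLs loaded alongside it.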
So what now?
There is an unfortunate trend in the information security community to blame the victims of ransomware. Such victim-blaming is usually wrong, but here it is especially wrong. Small to medium-sized companies should use MSPs; it ensures that a responsible expert monitors their network, maintains the inventory and keeps everything up to date.
It is too early to blame Kaseya, too. Kaseya may be the particular vector in this case, but any management tool provider is a high-value target. The Russians targeted SolarWinds for the same reason: an attack on administrative tools is particularly effective.
Then there is the delicate question of how to deal with the attackers. The perpetrators are unlikely to be brought to justice unless Russia allows them to be extradited. This means that the gang responsible will continue such attacks as long as they can make money.
So what about the payments?
Because of this, focusing on payment bans is likely the best way to counter the threat. But this gang is a bit unusual in this respect. Rather than Bitcoin, the gang uses Monero for its primary payments.
Monero is a cryptocurrency that offers money laundering as a built-in primitive, as opposed to Bitcoin, which requires additional steps to disguise the origin of funds. But basically nobody uses Monero for legitimate payments, and as an "altcoin" (alternative cryptocurrency) it is significantly smaller, ranking only 26th in market capitalization among all altcoins.
But this particular choice makes the payments potentially easier to thwart. Exchanges where criminals convert Monero either into other cryptocurrencies or into real money could block these attackers. Few people other than criminals are significant net sellers trying to turn ransom or other illegal payments into a usable form. Exchanges may not know which crime a net seller is hiding, but they do know, or at least should know, that such sellers are criminals. The only other users are speculators, who both buy and sell Monero and therefore would not be net sellers.
Any cryptocurrency exchange that even offers Monero or Zcash (the other major cryptocurrency with built-in money laundering) is effectively the cryptocurrency equivalent of a bank that accepts massive stacks of $100 bills. These exchanges should be treated as inherently suspicious and as at risk of violating anti-money laundering regulations.
I hate that ransomware and cryptocurrencies taken together made me an advocate for the authoritarian application of money laundering laws. But I’m afraid nothing else will work. Otherwise there is simply too much money for the attackers.