On the afternoon of July 2, 2021, Kaseya reported that it had been impacted by a ransomware attack affecting its Virtual System Administrator (VSA) product and advised users to shut down VSA servers immediately. Initial reporting indicates this was a well-orchestrated supply chain attack impacting about 60 managed services providers (MSPs) and up to 1,500 client organizations by leveraging a zero-day vulnerability (CVE-2021-30116). The ransomware group behind the attack coordinated their malware to encrypt systems at a massive scale, claiming to have “more than a million systems” infected according to their shaming site.
Kroll alerted clients to the threat on Friday afternoon, and shortly afterward Kroll was engaged by several impacted customers. Our Kroll Responder team validated what the security community had shared: the ransomware dropper runs the binary “agent.exe”, which then loads the malicious mpsvc.dll via a legitimate Windows Defender binary, “MsMpEng.exe”.
The use of a legitimate Windows process to launch an attack can make the activity harder for traditional defensive applications to detect. This kind of obfuscation, in which the malware tries to appear benign, was also part of our research into EPHEMERAL LOCKPICKER, marking yet another area where attackers are becoming more sophisticated.
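To illustrate what detecting this pattern looks like in practice, here is an added example (not Kroll's tooling or any code from the original post) that flags the side-loading chain described above in simplified, constructed Sysmon-style process-creation and image-load events. The trusted Defender directories and the sample file paths are assumptions chosen for the example, not indicators taken from the incident.

```python
# Added example: flag a copy of the legitimate MsMpEng.exe running outside the
# normal Windows Defender directories, MsMpEng.exe spawned by agent.exe, or
# mpsvc.dll loaded from an untrusted location (the side-loading pattern above).
# Event shape is a constructed stand-in for Sysmon ProcessCreate (ID 1) and
# ImageLoad (ID 7) records, not real telemetry.
import ntpath
from typing import Optional

# Assumed trusted install locations for Defender binaries (example values).
TRUSTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

def _in_trusted_dir(path: str) -> bool:
    d = ntpath.dirname(path).lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DEFENDER_DIRS)

def classify(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None if nothing matched."""
    if event["EventID"] == 1:  # process creation
        image = event["Image"]
        parent = event.get("ParentImage", "")
        if ntpath.basename(image).lower() == "msmpeng.exe":
            if not _in_trusted_dir(image):
                return "defender-binary-outside-trusted-dir"
            if ntpath.basename(parent).lower() == "agent.exe":
                return "defender-binary-spawned-by-agent.exe"
    elif event["EventID"] == 7:  # image (DLL) load
        loaded = event["ImageLoaded"]
        if ntpath.basename(loaded).lower() == "mpsvc.dll" and not _in_trusted_dir(loaded):
            return "mpsvc.dll-sideloaded"
    return None

def scan(events: list) -> list:
    """Return (EventID, path, finding) for every event that matched a rule."""
    return [(e["EventID"], e.get("ImageLoaded") or e["Image"], f)
            for e in events if (f := classify(e))]

# Constructed sample events: a normal Defender start, the dropper, a relocated
# MsMpEng.exe spawned by agent.exe, its mpsvc.dll load, and a benign DLL load.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\agent.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\MsMpEng.exe",
     "ParentImage": r"C:\Users\Public\agent.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\MsMpEng.exe",
     "ImageLoaded": r"C:\Users\Public\mpsvc.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\mpsvc.dll"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two findings, one for the relocated MsMpEng.exe and one for the mpsvc.dll it loaded; the legitimate Defender events produce none.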
Kaseya released a compromise detection tool, which the Cybersecurity & Infrastructure Security Agency (CISA) recommends MSPs download to analyze whether any indicators of compromise (IoCs) are present. In a joint alert, CISA and the FBI also recommend MSPs:
- Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services;
- Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities like those of Kaseya VSA to known IP address pairs; and/or
- Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
Additionally, Kroll recommends organizations take the following steps:
- In addition to enabling MFA, conduct an audit of all administrative accounts and accounts with access to remote management tools, ensuring each account has a verified owner.
- Evaluate your ability to detect attacks like this where a legitimate process invokes malware and where traditional antivirus software is deactivated. It’s imperative to take advantage of a robust endpoint detection and response solution and manage it 24x7.
- Review your vulnerability management process to ensure systems are patched or updated to the latest release. Where a patch isn’t available or the system is unable to accommodate it, implement a compensating control to mitigate or reduce the risk.
- Review your business continuity and disaster recovery plan, specifically your backup and restoration processes and implementation. Determine if your backup strategy will enable successful recovery if hit by a ransomware attack. Where possible, move backups offline or out-of-band from the network for safe keeping.
- If your team hasn’t been doing incident response tabletop exercises with key stakeholders, including senior management and legal counsel, it’s a great time to start. For those already conducting these exercises, consider specific ransomware scenarios to help fine-tune decisions related to extortion methods such as data exfiltration, public exposure, client sensitivity, and more.
- Consider running an assessment focused on ransomware preparedness. These narrow assessments can often reveal key infrastructure weaknesses and assist with network hardening as well as improving detection and response controls.
- Kaseya released a patch for the VSA On-Premises server on July 11. The patch is available from Kaseya here, and customers are advised to follow the "On-Premises VSA Startup Readiness Guide" prior to deploying the patch. Please note that this download link will not come via email; beware of phishing attempts.
- "Kroll is aware of a phishing campaign designed to look like a Microsoft patch for the Kaseya VSA vulnerability and asking users to click on an embedded link or a malicious attachment. If executed, the attack would grant persistent remote access to the victim device. Security leaders are urged to remind their teams to route such emails to their security or help desk team for validation."
- "Ahead of the expected patch release, Kaseya published a Startup Readiness Guide for on-premises VSA servers. Clients are advised to follow the steps before restoring full connectivity. More details at https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993"
- According to their latest announcement at 5:00 p.m. ET on July 6, Kaseya estimates a patch for VSA will be available within 24 hours.
- The Dutch Institute for Vulnerability Disclosure (DIVD) on Sunday revealed “the number of Kaseya VSA instances that are reachable from the internet has dropped from over 2,200 to less than 140,” and the number continues to drop. In a Shodan query run at 6:00 p.m. ET on July 6, there were only 25 exposed instances worldwide.
The Kroll incident response team is on standby to help. Reach us 24x7 at [email protected] or via our hotlines.