Kaseya VSA Supply-Chain Compromise

By

Updated July 8, 2021

This is an addition to the recent deepwatch announcement released on July 2, 2021. On-going updates will be shared here as this event continues to unfold.

What Happened

Around 3 PM EST, reports started trending on Twitter regarding a possible supply chain attack that delivered REvil ransomware via the Kaseya VSA platform, a unified remote monitoring and management tool that is primarily used by Managed Service Providers (MSPs). 

What’s New

Kaseya confirmed on July 5th that the attackers used multiple “zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints.

Kaseya published a runbook on July 7th at 9:45 PM EDT regarding the changes to make to the VSA on-premises environment to prepare for the patch release; the runbook can be found at https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993)/

On July 7th at 2:45 AM EDT, Kaseya published a runbook for VSA SaaS customers to help prepare for the steps to take after the SaaS environment returns to service at: https://helpdesk.kaseya.com/hc/en-gb/articles/4403709476369.

Kaseya is still in the process of resetting the timelines for VSA SaaS and VSA On-Premises deployment.

A separate business email compromise campaign that is using the notoriety of the Kaseya ransomware attack was detected by Malwarebytes Threat Intelligence and posted to Twitter on July 6th. The campaign contains an attachment named “SecurityUpdates.exe”, as well as a link pretending to be a security update from Microsoft to patch the Kaseya vulnerability. When executed, the file drops a CobaltStrike payload.

What Did deepwatch Do?

  • The deepwatch Managed Detection & Response team has reviewed customers who are currently sending Windows and Network traffic logs to Splunk. Of these customers, deepwatch has performed a seven-day look back for associated IOCs across the customer base to identify potential targets.
  • deepwatch has added all known indicators related to Kaseya VSA compromise at this time to deepwatch TIP, which feed into a variety of detections.
  • The deepwatch Firewall Team has reviewed vendor-specific detections and IOCs that may need to be deployed in an emergency fashion; deepwatch will partner with our customers to implement any recommendations per their change management process.
  • The deepwatch Threat Operations team developed multiple base searches to detect known activity associated with the Kaseya VSA compromise. The following was distributed and implemented to all deepwatch customers via their squads:
    • A search for suspect IP addresses
    • Specific searches for suspicious execution and process associated with the ransomware
    • Searches that look for evidence of manipulation of Windows Defender via PowerShell
    • Searches that look for evidence of manipulation of Windows Defender via Event Code 4688

 

Original Briefing

Executive Summary

Around 3 PM EST, reports started trending on Twitter regarding a possible supply chain attack that delivered REvil ransomware via an auto-update feature in the Kaseya VSA platform, a unified remote monitoring, and management tool that is primarily used by Managed Service Providers (MSPs). 

deepwatch does not use Kaseya products for monitoring or management of our customer base. 

By design, Kaseya VSA has administrator rights down to client systems — which means that MSPs who are infected also infect their client’s systems.” Huntress Labs has reported it is “working closely with four of the known eight MSPs affected and is seeing indications VSA admin user accounts were disabled only moments before ransomware is deployed. The source of these indicators are auto-emailed Kaseya VSA Security Notifications indicated the “KElevated######” (SQL User) account performed this action. Huntress Labs is hesitant to jump to any conclusions, but this could suggest execution via SQL commands.

Kaseya released a statement shortly after:

“We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only. We have proactively shut down our SaaS servers out of an abundance of caution.”

Impact

After compromising an MSP via VSA, adversaries are then able to pivot to the MSPs’ customer environments to:

  • Disable those customers’ administrative access to their respective VSA platform 
  • Gain administrative access to all endpoints managed by VSA

Once the adversaries have gained access to compromised customers’ environments, adversaries have been reported to perform the following actions:

  • Disable Microsoft Defender
  • Deploy ransomware

Recommendations

deepwatch does not leverage Kaseya VSA as part of our technology stack; however, for organizations who leverage Kaseya’s VSA platform, Kaseya has released a statement strongly recommending that your organization IMMEDIATELY shut down your VSA server until further notice from Kaseya.

Kaseya has provided another advisory with the following information:

We are in the process of investigating the root cause of the incident with the utmost vigilance, we have:

  • Notified all of our on-premise customers to immediately shutdown their VSA servers
  • Shutdown our SaaS Servers

We have been further notified by a few security firms of the issue and we are working closely with them as well. While we continue to investigate the incident, we will update our customers (and interested parties) as we have more information.



Supporting Information

  1. https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
  2. https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/
  3. https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
  4. https://www.kaseya.com/potential-attack-on-kaseya-vsa/
  5. https://twitter.com/markloman/status/1411035534554808331?s=20

Subscribe to the deepwatch Insider Blog