Written by: Joseph Salazar, Technical Marketing Engineer – In an attack with strong echoes of SolarWinds, attackers have once again gone after a trusted software vendor, this time Kaseya, to compromise hundreds of businesses and deploy ransomware. Reports attribute the attack to the REvil ransomware group, which has demanded $70 million to unlock the compromised systems. Around 1,500 businesses running the on-premises version of the software are reported to be affected, many of them customers of Managed Service Providers (MSPs) whose VSA servers the attackers compromised.
The attackers exploited a zero-day vulnerability, CVE-2021-30116, in Kaseya VSA, a remote monitoring and management product used for patching and endpoint administration. The VSA agent runs with administrator rights on the endpoints it manages, which let the attackers use the product's own deployment mechanism to push ransomware to thousands of systems. Because Kaseya's guidance tells administrators to add the folders VSA uses to the exclusion ("allow") lists of anti-virus and EDR products, a payload written into those folders was never scanned, and endpoint controls offered little protection to client systems.
Kaseya has recommended that all customers shut down their VSA servers until it confirms it is safe to bring them back online, and it expects every VSA customer to install the yet-to-be-released patch before doing so.
These supply chain attacks show how sophisticated attackers compromise a software product and then use its footprint across many businesses. In this case, a single vulnerability let the attackers automate ransomware deployment to a number of systems that the attackers themselves claimed was close to a million.
Compromising Kaseya VSA to deploy ransomware is only one of the many routes attackers have used to launch thousands of attacks. EDR and EPP products stop much of this activity, but the sheer volume shows that businesses also need in-network, or stage 2, detection controls that alert on unauthorized access attempts, credential misuse, and attacker lateral movement. Here the deployment channel was a trusted management agent that the scanner had been told to ignore, which is exactly the situation where a second layer of detection that does not depend on recognizing the payload matters.
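What "stage 2" detection looks like in practice is logic over authentication telemetry rather than over file contents. The block below is an added example, not code from the post or from Attivo: two detectors run over a handful of constructed Windows Security events (4625 logon failures and 4624 successes, flattened to one pipe-delimited line each). The first flags credential misuse as a burst of failures for one source and account followed by a success; the second flags lateral movement as one source opening network logons (logon type 3) to many distinct hosts in a short window. All hostnames, accounts, addresses and timestamps in the sample are made up.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (invented values, not from the page):
# "timestamp|event_id|target_host|account|source_ip|logon_type"
SAMPLE_EVENTS = """\
2021-07-02T14:00:01|4624|FS01|svc_backup|10.0.5.20|3
2021-07-02T14:00:05|4625|DC01|administrator|10.0.9.77|3
2021-07-02T14:00:06|4625|DC01|administrator|10.0.9.77|3
2021-07-02T14:00:07|4625|DC01|administrator|10.0.9.77|3
2021-07-02T14:00:08|4625|DC01|administrator|10.0.9.77|3
2021-07-02T14:00:09|4625|DC01|administrator|10.0.9.77|3
2021-07-02T14:00:12|4624|DC01|administrator|10.0.9.77|3
2021-07-02T14:01:00|4624|WS-101|administrator|10.0.9.77|3
2021-07-02T14:01:04|4624|WS-102|administrator|10.0.9.77|3
2021-07-02T14:01:09|4624|WS-103|administrator|10.0.9.77|3
2021-07-02T14:01:15|4624|WS-104|administrator|10.0.9.77|3
2021-07-02T14:01:20|4624|WS-105|administrator|10.0.9.77|3
2021-07-02T14:30:00|4624|WS-200|alice|10.0.5.40|2
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    host: str
    account: str
    src_ip: str
    logon_type: int


def parse_events(text: str) -> list:
    """Parse the flattened lines into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, host, acct, src, lt = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), int(eid), host,
                            acct.lower(), src, int(lt)))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_misuse(events, fail_threshold=5, window=timedelta(minutes=2)):
    """Burst of 4625 failures for one (source, account) followed by a 4624 success."""
    recent = defaultdict(deque)   # (src_ip, account) -> timestamps of recent failures
    alerts = []
    for e in events:
        q = recent[(e.src_ip, e.account)]
        while q and e.ts - q[0] > window:   # forget failures outside the window
            q.popleft()
        if e.event_id == 4625:
            q.append(e.ts)
        elif e.event_id == 4624 and len(q) >= fail_threshold:
            alerts.append({"rule": "credential-misuse", "src": e.src_ip,
                           "account": e.account, "host": e.host,
                           "failures": len(q), "ts": e.ts})
            q.clear()   # one alert per burst
    return alerts


def detect_lateral_movement(events, min_hosts=5, window=timedelta(minutes=5)):
    """One source reaching many distinct hosts over network logons within the window."""
    recent = defaultdict(deque)   # src_ip -> (ts, host) of recent type-3 successes
    alerted, alerts = set(), []
    for e in events:
        if e.event_id != 4624 or e.logon_type != 3:
            continue
        q = recent[e.src_ip]
        q.append((e.ts, e.host))
        while q and e.ts - q[0][0] > window:
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= min_hosts and e.src_ip not in alerted:
            alerted.add(e.src_ip)   # report each source once per run
            alerts.append({"rule": "lateral-movement", "src": e.src_ip,
                           "account": e.account, "hosts": sorted(hosts), "ts": e.ts})
    return alerts


def run_detections(text: str) -> list:
    """Run both detectors over raw telemetry and return the alerts in order."""
    events = parse_events(text)
    return detect_credential_misuse(events) + detect_lateral_movement(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Neither rule knows anything about the ransomware binary; both fire on behaviour that a management agent pushing a payload, or an operator following up on it, produces on the network. The thresholds and windows are deliberately small so the sample trips them; in production they are tuned per environment, and the legitimate backup account in the first line shows why a single type-3 logon is not enough on its own.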
The Attivo Networks Endpoint Detection Net (EDN) DataCloak function protects customers from this specific ransomware attack and from other ransomware attacks that rely on privilege escalation and lateral movement. DataCloak uses concealment technology to hide, and deny access to, local files, folders, removable storage, and mapped network or cloud shares, so that unauthorized users or processes can neither enumerate nor open the protected objects. By denying attackers the ability to see or reach critical data, organizations disrupt the discovery phase and limit the damage from ransomware attacks such as the Kaseya compromise.
As attackers continue to succeed with supply chain attacks, these campaigns will only grow. The Kaseya attack has shown how one weak link in the security chain lets persistent threat actors break into a network and reach confidential and private data. Organizations should adopt an "assumed breach" posture in their cybersecurity strategy and deploy controls that detect threat actors who have already evaded the existing defenses and are inside the network. More information on Attivo anti-ransomware solutions can be found here.