President Biden has ordered his intelligence agencies to investigate a major ransomware supply chain attack over the weekend that targeted a vendor of IT software used by managed service providers (MSPs).
Suspected to be the work of a REvil affiliate, the attack on Miami-headquartered Kaseya was spotted by its incident response team at around midday on Friday.
The firm’s latest update, dated Sunday, claimed that the incident had affected around 40 on-premises customers worldwide, who will need a patch to mitigate the targeted vulnerability before they can restart systems.
In the meantime, both they and the firm’s SaaS customers have been told to keep systems offline. A decision on when to restart the SaaS servers will be taken on Monday.
Customers whom the ransomware actors have contacted have also been warned not to click on any links in these communications, as they may be weaponized with additional malware.
The attackers found and exploited a zero-day bug in the Kaseya VSA product to compromise the organization, according to researcher Kevin Beaumont.
The zero-day bug enabled them to remotely execute commands on the VSA appliance and deliver ransomware to the firm’s MSP customers via a fake software update.
“The attacker immediately stops administrator access to the VSA, and then adds a task called ‘Kaseya VSA Agent Hot-fix.’ This fake update is then deployed across the estate — including on MSP client customers’ systems — as a fake management agent update. This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya’s customers were still encrypted,” explained Beaumont.
“By design Kaseya is designed to allow administration of systems with high level privileges. So ransomware can push itself to systems. The attackers pushed a management agent update, which is automatically installed on all managed systems — which means very wide impact.”
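The pattern Beaumont describes (administrator access cut off, then a job with an innocuous name pushed to every managed endpoint) is something an MSP's own monitoring can be tuned to catch. The following Python script is an added illustration, not code from the article, Kaseya or any named researcher; it shows one way to sweep RMM job or audit logs for a job name matching the reported fake hot-fix and for a mass deployment that follows an admin-access revocation. The log line format, event names and field names are constructed assumptions for the example, as are the sample lines themselves.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, NOT real Kaseya VSA output. Assumed format:
# <ISO timestamp> <event_type> actor=<user> job="<name>" targets=<count>
SAMPLE_LOG = """\
2021-07-02T11:02:10Z ADMIN_ACCESS_REVOKED actor=system job="" targets=0
2021-07-02T11:03:44Z JOB_CREATED actor=system job="Kaseya VSA Agent Hot-fix" targets=0
2021-07-02T11:04:05Z JOB_DEPLOYED actor=system job="Kaseya VSA Agent Hot-fix" targets=1532
2021-07-02T09:15:00Z JOB_CREATED actor=alice job="Patch Tuesday rollout" targets=0
2021-07-02T09:16:30Z JOB_DEPLOYED actor=alice job="Patch Tuesday rollout" targets=40
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<event>\S+) actor=(?P<actor>\S+) '
    r'job="(?P<job>[^"]*)" targets=(?P<targets>\d+)$'
)

# Job name reported in the article; compared case-insensitively.
KNOWN_BAD_JOB_NAMES = {"kaseya vsa agent hot-fix"}
# Assumed tuning values: how many endpoints counts as a "mass" deployment,
# and how long after an admin-access revocation such a deployment is suspicious.
FANOUT_THRESHOLD = 500
WINDOW = timedelta(minutes=15)


def parse(log_text):
    """Parse the assumed line format into dicts, sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["targets"] = int(d["targets"])
        events.append(d)
    return sorted(events, key=lambda e: e["ts"])


def find_alerts(events):
    """Return (kind, job_name, timestamp) tuples for suspicious events."""
    alerts = []
    revocations = [e["ts"] for e in events if e["event"] == "ADMIN_ACCESS_REVOKED"]
    for e in events:
        # Indicator match on the job name reported in the incident.
        if e["job"].lower() in KNOWN_BAD_JOB_NAMES:
            alerts.append(("known_bad_job_name", e["job"], e["ts"]))
        # Behavioural match: a very wide deployment, worse if it follows
        # a recent loss of administrator access.
        if e["event"] == "JOB_DEPLOYED" and e["targets"] >= FANOUT_THRESHOLD:
            recent = any(timedelta(0) <= e["ts"] - r <= WINDOW for r in revocations)
            kind = "mass_deploy_after_admin_revocation" if recent else "mass_deploy"
            alerts.append((kind, e["job"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, job, ts in find_alerts(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind}: {job!r}")
```

On the constructed sample, the routine flags the hot-fix job twice by name (creation and deployment) and once more as a mass deployment inside the window after administrator access was revoked, while the 40-endpoint patch rollout earlier in the day raises nothing. The threshold and window are starting points to be tuned against an estate's normal deployment sizes.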
According to Huntress Security, the original vector is likely to have been an SQL injection vulnerability.
“We have high confidence that the threat actor used an authentication bypass in the web interface of Kaseya VSA to gain an authenticated session, upload the original payload, and then execute commands via SQL injection,” it said. “We can confirm that SQL injection is how the actors began code execution.”
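Huntress attributes the initial foothold to SQL injection in the VSA web interface. As an added, generic illustration that is not Kaseya's code and does not reproduce the actual flaw, the following Python snippet contrasts a login lookup that concatenates user input into its query with the same lookup using bound parameters, against an in-memory SQLite table. The table, its rows and the function names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table; not a real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)"
    )
    conn.execute("INSERT INTO users VALUES ('admin', 'hash-of-admin-pw', 1)")
    return conn


def lookup_vulnerable(conn, username, password_hash):
    # Defect on purpose: the supplied strings become part of the SQL text,
    # so quote characters and comment markers in them change the query.
    q = (
        "SELECT username, is_admin FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(q).fetchone()


def lookup_hardened(conn, username, password_hash):
    # Bound parameters: the driver sends the values separately from the
    # statement, so they are only ever compared as data.
    q = (
        "SELECT username, is_admin FROM users "
        "WHERE username = ? AND password_hash = ?"
    )
    return conn.execute(q, (username, password_hash)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # A username containing a quote and a SQL comment marker, with a wrong password.
    crafted = "admin' --"
    print("vulnerable:", lookup_vulnerable(conn, crafted, "wrong-hash"))
    print("hardened:  ", lookup_hardened(conn, crafted, "wrong-hash"))
```

With the crafted username the concatenated query returns the admin row even though the password does not match, because the comment marker removes the password clause; the parameterized query returns no row. In a real login path the password check belongs in application code with a proper password hash comparison rather than in the SQL `WHERE` clause, but the parameter-binding point stands for every query that touches user input.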
Although only 40 of Kaseya’s estimated 40,000 customers are thought to have been affected, these are MSPs that themselves have many customers. Huntress said it had tracked “well over 1,000” businesses whose systems have been encrypted as a result.
The attack is the latest in a string of high-profile compromises of the digital supply chain, following SolarWinds and Codecov. According to Team Cymru chief architect and Ransomware Task Force committee lead, John Shank, organizations should take note.
“This is not the first and it won’t be the last,” he warned. “It is time to add another item for already overwhelmed corporate security teams: audit suppliers and integrations with your supply chain providers. Limit exposure to the absolute minimum while still enabling business operations.”