Earlier this month, software vendor Kaseya made headlines when a vulnerability in its Virtual System Administrator (VSA) software led to an epidemic of the REvil ransomware.
Global ransomware attacks are on the rise, with REvil attacks the most common. According to this year’s IBM X-Force Threat Intelligence Index, REvil ransomware actors made at least $123 million in 2020 and stole nearly 21.6 terabytes of data.
The software in this attack, used by managed service providers (MSPs) to maintain customers’ environments on their behalf, often runs on on-premise servers deployed by Kaseya. When those servers were compromised using a zero-day exploit, the ensuing ransomware attacks affected approximately 1,500 organizations.
The group responsible for the attack publicly demanded a $70 million ransom in exchange for a universal decryption key. How did it get to this point?
What is REvil?
REvil, an abbreviation of Ransomware Evil, is a threat group thought to be based in Russia. The group is behind a string of ransomware attacks, several of which have extracted large payments from high-profile organizations. REvil is known for demanding high ransoms, often in the millions of dollars.
REvil has two other interesting characteristics.
First, the group employs a ransomware-as-a-service (RaaS) business model where it provides ransomware and infrastructure to affiliates in exchange for a percentage of paid ransoms. The REvil group focuses mainly on writing and updating its software and infrastructure, while its affiliates are responsible for identifying targets and conducting attacks.
Second, REvil doesn’t focus exclusively on encrypting a victim’s data. The group often begins its attacks by exfiltrating sensitive data and only then encrypting the environment. This approach provides two opportunities for ransom:
- An exchange for REvil not publishing sensitive data on its public blog.
- An exchange for the decryption key to regain access to encrypted files.
This two-pronged approach is known as a double-extortion scheme.
What Happened to Kaseya?
On July 2, an affiliate of REvil launched a ransomware attack against more than 5,000 targets across 22 countries, successfully compromising around 60 MSPs. The attack targeted internet-connected instances of the VSA software hosted on servers deployed by Kaseya on-premise for its MSP customers.
The attack exploited zero-day vulnerabilities that Kaseya had known about since April, when seven were reported by the Dutch Institute for Vulnerability Disclosure (DIVD) through Kaseya’s Vulnerability Disclosure Program (VDP). Four of those vulnerabilities had been patched; three were still outstanding.
One of the remaining vulnerabilities allowed REvil’s affiliate to bypass Kaseya’s authentication and gain access to an MSP’s VSA software. The attacker then used the software’s privileged access to infect the MSP’s customers’ environments with the REvil ransomware.
On Saturday, July 20, Kaseya released an update to patch the three remaining vulnerabilities, closing the window on other attackers who might try to use the same exploit used in the Kaseya/REvil breach.
The Rising Danger of Supply Chain Attacks
For non-Kaseya customers, these attacks may seem no more significant than other ransomware attacks in recent months. However, the 60 compromised MSPs were just the start.
MSPs use Kaseya’s VSA software to manage customers’ environments on their behalf. VSA servers have complete access to those environments, so once a VSA server is compromised, it can be used to compromise every environment it manages. That is exactly what happened: each compromised VSA server was used to push the malicious script to all of the customer environments it managed.
The rest of the story is predictable. The REvil ransomware encrypted every system it could access.
In a statement on July 6, Kaseya stated that “the total impact thus far has been to fewer than 1,500 downstream businesses.” Meanwhile, the REvil group claims the attack has compromised over one million distinct systems. We’ll probably never know the full extent of the attack or how many affected organizations will opt to pay the ransom.
This was a two-phase attack. The REvil affiliate first targeted MSPs using Kaseya’s VSA software, then used that access to drop the REvil ransomware inside the MSPs’ customers’ environments. From the victims’ perspective, this incident was extremely hard to foresee. It was not caused by a hole in their own security programs, or even in their supplier’s security program; it was caused by a security weakness on the part of their supplier’s supplier.
What can we learn from this? Like the SolarWinds attack, the Kaseya attack highlights the danger posed by an organization’s supply chain. An organization could have a highly effective security program but still fall prey to an attack like this due to a vulnerability in a supplier’s systems.
Protecting Against Ransomware
There are several important steps that organizations should take to protect against ransomware. Most notably:
- Keep secure, off-site backups of all critical systems and files.
- Practice effective vulnerability management (VM) to identify and patch known vulnerabilities in software assets quickly.
These steps help organizations minimize the likelihood of a ransomware compromise and limit the damage a compromise could cause. However, the Kaseya/REvil attack demonstrates that this may not be enough to mitigate the risk posed by modern ransomware variants.
REvil, in particular, is known for targeting backup files using several techniques. For smaller organizations, preventing these techniques may not be realistic, which makes ransomware attacks a considerable risk. Equally, as the Kaseya attack shows, quickly patching known vulnerabilities may not always be enough to protect against ransomware attacks, especially when those attacks target suppliers.
Hacking the Supply Chain (in a Good Way)
One positive to come from the Kaseya/REvil attack is that it highlights the role of VDPs.
Why are VDPs important? Unlike typical vulnerability management (VM) programs, which resolve only known vulnerabilities, VDPs invite hackers, security researchers, and anyone else who discovers an issue to report unknown vulnerabilities, business logic abuse, and chained exploits. Many zero-day vulnerabilities have been reported through VDPs, allowing organizations to resolve them proactively before a malicious actor can take advantage.
VDPs are an excellent addition to any VM program, but their value doesn’t stop there. By doing business with suppliers and partners that run active VDPs, an organization can reduce its risk of falling prey to supply chain threats like Kaseya/REvil and SolarWinds, because such suppliers find vulnerabilities before bad actors can exploit them. For this reason, forward-thinking organizations and federal agencies now strongly favor or mandate doing business with suppliers that have VDPs in place.
As an added precaution, organizations can also require suppliers to have protocols in place to audit their own suppliers for security readiness.
Recently, the U.S. Department of Defense launched the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP), a collaboration of the Department of Defense Cyber Crime Center (DC3), the DoD Vulnerability Disclosure Program (DoD VDP), the Defense Counterintelligence and Security Agency (DCSA), and HackerOne. This pilot program promotes cybersecurity within DIB vendors and contractors.
While smaller organizations may not mandate that third parties implement a VDP, they can include VDPs (and security in general) as a consideration when choosing suppliers. VDPs are an effective way to augment existing security controls and minimize the risk of ransomware attacks.
To find out more about HackerOne, VDPs, and how hacker-powered security can improve your organization’s security profile, read the CISO’s Guide to Reducing Risk with Responsible Disclosure.