Kaseya VSA Supply Chain Ransomware Attack
Written by: Joseph Salazar, Technical Marketing Engineer – In an attack strongly reminiscent of the SolarWinds compromise, attackers have once again gone through a trusted software vendor, this time Kaseya, to compromise hundreds of businesses and deploy ransomware. Reports attribute the attack to the REvil ransomware group, which has demanded $70 million to unlock all affected systems. The attack is known to have affected an estimated 1,500 businesses running Kaseya's on-premises VSA product, many of them customers of Managed Service Providers (MSPs) whose VSA servers were compromised.
The attackers exploited a zero-day vulnerability, CVE-2021-30116, in Kaseya VSA, a remote monitoring, patch, and vulnerability management product. Because the product needs administrator rights on the endpoints it manages, a compromised VSA server is an ideal channel for pushing ransomware to thousands of systems at once. Kaseya also recommends adding the folders VSA uses to the allow lists of anti-virus and EDR products, so files the attackers dropped through VSA into those folders were never scanned, leaving the endpoint protection on client systems little chance to intervene.
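The allow-list problem described above can be checked on your own endpoints. The following PowerShell is an added example, not code from the original post, from Kaseya, or from Attivo: it reads the local Microsoft Defender path exclusions and flags any that cover a whole directory, any that fall under a list of management-agent working directories you supply (the `$AgentDirs` default is a hypothetical placeholder, not a real Kaseya path), and any excluded directory that broad principals such as Everyone or BUILTIN\Users can write to. Defender is used because its exclusions are queryable from PowerShell; the same audit applies to any EDR that honors folder exclusions.

```powershell
# Added example (not from the original post, Kaseya, or Attivo): audit the
# Microsoft Defender path exclusions on this endpoint and report the ones that
# would let an attacker who controls a management agent drop unscanned files.
# Run from an elevated PowerShell session; Get-MpPreference needs admin rights.

function Get-RiskyDefenderExclusions {
    param(
        # Directories your RMM/patch agent writes to. The default is a
        # hypothetical placeholder; replace it with your vendor's documented paths.
        [string[]] $AgentDirs = @('C:\ProgramData\ExampleAgent')
    )

    # Principals that should never hold write access on an excluded directory.
    $broadIdentities = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write

    $findings   = @()
    $exclusions = @((Get-MpPreference).ExclusionPath)

    foreach ($exclusion in $exclusions) {
        if ([string]::IsNullOrWhiteSpace($exclusion)) { continue }

        $expanded = [Environment]::ExpandEnvironmentVariables($exclusion)
        $reasons  = @()

        # A whole-directory exclusion skips every file later written into it,
        # which is exactly what a payload pushed through the agent relies on.
        $isDirectory = Test-Path -LiteralPath $expanded -PathType Container
        if ($isDirectory) {
            $reasons += 'entire directory excluded from scanning'
        }

        # Exclusions covering the agent's own working directory deserve a second
        # look even when the ACL is tight: whoever controls the management
        # server controls what lands there.
        foreach ($agentDir in $AgentDirs) {
            if ($expanded.TrimEnd('\') -like "$($agentDir.TrimEnd('\'))*") {
                $reasons += "covers agent directory $agentDir"
                break
            }
        }

        # Check whether low-privileged principals can write into the directory.
        if ($isDirectory) {
            $acl = Get-Acl -LiteralPath $expanded -ErrorAction SilentlyContinue
            if ($acl) {
                foreach ($rule in $acl.Access) {
                    $identity = $rule.IdentityReference.Value
                    $rights   = [int]$rule.FileSystemRights
                    if ($rule.AccessControlType -eq 'Allow' -and
                        $broadIdentities -contains $identity -and
                        ($rights -band $writeBits) -ne 0) {
                        $reasons += "writable by $identity"
                    }
                }
            }
        }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Exclusion = $exclusion
                Resolved  = $expanded
                Reasons   = ($reasons -join '; ')
            }
        }
    }

    return $findings
}

# Example invocation: print every risky exclusion with the reasons it was flagged.
Get-RiskyDefenderExclusions | Format-Table -AutoSize
```

Two limitations worth knowing: exclusions that contain wildcards are not resolved to directories, so their ACLs are not inspected, and only explicit write bits are decoded, so ACEs expressed with raw generic access masks will not be reported. Anything the script does flag is a candidate for narrowing the exclusion to specific signed binaries rather than a writable folder.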
Kaseya recommends that all customers shut down their VSA servers until it provides further instructions about when it is safe to bring them back online. Kaseya expects all VSA customers to install the patch it has yet to release before restoring their VSA servers to service.
These supply chain attacks demonstrate the attackers' sophistication in compromising a software product and then using its footprint across many businesses. In this particular attack, a single vulnerability let the attackers reach reportedly close to a million systems by automating ransomware deployment through the compromised software.
Compromising Kaseya VSA to deploy ransomware is only one of many methods attackers have used to launch thousands of attacks. While EDR and EPP products protect against many such activities, the sheer volume of attacks shows that businesses also need in-network, second-stage detection controls that alert on unauthorized access attempts, credential misuse, and attacker lateral movement.
The Attivo Networks Endpoint Detection Net (EDN) DataCloak function protects customers from this specific ransomware attack and from other ransomware attacks that rely on privilege escalation and lateral movement. DataCloak uses concealment technology to hide, and deny access to, local files, folders, removable storage, and mapped network or cloud shares, preventing unauthorized users or processes from enumerating or accessing the protected objects. By denying attackers the ability to see or reach critical data, organizations can disrupt the discovery phase and limit the damage of ransomware attacks such as the Kaseya compromise.
As attackers continue to succeed with supply chain attacks, this activity will only grow. The Kaseya attack shows how one weak link in the security chain lets persistent threat actors break into a network and reach confidential and private data. Organizations should adopt an "assumed breach" posture in their cybersecurity strategy and deploy controls that detect threat actors who evade existing defenses and get inside the network. More information on Attivo anti-ransomware solutions can be found here.