Update Kaseya attack: company still struggling with the consequences - was there a ransom payment?
by Svenja Koch
One month after the supply chain attack on Kaseya, the IT service provider is still struggling with the effects of the cyberattack.
In early July 2021, a cyberattack occurred on the IT service provider Kaseya. This attack had a global impact, as it was an attack on the company's supply chain. In Sweden, for example, up to 800 branches of the supermarket chain Coop had to close for days because the cash register systems were not available. About a month after the incident, Kaseya is still struggling with the consequences of the attack.
The supply chain attack: the method the attackers used
A supply chain attack is a specific form of cyber attack that targets companies' supply chains. In the case of Kaseya, the attackers exploited an IT vulnerability in the systems of the US company: a so-called zero-day exploit in the provider's software. The hackers used this IT security gap to smuggle ransomware into the customers' networks.
The target of the attack was the Unified Remote Monitoring & Management software VSA. VSA (Virtual System Administrator) is a tool for remote maintenance: customers use it to control workstations and other computers in their own network from any location, and their IT security teams install software updates through this channel, among other things. VSA is offered both as a cloud service and for on-premises installation, so that customers can also run the software on their own infrastructure.
Supply chain attacks in IT always follow a similar pattern. Instead of attacking a company's IT infrastructure directly and looking for an IT security gap there, the hackers target IT service providers. There, the attackers specifically look for IT security vulnerabilities that allow them to implant malware in the software's update routines. In this way, the hackers infect the actual software product, in this case the remote maintenance software VSA. With the next update, the ransomware reaches the customer systems, and installing the update activates it there.
This method has two decisive advantages for the hackers. Firstly, the IT security teams of most companies that use software from IT service providers trust official updates and patches, so updates are usually installed as soon as they are available. Secondly, these attacks run through the supply chain simultaneously, because the updates are sometimes installed automatically or IT security applies them as quickly as possible. As a result, the ransomware compromises a large number of companies at the same time.
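The two advantages described above both rest on the same assumption: whatever arrives through the official update channel is trusted and installed at once. The following is an added example, not code from Kaseya, VSA or this article, of a release gate that a customer's own IT security could place in front of an RMM-driven rollout. It releases an update to endpoints only if the package's SHA-256 digest matches a digest obtained out of band from the vendor and the package has aged past a hold-down window, so that a package retracted hours after publication never auto-installs. The package bytes, version numbers, digests and timestamps are all constructed for the example.

```python
"""Added example, not code from Kaseya, VSA or the article: a release gate that a
customer's own IT security could place in front of an RMM-driven rollout, so that
an update is not trusted simply because it arrived through the official channel.
An update is released to endpoints only if its SHA-256 digest matches a digest
obtained out of band from the vendor AND it has aged past a hold-down window,
so a package that is retracted hours after publication never auto-installs.
All package bytes, version numbers, digests and timestamps below are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class UpdateDecision:
    allow: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate_update(package: bytes, version: str, vendor_digests: dict,
                    published_at: datetime, now: datetime,
                    hold: timedelta = timedelta(hours=24)) -> UpdateDecision:
    """Decide whether an update package may be pushed to managed endpoints.

    vendor_digests maps version -> SHA-256 hex digest and must come from a
    channel independent of the update delivery path (e.g. the vendor's signed
    release notes); otherwise a compromised delivery channel can supply both.
    """
    expected = vendor_digests.get(version)
    if expected is None:
        return UpdateDecision(False, f"no out-of-band digest on record for {version}")
    actual = sha256_hex(package)
    if actual != expected:
        return UpdateDecision(False, f"digest mismatch for {version}: "
                                     f"got {actual[:12]}, expected {expected[:12]}")
    age = now - published_at
    if age < hold:
        return UpdateDecision(False, f"hold-down: {version} published {age} ago, "
                                     f"releasing in {hold - age}")
    return UpdateDecision(True, f"{version} verified and past {hold} hold-down")


# --- constructed sample data (not real Kaseya artefacts) ---------------------
GOOD_PACKAGE = b"agent-hotfix 9.5.7 (constructed sample bytes)"
TAMPERED_PACKAGE = GOOD_PACKAGE + b"\x00injected"
# Stands in for the digest an administrator copied from the vendor's out-of-band
# release note; in a real deployment it is NOT derived from the downloaded file.
VENDOR_DIGESTS = {"9.5.7": sha256_hex(GOOD_PACKAGE)}
T_PUBLISHED = datetime(2021, 7, 2, 14, 0, tzinfo=timezone.utc)
T_EARLY = T_PUBLISHED + timedelta(hours=2)     # still inside the hold-down
T_LATE = T_PUBLISHED + timedelta(hours=30)     # past the hold-down


if __name__ == "__main__":
    for label, pkg, ver, now in [
        ("genuine, too fresh", GOOD_PACKAGE, "9.5.7", T_EARLY),
        ("genuine, aged", GOOD_PACKAGE, "9.5.7", T_LATE),
        ("tampered", TAMPERED_PACKAGE, "9.5.7", T_LATE),
        ("unknown version", GOOD_PACKAGE, "9.9.9", T_LATE),
    ]:
        d = evaluate_update(pkg, ver, VENDOR_DIGESTS, T_PUBLISHED, now)
        print(f"{label:20s} -> {'ALLOW' if d.allow else 'DENY'}: {d.reason}")
```

The hold-down window trades patch latency for a chance to react: if the vendor or the security community retracts a release within the window, nothing has been installed yet. The digest table is only meaningful if it really is obtained separately from the update itself; a digest served by the same compromised channel protects nothing.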
The sequence of events in the supply chain attack on the US company Kaseya
02 July: The company's own IT security notices irregularities in the VSA servers. Within an hour of discovering the attack, the company acts and shuts down the VSA servers. At the same time, Kaseya sends messages to all customers recommending that they also shut down their own servers with VSA.
03 July: Numerous companies around the world have been affected by the attack. According to Kaseya, however, the extent is limited to customers who use the Remote Monitoring & Management (RMM) module of the VSA software. According to the company's initial estimates, about 50 customers are affected. However, this number is quickly revised upwards, because the users also include managed service providers (IT system houses), which in turn use VSA to look after a large number of companies. In total, about 1,500 companies are said to have fallen victim to cyber attacks in the course of the attack on Kaseya's supply chain.
The impact on the Swedish supermarket chain Coop has been particularly prominent in the media. The chain closes around 800 shops across the country, some of which do not reopen for several days.
04 July: The first details about the attack become public. A Trojan called Sodinokibi was used. This malware is related to ransomware and exploits IT security vulnerabilities in Oracle WebLogic and Microsoft Windows. The specific IT vulnerability that the attackers exploited is now also known: the Dutch Institute for Vulnerability Disclosure reports that the corresponding zero-day exploit has been known since April. The US service provider was already working with security experts to close this IT vulnerability. However, the hackers struck first.
05 July: A letter of confession is published on the Darknet. The hacker group REvil claims responsibility for the attack and at the same time publishes a ransom demand for 70 million US dollars. REvil itself claims to have compromised over one million systems worldwide. After payment of the ransom, the group promises to release the encrypted data of all affected companies. The group demands payment in the cryptocurrency Bitcoin.
06 July: Fred Voccola, the CEO of Kaseya, addresses the public in a YouTube video. Voccola speaks of a criminal cyberattack on his company's infrastructure as well as that of its customers. At the same time, he praises the quick action of his own IT security team and states that cyberattacks of this kind can no longer be avoided; what matters far more is reacting quickly to limit the damage of such cyber attacks. On the same day, there are increasing reports that the hacker group REvil is directly contacting customer companies affected by the ransomware. Here, too, the criminals demand a ransom: for a payment of 45,000 US dollars, the hackers promise to decrypt these companies' data.
07 July: The company is working to restore its own VSA servers. In cooperation with Cloudflare and other IT security service providers, it works to raise the security level. However, unexpected obstacles are encountered in the process, delaying the re-commissioning of the VSA SaaS servers. At the same time, Kaseya promises to provide a patch for customers' on-premises VSA installations immediately after its own server infrastructure has been restored.
11 July: The first VSA servers are accessible again and the patch for on-premises installations is ready.
14 July: All sites, blogs and payment portals of the hacker group REvil have disappeared from the Darknet. Analysts are undecided about the reasons. It is suspected that Russian President Vladimir Putin has taken action against the criminals' infrastructure. Experts from the field of IT security have long assumed that REvil operates from the Russian Federation.
Free riders take advantage of the situation and launch their own cyber attacks
Kaseya had publicly announced that it would keep customers informed about further developments by email and had promised a solution for the data encrypted by the ransomware. Other cybercriminals took advantage of this. In the weeks following the cyberattack, there was increasing evidence that affected companies were being targeted by phishing attempts. Criminals sent mails that looked like official messages and added links to websites offering a download. Allegedly, a tool is available there that makes the data encrypted by the ransomware accessible again. In fact, these are manipulated websites that distribute further malware. The attackers tried to exploit the situation to launch their own cyber attacks.
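The follow-on phishing described above has a recognisable shape: a message posing as a vendor status update that promises a decryption tool and links to a download somewhere other than the vendor's own domain. The following is an added example, not code from the article or from Kaseya, of a small mail triage filter for that pattern. It extracts every URL from a message body, resolves the host, and flags links whose host is not the vendor's domain, blocking outright when the text also promises a decryptor. The trusted-domain list and all sample messages are constructed for the example.

```python
"""Added example (not from the article or Kaseya): triage for follow-on phishing
that poses as vendor incident updates and links to a 'decryption tool'.
Every URL in the body is extracted, its host compared against the vendor's own
domain, and brand look-alike hosts are called out separately. A message with an
off-domain link AND a decryptor promise is blocked; an off-domain link alone is
queued for review. TRUSTED_DOMAINS and the sample messages are constructed."""
import re
from urllib.parse import urlsplit

# Assumption for this example: the vendor communicates only from this domain.
TRUSTED_DOMAINS = {"kaseya.com"}
DECRYPTOR_WORDS = re.compile(r"decrypt(?:ion|or)?\s*tool|decryptor|recovery\s*tool", re.I)
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.I)


def host_is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only for the domain itself or a subdomain of it (not 'kaseya.com.evil.net')."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def looks_like_brand_spoof(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """'kaseya-support-update.com' mentions the brand but is not the brand's domain."""
    brands = {d.split(".")[0] for d in trusted}
    return any(b in host.lower() for b in brands) and not host_is_trusted(host, trusted)


def triage_message(body: str):
    """Return (verdict, findings); verdict is 'block', 'review' or 'pass'."""
    findings = []
    promises_decryptor = bool(DECRYPTOR_WORDS.search(body))
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")                      # strip trailing sentence punctuation
        host = urlsplit(url).hostname or ""
        if host_is_trusted(host):
            continue
        kind = "brand-spoofing host" if looks_like_brand_spoof(host) else "off-domain host"
        findings.append(f"{kind} {host} in {url}")
    if findings and promises_decryptor:
        return "block", findings
    if findings:
        return "review", findings
    return "pass", findings


# --- constructed sample messages ---------------------------------------------
PHISH = ("Kaseya Incident Update: a decryption tool for files affected by the ransomware "
         "is now available. Download: https://kaseya-support-update.com/vsa/decryptor.exe")
LEGIT = ("The current status for VSA customers is posted at "
         "https://www.kaseya.com/potential-attack-on-kaseya-vsa/ and no download is required.")
OFFDOMAIN = "Invoice attached, see https://billing.example.net/inv/123 for details."

if __name__ == "__main__":
    for name, body in [("PHISH", PHISH), ("LEGIT", LEGIT), ("OFFDOMAIN", OFFDOMAIN)]:
        verdict, findings = triage_message(body)
        print(f"{name:9s} -> {verdict}", *findings, sep="\n    ")
```

The suffix check in host_is_trusted matters: a naive substring test would accept a host such as kaseya.com.example.net, which is exactly the shape a look-alike domain takes. The filter is deliberately conservative, an off-domain link without a decryptor promise only goes to review, so that ordinary third-party links are not silently dropped.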
IT Security's countermeasures and help for affected companies
The company's first action was to shut down the affected servers and disconnect them from the network. This is a standard IT security response and is recommended in such situations. In this way, IT Security deprives the attackers of access to the systems and prevents them from causing further damage. At the same time, the search for the IT security gap that the attackers used begins.
Simultaneously with the processing of the cyber attack by IT Security, the company began public communication about the incident. Current information is available on its own website at https://www.kaseya.com/potential-attack-on-kaseya-vsa/. In addition, the company informed its customers directly about the attack on the supply chain. Kaseya also notified the national security authorities FBI and CISA (Cybersecurity and Infrastructure Security Agency) in the USA.
On 22 July, the company surprisingly announced that a decryption tool was available for the data affected by the ransomware. This works in 100 per cent of cases and thus decrypts the data encrypted by the ransomware on customers' servers. According to the company, the decryption tool comes from a trusted third party. It was initially suspected that the IT service provider had paid a ransom to the hacker group REvil, but Kaseya vehemently denied this in an announcement on 26 July. At the same time, the company did not provide any further details about the source of the decryption tool.
The Kaseya case once again clearly shows how far-reaching cyber attacks can be. Cyber attacks on the supply chain prove to be particularly dangerous: in this case, even customers of IT service providers that were in turn customers of Kaseya were affected. In such a constellation, a small or medium-sized company is often not even aware of what software or cloud applications are in use in its network. At the same time, it is apparent that IT security vulnerabilities are appearing everywhere, and IT security often has no chance to address them before hackers exploit them for cyber attacks. In most cases, including this one, the attackers work quickly and precisely and use ransomware, which has proven to be an effective tool for paralysing corporate networks and putting pressure on targets. Due to the high degree of digitalisation, many companies are dependent on their IT infrastructure; if it fails, they suffer enormous losses. For these reasons, the sustainable and up-to-date strengthening of IT security is now a must for every company. There are no secure or trustworthy systems, as cyber attacks via the supply chain prove.