What happened in the Kaseya cyber attack?

The Kaseya cyber attack refers to the ransomware attack that impacted hundreds of businesses worldwide on July 2, 2021. The attack began when threat actors exploited vulnerabilities in Kaseya’s VSA software to deploy ransomware to Kaseya’s customers. This article provides an overview of the key events and impacts of this significant supply chain cyber attack.

What is Kaseya VSA?

Kaseya VSA is an IT management software that allows managed service providers (MSPs) to remotely monitor and manage IT infrastructure for multiple customers from a central interface. The software is used by MSPs to provide outsourced IT services to small and medium businesses globally.

Key features of VSA include:

  • Remote monitoring and management of networks, computers, and servers
  • Patch management for automating software updates
  • Antivirus and endpoint security
  • Backup and disaster recovery
  • Service desk and ticketing system

At the time of the attack, Kaseya estimated it had over 36,000 customers using VSA to manage over 1 million endpoints.

How did the attack unfold?

On Friday July 2, 2021, threat actors exploited vulnerabilities in VSA software to deploy ransomware payloads. This malicious code was then distributed downstream to MSPs and their customers as VSA automatically pushed out scripts and updates.

The attack unfolded over the American Independence Day holiday weekend as follows:

Friday July 2

  • Threat actors compromise Kaseya’s VSA product and use it to deploy ransomware to targets.
  • Initial infections estimated at between 800 and 1,500 businesses.
  • Kaseya shuts down cloud servers for VSA to stop infections spreading.
  • Many victims receive ransom demands from the REvil ransomware operation.

Saturday July 3

  • Kaseya urges customers to shut down on-premise VSA servers.
  • Ransomware impacts reported globally across Asia, Europe, North America.
  • Cyber attack makes headlines worldwide.

Sunday July 4

  • President Biden briefed on the situation.
  • REvil ransomware group offers universal decryptor for all victims for $70 million.

Monday July 5

  • Further infections reported as businesses return to work.
  • Total number of victims expected to exceed 1,000.
  • Kaseya releases patch for on-premise servers not yet impacted.

This timeline shows how a single compromise of Kaseya rapidly spread ransomware downstream, impacting a huge number of organizations globally.

What was the impact?

The Kaseya supply chain ransomware attack was one of the largest and most disruptive cyber attacks of 2021, impacting over 1,000 businesses worldwide. Key impacts included:

  • Ransomware infections – Between 800 and 1,500 businesses were encrypted by ransomware payloads deployed via Kaseya VSA.
  • Business interruption – Many affected businesses had to shut down operations while they investigated and recovered from the attack. This included closing stores, halting production lines, and disabling online systems.
  • IT outages – The ransomware payloads spread by VSA disrupted IT and internet systems for victim organizations. Encrypted files led to outages of email, internal applications, and public facing websites.
  • Supply chain disruption – As many victims were providers of IT and business services, the attack caused significant supply chain and customer impacts. For example, hundreds of supermarket stores had to close due to their IT provider being hit.
  • High ransom demands – The REvil ransomware gang demanded up to $5 million from some larger victims and reportedly offered a bulk discount on decryption.

In summary, the attack was highly disruptive both directly to infected victims, as well as indirectly through downstream supply chain impacts. With many victims providing essential services, the attack highlighted the risk ransomware poses to national critical infrastructure.

How were the threat actors able to exploit Kaseya VSA?

Investigations into the attack revealed the threat actors were able to leverage three key vulnerabilities to exploit on-premise Kaseya VSA servers:

  • SQL injection flaw – Allowed attackers to access VSA database and forge authentication cookies.
  • Privilege escalation bug – Elevated access from low privilege “Agent” role to highly privileged “System Administrator” role.
  • Arbitrary command execution – Enabled running malicious PowerShell scripts on the VSA server for lateral movement and deploying ransomware.

Chaining these vulnerabilities together gave the attackers root-level access to compromised VSA servers. They were then able to weaponize Kaseya’s own systems to push ransomware out to all connected endpoints.
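The first two links of that chain, an injectable lookup that exposes the user table and an authentication cookie that can be assembled from what the table contains, are easier to reason about with a vulnerable and a hardened version side by side. The following is an added, constructed illustration in Python; it is not Kaseya's code, schema or cookie format, and the table, role names and secret are assumptions for the demonstration. The hardened path parameterises the query, signs the cookie with a server-side secret that never lives in the database, and re-reads the role from the database on every request so that a tampered cookie cannot carry an elevated role.

```python
"""Toy model of an authentication path with a SQL injection in the user lookup
and an unsigned session cookie, shown beside a hardened version.  This is an
added, constructed illustration; nothing here is Kaseya's code or schema."""
import hashlib
import hmac
import sqlite3

AGENT = "Agent"
ADMIN = "System Administrator"


def build_db() -> sqlite3.Connection:
    """Constructed sample user table: one low-privilege and one admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("agent01", AGENT), ("sysadmin", ADMIN)])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Untrusted input is spliced into the SQL text: the classic injection sink."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the input is data, never part of the statement."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def unsigned_cookie(username: str, role: str) -> str:
    """Weak design: identity and role in the clear with no integrity protection.
    Anyone who can read the user table can assemble one for any account."""
    return f"{username}|{role}"


def issue_cookie(secret: bytes, username: str) -> str:
    """Hardened design: the cookie carries only the username plus an HMAC tag
    keyed with a server-side secret that is never stored in the database."""
    if "|" in username:
        raise ValueError("username must not contain the separator")
    tag = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}|{tag}"


def verify_cookie(secret: bytes, cookie: str):
    """Return the username if the tag verifies, otherwise None."""
    parts = cookie.split("|")
    if len(parts) != 2:
        return None
    username, tag = parts
    expected = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(expected, tag) else None


def authorize(conn: sqlite3.Connection, secret: bytes, cookie: str, required_role: str) -> bool:
    """The role is re-read from the database on every request rather than
    trusted from the client, so a tampered cookie cannot elevate privilege."""
    username = verify_cookie(secret, cookie)
    if username is None:
        return False
    rows = lookup_hardened(conn, username)
    return bool(rows) and rows[0][1] == required_role


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR role='System Administrator' --"   # constructed test input
    print("vulnerable lookup:", lookup_vulnerable(db, probe))   # leaks the admin row
    print("hardened lookup:  ", lookup_hardened(db, probe))     # []
    key = b"server-side-secret-never-stored-in-db"              # assumed secret
    agent = issue_cookie(key, "agent01")
    print("agent as admin?", authorize(db, key, agent, ADMIN))   # False
    forged = agent.replace("agent01", "sysadmin")
    print("forged cookie accepted?", authorize(db, key, forged, ADMIN))  # False
```

The design point is that the three fixes are independent: parameterised queries close the database read, the HMAC makes a cookie unforgeable without the server secret even for an attacker who has read every row, and looking the role up per request means the cookie is never the authority on privilege.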

How did REvil carry out the ransomware attacks?

Most victims were encrypted with Sodinokibi ransomware, also known as REvil. This ransomware operation is one of the most prolific and profitable cyber criminal groups of recent years. Their tactics in this attack included:

  • Infecting and disabling security tools using VSA, before encrypting files to avoid detection.
  • Automatically scanning and encrypting entire networks of victim organizations by stealing credentials from VSA.
  • Using the .cs file extension on encrypted files.
  • Leaving ransom notes named DECRYPT-FILES.txt demanding payment in cryptocurrency.
  • Asking for high ransoms based on the size and revenue of the victim.
  • Threatening to publish sensitive stolen data on the dark web if ransom not paid.

These tactics allowed REvil to cause maximum damage once VSA had given it access to each target. Ransomware deployment was highly automated so that entire enterprise networks could be encrypted.
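Two of the artefacts listed above, the DECRYPT-FILES.txt note and the .cs extension on encrypted files, are the kind of indicator a responder sweeps file shares for during triage. The scanner below is an added, constructed example in Python, not Kaseya's detection tool and not based on any REvil sample; the directory layout, file names and entropy threshold are assumptions. Because .cs is also the C# source extension, matching on the extension alone would flag every developer workstation, so the scan adds a byte-entropy check to separate encrypted blobs from readable source.

```python
"""Triage scan for the two file-system artefacts the article attributes to the
REvil payload: a ransom note named DECRYPT-FILES.txt and files carrying the
.cs extension.  Added, constructed example; not Kaseya's detection tool."""
import math
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "DECRYPT-FILES.txt"
SUSPECT_EXT = ".cs"
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed data sits near 8
SAMPLE_BYTES = 4096       # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: str) -> bool:
    """True when the file head has the flat byte distribution of ciphertext."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD


def scan_tree(root: str) -> dict:
    """Return {relative directory: finding} for directories showing either
    artefact.  A .cs file is only counted as a hit if it is high-entropy,
    which is what keeps genuine C# source out of the report."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        note_present = RANSOM_NOTE in files
        suspects = [f for f in files if f.lower().endswith(SUSPECT_EXT)]
        encrypted = [f for f in suspects if looks_encrypted(os.path.join(dirpath, f))]
        if note_present or encrypted:
            findings[os.path.relpath(dirpath, root)] = {
                "ransom_note": note_present,
                "cs_files": len(suspects),
                "high_entropy_cs_files": len(encrypted),
            }
    return findings


def build_sample_tree() -> str:
    """Constructed sample data: one directory with both artefacts and one
    ordinary C# project directory that must not be reported."""
    root = tempfile.mkdtemp(prefix="triage-sample-")
    hit = os.path.join(root, "shared", "finance")
    clean = os.path.join(root, "dev", "project")
    os.makedirs(hit)
    os.makedirs(clean)
    with open(os.path.join(hit, RANSOM_NOTE), "w") as fh:
        fh.write("constructed placeholder for a ransom note\n")
    for i in range(3):
        with open(os.path.join(hit, f"report{i}.xlsx{SUSPECT_EXT}"), "wb") as fh:
            fh.write(os.urandom(SAMPLE_BYTES))   # stands in for ciphertext
    with open(os.path.join(clean, "Program.cs"), "w") as fh:
        fh.write("class Program { static void Main() { } }\n" * 50)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for directory, finding in scan_tree(sample_root).items():
        print(directory, finding)
```

Run against a real share the scan would take the share root instead of the constructed tree; the entropy threshold is deliberately conservative, and a responder would tune it against known-good files from the environment before trusting a clean result.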

Why was this attack so impactful?

The Kaseya supply chain ransomware attack was exceptionally damaging for several key reasons:

  • Trusted vendor compromise – Threat actors compromised a trusted IT management vendor, enabling access to their customers.
  • Downstream spread – Infection of just one vendor (Kaseya) led to ransomware deploying to many of its customers’ customers.
  • Service provider targeting – MSPs and IT providers were ideal targets to maximize ransomware spread.
  • Dependency on VSA – Encryption of VSA servers was exceptionally disruptive as businesses relied on it for IT operations.
  • Independence Day timing – The US holiday weekend limited response time from Kaseya and victims.
  • REvil ransomware – The attack was carried out by one of the most aggressive and disruptive ransomware groups.

Together these factors amplified the business impact as ransomware was able to spread widely through supply chains before defenses could be put in place.

How was the attack remediated?

Kaseya and victims worked through the Independence Day weekend to shut down infections and restore operations. Actions taken included:

  • Kaseya shut down its cloud-based VSA servers to isolate the attack vector.
  • Customers were advised to take on-premise VSA servers offline or shut them down completely.
  • Kaseya released a detection and removal tool to identify infections.
  • A patch was released for on-premise VSA servers to fix the exploited vulnerabilities.
  • Compromised credentials used by attackers were reset to stop lateral movement.
  • Encrypted files and systems were restored from backups.
  • Security monitoring was increased to check for residual threats.

For victims, remediation was a difficult process involving rebuilding compromised systems from scratch and validating recovery using best practices. Where backups were impacted or non-existent, some organizations ended up paying sizable ransoms for decryption keys.

How can supply chain attacks like this be prevented?

The scale of damage from the Kaseya attack highlights the inherent risks of supply chain cyber attacks. Some key ways to help prevent similar attacks include:

  • Enhancing vendor security – Mandating high cyber security standards for all providers of remote management and IT tools.
  • Limiting access – Restricting any vendor remote access to only critical systems and for limited time periods.
  • Monitoring vendor systems – Detecting anomalies in vendor hosted systems and interfaces to identify threats.
  • Contingency planning – Having plans in place if a key vendor is ever compromised, including backups and alternatives.
  • Least privilege access – Ensuring vendors only have minimal access and rights needed to provide services.

As supply chains grow in complexity, cyber attacks via third parties are likely to increase. Investing in the above areas should be part of business planning to reduce supply chain cyber risks.

What happened after the attack?

In the months after the attack, significant actions were taken by cyber security researchers and law enforcement:

  • In August 2021, Kaseya released updated hardened builds of VSA with improved security.
  • REvil’s dark web sites disappeared weeks after the attack as law enforcement took action.
  • A decryptor was released for victims still attempting recovery from backups.
  • Legal investigations commenced into the attack by US and international authorities.
  • In February 2022, the US DOJ charged a Canadian national for a role in the attack.
  • In April 2022, Europol and the DOJ seized Polish and Swiss infrastructure used by REvil.

The coordinated international law enforcement response was recognized for successfully degrading REvil’s operations. However, many of those behind the Kaseya attack still remain at large.

The long-term implications include increased regulatory scrutiny of software supply chains, and more businesses taking action to secure IT providers. For Kaseya, the impact on their brand reputation is likely to remain for years to come.

Conclusion

The scale and impact of the supply chain ransomware attack targeting Kaseya VSA cemented this incident as one of the most significant cyber events of 2021. By compromising IT management software, the attack highlighted the immense risk connected to third party service providers.

While Kaseya, law enforcement, and victims worked diligently to contain the damage, the interconnected nature of supply chains meant the overall business impact was still substantial. Moving forward, the Kaseya attack stands as a sobering reminder of the potential consequences of supply chain cyber attacks against organizations providing ubiquitous business technology.