MSPs used as ransomware conduit after Kaseya remote access tool breached: 1,000s hit

Quis custodiet?

MSPs used as ransomware conduit after Kaseya remote access tool breached: 1,000s hit

Updated Tuesday July 6 to add latest from Kaseya, numbers affected.

Kaseya, a company that provides IT management software to Managed Service Providers (MSPs), was attacked by cybercrime syndicate REvil on Friday. REvil exploited a SQL injection vulnerability in its remote access and vulnerability management software Kaseya KSA to deploy ransomware into the networks of thousands of panicked MSP customers in a devastating supply chain attack over the weekend. Many are still affected.

MSPs around the world were left tackling hundreds of calls from affected customers. Many were utterly unequipped to handle the scale of the incident which was – equivalent, as cybersecurity firm Huntress Labs put it – to a local fire department being called to hundreds of burning homes at the same time.

REvil is claiming to have encrypted over one million endpoints. That claim might be self-aggrandising but it's clear the number is significant. Anecdotal evidence from MSPs working together publicly on Reddit to swap tips suggests many are dealing with thousands of affected endpoints per company. The cybercrime group is reportedly offering a universal decrypter to MSPs for $50m. Kaseya said July 5: "We aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses."

The Dutch Institute for Vulnerability Disclosure (DIVD) said it had “previously identified a number of the zero-day vulnerabilities [CVE-2021-30116] which are currently being used in the ransomware attacks” and had “reported these vulnerabilities to Kaseya under responsible disclosure guidelines”. (It did not say when, but said Kaseya had been cooperative and responsive, sharing partial patches, etc. before the hack.)

See also: 6 free cybersecurity tools to take a close look at

Cybercrime syndicate REvil got there first, however. It was not immediately clear whether it already had access to Kaseya’s systems and caught wind that a patch of the bug was pending, or if – as can often be the case with a major software bug – multiple people identified the vulnerability within a short period of each other.

As DIVD noted in a Sunday July 4 blog: “Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch”, leaving Kaseya frantically urging customers on Friday to immediately shut down their Kaseya VSA server until further notice.

“It's critical that you do this immediately because one of the first things the attacker does is shutoff administrative access to the VSA” Kaseya – which names 36,000 customers – said in its post.

After a frantic weekend Kaseya said Monday it would be removing some “lightly-used VISA functionality” out of an “abundance of caution” after patching the software and conducting a clean-up. It plans to bring its SaaS data centres back online on Monday July 5, but all on-premises VSA servers should stay offline.

A patch for the exploited vulnerability is pending, Kaseya added.  MSPs in turn, will no doubt fail to find much humour in the fact that they were used and abused by cybercriminals through a tool, Kaseya VSA, explicitly labelled as designed to help software patch management and vulnerability management

Kaseya hack: impact has been huge

Cybersecurity firm Huntress Labs said in an official Reddit post that it had seen over 1,000 business hit, pointing to a SQL injection vulnerability in Kaseya VSA as the original threat vector.

“We are tracking ~30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was used to encrypt well over 1,000 businesses and are working in collaboration with many of them. All of these VSA servers are on-premises and Huntress has confirmed that cybercriminals have exploited a SQLi vulnerability and have medium confidence an authentication bypass was used to gain access into these servers.

Reports from Sweden suggested the entirety of Coop's 800 stores had to shut down as a result of the attack hitting their cash management software provider.

The US’s FBI and CISA urged all Kaseya customers to download the Kaseya VSA Detection Tool to spot any indicators of compromise (IoC) across either VSA servers or managed endpoints.

The agencies also called on users to “enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services; implement allow listing to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or; place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.”

The UK’s NCSC said Sunday July 4: “We are aware of a cyber incident involving Kaseya, and we are investigating its impact on the UK. Ransomware is a growing, global cyber threat, and all organisations should take immediate steps to limit risk and follow our advice on how to put in place robust defences to protect their networks." The agency urged organisations to review its Supply Chain Security Principles to “help organisations establish effective control and oversight of their supply chains.” Affected companies will be seething that MSPs they outsourced their security and IT management to were the source of their pains.

Follow The Stack on LinkedIn