As the dust continues to settle on the Kaseya situation, we have learned that the initial premise of a “supply chain attack” was not accurate.
After what has been a particularly busy week in the world of threat response, Corvus continues to monitor the REvil ransomware group’s attack that targeted Managed Service Providers (MSPs) who leverage the on-premise Kaseya VSA solution, as well as fallout from the zero-day discovery known as PrintNightmare (skip to end of this article if you just want to read about this more recent vulnerability). Corvus alerted policyholders to each of these attacks within hours of discovery, but as the situation unfolds we are learning more.
Kaseya - A Lesson in Reading Books by Their Cover?
As the dust continues to settle on the Kaseya situation, we have learned that the initial premise of a “supply chain attack” — which this attack was widely reported as being, in its first several days — was not accurate. Rather than an attack against Kaseya’s environment, the attack leveraged potential zero-day vulnerabilities, weaknesses that have not yet been publicly known and patched, to gain remote access and control over on-premise VSA servers in customer environments.
As far as ransomware attacks go, this is one of the first coordinated multi-company distributions, and it serves as a clear escalation in the attack tactics ransomware groups have used to extort victims.
While the number of suspected companies encrypted in total is estimated to be below 1,500, the MSPs that were attacked via the on-premise Kaseya VSA server vulnerability is estimated to be fewer than 60. This is a classic example of a “one to many” type attack (similar to a supply chain attack) where a threat actor can gain access to a single point that then leads to access to many more companies. This is why MSPs are often targeted in ransomware attacks as the threat actor can often inflict greater pain to a larger audience in an attempt to collect a higher ransom.
In the latest opportunistic approach, threat actors have begun sending phishing emails purporting to be Kaseya VSA patches in an attempt to lure new victims into clicking on a malicious attachment and installing the CobaltStrike backdoor malware on the system.
How the Kaseya Attack Unfolded
The threat actors targeted on-premise VSA servers that had their management interface publicly available over the web.
2. Initial Access:
The threat actors leveraged a vulnerability in the web application for the VSA server that allowed them to bypass authentication, upload malicious files, and execute those files.
That series of vulnerabilities would have allowed the threat actor the ability to interact with the Kaseya VSA server, which the MSP’s use to manage endpoints for their customers.
At this point, the attacker would have full access to systems that are in the purview of the Kaseya VSA server.
Using the Kaseya VSA server access, the threat actor scheduled the deployment and execution of ransomware to endpoints managed through the VSA software on July 2, 2021.
Remediation After Kaseya
Remediation of the on-premise Kaseya VSA servers only applies if you manage a VSA server in your environment. This will be most relevant for MSPs and less so to customers of MSPs. (At the time of initial publication, the patch was expected on Sunday, July 12th).
If you are a customer of an MSP, take the following steps:
Confirm with your MSP whether they use an on-premise Kaseya VSA solution.
If your MSP uses an on-premise Kaseya VSA server, forward them this link and ensure they have followed the action items listed below.
If you are an IT MSP, take the following step:
Leverage Kaseya’s readiness checklist and hardening guidelines prior to installing the on-premise Kaseya VSA patch.
Other security considerations moving forward for any organization:
Use this to address similar vulnerabilities in the future.
On and after July 6, 2021, Microsoft issued an urgent out-of-band security patch to fix a critical vulnerability, CVE-2021-34527, in the Windows Print Spooler service that impacts all Windows Operating Systems.
The Windows Printer Spooler software manages printing as both the client (user requesting the print job) and server (system managing print jobs for multiple users). Microsoft is observing active exploitation of this vulnerability in the wild, meaning it’s particularly critical to patch against the vulnerability immediately.
Worryingly, a threat actor could leverage the PrintNightmare vulnerability either locally or remotely to execute arbitrary code with the highest level privileges on a given system. This would effectively provide the attacker the ability to install programs, view, change or delete data, and create new local accounts with full user rights. There are some mitigating factors as well that make this eventuality less likely for certain organizations, depending on their setups, which we review in detail in our Alert article. However, given how catastrophic the worst-case outcome is, we strongly recommend immediate action.
The Microsoft security bulletin recommends patching all systems with the latest out-of-band security patches issued in July 2021 to fix the identified vulnerability. This is especially important on critical servers such as Domain Controllers.
If you are unable to apply the patch, Microsoft recommends the following actions which could have an adverse impact on your ability to print documents:
Stop and disable the Print Spooler service
Disable inbound remote printing through Group Policy
For additional remediation items and links to further guidance, read our Alert article.