The Kaseya Ransomware Attack

By Sekuro Hackcelerator 2021 Mentee, Conrad Byrnes-Krickl

Introduction

On 02 July 2021, software company Kaseya was the victim of a ransomware attack that targeted Virtual System Administrator (VSA), a remote computer management tool sold to Managed Service Providers (MSPs) [1]. As MSPs manage data for customers using VSA, the “Supply-Chain Attack” (SCA) [2] affected hundreds of companies across the world. SCAs are becoming increasingly common and often target critical infrastructure, as was evident during the Colonial Pipeline hack in April 2021. That attack disabled the largest pipeline in the United States due to a single compromised password, resulting in fuel shortages across the East Coast [2]. Similarly, SolarWinds Corporation was the victim of an SCA that affected 18,000 customers, including Fortune 500 companies and U.S. government agencies [3].

Kaseya's Incident Response

1. Preparation

Kaseya has a vulnerability disclosure policy that encourages clients to report issues [4].

2. Detection and Analysis

Customers reported ransomware affecting VSA [5]. Kaseya advised customers to shut down their VSA servers. Their internal team determined the cause of the issue and found that 40 customers were affected. They also notified the FBI and CISA [2] and engaged Mandiant to investigate the incident [6].

3. Containment, eradication, and recovery

By 10pm a patch was being developed, and Kaseya shut down its VSA servers while issuing a security advisory to customers. The following day, Kaseya released a compromise detection tool for customers. By the fourth day, Kaseya began changing the underlying VSA IP addresses so that servers could attempt to come back online [6].

By 07 July 2021, a runbook for preparing VSA servers for redeployment was given to customers. It covered how to run the detection tool, steps to patch operating systems, changes to Internet Information Services (IIS), and how to download and install the FireEye agent on the VSA server [7].

By 26 July 2021, the Incident Response team was still working to restore encrypted customer data; their decryption tool had 100% effectiveness [7].

4. Post-incident activity

Kaseya released patches that fixed functionality issues created by the security measures put in place [7].

Kaseya products are audited and have achieved SOC 2 Type 2, and their data centres are certified to ISO 27001 [8].

Kaseya has a policy of not paying ransoms or communicating with criminals, and it is up to each client to decide whether they want to or not [8]. This is a common policy for companies to adopt, as there is no guarantee a decryption key will be obtained, the payment may have to be made through illegal means, and the company’s cyber insurance contract may not allow it.

Research indicates the virus spread via a fake software update. This reflects poor cyber security hygiene, governance, and training within Kaseya. Once it spread, a zero-day vulnerability within VSA [9] was exploited to disable VSA functionality. Here, Kaseya’s cyber maturity is at fault, as software security flaws were identified between 2017 and 2020 [2] and no action was taken.

Conclusion

To conclude, prevention, early detection, and the testing of Disaster Recovery and Business Continuity Plans can help protect organisations from attacks of this nature. Organisations can improve by monitoring internally and externally reported security vulnerabilities and patching technical faults, and by introducing or improving a cyber hygiene policy that requires staff to be properly trained in confidential and personal data protection and safe cyber practices. Further, they can improve their Recovery Time Objective (RTO), Recovery Point Objective (RPO) and Maximum Tolerable Downtime (MTD) metrics by enhancing their tabletop exercises and their Disaster Recovery and Business Continuity walkthroughs and simulations as part of overall business planning.
