The Kaseya ransomware attack occurred through the exploitation of CVE-2021-30116, an authentication bypass vulnerability in Kaseya VSA servers. Exploiting it allowed the attackers to circumvent the authentication controls of the VSA web interface and execute commands via SQL injection, giving them all the control they needed to deploy their ransomware payload through the VSA platform itself.
Beyond compromising the VSA servers, the attackers reached the customers of Kaseya's clients by pushing the ransomware payload out as a seemingly innocuous software update - a tactic reminiscent of the advanced methods used in the SolarWinds hack.
Kaseya was intentionally targeted because it sells IT management software to Managed Service Providers (MSPs), which in turn provide IT support to smaller businesses that lack in-house security resources. It's estimated that almost 2,000 businesses across 17 countries were impacted by the attack. Many infections spread through firms remotely managing IT infrastructure for multiple customers, making this event the biggest supply chain ransomware attack on record at the time.
Who was Responsible for the Kaseya Ransomware Attack?
Russian-linked ransomware gang REvil claimed responsibility for the attack on a dark web forum, boasting that over one million systems were infected with their ransomware. The gang also offered a universal decryption key to reinstate access to all seized systems in exchange for $70 million in cryptocurrency.
REvil (also known as Sodinokibi) is the same cybercriminal gang likely responsible for the mammoth Medibank data breach.
How to Avoid an Incident like the Kaseya Ransomware Attack
Your business can reduce its chances of falling victim to a security incident similar to the Kaseya ransomware attack by adjusting its cybersecurity efforts to the following key learnings.
1. Expect to be Attacked During the Holidays
The Kaseya ransomware attack occurred during the July 4th weekend. Cyberattacks, especially ransomware attacks, tend to spike over holiday periods, with hackers taking advantage of leaner staffing numbers during the lull of business demand.
With fewer IT and security staff on call, cyber threats are harder to intercept and contain after a network breach. Fewer security staff also means less support for employees contending with a potential phishing email - the primary initial attack vector for ransomware.
Implementing a zero-trust architecture, in which every request is authenticated and authorized regardless of where it originates, keeps your controls enforcing themselves at all times, even while you're mentally unplugged on that long-awaited holiday.
2. Download the Kaseya VSA Detection Tool
Because this attack was specifically designed to proliferate across the supply chain, it's difficult to predict how far REvil's indicators of compromise have spread and how many systems remain vulnerable, even though the incident occurred in July 2021.
The presence of indicators of compromise linked to this ransomware attack can be detected with Kaseya's VSA detection tool.
If you have a scanning solution in place, update it to include the list of command-and-control (C2) domains believed to be linked to the attack, and check your DNS logs against it.
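The following is an added example of that DNS-log check, not code from the original article or from Kaseya. It parses BIND-style query log lines, normalizes each queried name, and matches it against an IOC list on label boundaries (so a C2 domain also catches its subdomains but not unrelated names that merely contain it as a substring). The domains and log lines embedded below are constructed placeholders; they are not the real REvil indicators and must be replaced with an authoritative IOC feed before use.

```python
"""Match DNS query logs against a list of C2 domains.

Added example. C2_DOMAINS and SAMPLE_DNS_LOG are CONSTRUCTED
placeholders for illustration only, not indicators from the real
Kaseya/REvil campaign.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed IOC list (placeholder domains, not real indicators).
C2_DOMAINS = {
    "update-check.example-c2.test",
    "cdn-hotfix.example-c2.test",
}

# Constructed BIND-style query log. Line 4 contains an IOC as a
# substring but is a different domain; line 5 differs only in case.
SAMPLE_DNS_LOG = """\
04-Jul-2021 14:02:11.103 client 10.1.4.22#53122: query: www.microsoft.com IN A + (10.1.1.5)
04-Jul-2021 14:02:12.551 client 10.1.4.22#53123: query: update-check.example-c2.test IN A + (10.1.1.5)
04-Jul-2021 14:02:13.007 client 10.1.4.31#53124: query: api.cdn-hotfix.example-c2.test IN A + (10.1.1.5)
04-Jul-2021 14:02:14.880 client 10.1.4.40#53125: query: example-c2.test.internal.corp IN A + (10.1.1.5)
04-Jul-2021 14:02:15.002 client 10.1.4.22#53126: query: UPDATE-CHECK.EXAMPLE-C2.TEST IN A + (10.1.1.5)
"""

# Timestamp, client IP, queried name and query type from a BIND query log line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Foo.Test.' equals 'foo.test'."""
    return name.strip().lower().rstrip(".")


def load_ioc_list(text: str) -> set[str]:
    """Parse a one-domain-per-line IOC feed; '#' comments and blank lines are ignored."""
    iocs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            iocs.add(normalize_domain(line))
    return iocs


def domain_matches(qname: str, iocs: set[str]) -> Optional[str]:
    """Return the IOC that qname equals or is a subdomain of, else None.

    Suffixes are checked on label boundaries, so 'evil.test' matches
    'a.evil.test' but not 'notevil.test' or 'evil.test.corp'.
    """
    labels = normalize_domain(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


@dataclass
class Hit:
    timestamp: str
    client: str
    qname: str
    matched_ioc: str


def find_c2_hits(log_text: str, iocs: set[str]) -> list[Hit]:
    """Scan log lines and return every query that resolves a listed C2 domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a query line; skip noise rather than abort the scan
        ioc = domain_matches(m["qname"], iocs)
        if ioc:
            hits.append(Hit(m["ts"], m["client"], m["qname"], ioc))
    return hits


def hosts_by_hit_count(hits: list[Hit]) -> dict[str, int]:
    """Triage view: which internal hosts talked to C2 infrastructure, and how often."""
    return dict(Counter(h.client for h in hits))


if __name__ == "__main__":
    found = find_c2_hits(SAMPLE_DNS_LOG, C2_DOMAINS)
    for h in found:
        print(f"{h.timestamp} {h.client} -> {h.qname} (IOC: {h.matched_ioc})")
    print("hosts to isolate:", hosts_by_hit_count(found))
```

Every host that appears in the output should be treated as a candidate for isolation and forensic imaging, not just blocking: a DNS lookup of a C2 domain is evidence the agent already ran. Feed the real IOC list through `load_ioc_list` and point `find_c2_hits` at your resolver's query logs.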
3. Implement Controls for Reducing the Impact of Ransomware Attacks
By implementing security controls at each of the major milestones of a ransomware attack pathway, the progression of an attack can be stopped or, at the very least, slowed down enough to be intercepted before sensitive resources are breached.
The ransomware attack lifecycle can be broken down into eight primary phases.
- Phase 1 - Phishing Attack
- Phase 2 - Victim Interaction
- Phase 3 - Account Compromise
- Phase 4 - Privilege Escalation
- Phase 5 - Lateral Movement
- Phase 6 - Data Exfiltration
- Phase 7 - Data Encryption
- Phase 8 - Data Dump
A list of suggested security controls corresponding to each phase is as follows:
Phase 1 - Phishing Attack
Security controls:
- Security awareness training
Phase 2 - Victim interaction
Security controls:
- Web proxy
- DNS Logs
- Endpoint Security
Phase 3 - Account Compromise
Security controls:
- Multi-Factor Authentication
Phase 4 - Privilege Escalation
Security controls:
- Privileged Access Management
- Zero-Trust Architecture
- Password Manager
- Multi-Factor Authentication
Phase 5 - Lateral Movement
Security controls:
- SIEM
- Zero Trust
- Data Loss Prevention
Phase 6 - Data Exfiltration
Security controls:
- Network Segmentation
- Privileged Access Management
- Data Encryption
Phase 7 - Data Encryption
Security controls:
- Data backups
Phase 8 - Data Dump
Security controls:
- Ransomware leak-site monitoring (data leak detection)