IOTW: Kaseya Update

Lisa Morgan
07/16/2021

Last week, we reported REvil's attack on Kaseya, which sells IT management software to MSPs and enterprise IT. At the time of this writing, a patch has not yet been issued for Kaseya's on-premises software because the company prioritized remediating its SaaS software first, where it controls the infrastructure.

The Facts

On July 2, the Kaseya Incident Response team learned of the security incident involving its VSA software. It shut down its SaaS servers and data centers and notified customers who had purchased on-premises software that they should shut down their VSA servers. By July 3, the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), FireEye Mandiant and other security assessment firms had joined the investigation.

That same day, Kaseya admitted that it had become the victim of a "sophisticated" attack but said that only a small number of customers appeared to be affected. The company also said it would be issuing a detection tool by the end of the day. Customers were warned not to click on any links in email sent by the attackers.

By July 5, 60 affected customers had been identified, all of whom used the on-premises product. By July 7, they had been given a runbook, updated the next day, telling them how to prepare for the patch release. In the meantime, the SaaS and on-premises fixes continued to be delayed.

On July 9, Kaseya warned its customers that spammers were using the incident to send out fake update notifications, and told them to refrain from clicking on links and/or attachments. It also warned of phone scams claiming to be a Kaseya advisory. Apparently, the attackers got into the customer support site and may have embedded malicious links.

On July 11, the runbook was updated again. VSA SaaS and on-premises release notes were published. The restoration of the SaaS infrastructure had begun and the on-premises patch was released. By July 12, all SaaS instances were live. Support teams are assisting on-premises customers. Meanwhile, the attackers released a fake product update.

Lessons Learned

Patch, patch, patch in a timely manner. According to KrebsOnSecurity, REvil exploited CVE-2015-2862, a 2015 vulnerability that allowed it to read "any files on a server using nothing more than a web browser". They also exploited CVE-2021-30116, which dates back to April 2.

While Kaseya CEO Fred Voccola downplayed the number of affected customers, some of them are MSPs. Estimates are that up to 1,500 organizations have been affected. Clearly, the supply chain nature of the attack is concerning because it affects Kaseya, its customers and, in the case of MSPs, their customers.

Cybersecurity firm Huntress reportedly said that the attack was triggered by an authentication bypass vulnerability which allowed the attackers to obtain an authenticated session, upload a malicious payload and execute commands via SQL injection. Cybersecurity vendor Sophos added that "by infiltrating the VSA server, any attached client will perform whatever task the VSA Server requests…"
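The chain Huntress describes starts with an authentication check that trusts request text inside a SQL statement. The example below is added here for illustration and is not Kaseya or VSA code; the schema, user names, placeholder hashes and the two login functions are constructed. It shows the injectable query beside its parameterised form so a reviewer can see why binding the values closes the bypass.

```python
"""Injectable login query beside a parameterised one.

Added example, not Kaseya/VSA code. The user table, the placeholder
password hashes and both login functions are constructed for this demo.
"""
import sqlite3


def make_db():
    # Constructed in-memory user table; pw_hash values are placeholders,
    # not real hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("admin", "hash-of-admin-pw", "admin"),
            ("alice", "hash-of-alice-pw", "user"),
        ],
    )
    return conn


def login_injectable(conn, name, pw_hash):
    # Vulnerable form: request text is spliced into the SQL, so a quote in
    # the name ends the string literal and the rest becomes SQL syntax.
    sql = (
        "SELECT role FROM users WHERE name = '"
        + name
        + "' AND pw_hash = '"
        + pw_hash
        + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, name, pw_hash):
    # Hardened form: values are bound by the driver, so quotes and comment
    # markers in the input remain data and never reach the parser as SQL.
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND pw_hash = ?",
        (name, pw_hash),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both login paths with a quote-unbalancing user name and a wrong
    password, plus a legitimate login, and return the role each path grants."""
    conn = make_db()
    unbalanced_name = "admin' --"  # comments out the password clause in the injectable query
    return {
        "injectable": login_injectable(conn, unbalanced_name, "wrong"),
        "parameterised": login_parameterised(conn, unbalanced_name, "wrong"),
        "legit": login_parameterised(conn, "alice", "hash-of-alice-pw"),
    }


if __name__ == "__main__":
    print(demo())
```

The injectable path grants the admin role without a valid password; the parameterised path returns no row for the same input and still authenticates a genuine user. In a code review, any query built by string concatenation from request data is the line to flag, regardless of what input validation sits in front of it.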

The Washington Post reported that Leonardtown, Md., had been hit with a ransomware attack and that the town was another of the likely thousands of organizations affected, which also included a Swedish grocery store chain and nine schools in New Zealand. Leonardtown received a ransom demand for $45,000 per computer, 17 or 19 of which had been frozen by encryption. The town decided to restore from backups rather than pay the ransom.

Bloomberg reported that employees had been leaving the company for years because it was not addressing security adequately; some of the complaints were specific to the VSA software.

Quick Tips

What would happen if your company was the victim of a supply chain attack that affected your customers, and (if relevant), their customers?

  • After learning about a breach, contact law enforcement and security experts who can help with forensic work. They can also help harden the remediation effort.
  • Be transparent. Kaseya has attempted to keep customers informed of remediation status along the way. It acknowledged the breach soon after it was discovered and has been providing intra-day updates. Transparency is critical because customers want to stay abreast of remediation progress, particularly when a cyber attack has disrupted their operations. Colonial Pipeline failed to do this.
  • Refrain from making definite statements about remediation timeframes. While Kaseya has set remediation targets, it has also pushed those targets out so the company and its customers could be confident about the fixes. Ultimately, customers are more concerned about quality than speed.
  • Be careful about discussing the potential blast radius. Companies may downplay the potential of an attack because they don't want to alarm their customer base. It's one thing to believe the scope of the attack is small. However, if it turns out that the scope of damage is considerably larger than the company has admitted, investigative reporters will attempt to discover the facts and publish them. Be prepared to address the potential allegations responsibly. It's difficult enough for businesses to forgive a company that has suffered a high-profile security lapse. Don't add lying to their list of complaints.
  • Don't limit incident response to only your company if others could be affected. Supply chain attacks are becoming more common.
  • Don't let vulnerabilities languish. One that's considered "minor" or "irrelevant at this point in time" may not be, as was the case with Kaseya.
  • Remind customers and employees about cyber hygiene if a breach occurs because systems infiltration and phishing go hand-in-hand.
