What Happened in the Kaseya VSA Incident?

Nicholas Weaver
Sunday, July 4, 2021, 2:19 PM

Right before the start of the holiday weekend, news broke of yet another massive ransomware attack. What’s the deal?

"Hackers (pt. 2)" by Ifrah Yousuf is licensed under CC BY 4.0

Published by The Lawfare Institute
in Cooperation With

Right before the start of the holiday weekend, news broke of yet another massive ransomware attack. The apparent Kaseya VSA supply chain attack is likely to affect thousands of businesses, with an apparent affiliate of the REvil ransomware gang launching what seems to be an especially pernicious supply chain attack. Kaseya VSA was a particularly attractive target as this is software used by managed service providers (MSPs), a type of online contracting business. Details of the story are still breaking and things may look different (and probably significantly worse) by the time people come into work on Tuesday or Wednesday.

So, what appears to be happening?

What is a MSP?

Many businesses are either too small or too smart to have a dedicated information technology (IT) department. Managing networks of computers is a particularly fraught and difficult task, and the price of failure can be crippling to a business. The solution for a smart smaller business is to use a vendor called a managed service provider, a company that does all this work on a contract basis.

Practically any business with more than two computers and fewer than a couple hundred of them is best served using a MSP instead of running their IT system themselves. There are so many details, from maintaining inventory and patching to providing backups, that need to taken care of to maintain a company’s IT system, yet are too small to justify a full-time IT professional. It’s far better and cheaper to use an MSP.

These arrangements mean that MSPs themselves have to administer a lot of computers. So, MSPs try to automate this as much as possible, setting things up so that from a single remote computer they can administer all customers’ networks at the same time.

What is Kaseya VSA?

MSPs are not in the business of writing software. So, MSPs use vendors to provide software, in order to ease the managing of hundreds or thousands of computers. Kaseya is one of these vendors, and Kaseya VSA is the underlying tool used by many MSPs to control customer systems.

This software needs significant privileges in order to serve its purpose for the MSP. It needs to be able to update machines, add users, add or remove programs, and backup all data—but this also means it can just as easily be manipulated to steal information and encrypt data.

What is a supply chain attack?

In a supply chain attack, the attacker compromises a software supplier in order to provide malicious code to the eventual victim. Supply chain attacks are particularly pernicious because the scope of who they affect depends not just on a given company’s suppliers but on their suppliers’ suppliers.

Indeed, that may be what happened here. MSPs purchase Kaseya products in order to administer customers’ networks. So a compromised update to Kaseya VSA would end up running in thousands of companies’ networks without these companies having even directly contracted with Kaseya.

However, as reporting on the incident develops, speculation is growing that it could instead have been a more conventional exploit attack targeting Kaseya VSA. The incident is still affecting almost all VSA installations open to the internet; it is very easy for an attacker to find all vulnerable servers and exploit them, and MSPs are likely to leave such servers open to the internet—the MSP needs to log into the servers to access the client networks. Otherwise, how could the MSP administer the machines remotely?

In fact, this scenario may be even more disturbing than a supply chain attack. The Dutch CERT, the Dutch government’s cyber response team, is suggesting that it discovered the vulnerability and notified Kaseya, and that it was actively working with Kaseya to develop and deploy patches. Yet somehow the attacker found the vulnerability and exploited it before Kaseya could formally validate and release a patch. Although Dutch CERT doesn’t say so explicitly, this brings up the possibility of a grim scenario in which the ransomware gang learned about this vulnerability, or at least about plans to patch, from someone with advanced notice of the exploit!

Infosec Twitter may be all atwitter about whether or not it was a supply chain attack or a conventional exploitation or even a leak—but this really has little practical bearing on the implications of this event.

Who is REvil?

Ransomware is a type of business that operates on an affiliate model. There is the corporate overlord that provides the branding, processes the payments and engages in customer support for both the affiliates and the victims. The affiliates are the ones who actually break into systems to deploy the ransomware. Think of it like the arrangement between a fast-food brand and its franchisees.

REvil, aka Sodinokibi, is one of the highest profile such corporate overlords and, as the branding implies, particularly pernicious ransomware gangs. It really is the McDonald's of the criminal world with a very high profile. It is believed that REvil operates primarily out of Russia, which has a long history of turning a blind eye to cybercriminals that don’t negatively affect Russian systems.

What happened in this incident?

It appears that an affiliate of the REvil ransomware gang launched a mass ransomware campaign using a supply chain attack or just by directly attacking a large number of Kaseya installations. In either case, it enabled them to deploy ransomware onto the MSPs’ customers’ computers. This ransomware is appropriately sophisticated, using both signed code and hiding in a legitimate (albeit older) Windows Defender executable, allowing it to evade many antivirus systems.

We don’t currently know how many victims are affected, but hundreds are confirmed and this will likely affect thousands. Each victim is a small-to-medium-sized business that is going to, at best, find its computers unusable and, at worst, have all their data lost forever. Worse is that backups designed to handle recovery are often targeted by the ransomware gangs, so unless the MSP arranges for offsite or disconnected backups, victims may have no choice but to either pay or lose data. And even if the victims can get away with their data intact, it’s reasonable to expect several days or more of business disruption for the firms affected by the incident.

So what now?

There is an unfortunate trend in the information security community to victim-blame the targets of ransomware. Such victim blaming is normally wrong, but it is especially wrong here. Small-to-medium-sized businesses should use MSPs. Doing so ensures that a responsible expert is watching their networks, maintaining inventory and keeping everything up to date.

It’s also too premature to blame Kaseya. They may be the particular vector in this case, but any supplier of administration tools is a high-value target. The Russians targeted Solar Winds for the same general reason: An attack on administration tools is particularly effective.

Then there’s the thorny question of dealing with the attackers. The perpetrators are unlikely to face justice unless Russia allows them to be extradited. This means the gang responsible is going to keep conducting such attacks as long as they can keep making money.

What about the payments?

This is why focusing on payment interdiction is likely the best means to counter the threat. But this gang in particular is slightly unique in this respect. Rather than using Bitcoin, the gang is using Monero for primary payments.

Monero is a cryptocurrency that provides money laundering as a first-class primitive, unlike Bitcoin where additional steps are required to obscure the origin of funds. Yet basically nobody uses Monero for legitimate payments; and as “altcoins” (alternative cryptocurrencies) go, it is significantly smaller, ranking only 26th in market capitalization among all altcoins.

But this particular choice makes the payments potentially easier to thwart. Exchanges where criminals turn Monero into either other cryptocurrencies or real money could block these attackers. Few people other than criminals are substantial net sellers, who attempt to turn ransoms or other illegal payments into a usable form. The exchanges may not know what particular crime the net sellers are hiding, but they do know—or at least should know—that such sellers are criminals. The only other users are speculators who both buy and sell Monero and therefore would not be net sellers.

Any cryptocurrency exchange that even offers Monero or Zcash (the other major cryptocurrency with built-in money laundering) is effectively the cryptocurrency equivalent of a bank that accepts massive stacks of $100 bills. These exchanges should be considered innately suspect and at risk of violating anti-money laundering regulations.

I hate that ransomware and cryptocurrencies, taken together, have turned me into an advocate for the jackbooted-authoritarian application of money laundering laws. But I fear nothing else will work. There is simply too much money for the attackers otherwise.

Nicholas Weaver is a senior staff researcher focusing on computer security at the International Computer Science Institute in Berkeley, California, and Chief Mad Scientist/CEO/Janitor of Skerry Technologies, a developer of low cost autonomous drones. All opinions are his own.

Subscribe to Lawfare