This year will be remembered as annus horribilis for attacks against the software supply chain. In the first half of 2021, prominent attacks against SolarWinds and Microsoft Exchange both highlighted the collateral impact and potential reach of targeting the software supply chain. One of the latest examples in this trend is a ransomware attack on Kaseya’s Virtual System Administrator (VSA) solution for remote monitoring and management (RMM).
Kaseya Attack Recap: What Happened
Late in the day on Friday, July 2, 2021, hundreds of organizations around the world were hit with a coordinated ransomware attack—just as U.S. employees were going offline for a long holiday weekend. In total, roughly 50 managed service providers (MSPs) that use Kaseya’s VSA were hit and between 800 and 1,500 of their end-customers.
On April 2, the Dutch Institute of Vulnerability Disclosure (DIVD) notified Kaseya of seven vulnerabilities—one of which was CVE-2021-30116 that was used to gain access to Kaseya’s VSA solution. Five of the seven vulnerabilities have been patched as of the writing of this blog post, including the one used to exploit the Kaseya VSA. Resolutions for the other two are marked as in progress. The perpetrator of the attack—REvil (a Ransomware-as-a-Service group with ties to the Russian government)—claimed responsibility for the attack on July 5, demanding $70 million in bitcoin to release a decryptor key.
As soon as Kaseya learned of the attack, in addition to contacting federal cybercrime authorities, Kaseya warned its customers to immediately shut down their on-premises VSA servers until a patch could be completed. But because VSA is available both as an on-premises server and as Software-as-a-Service (SaaS), Kaseya also preemptively shut down its SaaS servers as an extra precaution. But the warning came too late for many. REvil was able to encrypt and disable entire IT networks—forcing hundreds of organizations to close their doors due to a complete lack of operational devices and networks.
On July 23, Kaseya reported that it had obtained a decryptor key to help MSPs and end-customers recover from the attack—however, Kaseya did not clarify if it paid a ransom in order to obtain the key. After analysis and software hardening, Kaseya also restored its SaaS-based RMM service for MSPs, and issued a patch for on-premises VSA customers.
Dissecting the attack itself
While we still don’t know the full scope of information surrounding the Kaseya attack, some key details have been confirmed.
- The vulnerability. The DIVD notified Kaseya of zero-day vulnerabilities it had discovered in the VSA software (CVE-2021-30116), and Kaseya was developing corresponding patches when the attack occurred. While some speculated that REvil may have monitored internal communications about the vulnerability, Kaseya maintains that these systems have not been compromised.
- The methodology. REvil apparently did not infiltrate Kaseya’s network, and this supports the theory that the group attacked the MSPs separately but simultaneously using a “compromise-once-infect-many” approach. In this particular instance, there are two factors that helped multiply the number of downstream victims (MSP customers) involved: Each hack of an individual MSP infects many of their downstream customers; and the vulnerability in Kaseya’s VSA software that enabled dozens of MSPs to be simultaneously attacked.
- The victims. Kaseya reported on July 5 that around 60 Kaseya customers (mostly MSPs) were impacted and fewer than 1,500 companies were the subsequent downstream victims. In addition to the United States, victims have been identified in 17 other countries, including the United Kingdom, South Africa, Canada, New Zealand, Kenya, and Indonesia. Most of these victims are small to midsize organizations—but hundreds of Coop supermarkets in Sweden were forced to close due to the attack. The REvil hackers themselves claim to have encrypted 1 million endpoints in this attack, but the actual figure remains unclear.
- The ransom demand. REvil demanded $70 million in bitcoin in exchange for publicly posting a universal decryptor to unlock all systems. Kaseya CEO Fred Voccola declined to disclose whether his company has paid, or is in negotiations to pay, the ransom.
What we know about REvil
REvil (pronounced R-evil) emerged in the wake of the developers of GandCrab announcing their retirement in 2019—after successfully collecting an estimated $2 billion in ransoms over an 18-month period. Similarities between the REvil and GandCrab code, however, suggest that the same people may be behind the development of both products.
REvil ransomware is specialized for supply chain attacks—using the aforementioned “compromise-once-infect-many” approach. The REvil Group is mostly made up of native Russian speakers and is believed to be protected by the Russian government. They post stolen information on a dark web site called “Happy Blog.”
Even before the Kaseya attack, the REvil Group had wreaked havoc. Early REvil victims include two dozen Texas municipalities and hundreds of dentist offices. Since then, they have been responsible for a number of high-profile attacks:
- May 2020: A demand for $42 million from then-U.S. President Donald Trump to prevent posting of stolen files from the Grubman Shire Meiselas & Sacks law firm
- March 2021: 37,000 students in the Harris Federation, a group of primary and secondary academies in the London area, were locked out of their email and coursework
- April 2021: A $50 million demand from Apple after stealing product development plans from partner Quanta Computer
- May 2021: An $11 million ransom paid by JBS S.A., a Brazilian-based meat processing company with operations in the United States, Canada, and Australia—after slaughterhouses were closed around the world
Modern Application Security That Protects the Software Supply Chain
You might only think of application security in connection with original, in-house developed code. But today’s threat landscape and the distributed nature of modern applications—and the software supply chain—demand protection across four dimensions of application security:
- What you write. This means all of your traditional, internally developed software—including custom code and application programming interfaces (APIs).
- What you build with. In any development environment today, DevOps team members use many different development tools as part of their continuous integration/continuous deployment (CI/CD) pipeline; these all must be secured in order to prevent compromise and subsequent exploitation of the application.
- What you run. You also have to secure any commercial off-the-shelf (COTS) software used by the organization and/or by connected partners and suppliers.
- What you import. Third-party libraries are the ready-made building blocks of application code that help developers accelerate delivery of new applications. Application security needs to not only be able to test these third-party components for potential issues but also protect any unpatched or zero-day vulnerabilities against application attacks.
The vulnerability exploited by the REvil Group in Kaseya VSA occurred in the “what you write” category. The MSPs using the VSA solution and their downstream customers fall into “what you run.”
How can an organization protect against attacks on software that it does not even own or use, but is instead utilized by a third-party partner or service provider? For starters, they should ensure that their partners have adequate application security policies and practices, are deploying patches and updates in a timely manner, and have adequate tools for real-time threat response.
How the Contrast Application Security Platform Can Help
For today’s complex and multifaceted application attack surface, third-party software providers must have safeguards in place for the applications they provide to their customers.
Using a software composition analysis (SCA) solution like Contrast OSS that delivers real-time, continuous monitoring of third-party and open-source libraries helps alleviate the visibility gaps that come with using open-source software.
To combat zero-day attacks like this one, the third party will ideally need a runtime protection and observability solution, such as Contrast Protect, which detects attacks while they are in progress and blocks them before they can cause damage.
Finally, third-party providers should continuously monitor their applications in development using an integrated application security testing (AST) solution such as Contrast Assess.
Beyond individual application security solution capabilities, the best way to ensure security across the software supply chain is through instrumentation, which builds security monitoring into the software itself, and a comprehensive application security platform. Here, the Contrast Application Security Platform uses security instrumentation to enable full observability and protection throughout the entire software development life cycle (SDLC).
Additional Information on the Kaseya Software Supply Chain Attack
Recognizing the risk that software supply chain attacks like the one that hit Kaseya can pose to an organization, Contrast is hosting a moderated webinar discussion on July 29 @ 10 AM PDT | 1 PM EDT featuring CTO and Co-founder Jeff Williams, CISO David Lindner, and myself. It will be available on-demand afterwards. We also completed a Fact Sheet containing an overview of the Kaseya software supply chain attack and recommendations on what you can do to prevent one from impacting your organization in the future.