Supply chain enabled ransomware activity affecting multiple managed service providers – Update 1

Number: AL21-013 UPDATE 1
Date: 5 July 2021
Updated: 12 July 2021

AUDIENCE

This Alert is intended for IT professionals and managers of notified organizations.

PURPOSE

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") seeks information to assess the impact in Canada, and to help Canadian organizations respond to this malicious activity. Should activity matching the content of this Alert be discovered, recipients are encouraged to report this to the Cyber Centre via the My Cyber Portal (https://cyber.gc.ca/en/incident-management), contact the Cyber Centre by email (contact@cyber.gc.ca), or by telephone (1-833-CYBER-88 or 1-833-292-3788). The Cyber Centre also strongly recommends that organizations report malicious activity related to this alert to their local police of jurisdiction.

OVERVIEW

The Cyber Centre is aware of open-source reporting [1][2] of large scale REvil (also known as Sodinokibi) ransomware activity affecting multiple managed service providers (MSPs) that use Kaseya VSA, a remote monitoring and management platform [3].

DETAILS

On 2 July 2021, researchers reported that ransomware had been dropped into a working directory on multiple on-premises servers running Kaseya VSA, a remote monitoring and management platform commonly used by MSPs. By injecting malicious code into the product and then leveraging its native functions, the actors were able to deploy ransomware at scale from MSPs to the organizations they manage.

VSA is available in both an on-premises and a software-as-a-service (SaaS) model. The vendor has taken its SaaS offering offline and will re-enable it once remediation is complete. The company has indicated that patches for on-premises VSA servers will be released after the SaaS offering is restored.

The activity has affected approximately 30 MSPs [2], encrypting the files of more than one thousand businesses. Impact has been reported in multiple countries, including Canada.

MITIGATION

For Managed Service PROVIDERS:

  • All on-premises VSA servers should remain offline [3] until Kaseya provides further instructions on when it is safe to restore operations.
  • The Cyber Centre recommends that MSPs download the Kaseya VSA Detection Tool [4]. The tool analyzes a system (either a VSA server or a managed endpoint) and determines whether any indicators of compromise (IoCs) are present.
  • Require multi-factor authentication (MFA) on all accounts controlled by the organization, and where possible, for customer-facing services.
  • Implement allow-listing to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs; and/or
  • Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
  • Monitor Kaseya’s dedicated web page [3] for the timing of patches addressing the compromise for on-premises customers.

For Managed Service CUSTOMERS:

If affected by this activity, take immediate action to implement the following cyber security best practices. Note: these actions are especially important for MSP customers whose RMM service is not currently running because of the Kaseya incident:

  • Ensure backups are current and stored in an easily retrievable location that is air-gapped from the organizational network.
  • Where possible, revert to a manual patch management process that follows vendor remediation guidance, installing new patches as soon as they become available.
  • Require multi-factor authentication.
  • Follow the principle of least privilege for administrative accounts on key network resources.

For advice and guidance on recovering from a ransomware incident please refer to the Cyber Centre’s publication Ransomware: How to Prevent and Recover (ITSAP.00.099).[5]

INDICATORS

The Cyber Centre is aware of open-source indicators for this ongoing incident and is providing them as-is for awareness [6][7]. The Cyber Centre has not verified the technical details described in these disclosures. Recipients should verify their business service requirements before implementing any blocks or alerts based on these indicators.
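The following is an added worked example, not part of this Alert and not Cyber Centre or Kaseya tooling, showing how a feed of domain indicators of the kind published at [7] can be checked against DNS query logs before a block is considered. It assumes the feed is one domain per line (comments and blank lines ignored) and that the DNS log is plain text with the queried name in the third whitespace-separated column; both formats are assumptions, and the placeholder domains and log lines below are constructed for illustration using reserved .invalid names, not real indicators.

```python
"""Match DNS query logs against a domain-indicator list.

Added example; not code from the Alert or from Kaseya. Assumes:
  - indicator feed: one domain per line, '#' comments allowed
  - DNS log: "<timestamp> <client-ip> <queried-name>" per line
The sample data below is constructed (reserved .invalid names).
"""
import re
from dataclasses import dataclass

# Constructed indicator feed (placeholder names, not real C2 domains).
SAMPLE_INDICATORS = """\
# comment lines and blank lines are ignored
badupdate.invalid
c2-relay.invalid.
MIXED-Case.Invalid
"""

# Constructed DNS log lines in the assumed "<ts> <client> <qname>" layout.
SAMPLE_DNS_LOG = """\
2021-07-05T10:00:01Z 10.0.0.15 www.example.com
2021-07-05T10:00:02Z 10.0.0.15 badupdate.invalid
2021-07-05T10:00:03Z 10.0.0.22 cdn.c2-relay.invalid.
2021-07-05T10:00:04Z 10.0.0.22 notbadupdate.invalid
2021-07-05T10:00:05Z 10.0.0.31 mixed-case.invalid
malformed line
"""


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()


def load_indicators(text: str) -> set:
    """Parse a one-domain-per-line feed into a set of normalized names."""
    indicators = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line:
            indicators.add(normalize_domain(line))
    return indicators


def matches_indicator(qname: str, indicators: set):
    """Return the matching indicator for qname, or None.

    Matching is label-wise: the name itself or any parent domain must be
    on the list, so 'cdn.c2-relay.invalid' hits 'c2-relay.invalid' but
    'notbadupdate.invalid' does not hit 'badupdate.invalid'.
    """
    labels = normalize_domain(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


@dataclass
class Hit:
    timestamp: str
    client: str
    qname: str
    indicator: str


# Three whitespace-separated fields; anything else is treated as malformed.
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")


def scan_dns_log(log_text: str, indicators: set) -> list:
    """Return a Hit for every log line whose queried name matches the feed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, qname = m.groups()
        indicator = matches_indicator(qname, indicators)
        if indicator:
            hits.append(Hit(ts, client, normalize_domain(qname), indicator))
    return hits


if __name__ == "__main__":
    feed = load_indicators(SAMPLE_INDICATORS)
    for h in scan_dns_log(SAMPLE_DNS_LOG, feed):
        print(f"{h.timestamp} {h.client} queried {h.qname} (matches {h.indicator})")
```

Run against the constructed sample, the scan reports three hits (the exact match, the subdomain of a listed domain, and the case-insensitive match) and ignores both the look-alike name and the malformed line. Reviewing hits from real logs this way, rather than blocking the feed outright, is one way to apply the "verify business service requirements" note above before a domain block reaches production resolvers.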

UPDATE 1

On 11 July 2021, Kaseya updated its website [3] to indicate that it had released a patch [8] to VSA on-premises customers and had begun deploying the same patch to its VSA SaaS infrastructure, ahead of its stated target of 1600 EDT on 11 July 2021. On 12 July 2021, the company stated that service had been restored for all SaaS customers and that customers with on-premises deployments were in the process of applying the patch.

The Cyber Centre is also aware of spam e-mails containing attachments and links to malware disguised as ‘patches’ for Kaseya VSA. The malware reportedly [9] includes components of Cobalt Strike, a legitimate post-exploitation toolkit for penetration testing that is frequently abused by malicious actors and provides backdoor access to an affected host. Kaseya has stated [3] that it is not having its partners contact customers, that any contact from apparent partners is likely fraudulent, and that e-mails from Kaseya itself will not contain attachments or links.

Kaseya has provided a start-up runbook and a hardening guide for both the SaaS [10][11] and on-premises [12][13] offerings.

REFERENCES

[1] Kaseya management software being used to deploy ransomware

https://www.cert.govt.nz/it-specialists/advisories/kaseya-management-software-being-used-to-deploy-ransomware/

[2] Reddit post from Huntress Labs

https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/

[3] Kaseya’s updates related to the incident

https://www.kaseya.com/potential-attack-on-kaseya-vsa

[4] Kaseya’s detections tool

https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40

[5] Ransomware: How to Prevent and Recover (ITSAP.00.099)

https://cyber.gc.ca/en/guidance/ransomware-how-prevent-and-recover-itsap00099

[6] Sophos Kaseya VSA Supply-Chain Ransomware Attack

https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers

[7] REvil Kaseya Attack CNCs

https://github.com/pgl/kaseya-revil-cnc-domains/blob/main/revil-kaseya-cnc-domains.txt

[8] VSA SaaS and On-Premise Release Notes

https://helpdesk.kaseya.com/hc/en-gb/articles/4403785889041

[9] Malwarebytes Threat Intelligence

https://twitter.com/MBThreatIntel/status/1412518446013812737

[10] VSA SaaS Startup Runbook

https://helpdesk.kaseya.com/hc/en-gb/articles/4403709476369

[11] VSA SaaS Hardening and Best Practice Guide

https://helpdesk.kaseya.com/hc/en-gb/articles/4403622421009-VSA-SaaS-Best-Practices

[12] On Premises Startup Runbook

https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993incident-response

[13] VSA On-Premise Hardening and Practice Guide

https://helpdesk.kaseya.com/hc/en-gb/articles/4403760102417


NOTE TO READERS

The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security, and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.