On Friday, July 2, a vulnerability in Kaseya’s on-premises VSA software was used to launch a REvil “supply-chain” ransomware attack. The attack impacted 50 MSPs and up to 1,500 small businesses that are managed by Kaseya’s customers, according to Kaseya.
This is yet another high-profile attack by REvil, and it illustrates the group’s ability to carry out Advanced Persistent Threat (APT)-like attacks at internet scale.
Here’s a breakdown of what happened and how IT and security teams can learn from the attack.
This was not a supply-chain attack like SolarWinds, in which the vendor itself was compromised and the compromise was then pushed down into its customers’ environments over an extended period of time. Rather, the supply-chain component of this attack comes from REvil being able to use the MSPs’ Remote Monitoring and Management (RMM) tools to push malware across their software delivery and patching supply chain.
The attackers were able to identify a chain of vulnerabilities in the Kaseya VSA on-prem solution which organizations often run in their DMZs. This, in combination with the fact that REvil ransomware moves quickly once a foothold is gained, resulted in fast action by Kaseya and similar MSP partners such as Huntress to notify all Kaseya VSA users to shut off their servers.
This attack reintroduces the pain point of unknown unknowns in internet-exposed attack surfaces, which can result in zero-day exploitation. In this case, the Kaseya VSA RMM distribution is hosted on-premises within MSPs’ DMZs so that endpoints can check in from the internet. We now know that Kaseya VSA had a number of previously unknown vulnerabilities, as well as one vulnerability known to Kaseya that was not yet patched.
These vulnerabilities — ranging from Improper Authentication Validation to SQL Injection — were exploited in a chain that allowed REvil to push their first stage of attacks across all connected agents.
In cases where MSPs had Web Application Firewalls (WAF) in front of their Kaseya VSA, they likely were able to mitigate the attacks, whereas organizations with only general Intrusion Prevention and/or firewalling would have been quite vulnerable.
The Impact of Modern Ransomware Attacks
Any internet-facing application is a prime target for attackers. As ransomware groups like REvil move into APT-like tactics, the purchasing of exploits becomes a quick and lucrative method to expand the victim pool.
Applications like RMMs, VPNs, MDMs, and business-centric solutions that result in a shared attack surface are significant targets for groups like REvil. This is especially true for RMM, because threat actors can leverage these applications to deploy ransomware without performing additional pivots.
With these changes in threat modeling by ransomware groups, organizations of all sizes — from SMB up to enterprise — are directly in the path of attack. Simply running an RMM solution in the DMZ to meet a business need was enough to result in broad exfiltration and encryption of these organizations’ data.
It is essential for everyone in IT and information security to review their attack surface and understand where threats could be introduced to their environments — no matter the size.
Preventing Ransomware Attacks Like REvil
Moving forward, you should adhere to some best practices to prevent future ransomware and APT-like attacks:
- Evaluate external attack surface through scanning and tools like Censys or Shodan.
- Ensure that your organization doesn’t have any internet-facing applications, to reduce your exposure to unknown vulnerabilities. A threat detection and response solution like Blumira can detect and alert on misconfigured connections — for example, RDP connections from a public IP.
- Deploy dynamic blocklists to block malicious source IPs and domains to reduce your attack surface.
- Consider multiple RMM solutions: one for your critical server infrastructure and another for your workstations. While this creates some overhead, it does immediately cut risk.
- Collect verbose logs by enabling Sysmon. It’s also important to centralize those logs and integrate them into a threat detection and response platform for more immediate alerting.
- Ensure that your permissions follow the principle of least access.
- If your organization has a need for on-premises servers that are internet-facing, evaluate WAFs to create an additional layer of defense.
- There will be more attacks; this is an inevitability at this point in the cybersecurity ecosystem. Test your backup recovery time and success rates. Ensure that you have a plan to keep your data secure and that you are evaluating who and what actually has access to data. Limit your scope and save your sanity moving forward!
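As an added example (not from this post and not Blumira’s detection code), here is the kind of logic that centralized Windows Security logs make possible for two of the behaviors named in this post: successful RDP logons from a public IP and password spraying against an internet-facing host. The event records are constructed samples shaped like Event ID 4624/4625 entries; the TEST-NET documentation addresses stand in for public IPs, and the field names and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events (not real log data), shaped like Windows Security
# Event ID 4624 (successful logon) and 4625 (failed logon) records after
# centralization. LogonType 10 is RemoteInteractive, i.e. RDP.
SAMPLE_EVENTS = [
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45", "Computer": "VSA-DMZ-01"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "kaseya", "IpAddress": "203.0.113.45", "Computer": "VSA-DMZ-01"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "backup", "IpAddress": "203.0.113.45", "Computer": "VSA-DMZ-01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.45", "Computer": "VSA-DMZ-01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "10.20.0.15", "Computer": "WS-114"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "198.51.100.7", "Computer": "FS-01"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "10.20.0.15", "Computer": "WS-114"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "helpdesk", "IpAddress": "fe80::1", "Computer": "WS-22"},
]

RDP_LOGON_TYPE = 10

# Ranges treated as non-public. Listed explicitly rather than using
# ipaddress.is_global because Python classifies the RFC 5737 documentation
# ranges used in the samples as private, which would hide them here.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 loopback, link-local, ULA
)]


def is_public(ip_text):
    """True for a routable address outside NON_PUBLIC. Windows writes '-' for
    local logons; anything that does not parse is treated as non-public."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in NON_PUBLIC)


def find_public_rdp_logons(events):
    """(computer, user, source IP) for every successful RDP logon from a public address."""
    return [(e["Computer"], e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4624 and e["LogonType"] == RDP_LOGON_TYPE and is_public(e["IpAddress"])]


def find_spray_sources(events, min_users=3):
    """Source IPs with failed logons against at least min_users distinct accounts:
    few attempts per account from one source is the password-spraying pattern."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["EventID"] == 4625:
            users_by_ip[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: len(users) for ip, users in users_by_ip.items() if len(users) >= min_users}
```

In practice the failed-logon check would be windowed by time and the user threshold tuned to the environment; the sample here is only large enough to show both detections firing on the same source.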
How Blumira Helps Prevent Ransomware
To prevent ransomware, it’s crucial to understand the behaviors that lead up to a ransomware attack, and then detect those behaviors. A detection and response platform like Blumira will quickly alert and detect indicators of compromise, prioritizing alerts to prevent alert fatigue and unnecessary noise.
Blumira detects many indicators of ransomware, including password spraying and unauthorized RDP access, enabling IT and security teams to catch a ransomware attack in its early stages. Blumira also takes ransomware prevention a step further by providing security playbooks to guide customers through remediation steps, as well as providing access to a team of security experts to give context and advice.
Try Blumira for free; our trial is easy to deploy and can provide immediate security value to your organization.