Australian orgs among victims of Kaseya attack

Australian organisations are among the victims of a sophisticated ransomware supply chain attack on software provided by Kaseya, a provider of IT and security services for managed service providers.

The Australian Cyber Security Centre has confirmed it has received reports from impacted Australian organisations in the wake of the attack.

The attack perpetrated by threat actor group REvil allowed the group to distribute ransomware through update mechanisms within the Kaseya VSA software.

Kaseya detected the attack on July 2, and quickly acted to shut down access to the affected software. The attack nevertheless impacted around 50 of the company’s 35,000 customers, and in turn impacted around 800 to 1500 of the customers of the company’s managed service provider customers.

The company has developed a compromise detection tool for potentially impacted users of the software and is working on deploying a patch for its SaaS infrastructure.

In response to the attack, Kaseya is also configuring an additional layer of security to its SaaS infrastructure. Other additional security measures include a 24/7 independent security operations centre and a complementary content delivery network with web application filtering for every VSA.

Meanwhile, the company is actively working with US government agencies including the FBI, CISA, Department of Homeland Security and the White House on an investigation into the attack, and has engaged FireEye Mandiant IR to assist with its incident response.

The ACSC is recommending Australian organisations operating Kaseya servers to immediately shut them down until further notice, in addition to implementing multi-factor authentication and ensuring service accounts run with minimal appropriate privileges.

Varonis head of incident response Matt Radolec said these sorts of supply chain attacks are going to become increasingly common.

“Usually, attackers are getting in through phishing or from brokered access — buying access from another cybercriminal or group. This time, they hit service companies to spread their ransomware downstream,” he said.

“The average employee can access over 17 million documents the day they walk in the door. That’s the blast radius — the damage — that an attacker can do with just one compromised laptop. This attack sets an unfortunate new standard in ransomware.”

BlackBerry CISO John McClurg noted that REvil itself acts as a ransomware-as-a-service provider.

“The REvil developers receive a percentage of all proceeds from ransom payments. Because the ransomware is distributed by different entities, the initial infection vector can vary; typically, this is either via phishing campaigns, brute force attacks to compromise RDP or through software vulnerabilities. REvil has not yet been caught, and ransomware-as-a-service will only continue to grow,” he said.

Jeff Costlow, Chief Information Security Officer, ExtraHop, said Kaseya is a terrifying example of how quickly cybercriminals are adopting advanced persistent threat (APT) tactics.

“In the Kaseya attack, the threat actors deliberately targeted a well-established but little-known software management firm that would allow them access to hundreds of other environments,” he said.

“They meticulously researched their target and found a zero-day flaw in their software. They then exploited it and waited for a long holiday weekend to detonate their ransomware.

“This technique parallels almost exactly the techniques used by nation-state adversaries in the NotPetya attack four years ago –– which used an exploit in Ukrainian tax software MeDoc –– and more recently, in the SolarWinds SUNBURST attack. Both NotPetya and SUNBURST used exploits in software that was widely used but little known to the public to disseminate malware on a massive scale. Both waited for national holidays (the former in the Ukraine, the latter in the US), when many were out of the office, to detonate their attacks.”

The fact that techniques that were once the dominion of the most advanced nation states are now being used to extract multimillion-dollar ransoms should serve as a stark warning for every organisation and every software vendor, Costlow said.

Image credit: ©stock.adobe.com/au/nicescene

Originally published here.