REvil Ransomware Used In Kaseya Supply Chain Attack


The Idappcom Threat Detection team has been working on the recent Kaseya Supply Chain REvil Ransomware Attack.

Description

The Dutch Institute for Vulnerability Disclosure (DIVD) on Sunday revealed it had alerted Kaseya to a number of zero-day vulnerabilities in its VSA software (CVE-2021-30116) that it said were being exploited as a conduit to deploy ransomware.

Kaseya was in the process of validating a patch before rolling it out. Unfortunately, the REvil ransomware gang used this zero-day to conduct the attack.

The attackers compromised the Kaseya VSA system, then pushed out malicious updates to deploy ransomware on enterprise networks.


Identification

(Statement from Kaseya)

Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only. Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service.

One example of a victim of this attack that does not directly use Kaseya is Coop in Sweden. They have closed 800 of their stores indefinitely, as their PoS terminal supplier uses an MSP who uses Kaseya.

Detection

Kaseya has released a new Compromise Detection Tool, which can be downloaded at the following link: VSA Detection Tools.zip

This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.


Idappcom have created several rules along with traffic files which detect attempted requests that have been identified by the intelligence gathered so far.


Coverage

Idappcom have created signatures 8021513, 8021514, 8021515 and 8021516 along with their respective traffic files.




Traffic IQ

If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can share your defences and report any issues? Learn more here: https://www.idappcom.co.uk/traffic-iq-professional