A little over a week ago, we wrote a bit about what we knew about the Ransomware-as-a-Service (RaaS) operator group REvil’s (aka Sodinokibi) attack on Kaseya. Now that the dust has settled, we’ll bring you up to speed on what’s happened in the threat landscape so far in this blog.
As of 12 July 2021, Kaseya has announced that all of the needed patches have been released across the VSA SaaS infrastructure. Kaseya continues to monitor progress and to post updates on ongoing maintenance and patches.
What was the Kaseya incident?
To catch everyone up, REvil was able to gain access to Kaseya via three zero-days tracked under CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120. Kaseya advised customers to shut down its VSA (Virtual System Administrator) service immediately until a fix could be found.
Over the next ten days, Kaseya was able to release patches for these flaws, which leaked credentials, allowed cross-site scripting, and allowed two-factor authentication to be bypassed. In the wake of the incident, approximately 1,500 customers were affected.
What has happened since then?
Phishing attacks followed
In a quick and very typical fashion, other criminals decided to take advantage of current events and performed a number of phishing attacks which used the incident as a lure. Luckily, Kaseya warned customers via their update page that spammers were behind these attacks. The attacks took shape as emails containing purported Microsoft patches for Kaseya vulnerabilities but instead served up weaponized links and attachments to unsuspecting users. According to a report from Malwarebytes, this phishing campaign used Cobalt Strike beacons, which, as we’ve discussed before, have become a trendy piece of every adversary’s arsenal.
Ransom payments went unpaid
As Bleeping Computer discovered, only two companies paid a ransom, for whatever reason. The others were simply unaffected or chose to use backups instead of paying a ransom.
An upside to this attack was that it proved right those in the security community who have advocated for backups over the years. One important thing to highlight is that even though these companies dodged a metaphorical bullet here, there is ransomware that searches for indicators of backups and then encrypts those as well. The attackers in this instance attempted to modify code to do just that but it did not appear to work as planned.
REvil’s “Happy Blog” Down for the Count
In a final, and possibly unrelated, development, the actors behind REvil seem to have gone incommunicado. In the wee hours before writing this blog, the group’s disclosure site “Happy Blog” was reportedly offline, as some Twitter users discovered:
Also notably absent in recent days was the REvil representative Unknown, who had not been seen on notable forums such as Exploit, and was banned on XSS, as noted in the tweets above. Other underground chatter about the outage is limited, likely due to some Russian-language forums’ hostile attitudes towards discussing ransomware. Some threat actors have speculated that even if law enforcement agencies have successfully targeted REvil, this will not spell the end of the group’s activities. Still others predicted that the group would reappear under another name or split into smaller groups to attract less attention, which is a thought shared by some researchers in the Twitterverse. One Twitter user noted that short-term absences are not unusual.
However you spin it, the inaccessibility of the REvil ransomware group’s websites is unusual because the group’s infrastructure has historically been more stable than that of other ransomware groups. It is possible that the site is down because of temporary technical issues or upgrades, but the outage could also signify a law enforcement disruption of the group’s operations. Given the recent absences of REvil representatives, it does pose interesting questions.
Only time will tell, but Digital Shadows will continue monitoring for further insights and any other comments from the underground about this developing situation.
How to defend against ransomware attacks?
We’ve been talking about this for a long time on our ShadowTalk podcasts and in previous articles: Attacks on the supply chain like this have the potential for disaster, as we saw in this year’s SolarWinds incident, the Accellion breach, and many others previously.
When supply chain attacks happen, it could be a case of a friend, instead of a foe, causing the breach of the network. One could make a pretty decent argument about adding an extra layer of attack surface when it comes to vendors, partners, and other third parties that are linked to your organization through applications and services, much as Kaseya’s VSA application was with so many downstream customers. It may not mean micromanaging everyone else’s security, but some due diligence to ensure partners are doing their best to stay secure or even compliant may go a long way. Digital Shadows monitors popular breach disclosure blogs that many of these ransomware and extortion groups now run, in addition to catching their online chatter.
While backups seem to have saved the day for many potential victims in this instance, they could be their undoing in the next. However, it’s always a good practice to be disaster-ready and maintain backups, as we’ve talked about before. It might mean building some resilience through a combination of online and offline backups, especially in light of the possibility of backups coming under attack. It also means ensuring the backup images work, and testing the incident response and disaster recovery processes so that all the moving pieces fall into place correctly if the real thing happens.
In any case, understanding where those risks lie helps the enterprise stay safe in the current threat landscape. Suppose you’re curious about the intelligence we produce about these and similar attacks (such as the event profile below).