The FBI described the incident succinctly: a "supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers."
Huntress (1,2) has tracked 30 MSPs involved in the breach and believes with "high confidence" that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface.
According to the cybersecurity firm, this allowed the attackers to circumvent authentication controls, gain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process.
Kyle Hanslovan, CEO and co-founder of Huntress, told attendees of a webinar discussing the technical aspects of the attack on July 6 that the threat actors responsible were "crazy efficient."
"There is no proof that the threat actors had any idea of how many businesses they targeted through VSA," Hanslovan commented, adding that the incident seemed to be shaped more due to a "race against time."
"Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks," Sophos noted. "As such, it has a high level of trust on customer devices. By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted."
The vendor has also provided an in-depth technical analysis of the attack.
Security expert Kevin Beaumont said that ransomware was pushed via an automated, fake, and malicious software update using Kaseya VSA dubbed "Kaseya VSA Agent Hot-fix".
"This fake update is then deployed across the estate -- including on MSP client customers' systems -- as it [is] a fake management agent update," Beaumont commented. "This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya's customers were still encrypted."
With a tip from RiskIQ, Huntress is also investigating an AWS IP address that may have been used as a launch point for the attack.
On July 5, Kaseya released an overview of the attack, which began on July 2 with reports of ransomware deployment on endpoints.
"In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure," the company says.
According to the firm, zero-day vulnerabilities were exploited by the attackers to trigger a bypass authentication and for code execution, allowing them to infect endpoints with ransomware. However, Kaseya emphasizes that there is no evidence of the VSA codebase being "maliciously modified".
Wietse Boonstra, a Dutch Institute for Vulnerability Disclosure (DIVD) researcher, previously identified a number of vulnerabilities, tracked as CVE-2021-30116, which were used in the ransomware attacks. They were reported under a Coordinated Vulnerability Disclosure pact.
"Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions," DIVD says. "Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. "