The attack that compromised Kaseya’s VSA product last week and led to a widespread REvil ransomware incident has affected nearly 1,500 businesses so far, and researchers say there are ongoing attacks in more than 20 countries.
The incident began on July 2 when REvil actors exploited a vulnerability in the Kaseya Virtual Server Administration product to gain access to the on-premises VSA servers on the networks of a number of managed service providers (MSPs). The actors then used the tool, which is a remote management and monitoring application, to deploy ransomware on the networks of hundreds of those MSPs’ customers. The damage from the incident has been extensive: it has forced store closures in some countries and affected schools and many businesses. The actors behind the incident have said they would decrypt all of the infected systems for $70 million.
Researchers working on the incident have discovered that the REvil actors exploited at least one vulnerability in Kaseya VSA, and possibly others, to gain initial access to the servers and then deploy the ransomware payload.
“All of these VSA servers are on-premises and Huntress has confirmed that cybercriminals have exploited an arbitrary file upload and code injection vulnerability and have high confidence an authentication bypass was used to gain access into these servers,” researchers from Huntress, which works with MSPs, said.
“This potential authentication bypass likely grants the user a valid session, and may let the user "impersonate" a valid agent. If that speculation is correct, the user could access other files that require authentication -- specifically KUpload.dll and userFilterTableRpt.asp in this case. KUpload.dll offers upload functionality and logs to a file KUpload.log. From our analysis, we have seen the KUpload.log on compromised servers prove the files agent.crt and Screenshot.jpg were uploaded to the VSA server. agent.crt is, as previously stated, used to kick off the payload for ransomware.”
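As an added defender-side example (not code from the article or from Huntress), the following Python scanner walks a KUpload.log and flags lines recording uploads of the two file names the researchers cite, agent.crt and Screenshot.jpg. The real KUpload.log layout is not shown in the article, so the sample log and its `file=` field format are constructed assumptions; adjust `FILE_RE` to the actual format before running it against a server.

```python
import re
from typing import Dict, List

# File names the researchers report as uploaded to compromised VSA servers.
KNOWN_UPLOAD_INDICATORS = {"agent.crt", "screenshot.jpg"}

# Constructed sample log. The real KUpload.log format is not given in the
# article; this assumes one upload event per line with a "file=<name>" field.
SAMPLE_KUPLOAD_LOG = """\
2021-07-02 14:01:10 upload start file=config.xml size=1024
2021-07-02 14:01:11 upload ok file=config.xml
2021-07-02 16:22:40 upload start file=agent.crt size=2048
2021-07-02 16:22:41 upload ok file=agent.crt
2021-07-02 16:22:42 upload ok file=Screenshot.jpg
2021-07-02 16:22:43 upload fail file=notes.txt
"""

# Assumed field layout; replace with the pattern that matches your log.
FILE_RE = re.compile(r"file=(?P<name>\S+)")


def extract_uploads(log_text: str) -> List[Dict[str, object]]:
    """Return one record (line number, file name, raw line) per upload entry."""
    uploads = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = FILE_RE.search(line)
        if match is None:
            continue  # not an upload record under the assumed layout
        uploads.append({"line": lineno, "name": match.group("name"), "raw": line.strip()})
    return uploads


def find_indicators(log_text: str, indicators=KNOWN_UPLOAD_INDICATORS) -> List[Dict[str, object]]:
    """Keep only upload records whose file name (case-insensitive) is a known indicator."""
    return [u for u in extract_uploads(log_text) if str(u["name"]).lower() in indicators]


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_KUPLOAD_LOG)
    for hit in hits:
        print(f"line {hit['line']}: {hit['name']} -> {hit['raw']}")
    print(f"{len(hits)} indicator upload(s) found")
```

A hit on these names is evidence worth triaging, not proof by itself; pair it with the server's web and session logs from the same window.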
Both the FBI and CISA are involved in the investigation and recovery process for the incident, and Kaseya is still working on a fix that will enable it to bring both its on-premises and cloud VSA services back online. The company estimates that it will be able to bring the SaaS VSA implementation back online this afternoon, and then have the patch available for on-premises servers within 24 hours after that.
REvil is one of the many ransomware-as-a-service operations that have sprung up in the last couple of years, offering criminals the tools and support to deploy ransomware. The group has been operating for more than two years and has been quite active and successful. The number of affiliates that buy REvil’s services isn’t clear, but the ransomware has been used in some high-profile incidents, including the attack on JBS USA in May. In that incident, the company eventually paid a ransom of $11 million.
"They run it like a business. REvil is about as sophisticated as they come. They take it seriously," said Kyle Hanslovan, CEO of Huntress.