REvil Ransomware Exploits IT Service Providers on 4th of July Weekend

The United States Cybersecurity & Infrastructure Agency (CISA) yesterday stated that a software supply chain based ransomware attack had been launched exploiting customers of Kaseya VSA, a US-based IT management system used by managed service providers (MSPs) worldwide (see Kaseya bulletin). Coop Sweden, a national supermarket chain, is shut down due to the attack. A public forensic analysis of the ransomware payload indicates the attack came from the REvil ransomware criminal gang.

What is Kaseya VSA?

MSPs, or companies who are hired to manage a larger company’s computer network, use Kaseya VSA to perform “endpoint management and networking monitoring.” This means Kaseya VSA is installed with full administrative privileges on every computer managed by an MSP, which makes it an ideal target for ransomware threat actors.

Compromising an MSP is an effective way for ransomware to be infiltrated into every customer managed by the MSP. And an MSP attack has already happened in 2019 to 22 cities in Texas whose computers were managed by a single MSP.

But this attack is much worse. Like how the SolarWinds and Codecov supply chain attacks amplified the threat actor’s power, this Kaseya VSA attack uses two stages of distribution to exponentially amplify ransomware distribution. After compromising the online servers as Kaseya, the ransomware began an automatic distribution cycle that delivered the ransomware to Kaseya’s MSP customers. This in turn infected the MSPs customers.  

Kaseya says they shut down the compromised server, but the ransomware did ultimately get installed into over 200 corporate sites, causing business operations to be disrupted.

Deliberate Timing

According to security blog Beeping Computer, a REvil ransomware attack timed for a Friday before a holiday weekend is a ransomware criminal tactic.

Most large-scale ransomware attacks are conducted late at night over the weekend when there is less staff to monitor the network. As this attack happened midday on a Friday, the threat actors likely planned the time to coincide with the July 4th weekend in the USA, where it is common for staff to have a shorter workday before the holidays.

Source: Bleeping Computer

The same Bleeping Computer article has a forensic analysis of the methods used to distribute the ransomware. That analysis plus the text of the digital extortion demand leads the publication to conclude the REvil ransomware gang, also known as Sodinokibi, is behind the attack.

Managing Software Supply Chain Risk

For Salesforce architects and devops practitioners this news reinforces the need to harden how software solutions are crafted. Here are some points to consider when adding open source or external packages to a stack of solutions.

• Consider if you have an MSP who may need to improve security or if you have any other kind of management agents on developer workstations.
• Secure remote workers with hardware-based VPN routers.
• Remember that open source software is everywhere, and until now there has been no widespread concern about its security.
• Be careful when building your own Salesforce or cloud native solutions. Look for any products that have an open source component to come with a software bill of materials to itemize and validate all 3rd party libraries.
• When using any JavaScript or other public library ecosystem be sure to engage in your own software composition analysis (SCA) to check for malicious code. One company I track, DigitSec, performs this type of scan as part of its security solution.

Time for Action

As if the IT industry needs reminding, the United States and its allies are under constantly attack by criminal gangs like REVil emanating from the Russian Federation. All workers in the industry must adopt a cyberwarrior posture and be on guard. Such admonitions are still in effect, and if anything the industry must assume that things will get worse before they get better.

At last month’s summit between the United States and the Russian Federation, President Joseph R. Biden stated that if any further ransomware attacks reach into 12 critical infrastructure sectors there would be tangible consequences to that action. One of the 12 sectors is the “Information Technology Sector,” and Kaseya is most certainly in the IT sector.

The United States and its allies must act against the source of these attacks. Those of us in the IT industry will be overwhelmed if threat actors get infinite do-overs. It is time to address the problem at its source.