15 July, 2021
Supply chain attack via Kaseya VSA software results in wide-spread IT security breaches
On July 2nd 2021, reports came in regarding a large scale security breach of companies that are using Kaseya VSA IT management software. Because of the widespread use of this software many organisations seem to have been affected. This blog post outlines what we know so far, and what can be done to remediate.
What has happened?
Kaseya is a software company providing IT management software. One of its software products is Kaseya VSA which allows remotely managing customer systems. It is a popular software product with Managed Service Providers (MSPs). VSA consists of one or more central management servers and agent software installed on the systems that are managed.
Around July 2nd 2021, 20:00 CEST Kaseya noticed that an SQL injection vulnerability in its VSA software was being actively exploited on the internet. The vulnerability allows attackers to gain full administrative access to a VSA management server. In those cases where the management interface is exposed to the internet, a remote attacker can obtain full administrative control over VSA.
The current attack consists of the attackers exploiting said vulnerability, and subsequently scheduling the deployment of a malicious software update for the Kaseya VSA management agent. Any system that receives this update gets infected with ransomware that encrypts the files.
Who are affected?
This attack targets Kaseya VSA, a software product to remotely manage computer systems. It is a software product that is popular with Managed Service Providers (MSPs), that are typically organisations that manage the IT infrastructure for (smaller) organisations that do not have their own IT support/service. Your organisation could be affected if you are using Kaseya VSA software within your organisation; if your MSP is using this software to manage your (or other customers) IT systems; the management interface of Kaseya VSA is or was exposed to the internet. This may be the case if you are using the on premise version of the software. This is definitely the case if you are using the hosted (i.e. SaaS) version of the software.
At the time of writing this report, it cannot be ruled out that systems that are not exposed to the internet are not affected by this attack.
What are the indicators of compromise?
The initial compromise of the VSA management servers seems to have taken place from the IP address 18.104.22.168 with a HTTP request to the /userFilterTableRpt.asp, which is allegedly vulnerable to SQL injection. Exploiting the vulnerability results in a compromise the VSA management servers.
Next, a job is installed in VSA that deploys and subsequently installs a malicious VSA Agent to all hosts managed by the VSA server. It installs at least the following two files on each managed system (file hashes included):
C:\Windows\mpsvc.dll: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
Please note that agent.exe is a malicious version of the actual Kaseya VSA Agent and is installed in the default update path c:\kworking\. This may be a different location depending on the specific configuration of the local installation.
Since the Kaseya installation documentation recommends to exclude the directories in which the Kaseya VSA software is being installed from being scanned by virus scanners, the installation of the malicious update may initially not be detected by an anti-malware solution and may remain unnoticed by the SOC/IT operations team.
Once the malware has been dropped on the system it tries to disable Windows Defender and other anti-malware solutions that are installed on the targeted system. Next, the malware starts encrypting files on the local system. Once done, the malware display a message that the system is encrypted and specifies payment details.
What should I do?
Check if your organisation is using Kaseya software. Although this attack seems to have targeted Kaseya VSA only, it cannot be ruled out that other Kaseya software is affected by the same vulnerability as well. If your IT infrastructure is being managed by an MSP. Check with them if they are using the software for management of any of their customer's IT systems. Check if your VSA server is exposed to the internet, or was until recently (before July 4th 2021).
If both conditions are met it is likely that your is vulnerable, and may have been compromised.
Disable Kaseya VSA as soon as possible. Do not install software updates via the Kaseya automated software update process. Keep an eye on the official Kaseya status update page (https://www.kaseya.com/potential-attack-on-kaseya-vsa/) for the latest information on how to update to a fixed version.
Check the available log files of Kaseya VSA, your network firewall, reverse proxy and any other component in your infrastructure deemed relevant for references to the aforementioned IP address, or references from (unknown) remote IPs to the asp page. In case a reference is found your VSA is likely compromised.
Check all your systems for the aforementioned files. The files may be stored in different locations, so it makes sense to check the file hashes of all files on your systems.
Monitor your anti-malware logs for any suspicious activity on VSA managed systems and the management servers in particular since July 1st, 2021.
Mid / long term:
It is expected that supply chain attacks will become more frequent. It is therefore advised to implement mitigating measures to reduce the risk of becoming a victim of such an attack:
Make checking the IT security level an integral part of supplier selection. Suppliers, such as MSPs, should provide proof that the security level of their organisation and software products are frequently checked for security flaws by means of IT audits and penetration tests.
Do not use centralised (e.g. cloud based) management solutions for remotely managing your IT infrastructure. Do not expose the management interface of any administrative software directly to the internet. Instead, use local instances of management software that can be accessed while on premise or via VPN only.
Disable the automatic update system of software; install software updates manually instead. Do not distribute / install software updates on production systems before having tested them in an acceptance infrastructure.
Make sure that development, test and acceptance environments are segregated from production on the network level.
Make sure that all systems within an infrastructure are protected by means of anti-malware software, and that reports issued by this software are evaluated and acted upon by your security and IT department.
By Eurofins Cyber Security
Back to Blog