Kaseya Update: Hundreds to Thousands of Businesses Affected

-

To expand on my previous entry regarding the initial disclosure and understanding of the Kaseya supply-chain attack by REvil ransomware operators, I wanted to provide some of the available information we have on affected businesses.

Kaseya reported to the public that the attack resulted in the breach of roughly 60 direct customers systems using the VSA on-premises product. Further downstream, Kaseya adds another 1,500 victims whose networks were being managed by those direct MSP customers. As of their press release yesterday, Kaseya has asserted that the attack "had limited impact" and that "only approximately 50 of the more than 35,000" customers were affected. Kaseya stated that of the approximately 800,000 to 1,000,000 small businesses that are being managed by Kaseya customers, roughly 800 to 1,500 have been compromised.

While this number seems low in comparison to the whole customer base, it's still a staggering number of potential compromises, ransoms, and increased positions by threat actors.

Kaseya is working on restoring normality and are readying the deployment of a fix for the VSA zero-day.

"All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations.  A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture". - Kaseya



The Zero-Days

Kaseya confirmed on July 5th that multiple zero-day vulnerabilities were exploited to target vulnerable VSA server instances. These vulnerabilities included an authentication bypass and arbitrary command execution vulnerability. At the moment, no additional details about these vulnerabilities have been shared and no additional vulnerabilities have been referenced.

Huntress Labs and TrueSec researchers have identified potentially three zero-days in their investigations into attacks against clients. These zero-days include a code injection vulnerability to the two mentioned above. Huntress Labs believes that the threat actors were able to obtain access to VSA servers through the authentication bypass flaw. New evidence has suggested that SQL injection may have been only a portion of the full attack vector leading to code execution and perhaps another injection attack as part of the attack chain.

Currently, CVE-2021-30116 is believed to related to the authentication bypass vulnerability but we do not have any additional information just yet.

As of the creation of this blog entry, there have not been any proof of concepts posted for the above-mentioned vulnerabilities.

Relevant Articles

https://www.tenable.com/blog/cve-2021-30116-multiple-zero-day-vulnerabilities-in-kaseya-vsa-exploited-to-distribute-ransomware

https://github.com/cado-security/DFIR_Resources_REvil_Kaseya/tree/main/IOCs

https://www.bleepingcomputer.com/news/security/kaseya-roughly-1-500-businesses-hit-by-revil-ransomware-attack/


Comments

Post a Comment

Popular posts from this blog

-
Image
ESET's APT Activity Report Q4 2023-Q1 2024 summarizes observations of various advanced persistent threat (APT) groups documented by ESET researchers between October 2023 and March 2024. Their observations highlight the broader threat landscape investigated during this period of time and details trends, developments and tooling used by these threat actors. The public report proclaims to contain a fraction of what private ESET customers receive. China Chinese-aligned cyber espionage groups have traditionally targeted public facing applications for obtaining initial access on a target network. In many campaigns investigated by ESET and others, the groups leveraged one-day vulnerabilities against a range of appliances and software including VPNs, firewalls, Confluence, Exchange, and others. See ESETs report linked below for their detailed analysis on Chinese threat activity.  Middle East According to ESET's research, a potentially Iranian-aligned threat group BladedFeline continued...
Read more

Russian GRU Unit 29155 recent operations

-
Image
Background Russian GRU military intelligence Unit 29155 (aka Cadet Blizzard, Ember Bear, FrozenVista, UNC2589) is a covert subunit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), primarily tasked with conducting high-stakes and clandestine operations abroad. Established under the GRU, Unit 29155 gained public attention due to its involvement in activities that align with Russia's asymmetric warfare objectives, particularly in Europe, Ukraine, and NATO-affiliated regions. Unit 29155 operates in several domains, from traditional espionage and sabotage to cyber operations. Figure 1 WANTED: GRU Unit 29155 [1] Unit 29155 has significantly intensified operations since 2020, pivoting from covert actions in Europe toward a greater emphasis on cyber operations with a focus on undermining Ukraine and NATO allies through espionage, data manipulation, and sabotage. Primary TTPs Espionage and Data Theft Unit 29155 conducts extensive espionage ca...
Read more
-
Image
Microsoft recently released their findings after a lengthy investigation into activity conducted by the Russian state-sponsored APT28 group using a unique tool for privilege escalation and credential harvesting on victim networks. Microsoft refers to the custom tool as GooseEgg and claim that the group has been observed leveraging this tool since at least June 2020. GooseEgg The custom toolset leverages CVE-2023-38208 in the Windows Print Spooler service which changes a JavaScript constraints file and executes it with SYSTEM permissions. Based on their findings, Microsoft believes GooseEgg is deployed after initial access to elevate access to targeted systems with the end goal of harvesting credentials and data. Unsurprisingly, targeting includes Ukrainian, Western European and North American entities across several sectors including government, non-government, education and transportation. After initial access of victim device, researchers observed APT28 deploying GooseEgg to escalate...
Read more