A Perspective of the Kaseya Incident
Posted July 21, 2021 by Adam Cole ‐ 3 min read
Ransomware is a scourge on businesses everywhere today, and the Kaseya ransomware incident was no different. Except, it was an exceptional attack that utilized advanced procedures not normally seen in large scale, public, ransomware incidents. TrueSec provides an excellent overview of the initial compromise:
- Obtained an authenticated session by abusing a flaw in the authentication logic [CWE-304] in /dl.asp.
- Uploaded the REvil ransomware (agent.crt) through an unrestricted upload vulnerability [CWE-434] while also bypassing the request forgery protection [CWE-352] in /cgi-bin/KUpload.dll.
- Uploaded the ASP payload (screenshot.jpg) in the same fashion as described in 2.
- Invoked the payload in screenshot.jpg through a local code injection vulnerability [CWE-94] in userFilterTableRpt.asp.
- Created Kaseya procedures to copy file and execute the ransomware.
- Executed the procedures.
- Removed logs and other forensic evidence.
Writing this article, and doing research into the attack, I was startled by how efficient the above procedures were carried out, as well as the fact that a common tactic was missing: phishing. For years threat actors abused the trust of individuals to gain access to systems, and then spread laterally once a presence was established. If you look at the ATT&CK sub-techniques for phishing, nearly every single threat actor Mitre has logged uses some form of phishing for initial access.
REvil blew a 0-day away and abused multiple vulnerabilities in order to breach Managed Service Providers (MSPs) during this incident. That is not normal, but the payout was absolutely worth it; millions of dollars paid, and REvil actually offering a global decryption key for a single payment. However, it also resulted in REvil being shut down; whether that was by Russia itself, or another entity no one knows.
I won’t dig into the details of the attack here; there are multiple blogs out there that do an amazing job of that already:
However, LifeOmic’s security team does believe that it is a part of our mission to stay abreast of these attacks and validate that we could manage and survive against them if launched against our environments. Believing that our practices are the naturally occurring path that Cybersecurity must take, we pointed to a few key ideologies/techniques we hold strongly to that could have defeated or at least slowed this attack down in our own environment:
- Zero Trust. Service accounts and full administrative access simply do not belong in a modern enterprise. They are consistently abused, and this incident was no different.
- Manage your suppliers. LifeOmic rigorously reviews any supplier, and always asks the question, ‘Can we automate this functionality instead?’. MSP are extremely high value targets, don’t invite them into your home.
- Practice, practice, practice. LifeOmic is a firm believer that incidents like this are not a matter of if, but when. We practice our response to possible incidents and verify our detection mechanisms as frequently as we can.
- Hackers can be your best friend. This entire incident was much shorter than it could have been, because Kaseya was actively working on the 0-day that was used as the initial vector. Bug bounties and open relationships with the bug bounty community can help speed the process of identifying critical vulnerabilities and getting those patches shipped!