Kaseya Supply Chain Attacks

By CYFIRMA Research

First Published on 6 August 2021

  1. EXECUTIVE SUMMARY

REvil ransomware has set a price for decrypting all systems locked during the Kaseya supply-chain attack, which exploited the zero-day vulnerability CVE-2021-30116.

Because many organizations rely on Managed Service Providers (MSPs) as part of their operational procedures and include third-party vendors in their ecosystem, they could potentially be targeted by such ransomware attackers.

The vulnerability is rated critical because it bypasses security mechanisms and has been exploited in the wild by cybercriminals and ransomware operators.

Based on its analysis and research, CYFIRMA observed that the suspected Russian cybercriminal group TA505 could possibly be collaborating with REvil ransomware groups, or operating them, to exploit this vulnerability to gain access to the system, move laterally across the organization, and implant customized malware to exfiltrate sensitive information.

CYFIRMA recommends using the reported IOC details to defend against this campaign and to threat hunt within your environment.

CYFIRMA Risk Rating for this Research is Critical.

NOTE: This is a developing story; more insights will be shared in due course as developments continue. The vulnerability has been reported as situational awareness intelligence. CYFIRMA would like to highlight the potential risk and the indicators observed, which may be leveraged by nation-state threat actors to exploit the vulnerability, gain a foothold, and exfiltrate sensitive information from target organizations.

  2. VULNERABILITY AT A GLANCE

Security Bypass Vulnerability in Kaseya VSA Servers

CVE-2021-30116

CVSS Score: 9.8

Exploit Details: This zero-day vulnerability is being exploited in the wild and has been leveraged by REvil Ransomware Group.

Description:
Kaseya VSA servers could allow a remote attacker to bypass security restrictions, caused by improper authentication validation in the web panel. By sending specially crafted SQL commands, an attacker could exploit this vulnerability to deploy arbitrary programs to all connected clients.

Impact
Successful exploitation of the vulnerability could allow an attacker to compromise the affected system.

Insights
The vulnerability exists due to unspecified errors and could be exploited by a remote non-authenticated attacker via the Internet.

The CWE is CWE-20, and the vulnerability has an impact on confidentiality, integrity, and availability.

Affected Version
Kaseya VSA (All on-premise Kaseya VSA versions).

Mitigation
Currently, NO patch is available for this vulnerability.

Security Indicators

  • Is there already an exploit tool to attack this vulnerability? Unknown
  • Has this vulnerability already been used in an attack? Yes
  • Are hackers discussing this vulnerability in the Deep/Dark Web? Yes
  • What is the attack complexity level? Low


To download the full report, write to [email protected]