On 02 July 2021, details started to emerge of a sophisticated supply-chain attack targeting Kaseya VSA, virtual system administrator software used to manage and monitor customers’ infrastructure. Researchers initially attributed this attack to ransomware gang “REvil” (aka Sodinokibi), whose members claimed responsibility in a press release on their dark-web data-leak site, Happy Blog.
Kaseya VSA is commonly used by managed service providers (MSPs) in the US and UK to help them manage their clients’ systems. As such, compromising this product also enabled the ransomware operators to gain privileged access to thousands of MSPs’ customers’ devices, given the high level of trust that IT monitoring software usually requires.
At the time of writing, the number of companies affected by this ransomware supply-chain attack is still unclear. Kaseya’s CEO, Fred Voccola, claimed on 03 July 2021 that “fewer than 40 worldwide” customers were impacted. However, the number of affected organizations is likely to be far larger than that, given that each compromised MSP will, in turn, affect its own clients’ systems as well. REvil operators claimed in their press release that more than one million victims were “infected”, but this figure needs to be taken with a pinch of salt.
Digital Shadows (now ReliaQuest) is keeping a close watch on the developing situation associated with this event and will provide updates as new details emerge. For now, we have decided to publicize what we know so far, review the connection to Sodinokibi, and highlight some measures to take while this event is still unfolding.
REvil operators conducted a sophisticated supply-chain attack that abused the Kaseya VSA update mechanism to push malicious product updates and distribute ransomware across the American IT giant’s customers. Let’s see in detail how the campaign unfolded.
Initial access
Multiple reports indicate that REvil used a zero-day vulnerability to remotely access on-premises VSA servers. The vulnerability had reportedly already been disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure (DIVD) and was in the process of being fixed; however, REvil affiliates were faster and weaponized it to breach multiple Kaseya customers.
Technical details of the vulnerability are still unknown. However, the ability of the REvil operators to obtain this undisclosed exploit speaks volumes about the increasing sophistication of this ransomware group. The exploitation of zero-day vulnerabilities was once seen as exclusive to highly capable state-sponsored advanced persistent threat (APT) groups; these days, the professionalization of ransomware gangs and the immense resources available to them have significantly expanded their destructive potential.
Execution
The REvil ransomware is delivered via a malicious update through Kaseya VSA. The update is automatically rolled out across Kaseya’s MSPs and their customers’ systems, disguised as a management agent update.
Lateral movement
Like the vast majority of IT management and monitoring products, Kaseya VSA operates with high-level administrator privileges across its users’ networks and systems. Although this is a standard set-up for this kind of product, it means that the attackers who compromised Kaseya VSA inherited the same privileges and could propagate freely.
Impact
REvil and other ransomware groups are financially motivated. Consequently, it makes sense for them to encrypt the compromised networks and demand a ransom to restore them. This ransomware supply-chain attack’s main targets were the MSPs and not their customers; the initial ransom demanded from the MSPs was set at USD 5 million each; the customers of the MSPs faced a lower demand, of USD 44,999.
Correspondence between the attackers and their victims indicated that the REvil affiliates were not honoring these initial demands. Based on the correspondence, the affiliates demanded between USD 40,000 and USD 45,000 per individual encrypted file extension. For a victim organization that stated that they had more than a dozen encrypted file extensions, the attackers demanded a sum of USD 500,000 to decrypt the entire network.
In other correspondence, the attackers stated that they did not perform any actions other than encrypting the networks. This suggests they did not steal victims’ files, which is the typical course of action in ransomware attacks using the double extortion method (attackers steal files and publish them on dedicated data-leak sites to pressure victims into paying the ransom).
Additionally, REvil offered a universal decrypting tool for 70 million dollars in Bitcoin. This universal decrypting tool would allegedly allow all victims to regain access to their systems within an hour. It is realistically possible that the attackers were capitalizing on the panic among the victims, which included the customers of the affected MSPs, to drive them into pooling funds for that universal decrypting tool.
Interestingly, as you can see from the screenshot above, REvil has been asking for the ransom to be paid in Monero (XMR) rather than Bitcoin (BTC). As we discussed in our blog about cryptocurrency attacks to be aware of in 2021, cybercriminals are increasingly moving toward privacy-focused cryptocurrencies, such as Monero, for their operations. It is likely that ransomware groups have noticed a trend in law-enforcement operations being able to locate and seize Bitcoin wallets in recent months (see the aftermath of the Colonial Pipeline attack) and have started to steer away from Bitcoin when possible.
After an initial unconfirmed attribution to the REvil (aka Sodinokibi, Sodin) operators, they confirmed being behind the attack in the press release on their data-leak site. REvil is ransomware that was first observed in April 2019. Since then, the ransomware has been actively used in campaigns targeting organizations worldwide and across a wide range of sectors. In a similar fashion to other prominent ransomware groups, the REvil operators have often adopted the popular method of exfiltrating sensitive data from their targets and threatening to release it on their dark-web site to increase pressure on victims.
REvil operates as a Ransomware-as-a-Service (RaaS) criminal operation. REvil affiliates have been observed using a variety of methods to compromise victims in the past. Along with phishing and malvertising, REvil frequently made use of software vulnerabilities to spread and compromise victims.
This ransomware supply-chain attack is not the first time REvil has targeted MSPs. Back in June 2019, REvil used remote management tools to deploy ransomware on MSPs’ customers’ systems; this indicates that the event observed over the past weekend was a tried-and-tested operation, rather than improvised. Corroborating this assessment is the fact that the attackers deliberately chose the 4th of July weekend to target Kaseya VSA, timing their activity with the US Independence Day holiday in hopes of generating maximum chaos when few security professionals were in their (home) offices to respond to the threat.
As we mentioned earlier, we will continue to update this blog to reflect the most up-to-date details pertaining to this campaign. In the meantime, we have compiled a list of useful resources:
Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection)™ recommendations
If you’re a Digital Shadows (now ReliaQuest) client, we have consolidated a list of Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection) queries you can use to stay on top of details as they emerge:
INDICATOR QUERY:
type=[indicator feeds] AND “kaseya”
KASEYA INFORMATION QUERY VIA THREAT INTEL FEEDS:
(type=[blog posts] OR type=[intelligence incidents]) AND “kaseya” AND date=[now-7d TO now]
THREAT ACTOR REVIL SPECIFIC QUERY:
(“revil” OR “sodinokibi”) AND (type=[Blog posts] OR type=[Intelligence])
QUERY FOR DISCUSSIONS ON FORUMS, CHATS, AND MARKETPLACES:
(“kaseya” OR “sodinokibi” OR “revil”) AND (type=[Forum posts] OR type=[Chat messages] OR type=[Marketplace listings])
QUERY FOR RELATED VULNERABILITIES:
(“kaseya” OR “sodinokibi” OR “revil”) AND (type=[Vulnerabilities & Exploits]) AND date=[now-6M TO now]