Cyber ​​attack on Kasia VSA leaves IT administrators waiting for advice, looking for ransomware

Cyber ​​attack on Kasia VSA leaves IT administrators waiting for advice, looking for ransomware

Managed service providers and organizations using the cloud or on-premises version of Kasia's VSA remote monitoring and IT management tool await the company's decisions on Monday whether they can resume using the tool after the hack . Due to which ransomware attack has happened. customer.

Kasia told customers on Friday, July 3 that it had been the victim of a sophisticated cyberattack and had to discontinue the software-as-a-service version of VSA. More importantly, it urged IT administrators to take the on-premises versions offline and introduced a compromise detection tool. Kasia believes that only VSA's on-premises users are at risk.

On Sunday afternoon, the company said a "small number of people on-premises" were involved in the attack. But CTV News quoted Kasia CEO Fred Voccola as telling the Associated Press that the number of victims is in the low thousands, mostly small businesses like "dental practices, architecture firms, plastic surgery centers, libraries, things like that."

Vocola said in interviews that only between 50 and 60 of the company's 37,000 customers were compromised. But 70 percent were managed service providers who use VSA software to manage multiple customers.

Researchers at Huntress Labs said Sunday that they know of 30 managed service providers and 1,000 organizations who are victims. Everyone used the on-premises version of VSA. On Sunday, Sophos said more than 70 managed service providers have been affected so far, resulting in more than 350 organizations being affected.

At this point, it is not known whether any of the aggrieved firms are Canadian.

UPDATE: In an interview this afternoon, Alexis Dorais-Joncas, chief of security intelligence at ESET's Montreal Research and Development Office, said that its telemetry has affected at least "several" Canadian organizations with ransomware related to this attack. These will be the customers of the managed service providers. He said Canada is the third most affected country after the United Kingdom and South Africa.

"It seems that [the spread of ransomware] was contained relatively quickly," he said. "From what we have seen in our telemetry, there has been a steady decline in detection over the past two days."

Threat intelligence firm Darktracer posted Revil Ransomware Group's claim on Twitter that more than one million systems have been infected. A universal decryptor that can be used by all victims is worth $70 million in bitcoin. Either Cassia is expected to make this payment, or Reville expects all the aggrieved companies to chip in a pool of money for a new strategy to pay the ransom.

In an interview with ITWorldCanada, the dean of research at the SANS Institute, Johannes Ulrich, said the full number of victims in the US may not be known until Tuesday, when IT workers return to work after the long weekend of Independence Day.

Kasia VSA customers have been without service for three days, raising questions about whether they will switch to a new service. Ullrich doubts that managed service providers will because of the time it takes to roll out a new product. "I don't think they will make that decision quickly," he said. Ullrich said neither should IT departments decide to use the on-premises version.

To restart the SaaS service first

In its Sunday statement, Kasia said that the restoration of the cloud version of VSA will begin first, followed by instructions for the on-premises restore.

The Kasia Executive Committee met late Sunday to decide on a timetable for restarting the Kasia server hosting the SaaS version of VSA. A tentative server restore program around 4am in the EU, UK and Asia-Pacific regions has been postponed. The executive committee meeting was to be held again at eight o'clock this morning.

"All on-premises VSA servers must remain offline until further instructions from Kasia to ensure that it is safe to restore operations," the statement said on Sunday afternoon. "A patch will need to be installed prior to restarting VSA and a set of recommendations on how to enhance the security posture."

“Due to the rapid response from our teams, we believe this [attack] has been localized to a small number of on-premises customers,” Kasya said. However, according to news service The Record, one of Sweden's largest supermarket store chains closed nearly 800 stores nationwide after one of its contractors was hit by ransomware.

no data theft

According to Bleeping Computer news service, the Reville ransomware group (also known as Sodinokibi or Sodin) is taking credit for the attack and targeting managed service providers (MSPs) - but not their customers. The news service also says that Reville has told victims that they are encrypted networks only, suggesting that no corporate or customer data was stolen in the attack.

Researchers at Huntress Labs, who saw the compromised servers, said they "have high confidence that the threat actor used Kasia VSA to acquire an authenticated session, upload the original payload, and then execute commands via SQL injection." did." Authentication bypass is used in the web interface. We can confirm how SQL injection actors initiate code execution."

In a statement, Canada-based managed security provider eSentire said it detected the Sodin/Revil ransomware dropper in a customer's IT environment and was able to shut down that system before the ransomware was deployed. eSentire has customers in many countries. The statement did not specify where this customer was located.

This is not the first time Kasia has faced a breach of its security controls, the statement from eSentire said. In 2018 it discovered an unknown threat actor who was attempting to deploy a Monero cryptocurrency miner to multiple eSentire customers via VSA. eSentire believes the threat actor detected a zero-day in Kasia and gained administrative access to Kasia's systems. The VSA was then used to download the Monero miner to the victims' endpoints.

Eldon Sprickerhoff, Chief Innovation Officer and Founder of eSentire to deploy ransomware in organizations." said in a statement. “Essentially, MSPs do their best to detect threats as they inadvertently deploy malicious software (in this case, the Sodin [Revil] ransomware dropper) to all of their customers. This current attack is the same attack strategy.” The strategy used by him in 2018 may be different."

Security teams whose organizations use the on-premises version of Kasia VSA should check for indicators that the Sodin ransomware dropper or ransomware has already been installed on their computer systems, he said.

could be worse

Sprickerhoff believes that the latest attack on Kasia could have been worse. He said the attack had started on Friday long enough for it to be traced and acted upon by Kasia. It was a long weekend in the US, so the attack that began on Saturday, when many organizations had fewer IT and security teams, may not have elicited such a strong response.

In a statement released on Sunday, managed services provider SecureWorks said, "It does not see a significant impact on our customer base. It appears that fewer than 10 organizations have been affected, and the impact appears to be affecting those." who are running it. Kasia Software." We have not seen evidence that the threats subsequently attempted to transfer or propagate the ransomware through the compromised network. This means organizations with extensive Kasia VSA deployments are the ones that only run it on one or two servers.

“Based on what we know right now,” SecureWorks said, “we believe this was a planned attack against a subset of Kasia VSA customers, largely managing IT service providers (MSPs). Ongoing evidence does not indicate that Kasia's software update infrastructure has been compromised. This means that, while we have seen limited impact on our customer base, large groups of victims based on general MSP use elsewhere can be.

James Shank, chief security architect for community services at threat intelligence firm Team Cymru, who was also a member of the ransomware task force committee, noted in a statement that threat actors have turned their attention to supply chain attacks. Kasia is only the latest in the series that includes SolarWinds and Kodakov, he said.

"This is not the first and it will not be the last," he said. “It is time to add one more item for already overwhelmed corporate security teams: audit suppliers and integration with your supply chain providers. Limit risk to the absolute minimum while enabling business operations.”

Mark Manglikmot, vice president of security services at managed services provider Arctic Wolf, called the Kasia VSA supply chain ransomware campaign "a sophisticated and deliberate attack, the scope of which will not be fully understood for several weeks or possibly months. Any organization should Treat this as a significant risk to your business and immediately shut down their Casia VSA servers.They should also follow CISA guidance to ensure that the back-up is up-to-date and air-gapped, Manual patching is applied, multi-factor authentication (MFA) is turned on, and then wait for additional instructions from Kasia for the next steps.

“Supply chain attacks spread in a matter of hours to thousands of organizations looking to protect themselves from future incidents, with 24x7 surveillance being able to detect, manage and mitigate any threats they might have. Must deploy world class security operations. Often, users are seen as the weakest link, and adversaries will continue to exploit the human element to reach their objectives, meaning that establishing a strong security posture is the first step for organizations to protect themselves from the future. And the best way. Supply chain compromises can be taken to avoid it.