Cyber attack on Kasia VSA leaves IT administrators waiting for advice, looking for ransomware

Managed service providers and organizations using the cloud or on-premises version of Kasia's VSA remote monitoring and IT management tool are awaiting the company's decisions on Monday whether they can resume using the tool after a hack. Which has led to ransomware attacks. customer.

Kasia told customers on Friday, July 3 that it had been the victim of a sophisticated cyberattack and had to discontinue the software-as-a-service version of VSA. More importantly, it urged IT administrators to take the on-premises versions offline and create a compromise detection tool. Kasia believes that only VSA's on-premises users are at risk.

On Sunday afternoon, the company said a "small number of individuals on-premises" were involved in the attack. But CTV News quoted Kasia CEO Fred Voccola as telling the Associated Press that the number of victims is in the low thousands, mostly small businesses like "dental practices, architecture firms, plastic surgery centers, libraries, things like that."

Vocola said in interviews that only between 50 and 60 of the company's 37,000 customers were compromised. But 70 percent were managed service providers who use VSA software to manage multiple customers.

Researchers at Huntress Labs said Sunday that they know of 30 managed service providers and 1,000 organizations who are victims. All used the on-premises version of VSA. On Sunday, Sophos said more than 70 managed service providers have been affected so far, resulting in more than 350 organizations being affected.

At this point, it is not known whether any of the aggrieved firms are Canadian.

UPDATE: In an interview this afternoon, Alexis Dorais-Joncas, chief of security intelligence at ESET's Montreal Research and Development Office, said its telemetry has affected at least "several" Canadian organizations with ransomware related to this attack. These will be the customers of the managed service providers. Canada is the third most affected country, he said, after the United Kingdom and South Africa.

"It seems that [the spread of ransomware] was contained relatively quickly," he said. "From what we have seen in our telemetry, there has been a steady decline in detection over the past two days."

Threat intelligence firm Darktracer posted the claim of the Revil ransomware group on Twitter that more than one million systems have been infected. The Universal Decryptor that can be used for all victims is worth $70 million in bitcoin. Either Cassia is expected to make this payment, or Reville expects all of the aggrieved companies to chip in a pool of money to pay the ransom, a new tactic.

In an interview with ITWorldCanada, the dean of research at the SANS Institute, Johannes Ulrich, said the full number of victims in the US may not be known until Tuesday, when IT workers return to work after the long Independence Day weekend.

Kasia VSA customers have been without service for three days, raising questions about whether they will switch to a new service. Ullrich doubts that managed service providers will because of the time it takes to roll out a new product. "I don't think they will make that decision quickly," he said. Ullrich said neither should IT departments using the on-premises version rush a decision.

To restart SaaS service first

In its Sunday statement, Kasia said that the restoration of the cloud version of VSA will begin first, followed by instructions for the on-premises restore.

The Kasia executive committee met late Sunday to decide on a timetable for restarting the Kasia server hosting the SaaS version of VSA. A tentative program to restore servers around 4 a.m. has been postponed in the European Union, UK and Asia-Pacific regions. The executive committee was to meet again at eight o'clock this morning.

"All on-premises VSA servers must remain offline until further instructions from Kasia that it is safe to restore operations," the statement said on Sunday afternoon. "A patch will need to be installed prior to restarting VSA and a set of recommendations on how to enhance the security posture."

“Due to the rapid response from our teams, we believe this [attack] has been localized to a small number of on-premises customers,” Kasia said. However, according to news service The Record, one of Sweden's largest supermarket store chains closed nearly 800 stores nationwide after one of its contractors was hit by ransomware.

no data theft

According to the Bleeping Computer news service, the Revil ransomware group (also known as sodinokibi or sodin) is taking credit for the attack and targeting managed service providers (MSPs) - but not their customers. The news service also says that Reville has told victims that they are encrypted networks only, suggesting that no corporate or customer data was stolen in the attack.

In a statement, Canada-based managed security provider eSentire said it detected the Sodin/Revil ransomware dropper in a customer's IT environment and was able to shut down that system before the ransomware was deployed. eSentire has customers in many countries. The statement did not specify where this customer was located.

This is not the first time Kasia has faced a breach of its security controls, the statement from eSentire said. In 2018 it discovered an unknown threat actor who was attempting to deploy a Monero cryptocurrency miner to multiple eSentire customers via VSA. eSentire believes the threat actor detected a zero-day in Kasia and gained administrative access to Kasia's systems. The VSA was then used to download the Monero miner to the victims' endpoints.

Eldon Sprickerhoff, Chief Innovation Officer and Founder of eSentire Let's say, this is a very efficient way to deploy ransomware in the US," it said in a statement. “Essentially, MSPs do their best to detect threats as they inadvertently deploy malicious software (in this case, the Sodin [Revil] ransomware dropper) to all of their customers. This current attack is the same attack strategy.” Maybe just a variation of the version he used in 2018."

Security teams whose organizations use the on-premises version of Kasia VSA should check for indicators that the Sodin ransomware dropper or ransomware has already been installed on their computer systems, he said.

could be worse

Sprickerhoff believes that the latest attack on Kasia could have been worse. He said the attack started long enough on Friday for it to be traced and acted upon by Kasia. It was a long weekend in the US, so the attack started on Saturday when many organizations had less IT and security teams may not have received such a strong response.

In a statement released on Sunday, managed services provider SecureWorks said, "It does not see a significant impact on our customer base. It appears that fewer than 10 organizations have been affected, and the impact appears to be affecting those." who are running it. Kasia Software." We have not seen evidence that threat actors subsequently attempt to transfer or propagate ransomware through compromised networks. This means that organizations with extensive Kasia VSA deployments are likely to be affected significantly more than organizations that only run it on one or two servers.

“Based on what we know now,” SecureWorks said, “we believe this was a planned attack against a subset of Kasia VSA customers, largely managing IT service providers (MSPs). Ongoing evidence does not indicate that Kasia's software update infrastructure has been compromised. This means that, while we have seen limited impact on our customer base, large groups of victims based on general MSP use elsewhere can be."

James Shank, chief security architect for community services at threat intelligence firm Team Cymru, who was also a member of the ransomware task force committee, noted in a statement that threat actors have turned their attention to supply-chain attacks. . . Kasia is only the latest in the series that includes SolarWinds and Kodakov, he said.

"It's not the first and it won't be the last," he said. "It's time to add one more item for already overwhelmed corporate security teams: audit suppliers and integration with your supply-chain providers. Limit risk to an absolute minimum while enabling business operations."

Mark Manglikmot, vice president of security services at managed services provider Arctic Wolf, called the Kasia VSA supply-chain ransomware campaign "a sophisticated and deliberate attack, the scope of which will not be fully understood for several weeks or possibly months. should consider this a significant risk to their business and immediately shut down their CISA VSA servers. They should also follow CISA guidance to ensure that back-ups are up-to-date and over-the-air. are gapped, manual patching is applied, multi-factor authentication (MFA) is turned on, and then wait for additional instructions from Kasia for next steps.

“Supply-chain attacks spread in a matter of hours to thousands of organizations looking to protect themselves from future incidents, able to detect, manage and mitigate any threats with 24x7 surveillance. It should also deploy world-class security operations. Often, users are seen as the weakest link, and adversaries will continue to exploit the human element to reach their objectives, which means establishing a strong security posture is first and foremost.