Attackers attributed to the REvil group recently exploited an (internally) known 0day in Kaseya software, demanding a ransom of 70,000,000 USD in an attack that affected at least 1000 businesses.
On Friday, July 2, 2021, the incident response team at Kaseya became aware of a security incident related to their VSA software. Attackers used the software to deploy the REvil ransomware into many victims’ environments. The malicious code is side-loaded by a fake Windows Defender app and encrypts files, with the attackers demanding a ransom for decryption. “Kaseya VSA Agent Hot-fix” is the name under which the malware was distributed; it was also seen attempting to disable Microsoft Defender Real-Time Monitoring via PowerShell.
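As an added defender-side example (not code from the original post), the following Python scans PowerShell script-block log lines for commands that weaken Microsoft Defender, such as the Real-Time Monitoring disable described above. The pipe-delimited log format, the hostnames and the user names are assumptions constructed for the sample; the `Set-MpPreference` parameters are real cmdlet switches.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample: PowerShell ScriptBlock logging (Event ID 4104) exported as
# "timestamp|computer|user|ScriptBlockText". Hosts and users are hypothetical.
SAMPLE_LOG = """\
2021-07-02T14:01:07|WS-0412|CORP\\jdoe|Get-ChildItem C:\\Users\\jdoe\\Documents
2021-07-02T14:02:31|WS-0412|NT AUTHORITY\\SYSTEM|Set-MpPreference -DisableRealtimeMonitoring $true
2021-07-02T14:02:31|WS-0412|NT AUTHORITY\\SYSTEM|Set-MpPreference -DisableIOAVProtection $true -DisableScriptScanning $true
2021-07-02T14:02:32|WS-0412|NT AUTHORITY\\SYSTEM|Set-MpPreference -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
2021-07-02T14:05:10|WS-0199|CORP\\admin|Get-MpPreference | Select-Object DisableRealtimeMonitoring
2021-07-02T14:06:44|WS-0199|CORP\\admin|Set-MpPreference -DisableRealtimeMonitoring $false
"""

# Each signature matches a Set-MpPreference call that turns a Defender feature off.
# Read-only queries (Get-MpPreference) and re-enabling ($false) are intentionally not matched.
TAMPER_SIGNATURES: Dict[str, re.Pattern] = {
    "realtime_monitoring_off": re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I),
    "ioav_protection_off": re.compile(r"Set-MpPreference\b.*-DisableIOAVProtection\s+\$true", re.I),
    "script_scanning_off": re.compile(r"Set-MpPreference\b.*-DisableScriptScanning\s+\$true", re.I),
    "cloud_protection_off": re.compile(r"Set-MpPreference\b.*-MAPSReporting\s+Disabled", re.I),
    "sample_submission_off": re.compile(r"Set-MpPreference\b.*-SubmitSamplesConsent\s+NeverSend", re.I),
}


def parse_line(line: str) -> Dict[str, str]:
    """Split one exported log line into its four fields (the script text may contain '|')."""
    ts, computer, user, script = line.split("|", 3)
    return {"ts": ts, "computer": computer, "user": user, "script": script}


def detect_defender_tampering(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per log line that weakens Defender, listing the matched signatures."""
    findings: List[Dict[str, object]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = parse_line(raw)
        hits = [name for name, rx in TAMPER_SIGNATURES.items() if rx.search(event["script"])]
        if hits:
            findings.append({**event, "signatures": hits})
    return findings


if __name__ == "__main__":
    for f in detect_defender_tampering(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['computer']} {f['user']}: {', '.join(f['signatures'])}")
```

A burst of these findings under SYSTEM on one host within seconds, as in the sample, is the pattern worth alerting on rather than any single line.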
The group sent out a message on July 2:
“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour.”
How did the REvil group know a patch was forthcoming? Did they? It’s improbable this is a coincidence.
Assuming it is not, how were they alerted to a forthcoming patch, which likely forced them to compress their attack timeline? An insider tipping them off? A prior compromise and a capable analysis team?
Anything is possible when tens of millions of dollars, or more, are at stake. Even the most expensive 0days ($1,000,000+) are a drop in the bucket for groups that stand to rake in millions from one successful operation.
Former employees raised several software security concerns with company leaders from 2017 through 2020. These concerns were not fully addressed, as sales were the focus of the business at the expense of other priorities. One employee sent a 40-page memo detailing many security concerns related to the software and was fired two weeks later. Customer passwords were stored in clear text on third-party platforms, among other bad habits.
Shame on Kaseya. It is likely one of many professional software firms and IT management companies that fail to adhere to even basic security and administration best practices.