Kaseya CEO Fred Voccola was absolutely correct. The recent attack against his company’s VSA remote monitoring and management solution was indeed “incredibly sophisticated”.
Those were the words Voccola used in a conversation with ChannelPro some two weeks ago shortly after Kaseya shut down the cloud-based version of VSA and urged on-premises users to follow suit in response to an assault by the REvil cybercrime syndicate that used VSA as a stepping-stone for inflicting ransomware on MSP customers. An appearance on this week’s episode of the ChannelPro Weekly podcast by Kyle Hanslovan, CEO of security vendor Huntress, makes clear that it took way more than a routine phishing campaign to pull off that hack.
As Hanslovan reveals based on a complete reconstruction of the incident executed by Huntress analysts under laboratory conditions, the attack involved three carefully interlocked elements. The first of those is perhaps the most disturbing: REvil either stole registered agent IDs on a targeted MSP’s VSA server or manufactured and registered new IDs using VSA’s agent installer.
“With that ID, they could exploit two vulnerabilities that were going to allow this attack to happen,” Hanslovan says.
One of them enabled the attackers to bypass VSA’s authentication process. “They could get into VSA and execute commands with absolutely no credentials,” Hanslovan says. “Even if you had two-factor turned on and logged on, they were going to be able to do it with this exploit.”
At that point, the attackers uploaded commands to the VSA server and executed them directly within the system’s database. “When you’re running in the VSA database, you have full, call it, ‘God mode’ access,” Hanslovan notes.
Using those essentially unlimited privileges, the exploit then delivered a core payload that directed ransomware—disguised as something sent by the Microsoft Defender antivirus system—to endpoints supported by VSA and ran a second routine designed to cover the assailants’ tracks by purging relevant log records.
“It was fairly sophisticated because these were not just one zero-day vulnerability but two that they took advantage of to be able to do this incident,” Hanslovan observes.
In the end, the attack compromised just 50 to 60 VSA users out of some 38,000 worldwide. Huntress doesn’t yet know for sure what, if anything, made that handful of companies vulnerable.
“We don’t have a smoking gun yet,” Hanslovan says. In particular, he adds, it remains unclear how REvil got ahold of the agent IDs it utilized. Perhaps victimized MSPs left VSA’s agent downloader exposed somehow on their website, or perhaps the attackers purchased IDs on the dark web. Either theory would help explain why the scope of the incident was so limited.
“Maybe they just didn’t have enough of those unique agent IDs to be able to conduct the full exploit,” Hanslovan says.
Even so, the sophistication of the strike, and what it implies about the skill and determination of the people behind it, is worrying. “They’re getting better,” Hanslovan says of threat actors. “These attackers, generally speaking, know your product, know your RMM, especially the internals, better than you do.” They may even know VSA, in this case, as well as Kaseya’s own architects and engineers, he adds.