Kaseya CEO Fred Voccola was absolutely correct. The recent attack against his company’s VSA remote monitoring and management solution was indeed “incredibly sophisticated”.
Those were the words Voccola used in a conversation with ChannelPro some two weeks ago shortly after Kaseya shut down the cloud-based version of VSA and urged on-premises users to follow suit in response to an assault by the REvil cybercrime syndicate that used VSA as a stepping-stone for inflicting ransomware on MSP customers. An appearance on this week’s episode of the ChannelPro Weekly podcast by Kyle Hanslovan, CEO of security vendor Huntress, makes clear that it took way more than a routine phishing campaign to pull off that hack.
As Hanslovan reveals based on a complete reconstruction of the incident executed by Huntress analysts under laboratory conditions, the attack involved three carefully interlocked elements. The first of those is perhaps the most disturbing: REvil either stole registered agent IDs on a targeted MSP’s VSA server or manufactured and registered new IDs using VSA’s agent installer.
“With that ID, they could exploit two vulnerabilities that were going to allow this attack to happen,” Hanslovan says.
One of them enabled the attackers to bypass VSA’s authentication process. “They could get into VSA and execute commands with absolutely no credentials,” Hanslovan says. “Even if you had two-factor turned on and logged on, they were going to be able to do it with this exploit.”
At that point, the attackers uploaded commands to the VSA server and executed them directly within the system’s database. “When you’re running in the VSA database, you have full, call it, ‘God mode’ access,” Hanslovan notes.
Using those essentially unlimited privileges, the exploit then delivered a core payload that directed ransomware—disguised as something sent by the Microsoft Defender antivirus system—to endpoints supported by VSA and ran a second routine designed to cover the assailants’ tracks by purging relevant log records.
“It was fairly sophisticated because these were not just one zero-day vulnerability but two that they took advantage of to be able to do this incident,” Hanslovan observes.
In the end, the attack compromised just 50 to 60 VSA users out some 38,000 worldwide. Huntress doesn’t yet know for sure what if anything made that handful of companies vulnerable.
“We don’t have a smoking gun yet,” Hanslovan says. In particular, he adds, it remains unclear how REvil got ahold of the agent IDs it utilized. Perhaps victimized MSPs left VSA’s agent downloader exposed somehow on their website, or perhaps the attackers purchased IDs on the dark web. Either theory would help explain why the scope of the incident was so limited.
“Maybe they just didn’t have enough of those unique agent IDs to be able to conduct the full exploit,” Hanslovan says.
Even so the sophistication of the strike, and what it implies about the skill and determination of the people behind it, is worrying. “They’re getting better,” Hanslovan says of threat actors. “These attackers, generally speaking, know your product, know your RMM, especially the internals, better than you do.” They may even know VSA, in this case, as well as Kaseya’s own architects and engineers, he adds.
Furthermore, Hanslovan continues, hackers targeting MSPs are getting better and better at locating backups, determining whether or not they’re protected by multifactor authentication, logging into vulnerable files, and deleting them. Worse yet, ransomware perpetrators like REvil are becoming increasingly good at moving beyond an MSP’s IT management stack into their business systems.
“They actually know finances really well, meaning they know how to target your accounting system,” Hanslovan says. Indeed, Huntress has seen cases in which attackers included a screen shot of a bank account, P&L, or cyberinsurance policy with their ransom demand to show they know what the victim is capable of paying.
Though VSA was struck in this particular incident, Hanslovan emphasizes, users of other RMM systems shouldn’t assume they’re safe. “Almost all, if not all, the RMM vendors have had a security issue like this, where code could have been run remotely, including Microsoft,” he notes. “It can happen to anyone.”
In fact, it probably will. Hanslovan advises MSPs hit by an RMM breach to take three steps immediately. “Your very first phone call when this happens should be to your legal team,” he says. Your second should be to your cyberinsurance company. If your lawyer doesn’t have a breach coach (and they should) your insurer can usually provide one, and they can also help with things like determining what, when, and how to communicate with customers.
Your third call, according to Hanslovan, should be to an outside incident response vendor, which will not only help you diagnose and remediate the attack but also demonstrate how seriously you took it. “If you ever go to litigation, it’s great to be able to say, ‘yes, we might’ve been partially responsible for this incident because it was our software, and even though we have the skills to remediate it, we still brought in an external, independent third party,'” he says.
On a more personal level, Hanslovan advises channel pros to factor the physical and emotional effects of a breach into their response plans. “They’re a marathon. They’re not a sprint,” he says. “You’ll be working an issue if this happens to you probably no less than two weeks straight, and more realistically dealing with the fallout for at least six weeks.”
Putting everyone at your company on a sleep and shower schedule, therefore, and keeping them fed and hydrated are essential. So too is thinking beyond the immediate members of your team.
“Most of the time nobody thinks of the spouses,” Hanslovan observes. If you’ve got kids, he adds, call in family or babysitters to handle the childcare duties you won’t have time to do yourself. If you don’t have kids, consider inviting your spouse into the office to help with customer outreach and other non-technical matters. “It’s a heck of a lot better than him or her sitting at home for the next six weeks wondering where the heck you are and why you’re working these hours,” Hanslovan notes.
His most urgent recommendation, however, is to get ready now, because if you haven’t suffered through an RMM breach yet your turn is almost certainly coming.
“It’s not if, it’s when,” Hanslovan says.
