Origin of the Kaseya Breach

The Fourth of July weekend ransomware campaign that crippled hundreds of organizations.

EDIT: Added name of the CVE reported by DIVD, 2021-07-08

NOTE: when we mention REvil in this post, it could be either the REvil core team that conducted this attack or one of their affiliates. This is currently unknown. However, considering that the GandCrab ransomware group (the same group that later adopted the REvil ransomware) exploited vulnerabilities in software linked to Kaseya before, it is possible that the REvil core team is conducting this attack.

The REvil Ransomware attack

Truesec has now been able to conclusively prove that the massive ransomware attack by the REvil cyber crime syndicate was the result of a pre-authentication remote code execution zero-day. The exploit chains three different vulnerabilities to execute malicious code on service providers that had their Kaseya software exposed to the Internet.

Technically this still makes it a supply-chain attack, but not in the style and sophistication of the SolarWinds breach; it is more like the CloudHopper campaign. An attack directed at service providers allowed the attacker free access to the service providers' clients.

It is still an unusually sophisticated attack. The fact that the attackers chose the Fourth of July weekend is a clever use of long weekends to get maximum effect before the victims can react. Truesec has observed many ransomware gangs use this technique in the past. Given the recent public debate on ransomware after the Colonial Pipeline attack, and public outrage in the USA, we can't discount the possibility that choosing to strike during the weekend of the 4th of July was a way for the REvil syndicate to taunt US authorities.

Origin of the Zero-days

According to sources in the media, Kaseya had already been alerted to at least one of these vulnerabilities, CVE-2021-30116, by the Dutch Institute for Vulnerability Disclosure (DIVD) and was in the process of validating a patch when REvil struck.

Truesec has not been able to verify that the zero-days used in the REvil attack were the same as the ones that Kaseya had been discussing with DIVD. As Truesec was in fact the first cybersecurity company able to confirm the exact exploit used by the attackers, there may yet be more information to come about this.

If, however, the zero-days used by REvil are indeed the same as those Kaseya was about to patch, it may look like an example of particularly bad timing, but it also raises the question of whether this really was just a very unlucky coincidence. Did a cybercriminal really discover the zero-days independently of DIVD and beat the patch by a few days, or did REvil obtain knowledge of the zero-days by some other means?

We know that the cybercrime syndicate known as REvil has exploited vulnerabilities in software linked to Kaseya before. Back in 2019, when the same cybercrime group operated an older ransomware known as GandCrab, they exploited a vulnerability in ConnectWise, software used with Kaseya.

Neglect or Foul Play?

It is certainly possible that this is all still just coincidence, or that someone in the REvil group continued to study the Kaseya software after their first successful attack in 2019, hoping to find a flaw that would allow them to replicate their initial success. Cybercriminals rarely spend as much time as state-sponsored groups preparing for their attacks. If it turns out that REvil found zero-days to exploit with relative ease, even though Kaseya had already been involved in another zero-day attack two years ago, it will look like neglect.

There are, however, other possibilities that also need to be explored. How secure was the data about the work on the patch? Did someone affiliated with REvil manage to get hold of information from Kaseya and learn about the vulnerabilities that way? Did sensitive information about the vulnerabilities leak some other way? Cybersecurity research is vital, so it would be a double tragedy if it turns out that such research, improperly stored, was the origin of the attack.

Conclusions

Cybercrime syndicates continue to evolve their capabilities and use more sophisticated methods. However it happened, it is obvious that, after the stunning success of the Kaseya breach, service providers with free access to all their clients' networks will remain a major attack vector in the future.

By Mattias Wåhlén

Threat Intelligence Lead at Truesec

Leads and further develops Truesec's Threat Intelligence capabilities for anticipating data breaches and averting threats.

Active for 12 years as a senior analyst in FRA's cyber defense operations. Has spent almost 35 years in the Swedish intelligence services, both at FRA and in the Swedish Armed Forces.