Let’s just say that the Fourth of July holiday weekend did not go as planned for us. We had been reporting on REvil/Sodinokibi for quite some time before the group shocked the world with its latest ransomware attack. What is being called the “largest ransomware attack in history” is only the beginning. Here is the complete timeline of the attack:
We have been following REvil and reporting on the group since early 2019, before it became an elite outfit involved in global extortion. When REvil appeared in the first half of 2019, it immediately drew attention by spreading through an Oracle WebLogic vulnerability and by carrying out attacks on managed service providers (MSPs).
In June, the REvil ransomware group made headlines by targeting a US nuclear weapons contractor. Sol Oriens was hit by the threat actors, and its employees’ data was leaked online. Alongside the employee information, business data was also stolen and leaked.
The company added that it is not aware of the threat actors having stolen classified or critical security-related information belonging to its clients. However, employees’ Social Security numbers and payroll details were leaked online.
Over the Fourth of July weekend, rumors of a supply chain attack surfaced on the internet. Kaseya VSA, a remote monitoring and management (RMM) product, had been exploited to deploy REvil ransomware. Since the software is widely used by managed service providers (MSPs), the criticality of the attack rose: a single compromised VSA server can push software to every endpoint it manages. Although Kaseya is most widely used in America and has around 40,000 customers, the attacks spread worldwide. In the first hours, around half a dozen MSPs were reported as affected.
Rather than tampering with Kaseya’s own software build, the REvil ransomware gang exploited vulnerabilities in Internet-facing on-premises VSA servers and then used the product’s own management channel to push the malicious payload to the endpoints those servers controlled. This is what turned a server compromise into a supply chain attack that extended from Kaseya’s product to MSPs and on to their end customers.
The ransomware group directly hit roughly 50 to 60 Kaseya customers. Victims in 17 countries were affected, including the United States of America, Canada, South Africa, New Zealand, and the United Kingdom.
The FBI investigated the attack together with CISA. Kaseya also released a VSA detection tool that helped MSPs determine whether the VSA servers and managed endpoints in their environment had been compromised; the tool checks systems for known indicators of compromise (IoCs).
Kaseya itself announced the attack and advised customers to shut down their on-premises VSA servers immediately. Although its SaaS (software-as-a-service) offering was not affected, the company shut down those servers as well as a precaution. Kaseya’s CEO, Fred Voccola, told U.S. Deputy National Security Advisor Anne Neuberger that the company was unaware of any critical infrastructure having been hit by the ransomware.
Kaseya’s CEO later estimated that around 800 to 1,500 downstream businesses had been impacted by the attack.
It was revealed that Kaseya had been working with the Dutch Institute for Vulnerability Disclosure (DIVD) on patches for the vulnerabilities that REvil exploited. The company had been informed of the vulnerabilities in April and was on the verge of releasing a patch when the attack took place.
Opportunists took advantage of the chaos and fear surrounding the Kaseya attack to send fake emails masquerading as Kaseya updates. Kaseya warned its users not to open any attachments or click any links claiming to be from Kaseya until an official patch or update was released through its own channels.
Patching of Kaseya’s on-premises VSA began, alongside deployment of the fix to the VSA SaaS infrastructure.
Patching proceeded at full speed, with 95% of SaaS customers back online and the rest following suit in the coming hours.
Stay up to date with the latest news, threat intel, IoCs, and updates on Kaseya-REvil with Rewterz Threat Advisories.