A supply-chain attack on Kaseya, which provides management, monitoring and automation software for managed service providers (MSPs), has led to ransomware infections among the company’s customers around the world.
An unknown number of the company’s over 40,000 customers have been hit by REvil ransomware, sparking fears that the attack could be as serious as the one that hit network monitoring firm SolarWinds.
The malware appears to have been delivered through an automatic update of the Kaseya VSA client management and monitoring software, researchers say.
Downstream customers of MSPs using Kaseya VSA have then had their systems infected by REvil ransomware with files being encrypted.
Kaseya VSA runs with elevated administrator privileges, and the attackers are using a malicious dynamic link library that is loaded by a signed copy of the legitimate Windows Defender anti-malware executable to encrypt victim data.
We are monitoring a REvil ‘supply chain’ attack outbreak, which seems to stem from a malicious Kaseya update. REvil binary C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process.
— Mark Loman (@markloman) July 2, 2021
As part of the attack chain, the malware executes code to disable Microsoft Defender for Endpoint’s real-time monitoring, script scanning, controlled folder access, intrusion prevention system, cloud lookups and sample submission, and network protection features via a PowerShell script.
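The two behaviours described above (a Defender engine copy running from the wrong directory with a same-directory mpsvc.dll loaded, and a PowerShell command line that switches Defender protections off) are both visible in ordinary endpoint telemetry. The following triage script is an added example written for this article; it is not code from Kaseya, Sophos or the article's author. It assumes a simple event shape (process-start events carrying the image path and loaded modules, and command-line events) that is an assumption of the example, and every event in it is constructed sample data. The Set-MpPreference parameter names it matches on are real parameters of that Microsoft Defender cmdlet; the expected engine directories are the documented locations of the Defender platform.

```python
"""
Triage constructed endpoint telemetry for two behaviours from the Kaseya/REvil write-up:
  1. MsMpEng.exe running outside Defender's expected directories, especially with a
     same-directory mpsvc.dll loaded (the DLL side-loading pattern), and
  2. a PowerShell command line that switches off Defender protections via Set-MpPreference.
Event shape and all sample events below are constructed for this example.
"""
import re
from pathlib import PureWindowsPath

# Directories the Defender engine legitimately runs from (Platform holds versioned subfolders).
EXPECTED_ENGINE_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)

# Set-MpPreference parameter/value pairs that each weaken a protection.  The list
# covers the features the article says the attacker's script disabled.
TAMPER_PATTERNS = [
    (r"-DisableRealtimeMonitoring\s+\$?true", "real-time monitoring off"),
    (r"-DisableScriptScanning\s+\$?true", "script scanning off"),
    (r"-EnableControlledFolderAccess\s+Disabled", "controlled folder access off"),
    (r"-DisableIntrusionPreventionSystem\s+\$?true", "intrusion prevention off"),
    (r"-MAPSReporting\s+Disabled", "cloud lookups off"),
    (r"-SubmitSamplesConsent\s+NeverSend", "sample submission off"),
    (r"-EnableNetworkProtection\s+(Disabled|AuditMode)", "network protection off/audit"),
]


def _in_expected_dir(image_dir):
    """Case-insensitive check that a directory is (or is under) an expected engine directory."""
    for d in EXPECTED_ENGINE_DIRS:
        d = d.lower()
        if image_dir == d or image_dir.startswith(d + "\\"):
            return True
    return False


def suspicious_engine_process(event):
    """Return a finding for a process event whose image is a misplaced (and possibly side-loaded)
    copy of the Defender engine, or None when the event looks normal."""
    image = PureWindowsPath(event["image"])
    if image.name.lower() != "msmpeng.exe":
        return None
    image_dir = str(image.parent).lower()
    if _in_expected_dir(image_dir):
        return None
    # mpsvc.dll loaded from the same directory as the relocated engine is the side-load signature.
    sideloaded = [
        m for m in event.get("modules", [])
        if PureWindowsPath(m).name.lower() == "mpsvc.dll"
        and str(PureWindowsPath(m).parent).lower() == image_dir
    ]
    if sideloaded:
        return {"severity": "high",
                "detail": f"MsMpEng.exe from {image_dir} loaded same-directory {sideloaded[0]}"}
    return {"severity": "medium", "detail": f"MsMpEng.exe running from unexpected dir {image_dir}"}


def defender_tamper_flags(command_line):
    """Return the list of protections a command line switches off via Set-MpPreference."""
    if not re.search(r"set-mppreference", command_line, re.IGNORECASE):
        return []
    return [label for pat, label in TAMPER_PATTERNS if re.search(pat, command_line, re.IGNORECASE)]


def triage(events):
    """Run both checks over a list of events and return the findings in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            f = suspicious_engine_process(ev)
            if f:
                findings.append(f)
        elif ev["type"] == "cmdline":
            flags = defender_tamper_flags(ev["command_line"])
            if flags:
                findings.append({"severity": "high",
                                 "detail": "Defender tampering: " + ", ".join(flags)})
    return findings


# Constructed sample telemetry (not from a real host): one side-loaded engine, one genuine
# engine, one tampering command line and one harmless Defender query.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\MsMpEng.exe",
     "modules": [r"C:\Windows\mpsvc.dll", r"C:\Windows\System32\kernel32.dll"]},
    {"type": "process",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe",
     "modules": [r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\mpsvc.dll"]},
    {"type": "cmdline", "command_line":
     "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
     "-DisableIntrusionPreventionSystem $true -DisableScriptScanning $true "
     "-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode "
     "-MAPSReporting Disabled -SubmitSamplesConsent NeverSend"},
    {"type": "cmdline", "command_line": "powershell.exe Get-MpPreference"},
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding["severity"].upper(), finding["detail"])
```

Run on the constructed events it reports two high-severity findings: the engine copy in C:\Windows with mpsvc.dll beside it, and the command line that turns off all seven protections; the genuine Platform-directory engine and the Get-MpPreference query produce nothing. The path check is deliberately strict about directory, not just file name, because a signed MsMpEng.exe is expected on every host and only its location and the companion DLL distinguish the side-load.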
REvil is asking for different amounts of ransom, ranging from approximately US$45,000 to US$5 million, payable in the Monero cryptocurrency.
The company has confirmed only a “potential attack” but said it has shut down its software-as-a-service servers.
“We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only,” the company said.
“We have proactively shut down our SaaS servers out of an abundance of caution.
“We have been further notified by a few security firms of the issue and we are working closely with them as well.
“While we continue to investigate the incident, we will update our customers (and interested parties) as we have more information.”
Since the malware removes administrative access to Kaseya VSA, users are advised to immediately switch off their instances of the software as well.
The attack was ongoing at the time of writing, and the United States government computer emergency response team is also urging users to immediately shut down their Kaseya VSA servers.