A Truesec Threat Intelligence investigation

Origin of the Kaseya Breach

The Fourth of July weekend REvil ransomware attack that crippled hundred of organizations.

EDIT: Added name of the CVE reported by DIVD, 2021-07-08

The REvil Ransomware Attack

Truesec has now been able to conclusively prove that the massive ransomware attack by the REvil cybercrime syndicate was the result of a pre-authentication remote code execution zero-day. The exploit chains three different vulnerabilities to execute malicious code on Service Providers that had their Kaseya software exposed to the Internet.

Technically this still makes it a supply chain attack, but not in the style and sophistication of the SolarWinds breach, but more like the CloudHopper campaign. An attack directed at service providers allowed the attacker free access to the service provider’s clients.

It is still an unusually sophisticated attack. The fact that the attackers choose the Fourth of July weekend is a clever use of long weekends to get maximum effect before the victims can react. Truesec has observed many Ransomware gangs use this technique in the past. Given the recent public debate on ransomware after the Colonial Pipeline attack and public outrage in the USA, we can’t discount the possibility that choosing to strike during the Fourth of July weekend was a way for the REvil syndicate to taunt US authorities.

Origin of the Zero-Days

According to sources in the media Kaseya had already been alerted to at least one of these vulnerabilities, CVE-2021-30116, by the Dutch Institute for Vulnerability Disclosure (DIVD) and were in the process of validating a patch, when REvil struck.

Truesec has not been able to verify that the zero-days used in the REvil attack were the same as the ones that Kaseya had been discussing with DIVD. As Truesec was in fact the first cybersecurity company able to confirm the exact exploit used by the attackers, there may yet be more information to come about this.

If however, the zero-days used by REvil are indeed the same as those Kaseya were about to patch, it may seem like an example of particularly bad timing, but it also begs the question if this really was just a very unlucky coincidence. Did a cybercriminal really discover the zero-days independently of DIVD and beat the patch by a few days or did REvil obtain the knowledge of the zero-days by some other means?

We know that the cybercrime syndicate known as REvil has exploited vulnerabilities in software linked to Kaseya before. Back in 2019, when the same cybercrime group operated an older ransomware known as GrandCrab, they exploited a vulnerability in ConnectWise, software used with Kaseya.

Neglect or Foul Play?

It is certainly possible that this is still all just coincidence, or that someone in the REvil group continued to study the Kaseya software after their first successful attack in 2019, hoping to find a flaw that would allow them to replicate their initial success. Cybercriminals rarely spend as much time as state-sponsored groups to prepare for their attacks. If it turns out that REvil found zero-days to exploit with relative ease, even though Kaseya had already been involved in another zero-day attack two years ago, it will seem like neglect.

There are however other possibilities that also need to be explored. How secure was the data about the work on the patch? Has someone affiliated with REvil managed to get hold of information from Kaseya and find out about the vulnerabilities that way? Did sensitive information about the vulnerabilities leak some other way? Cybersecurity research is vital, so it would be a double tragedy if it turns out that it was such research improperly stored that was the origin of the attack.

Conclusions

Cybercrime syndicates continue to evolve their capabilities and use more sophisticated methods. However it happened, it is obvious that Service Providers with free access to all their clients’ networks will be a major attack vector in the future too, after the stunning success of the Kaseya breach.