First updated 2021-07-02, 22:40 UTC
Last updated 2021-07-12, 23:07 UTC
On Friday, July 2, 2021 at 14:00 EDT/18:00 UTC Sophos became aware of a supply chain attack that uses Kaseya to deploy ransomware into a victim’s environment. There’s been a noticeable shift towards attacks on perimeter devices in recent years. Vulnerabilities in common internet facing devices allow attackers to compromise large numbers of systems at once with very little effort. In this instance, they targeted the Kaseya VSA server.
It appears that the attackers exploited a zero-day vulnerability, possibly with a SQL Injection (SQLi), to remotely access internet facing VSA Servers. As Kaseya is primarily used by Managed Service Providers (MSPs) this approach gave the attackers privileged access to the devices of the MSP’s customers. Some of the common features of the VSA Server is the deployment of software and automation of IT tasks. As such, it has a high level of trust on customer devices. By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted. At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations.
For a detailed analysis of the attack, the malware used, and lessons learned, please see the SophosLabs Uncut article Independence Day: REvil uses supply chain exploit to attack hundreds of businesses and view the accompanying one-hour webinar.
SophosLabs and the Sophos Security Operations team have also published a Security Blog article on this attack with several indicators of compromise (IoCs) including detections, processes, files, registry keys, extensions, and domains that will help organizations determine if they are potentially impacted and recommended next steps. Sophos has also published a query to check for matching IoCs present in the endpoint.
We will continue to update these articles in real-time as new information becomes available. If you are experiencing this attack and need assistance, our Rapid Response service is available to help.
Sophos customers are protected via detections in multiple Sophos products. Please see the above video and read the Security Blog article for full details.
The video below shows how the attack affects an unprotected machine.
And to educate IT security teams on the different approaches in recent high-profile attacks, we illustrated these characteristics in the following infographic.
2021-07-12, 23:07 UTC – Embedded infographic
2021-07-08, 13:54 UTC – Embedded two demo videos
2021-07-07, 11:13 UTC – Added link to Sophos query to identify IoCs on the endpoint
2021-07-04, 23:28 UTC – Detailed analysis of the attack, malware used, and lessons learned
2021-07-04, 17:35 UTC – Updated information on the attack approach
2021-07-03, 22:49 UTC – Updated IoCs
2021-07-03, 02:35 UTC – Added update for anyone needing assistance