One of the most audacious cyber-attacks of recent years was revealed last December, when state-backed hackers infected customers of an IT software company via a malicious update. That SolarWinds attack resulted in the compromise of at least nine US government departments. At the time Trend Micro warned that this was just the tip of the iceberg. Unfortunately, we were right. Now, potentially thousands of customers of another IT management software company, Kaseya, have experienced a similar fate.
While US intelligence agencies investigate, Trend Micro and its partners’ customers remain protected via multiple layers of defence. Here’s what happened and how we’re keeping these organisations safe.
The attack landed on July 2, just ahead of the US Independence Day holiday weekend and likely a calculated ploy to catch organisations and their IT security teams flat-footed. It targeted Kaseya’s VSA platform, which is used by MSP clients for automated patching and remote monitoring of their customers’ environments.
According to reports, a zero-day exploit allowed the attackers to bypass authentication controls, access and upload a malicious payload to the system and execute commands via SQL injection. In so doing, they were able to weaponise VSA to push a malicious PowerShell script which loaded REvil ransomware onto MSP customer systems, and their customers in turn. Because VSA is designed to operate with elevated privileges, the malicious fake update “Kaseya VSA Agent Hot-fix” was installed across all managed systems.
The Sodinokibi/REvil ransomware (detected as Ransom.Win32.SODINOKIBI.YABGC) disabled certain services and terminated processes related to legitimate software, including browsers and productivity applications. It also ran commands to hide its activity from Microsoft Defender. Kaseya warned customers infected with the ransomware not to click on any links in communications from the attackers as these may also be weaponised with malware.
What is the impact?
The REvil group, or rather the affiliate which carried out this particular attack, has reportedly been attempting to extract ransoms from individual firms. It’s also demanding $70 million in cryptocurrency for a ‘universal decryptor’ which it claims will work across all victims.
Kaseya claims “fewer than 60” of its on-premises MSP customers and around 1500 downstream organisations have been affected. These include organisations as varied as Swedish supermarkets, New Zealand schools and Dutch IT companies.
It is hoped that a patch will be deployed to bring affected customers back online within the day.
How Trend Micro keeps you safe
The good news is that the ransomware itself is detected by Trend Micro anti-malware solutions. In fact, our predictive machine learning and behaviour monitoring capabilities were detecting and protecting against samples before specific IOCs were added to the regular detection pattern. This functionality is included in our Worry-Free security range, also offered by Vodafone and other partners to protect small businesses from serious threats like ransomware.
In addition, Trend Micro is actively blocking several known malicious domain infection vectors that are associated with the campaign via Trend Micro Web Reputation Services (WRS).
Finally, our Trend Micro Vision One platform for threat detection and response, provides customers with XDR detection capabilities from underlying products such as Apex One. It also helps organisations to sweep for IOCs in order to check for malicious activity and enhance retrospective investigations.