Cyberattack group REvil attacks MSPs and their clients in a supply-chain attack

Cyberattack group REvil targets Kaseya VSA powered MSPs and their clients

Managed service providers (MSPs) are on alert this holiday weekend as those that run Kaseya VSA software are being informed by the company to shut down their on-premises VSA servers following a suspected supply-chain attack on their remote management software. Kaseya proactively shut down their SaaS servers that run VSA for their partners.

There are active threads on Twitter and Reddit as well as a continually updated post on Kaseya’s website.

BleepingComputer.com has been told by security researchers that the attacks were likely delivered through a malicious update of the Kaseya VSA agent, labelled "Kaseya VSA Agent Hot-fix". The update drops an agent.crt file and then uses the legitimate Windows certutil.exe to decode that file into the actual payload: certutil's decode function turns a Base64 text file back into binary, which lets a file with a certificate extension carry an executable past casual inspection. The attackers then use a legitimate, signed Microsoft Defender executable to side-load the ransomware DLL, so the encryptor runs inside a trusted process image rather than as an obviously foreign binary. Additional details on the method can be found in the Reddit threads.

Why were MSPs targeted in the Kaseya supply-chain attack?

MSPs are high-value targets because of the trust they hold: the remote monitoring and management software they run has privileged access to large numbers of endpoints across many client organizations, so a single compromise of an MSP, or of the vendor behind its tooling, lets an attacker push malicious code to every downstream customer at once.

This attack represents another leap forward in the scale, scope, and sophistication of attacks against the software vendors that serve MSPs. No private business, public institution, tech vendor, or service provider should be laughing or pointing fingers at either the initial victims of the attack or the members of their software supply chain that were compromised as a result.


How to avoid becoming a victim

In light of this event, what can you do to reduce your risk of being victimized by a similar attack – one that would cause great harm to your reputation if you become a conduit for passing malware on to your partners and customers? Here are a few recommendations:

  • First, tend to your own backyard by renewing your commitment to building a multi-layered, defense-in-depth security architecture. Consider following a published security framework like NIST SP 800-171 or ISO/IEC 27001 to help work through potential risks, identify your softest spots, and shore up those defenses.
  • Next, evaluate your vendors and service providers as a potential source of risk to you. Unless you’ve vetted their security measures, any organization could be a weak link in your software supply chain. Acronis has published an e-book on supply-chain attacks which includes specific recommendations on how to evaluate the vendors and providers in your supply chain. You can download and review this e-book at https://www.acronis.com/en-us/resource-center/resource/561/
  • Revisit your incident response management policy. If you don’t have one, start building one immediately. Assume that at some point an attack on you will succeed, despite your best efforts to deploy comprehensive defenses, build solid security policies, and invest in good people. A well-constructed and regularly rehearsed incident response plan can significantly limit the damage from such a cyberattack, reduce the external blowback from investors, partners, and customers, and preserve the forensic evidence you’ll need to avoid a recurrence of the particular attack.

Additional resources:

  • Learn how Acronis protects its customers against software supply-chain attacks with secure software development practices: https://www.acronis.com/en-us/resource-center/resource/561/
  • Keep abreast of Acronis Smart Alerts distributed through Acronis Cyber Protection Operations Centers (CPOCs).
  • Check out additional complimentary cybersecurity advisories, analysis, and white papers in the Acronis Resource Center and on the Acronis Blog, and our cyber protection webinars.
  • Take advantage of Acronis #CyberFit Academy training courses to attain certification in secure deployment, operation, and support of Acronis Cyber Protect and other products.
  • Learn more about cybersecurity at Acronis, as well as our bug bounty program, encryption technologies, and secure code development and self-defense technologies at https://www.acronis.com/en-us/security/.