First updated 2021-07-02, 19:50 UTC
Last updated 2021-07-06, 04:10 UTC
Sophos is aware of a supply chain attack that uses Kaseya VSA to deploy a variant of the REvil ransomware into victims' environments. The attack is geographically dispersed; organizations running Kaseya VSA are potentially impacted. Kaseya has stated that the attack started around 14:00 EDT / 18:00 UTC on Friday, July 2, 2021, and that it is investigating the incident.
There has been a noticeable shift towards attacks on perimeter devices in recent years. Vulnerabilities in widely deployed internet-facing devices allow attackers to compromise large numbers of systems at once with very little effort.
It appears that the attackers used a zero-day vulnerability to gain remote access to internet-facing VSA servers. Because Kaseya VSA is used primarily by Managed Service Providers (MSPs), this approach gave the attackers privileged access to the endpoints of the MSPs' customers. The purpose of a VSA server is to deploy software and automate IT tasks, so it is trusted at a high level by the endpoints it manages: an attached agent carries out whatever task the VSA server requests without further verification. By compromising the VSA server, the attackers inherited that trust, which is likely one of the reasons Kaseya was targeted.
For a detailed analysis of the attack, the malware used, and lessons learned, please see the SophosLabs Uncut article Independence Day: REvil uses supply chain exploit to attack hundreds of businesses.
We will update this location with more information as it becomes available.
If a Sophos customer is running Kaseya, they can be alerted to the attack via one or more of the following events:
SophosLabs and the Sophos Security Operations Team have compiled a list of Indicators of Compromise (IOCs). They are listed below and can be used by threat hunters to search their own environments.
For Sophos MTR customers, the MTR team is monitoring the situation, assessing customer impact, and addressing issues as they appear.
If you use Kaseya in your environment:
Sophos Detections
Process Data:
Files involved
Registry Keys
Ransomware Extension
Domains
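The IOC categories above map directly onto the fields a threat hunter would sweep in endpoint telemetry. The following is an added example of such a sweep; it is not Sophos or SophosLabs code, and every indicator value in it is a constructed placeholder rather than a published REvil/Kaseya IOC. The telemetry records are likewise constructed. Replace the `IOCS` dictionary with the published list before running it against real data.

```python
"""Sweep endpoint telemetry records for IOCs grouped by category.

Added example, not Sophos/SophosLabs code. All indicator values and all
telemetry records below are constructed placeholders.
"""
from __future__ import annotations

import ntpath

# Constructed placeholder indicators, keyed by the IOC categories on this page.
# None of these values is a real indicator; substitute the published list.
IOCS = {
    "process_sha256": {"a" * 64},                          # placeholder hash
    "file_names": {"agent.exe", "payload.dll"},            # placeholder names
    "registry_keys": {r"HKLM\SOFTWARE\PlaceholderVendor"}, # placeholder key
    "ransomware_extension": ".placeholderext",             # placeholder ext
    "domains": {"ioc-domain.example"},                     # placeholder domain
}


def _domain_matches(host: str, bad: set[str]) -> bool:
    """True if host equals an IOC domain or is a subdomain of one.

    A plain substring test would also flag 'ioc-domain.example.com',
    which is a different registrable domain, so anchor on a label boundary.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in bad)


def _registry_matches(key: str, bad: set[str]) -> bool:
    """Registry paths are case-insensitive; match the key itself or any subkey."""
    key = key.lower()
    return any(key == b.lower() or key.startswith(b.lower() + "\\") for b in bad)


def match_record(record: dict, iocs: dict = IOCS) -> list[str]:
    """Return the IOC categories that a single telemetry record hits.

    Fields used (all optional): sha256, path, registry_key, dns_query.
    """
    hits: list[str] = []

    sha = record.get("sha256", "").lower()
    if sha and sha in iocs["process_sha256"]:
        hits.append("process_sha256")

    path = record.get("path", "")
    if path:
        # ntpath handles Windows separators regardless of the host OS.
        name = ntpath.basename(path).lower()
        if name in {n.lower() for n in iocs["file_names"]}:
            hits.append("file_names")
        if name.endswith(iocs["ransomware_extension"].lower()):
            hits.append("ransomware_extension")

    key = record.get("registry_key", "")
    if key and _registry_matches(key, iocs["registry_keys"]):
        hits.append("registry_keys")

    host = record.get("dns_query", "")
    if host and _domain_matches(host, iocs["domains"]):
        hits.append("domains")

    return hits


def sweep(records: list[dict], iocs: dict = IOCS) -> list[tuple[int, list[str]]]:
    """Return (index, hit categories) for every record with at least one hit."""
    results = []
    for i, rec in enumerate(records):
        hits = match_record(rec, iocs)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry; not real log data.
SAMPLE_TELEMETRY = [
    {"host": "ws01", "path": r"C:\Windows\Temp\agent.exe", "sha256": "A" * 64},
    {"host": "ws01", "registry_key": r"HKLM\Software\PlaceholderVendor\Run"},
    {"host": "ws02", "dns_query": "cdn.ioc-domain.example."},
    {"host": "ws02", "path": r"C:\Users\alice\Documents\report.docx.PLACEHOLDEREXT"},
    {"host": "ws03", "path": r"C:\Program Files\App\app.exe",
     "dns_query": "ioc-domain.example.com"},  # different registrable domain
]


if __name__ == "__main__":
    for idx, cats in sweep(SAMPLE_TELEMETRY):
        print(f"record {idx} ({SAMPLE_TELEMETRY[idx]['host']}): {', '.join(cats)}")
```

Each category is matched with the comparison appropriate to it: hashes and file names case-insensitively, the ransomware extension as a suffix of the file name, registry keys by prefix on a backslash boundary, and domains on a label boundary so that a look-alike registrable domain is not flagged.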
2021-07-06, 04:10 UTC - Updated demo of REvil ransomware attack
2021-07-05, 00:21 UTC - Updated analysis of attack
2021-07-04, 17:30 UTC - Updated introduction text and associated links
2021-07-04, 01:00 UTC - Updated Sophos detection information
2021-07-03, 14:12 UTC - Updated domains affected