LIFTING THE LID ON THE KASEYA HACK
None of the package-poisoning incidents we’ve mentioned here directly involved ransomware, but they easily could have. Any vehicle used for deploying malware could just as easily be used to deploy ransomware. And when ransomware hits the supply chain, it ain’t pretty.
In July 2021 IT giant Kaseya saw its VSA remote administration tool compromised by the ransomware-peddling outfit REvil (more on them over the page). Malicious versions of VSA were distributed to Kaseya’s customers, the majority of which were managed software providers. And so the ransomware-bearing VSA update was shipped to their customers too. Kaseya acted swiftly and decisively, alerting customers and shutting down its own infrastructure. But the ransomware was swifter. Around 1,000 businesses (including Swedish supermarket Coop, which had to close 800 stores for the weekend) found themselves locked out of key systems, with their files encrypted. Meanwhile, the nefarious hackers posted on a Tor message board demanding $70 million for a universal decryption key.
Some three weeks later, Kaseya announced it was in possession of this key. It denied paying the ransom, saying only that the key came “from a third party”. The attack itself was carefully timed (over a holiday weekend) and complex. It exploited several vulnerabilities and probably involved a lot of early reconnaissance. You can read a thorough post-mortem at https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit. It was a huge attack, and it would have been a great deal worse if more than a handful of Kaseya’s customers had been hit. Enterprises today all rely on as-a-service providers and, like our “modular” coding practices, this creates a sprawling dependency chain. As such, those providers are a high-impact target.