Researchers don't know how ransomware group discovered Kaseya leak

Researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) do not know how a critical vulnerability they discovered in Kaseya's software, which was exploited last week in a global ransomware attack, became known to the criminals. That is what Victor Gevers, chairman of the DIVD, told Security.NL.

The vulnerability in Kaseya VSA, designated CVE-2021-30116, was discovered by researcher Wietse Boonstra in April. It was one of seven security vulnerabilities that DIVD researchers found in Kaseya's VSA software. The severity of CVE-2021-30116 was rated 10, the maximum on a scale of 1 to 10.

The DIVD warned Kaseya, which then set about developing an update. Before the update could be rolled out, the group behind the REvil ransomware took advantage of the flaw. Through CVE-2021-30116 and another vulnerability, they managed to remotely take over VSA servers belonging to managed service providers (MSPs). MSPs use VSA to manage their customers' systems.

The criminals used the access that VSA has to customer systems by default to infect MSP customers' systems with ransomware. Soon after the attack, the question was raised how the REvil group also knew about the vulnerability. The DIVD does not know how this happened. "We have no idea about that," says Gevers. "The DIVD has been in frequent contact with Kaseya about the vulnerabilities found and possible solutions."

When asked whether the DIVD launched its own investigation after the REvil group also turned out to be aware of the vulnerability, Gevers replied that the institute's environment and systems are monitored as well as possible, in accordance with the information security policy drawn up by the CISO. "We are still going to carry out an extensive evaluation of this case," adds the DIVD chairman.

Gevers had earlier said on Twitter that the vulnerability was easy to find. "But to successfully exploit it further (in the form of an under-the-radar ransomware) requires a much higher level of expertise," he notes. He also points to the expertise within the REvil group, which previously attacked meat processor JBS and earned 11 million dollars from it. The group had earlier also struck the Danish cleaning giant ISS and claimed successful attacks against computer manufacturer Acer and Apple supplier Quanta Computer. That may explain how they found out about the existence of the vulnerability.

"Because REvil hackers are just as brilliant, if not even smarter, than Wietse. We have to be realistic. We are volunteers who do this in addition to a full-time job. A kind of Sunday morning running group that is training for the CPC, and just before the finish we were overtaken by a group of top athletes who are working on this 24/7," says Gevers. Besides, it is not unusual for different researchers to find the same vulnerability.

"Intelligence unlikely"

One of the scenarios circulating on the internet is that the REvil group, which is said to operate out of Russia, obtained the exploit for the Kaseya vulnerability through a Russian intelligence agency. The security researcher known as The Grugq calls this highly unlikely, as intelligence agencies would have no way of doing this. It is more likely, he says, that the group obtained the exploit through an exploit provider. "But given how little we know, it's all pure speculation."

As for the choice to strike over the July 4 weekend: the REvil group is known to attack more often during holiday weekends, and this particular weekend may have been chosen because of the impending security update for the vulnerability. Two major ransomware attacks, on Colonial Pipeline and meat processor JBS, have led the US to demand that Russia crack down on ransomware groups.

According to The Grugq, this has not yet had any consequences. "Financially motivated attackers are motivated by money. They will try to make money. There is no reason for them to stop because someone on the other side of the world is angry." The researcher does think that the group pays protection money to continue operating.

Another observation The Grugq makes is that the REvil group may have taken on more victims than it can handle. "With the existing victim handling process, it is impossible for REvil to scale up to 1000 victims. Their management infrastructure simply cannot handle such a number. No one has managed to manage 1000 victims in a week," the researcher said.
