RaaS, REvil, Kaseya, and Your Security Posture
Ransomware is an epidemic that adversely affects the lives of both individuals and large companies, and the criminals' demands bring your business to a standstill.
Ransomware is an epidemic that adversely affects the lives of both individuals and large companies, where criminals demand payments to release infected digital assets.
In the wake of the ransomware success, Ransomware-as-a-Service (RaaS) is being offered as a franchise model that allows people without programming skills to become active attackers and take part in the ransomware economy. This is a way of democratizing crime, giving ordinary people and smaller players an easier way into the criminal market, while reducing the risk of exposure for the ones on top of the value chain. For instance, a dissatisfied employee might decide to partner up with a RaaS developer to infect an organization from the inside and then split the profit.
Wait a minute, this sounds like SaaS (Software as a Service), with the exception of the malicious intent and an ‘R’ as the prefix instead of an ‘S’?
Yes, these organized cybercrime groups have been known to offer 24/7 technical support, subscriptions, quality assurance, affiliate schemes, and online forums just like legitimate SaaS companies. They know that offering a quality service to their (admittedly) criminally-minded clients will help both sides of the venture to become wealthy at the expense of victimized individuals or organizations that they prey upon.
Inception of RaaS
The first ransomware, known as AIDS (Aids Info Disk or PC Cyborg Trojan), was first observed in the wild in 1989, spreading through the exchange of floppy disks. Following the AIDS ransomware, the number of ransomware families remained quite low for more than two decades, especially ones with sophisticated destructive capabilities. However, this all changed with the advent of stronger encryption schemes in ransomware code and especially the availability of cryptocurrency as a payment method, which is fairly difficult for law enforcement to track. In the wake of the ransomware's success, ransomware-as-a-service (RaaS) has become an entry point for criminals with little programming skill to participate in and earn money from ransomware.
Is There an Underpinning Supply Chain That Benefits a RaaS Provider?
Contacting ransomware service providers using dark-net markets, prospective and existing criminal networks can cheaply obtain tailor-made ransomware ready to be used on their prospective victims. In addition to the creation fee, the service providers may take a 20–30% revenue share of the ransom as well.
RaaS can have different delivery formats such as:
- Source code that the buyer compiles themselves
- Pre-compiled binaries or an interactive interface where the buyer inputs information about the victims
- Quality testing of weaponized source code or pre-compiled binaries to ensure that they operate as expected (usually tested on low-risk victims)
This collaborative strategy is a way of achieving a faster rate of infections with a lower risk of getting caught.
Who Are the Stakeholders in the RaaS Supply Chain?
The stakeholders involved in the underground economy have different responsibilities and expose themselves to different types of risk. Several roles have been defined, including:
- virus writers (developers)
- website masters/crackers
- envelope (account) stealers
- virtual asset stealers/brokers
- sellers and players (buyers)
- mixers and tumblers (money laundering post-transaction)
Economic Standpoint From Offender and Victim POV
Similar to a SaaS pricing and distribution model, a victim is profiled and targeted based on their business domain, market share, the clients they serve, and WTPR (willingness to pay ransom). The ransom for a single deployment can be a fixed price or price-discriminated on several factors (for example, the complexity of the vulnerability the malware is exploiting).
What Is REvil?
REvil (also known as Sodin and Sodinokibi) is a ransomware-as-a-service (RaaS) enterprise that first came to prominence in April 2019. Their claim to fame is based on the tactics and techniques they employ, which include, but are not limited to:
- Their ideal victim profile (like the ideal customer profile in SaaS) ranges from home users to F500 companies
- Known to successfully extort far larger payments from large corporate companies
- Executing a methodical workflow to exfiltrate data prior to encrypting it for ransom (applying additional pressure by threatening to leak the data if a victim chooses to restore from backup rather than pay)
- Yes, REvil has its own web presence (a web site) and often releases/updates a so-called “Happy Blog” listing their victims, a sample of exfiltrated data and a “trial” decryption of a sample subset as a proof-of-decryption (this almost sounds like a SaaS activation, acquisition, and retention funnel)
- A countdown timer is often pinned to a victim’s profile in order to pressure for a response/payment.
What Is Kaseya?
Kaseya sells unified IT monitoring & management software for MSPs (Managed Service Providers) and IT teams (multi- and single-site). The MSPs in turn sell monitoring and management services to their customers. Let’s visualize the supply chain distribution of Kaseya software.
How Did REvil Victimize Kaseya?
Kaseya’s VSA server v9.5.6 had multiple vulnerabilities that were responsibly disclosed by Frank Breedijk. The vulnerabilities included:
- SQL command injection — patched April 10th, 2021
- Local File Inclusion — patched May 8th, 2021
- Credentials leak — unpatched (CVSS score 10/10), leading to a request forgery token bypass
- A 2FA (2-factor authentication) bypass on a limited API scope — unpatched (CVSS score 9.9), leading to authentication bypass + code injection. The 2FA logic only protected the VSA dashboard, not Live Connect
- Having more than one Live Connect tab open while remote-connected to a fleet PC/virtual desktop/workstation, and rebooting it, caused the session to reconnect from the last opened tab instead (cross-connect within and across fleet instances)
- A reflected XSS on an authenticated API path — unpatched
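The second-factor gap above is a scoping failure: the check was attached to one entry point (the dashboard) rather than to the session, so a second authenticated entry point (Live Connect) never asked for it. The following is an added illustration of that pattern and its deny-by-default fix; it is not Kaseya or REvil code, and the route names, `Session`/`Request` classes and policy functions are hypothetical. The `audit_weak_policy` helper is the check a reviewer would run over a route table to find authenticated routes that a password alone unlocks.

```python
"""Second-factor enforcement: per-route allow-list versus deny-by-default.

Added example, not code from any product discussed in the article. Routes,
Session and Request are constructed to model the pattern where 2FA covered
the dashboard but not a second authenticated entry point.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    password_ok: bool
    second_factor_ok: bool


@dataclass
class Request:
    path: str
    session: Session


# Weak policy: 2FA is bolted onto an allow-list of "sensitive" routes.
# Any authenticated route that is not on the list never asks for it, so a
# new entry point added later is unprotected until someone remembers to list it.
ROUTES_REQUIRING_2FA = {"/dashboard"}


def weak_authorize(req: Request) -> bool:
    if not req.session.password_ok:
        return False
    if req.path in ROUTES_REQUIRING_2FA and not req.session.second_factor_ok:
        return False
    return True


# Hardened policy: the second factor is a property of the session and is
# enforced centrally before any handler runs. Only an explicit, reviewed set
# of unauthenticated endpoints is exempt; everything else is denied by default.
PUBLIC_ROUTES = {"/login", "/health"}


def hardened_authorize(req: Request) -> bool:
    if req.path in PUBLIC_ROUTES:
        return True
    return req.session.password_ok and req.session.second_factor_ok


def compare_policies(paths):
    """Return {path: (weak_allows, hardened_allows)} for a password-only session."""
    half_authenticated = Session(user="admin", password_ok=True, second_factor_ok=False)
    return {
        p: (weak_authorize(Request(p, half_authenticated)),
            hardened_authorize(Request(p, half_authenticated)))
        for p in paths
    }


def audit_weak_policy(all_routes):
    """List authenticated routes the allow-list policy opens on a password alone.

    Run this over the full route table: any non-empty result is a 2FA gap.
    """
    return sorted(p for p, (weak, hard) in compare_policies(all_routes).items()
                  if weak and not hard)


if __name__ == "__main__":
    # Constructed route table (hypothetical paths).
    routes = ["/dashboard", "/liveconnect", "/api/agents", "/health"]
    for path, (weak, hard) in compare_policies(routes).items():
        print(f"{path:14} weak={weak!s:5} hardened={hard}")
    print("uncovered under weak policy:", audit_weak_policy(routes))
```

The design point is that the hardened policy needs no knowledge of which routes are "sensitive": a route is either on the short public list or it requires the full session, so adding a new remote-access feature cannot silently bypass the second factor.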
In June/July 2021, REvil discovered the exposed VSA servers (possibly via reconnaissance) and subsequently discovered the unpatched vulnerabilities. REvil took credit for launching one of the farthest-reaching ransomware attacks on record beginning July 2 and demanded $70 million in Bitcoin in exchange for a universal decryption routine.
- The unpatched vulnerabilities on the exposed VSA servers were exploited to introduce a malicious script that was sent to all computers managed by the server, thereby transitively reaching all the end clients. The script further encrypted the systems.
- Trustwave discovered that the malware won’t execute on systems whose default language is set to Russian, Ukrainian, Belarusian, or Romanian, or to the languages of former Soviet bloc nations in Central Asia and the Caucasus, as well as Syria.
Why did Kaseya fail to address these inherent security issues? According to a Bloomberg article:
Among the most glaring problems was software underpinned by outdated code, the use of weak encryption and passwords in Kaseya’s products and servers, a failure to adhere to basic cybersecurity practices such as regularly patching software and a focus on sales at the expense of other priorities, the employees said.
One of the former employees said that in early 2019 he sent company leaders a 40-page memo detailing security concerns and was fired about two weeks later, which he believed was related to his repeated efforts to flag the problems.
Another employee said Kaseya rarely patched its software or servers and stored customer passwords in clear text — meaning they were unencrypted — on third-party platforms, practices the employee described as glaring security flaws.
Some engineers and developers at the company said employees quit over frustration that new features and products were being prioritized over fixing problems. Others were laid off in 2018, when Kaseya began moving jobs to Minsk, Belarus, where it recruited more than 40 people to do software development work that had previously been carried out in the U.S., according to two of the former employees familiar with the matter. Four of the ex-workers said they viewed the outsourcing of work to Belarus as a potential security issue, given the country’s close political allegiance with the Russian government.
Should we (as SaaS and software vendors) be concerned?
As U.S. Army Gen. Keith Alexander aptly paraphrased, “Either you know you’ve been hacked, or you’ve been hacked and you don’t know you’ve been hacked.”
If you are authoring and distributing software as COTS or SaaS (agent, runtime observability, management/monitoring, transaction-based, web-based, etc.), you should be concerned and stay on top of measuring your supply chain’s security posture.
What SaaS and Software Vendors Should Be Measuring
- Detecting vulnerabilities (OWASP/NIST/MITRE ATT&CK) in your application source code (severity does not matter, as a low-severity vulnerability can be chained with a logic flaw to initiate an attack sequence)
- Detecting business logic flaws in your application — for example, IDOR (Insecure Direct Object Reference).
- Detecting sensitive data, secrets and token leaks that can be weaponized to infiltrate your hosted applications.
- Detecting vulnerable OSS (open source software) that is exploitable on an exposed path.
- Detecting risk of insider attacks — identify the use of suspicious APIs and code flows that can be weaponized in an attack sequence.
These detection capabilities should not operate in isolation; context is lost if their findings are not correlated.
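To make the IDOR item concrete, here is an added example (not code from the article or from any vendor it names) of a record lookup that trusts a client-supplied id, beside the hardened form that scopes the lookup to the caller. The invoice store, user names and access log lines are constructed for illustration. The `flag_enumeration` function shows the detection side: once the hardened handler answers foreign ids with "not found", a burst of 404s from one user on neighbouring ids is the signal that someone is walking the id space.

```python
"""IDOR: vulnerable lookup, hardened lookup, and a detection over access logs.

Added example; data, users and log lines are constructed and hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed sample data: two tenants' records in one table.
INVOICES = {
    1001: Invoice(1001, "alice", 120.0),
    1002: Invoice(1002, "bob", 980.0),
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """Vulnerable: the caller is authenticated, but the id is used as-is.

    Any logged-in user can read any tenant's invoice by changing the id.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_hardened(current_user: str, invoice_id: int) -> Invoice:
    """Hardened: the lookup is scoped to the caller's own records.

    A record owned by someone else is reported exactly like a missing one, so
    the endpoint does not leak which ids exist.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != current_user:
        raise NotFound(invoice_id)
    return inv


def can_read_others(handler, user: str = "alice", foreign_id: int = 1002) -> bool:
    """True if `handler` lets `user` read an invoice that belongs to someone else."""
    try:
        handler(user, foreign_id)
        return True
    except NotFound:
        return False


# Constructed access log (hypothetical format: time user method path status).
SAMPLE_LOG = """\
2021-07-02T10:00:01Z user=alice GET /invoices/1001 200
2021-07-02T10:00:02Z user=alice GET /invoices/1002 404
2021-07-02T10:00:02Z user=alice GET /invoices/1003 404
2021-07-02T10:00:03Z user=alice GET /invoices/1004 404
2021-07-02T10:00:05Z user=bob GET /invoices/1002 200
"""


def flag_enumeration(log_text: str, threshold: int = 3):
    """Return users with at least `threshold` 404s on /invoices/ paths.

    This only works against the hardened handler: the vulnerable one answers
    200 for foreign ids, so enumeration leaves no failures to count.
    """
    misses = {}
    for line in log_text.splitlines():
        _, user_field, _, path, status = line.split()
        user = user_field.split("=", 1)[1]
        if path.startswith("/invoices/") and status == "404":
            misses[user] = misses.get(user, 0) + 1
    return sorted(u for u, n in misses.items() if n >= threshold)


if __name__ == "__main__":
    print("vulnerable leaks:", can_read_others(get_invoice_vulnerable))
    print("hardened leaks:  ", can_read_others(get_invoice_hardened))
    print("enumeration suspects:", flag_enumeration(SAMPLE_LOG))
```

The hardened handler is what makes the detection possible; the two belong together, which is the correlation point made above.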
Published at DZone with permission of chetan conikee. See the original article here.