Just in time to ruin the holiday weekend, ransomware attackers apparently used Kaseya – a software platform designed to help manage IT services remotely – to deliver their payload. Sophos director and ethical hacker Mark Loman tweeted about the attack earlier today, and now reports that affected systems ask for $44,999 to be unlocked. A note on Kaseya’s website pleads with customers to shut down their VSA servers for now “because one of the first things the attacker does is shut down administrative access to the VSA.”
Flash info: cybercriminals are $$ holes.
Keep all incident response teams in mind this holiday weekend as they are once again in the thick of the action.
– Chris Krebs (@C_C_Krebs) July 2, 2021
According to a report by BleepingComputer, the attack targeted six large MSPs and encrypted the data of 200 companies.
At DoublePulsar, Kevin Beaumont has published more details on how the attack works: the REvil ransomware arrives via a Kaseya update and uses the platform’s administrative privileges to infect systems. Once managed service providers are infected, their systems can be used to attack the customers for whom they provide remote IT services (network management, system updates, and backups, among others).
In a statement, Kaseya told The Verge that “We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only.” A notice says that all of its cloud servers are now in “maintenance mode”, a decision the spokesperson said was made out of “great caution”. Later Friday evening, Kaseya CEO Fred Voccola released a statement saying the company estimates the number of affected MSPs to be fewer than 40 and is preparing a patch to mitigate the vulnerability.
Today’s attack is linked to the notorious ransomware gang REvil (already tied to attacks against Acer and meat supplier JBS earlier this year), and The Record notes that, counting incidents carried out under more than one name, this may be the third time that Kaseya software has served as a vector for the group’s attacks.
As of noon (EST / US) on Friday, July 2, 2021, the Kaseya Incident Response Team has been made aware of a potential security incident involving our VSA software.
We have taken swift action to protect our customers:
Immediately shut down our SaaS servers as a precaution, even though we have not received any reports of compromise from SaaS or hosted clients;
Immediately notified our onsite customers via email, in-product notifications, and phone to shut down their VSA servers to prevent them from being compromised.
We then followed our established incident response process to determine the scope of the incident and the extent of the impact on our customers.
We engaged our internal incident response team and leading industry experts in forensic investigations to help us determine the root cause of the problem;
We notified law enforcement and government cybersecurity agencies, including the FBI and CISA.
While our early indicators suggested that only a very small number of on-premise customers were affected, we took a cautious approach by shutting down SaaS servers to ensure we were protecting our over 36,000 customers to the best of our ability. We have received positive feedback from our customers on our prompt and proactive response.
While our investigation is ongoing, to date we believe that:
Our SaaS customers have never been at risk. We plan to restore service for these customers once we confirm that they are not at risk, which should be the case within the next 24 hours;
Only a very small percentage of our customers have been affected – currently estimated at less than 40 worldwide.
We believe we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-site customers, which will be thoroughly tested. We will release this fix as soon as possible to get our customers back up and running.
I’m proud to report that our team had a plan in place to take action and executed it perfectly today. The vast majority of our clients have told us that they have not encountered any issues, and I am grateful to our internal teams, external experts and industry partners who have worked alongside us to make this happen quickly.
Today’s actions are a testament to Kaseya’s unwavering commitment to putting our customers first and providing the highest level of support for our products.
– Fred Voccola, CEO of Kaseya
Update July 2 at 10:40 p.m. ET: Added statement from Kaseya CEO.