Kaseya VSA has fallen victim to a sophisticated and massive ransomware attack that some experts say has affected thousands of customers. The company has also provided a patch update for on-premises customers.
Kaseya VSA software is used by thousands of customers for remote monitoring, patching and inventory of systems and networks.
Kaseya’s Incident Response team first spotted the attack on Friday, July 2, 2021, promptly shut down its SaaS servers and notified its on-premises customers to shut down their VSA servers to prevent them from being compromised. The company also notified law enforcement and government cybersecurity agencies, including the FBI and CISA.
“Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only,” Kaseya wrote in a notice online.
The timing was bad, given the start of a holiday weekend, when many companies are typically lightly staffed.
Kaseya initially stated only a “very small percentage of our customers were affected.” As of Monday night, the software company estimated 60 of its customers were impacted.
However, many of those affected customers are themselves IT service providers, each serving up to 1,500 of their own customers and downstream businesses.
According to some reports such as AP News, some IT experts have alleged thousands of customers may have been compromised via the supply chain attack. In one case, Swedish grocery chain Coop confirmed that most of its 800 stores were closed for a second day due to the cyberattack.
Hackers are now demanding $70 million to unlock and restore all impacted systems.
The FBI also released a statement on July 4, 2021 further advising customers to “shut down your VSA servers immediately, and report your compromise to the FBI.”
CISA and the Federal Bureau of Investigation (FBI) published mitigation guidelines for customers who have been impacted by the Kaseya VSA software vulnerability exploit against multiple managed service providers (MSPs) and their customers.
The cybercriminal group behind these attacks is allegedly the same group behind the REvil ransomware attacks against JBS USA and Travelex.
Ransomware mitigation guidance
According to the CISA and FBI alert, MSPs and customers can download the Compromise Detection Tool (VSA Detection Tools.zip, hosted on Box) at the link provided in the alert. The tool analyzes VSA servers or managed endpoints to find any indicators of compromise (IoCs).
MSPs and their customers can also implement the following controls:
- Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization (to include customer-facing services).
- MSPs: Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
- MSPs: Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
- Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.
- Revert to a manual patch management process.
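The allowlisting control above (RMM traffic limited to known IP address pairs) is easiest to keep honest by auditing accepted connections against the allowlist. The Python below is an added example written for this article, not Kaseya or CISA code; the firewall log format, the addresses and the agent port are constructed assumptions.

```python
import ipaddress

# Constructed allowlist of (client network, RMM server) pairs; every address is an assumption.
ALLOWLIST = [
    ("203.0.113.0/24", "198.51.100.10"),   # MSP office range -> RMM server
    ("192.0.2.50/32", "198.51.100.10"),    # on-call admin's static address -> RMM server
]

# Constructed firewall records in the form "src dst dport action"; not real Kaseya logs.
SAMPLE_LOG = """\
203.0.113.17 198.51.100.10 5721 ACCEPT
192.0.2.50 198.51.100.10 5721 ACCEPT
198.51.100.77 198.51.100.10 5721 ACCEPT
203.0.113.17 198.51.100.11 5721 ACCEPT
203.0.113.40 198.51.100.10 443 ACCEPT
"""

RMM_PORT = 5721  # assumed agent check-in port; confirm against the vendor's documentation


def compile_allowlist(pairs):
    """Turn string pairs into network objects so a bare host and a CIDR range are handled alike."""
    return [(ipaddress.ip_network(src, strict=False), ipaddress.ip_network(dst, strict=False))
            for src, dst in pairs]


def pair_allowed(src, dst, compiled):
    """A connection is allowed only if BOTH ends match the SAME allowlist entry (a pair, not two lists)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in compiled)


def find_violations(log_text, pairs=ALLOWLIST, port=RMM_PORT):
    """Return (src, dst) tuples for accepted RMM-port connections not covered by any allowlisted pair."""
    compiled = compile_allowlist(pairs)
    violations = []
    for line in log_text.splitlines():
        src, dst, dport, action = line.split()
        if int(dport) != port or action != "ACCEPT":
            continue  # only accepted traffic to the RMM port is in scope for this check
        if not pair_allowed(src, dst, compiled):
            violations.append((src, dst))
    return violations


if __name__ == "__main__":
    for src, dst in find_violations(SAMPLE_LOG):
        print(f"RMM traffic outside allowlist: {src} -> {dst}")
```

In the constructed log, the third record (an unknown source) and the fourth (an allowlisted source talking to a non-allowlisted server) are flagged, which is the difference between pair allowlisting and two independent address lists.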
Furthermore, readers can also check out GitHub for more DFIR resources on the REvil ransomware supply chain attack.
Update July 13, 2021: On July 11, Kaseya released a new version of VSA (9.5.7a) for its VSA On-Premises software and customers. The update fixes the vulnerabilities that enabled the ransomware attacks on Kaseya’s customers.
Kaseya also warned this past week that “spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates.” The company reminded customers not to click on any links or download any attachments, since they likely contain or link to malware.
This article was originally published on July 5, 2021.