A ransomware attack against a single company’s software product can ripple out to thousands of organizations. On July 2, 2021, the IT management software firm Kaseya revealed a cyberattack against its VSA product, a remote monitoring and management (RMM) platform that managed service providers (MSPs) use to administer their customers’ systems remotely.
Kaseya said at the time that the incident had affected only a small number of its on-premises customers, but because of the supply-chain nature of Kaseya’s business, many more companies were caught in the aftermath. In a blog post, the security firm Huntress said it was tracking roughly 30 MSPs around the world whose Kaseya VSA servers had been used to encrypt data across many downstream businesses, up from the 8 MSPs it had reported initially.
With that report, the number of impacted companies was estimated to be far larger than first thought: as many as 1,500 downstream customers of MSPs running on-premises VSA were affected. Rick Holland, chief information security officer at Digital Shadows, stated that it should come as no surprise that extortionists would target critical IT software that can serve as initial access into many more victims’ networks. He further noted that MSPs rely on Kaseya’s software, which makes them attractive to extortionists looking for potential targets, especially small businesses with immature security programs.
As is often the case with ransomware, the attack exploited a specific security flaw in the VSA software. The attackers abused a zero-day vulnerability in VSA servers to gain administrative rights on the server, and then used that access to push the ransomware out to the customer systems the server managed. Jack Chapman, vice president of threat intelligence at Egress, said the attack once again highlights that attackers are waiting to exploit lax security and unpatched vulnerabilities, with devastating effect. He advised that organizations need to secure their supply chains, vet their suppliers through the right protocols, and ensure that their customers are defended against the growing barrage of malicious attacks.
The REvil ransomware group was identified as the culprit behind the attack; the group is also responsible for many other high-profile attacks. According to a blog post, the group took full responsibility for the attack against Kaseya and claimed that more than 1,000,000 systems had been infected. It then demanded $70 million in Bitcoin from its victims collectively, in return for which it promised to publish a universal decryptor with which all affected companies would be able to recover their encrypted files.
After disclosing the attack, Kaseya took several actions in response. It immediately shut down its SaaS servers as a precaution, even though it had received no report that those servers had been compromised. It notified its on-premises customers of the attack and advised them to shut down their VSA servers. Kaseya also engaged its internal incident response team and an outside forensic investigation team to establish the root cause of the attack, and contacted law enforcement and government cybersecurity agencies, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
First, Kaseya and other parties promptly advised targeted and potentially affected organizations to shut down their VSA servers to avoid further compromise. Second, those organizations were asked to download and run Kaseya’s Compromise Detection Tool, which analyzes a VSA server and looks for indicators of compromise (IoCs); the latest version also scans for encrypted data, so organizations that had already run the tool were advised to run it again with the updated version. Third, CISA and the FBI advised affected MSPs to enforce multifactor authentication on every account under their control and to limit communication with their remote monitoring and management (RMM) capabilities to known IP address pairs. Finally, affected organizations should keep checking Kaseya’s blog for updates on the incident.
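The third recommendation above, limiting RMM traffic to known IP address pairs, is easy to state and easy to get wrong in practice. The following is an added example (not code from Kaseya, Huntress, CISA or the original page) of the check a defender would run over connection logs: it keeps an allowlist of known (agent network, RMM server) pairs and flags any connection on an RMM port that does not match one of them in either direction. The allowlist addresses, the RMM port numbers, the log line format and the sample log lines are all constructed for this example and are not taken from the page.

```python
import ipaddress
import re

# Constructed allowlist of known RMM communication pairs (agent network, RMM server).
# These stand in for the "known IP address pairs" an MSP would maintain from its
# inventory; the addresses are hypothetical documentation ranges.
KNOWN_PAIRS = [
    (ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_address("198.51.100.10")),
    (ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_address("198.51.100.10")),
]

# Destination ports treated as RMM traffic in this example (assumed values).
RMM_PORTS = {5721, 443}

# Constructed connection-log format: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<x>".
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def is_known_pair(src, dst):
    """True if (src, dst) matches an allowlisted pair in either direction.

    Agents connect to the server, but the server also reaches back to agents,
    so both directions of a listed pair are accepted. Comparing an IPv6 address
    against an IPv4 network simply yields False, which is the conservative result.
    """
    for agent_net, server in KNOWN_PAIRS:
        if src in agent_net and dst == server:
            return True
        if src == server and dst in agent_net:
            return True
    return False


def find_unexpected_rmm_connections(lines):
    """Return (src, dst, dport) tuples for RMM-port connections outside the allowlist."""
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record in the format we understand
        dport = int(m.group("dport"))
        if dport not in RMM_PORTS:
            continue  # only RMM traffic is subject to the pair allowlist
        try:
            src = ipaddress.ip_address(m.group("src"))
            dst = ipaddress.ip_address(m.group("dst"))
        except ValueError:
            # An address we cannot parse on an RMM port is itself worth a look.
            flagged.append((m.group("src"), m.group("dst"), dport))
            continue
        if not is_known_pair(src, dst):
            flagged.append((str(src), str(dst), dport))
    return flagged


# Constructed sample log: two allowlisted agent check-ins, one server-to-agent
# callback, one unknown host hitting the RMM port, one non-RMM web request, and
# one agent talking to a server that is not in the allowlist.
SAMPLE_LOG = [
    "2021-07-02T14:05:11Z src=203.0.113.45 dst=198.51.100.10 dport=5721 action=allow",
    "2021-07-02T14:05:12Z src=192.0.2.7 dst=198.51.100.10 dport=443 action=allow",
    "2021-07-02T14:05:13Z src=198.51.100.10 dst=203.0.113.45 dport=5721 action=allow",
    "2021-07-02T14:06:01Z src=100.64.5.9 dst=198.51.100.10 dport=5721 action=allow",
    "2021-07-02T14:06:02Z src=203.0.113.45 dst=192.0.2.250 dport=80 action=allow",
    "2021-07-02T14:06:03Z src=203.0.113.45 dst=198.51.100.99 dport=5721 action=allow",
]

if __name__ == "__main__":
    for src, dst, dport in find_unexpected_rmm_connections(SAMPLE_LOG):
        print(f"unexpected RMM connection: {src} -> {dst}:{dport}")
```

Run against the constructed sample, the check flags only the unknown host reaching the RMM server and the agent talking to an unlisted server; the server-to-agent callback passes because the allowlist is applied in both directions. In a real deployment the allowlist would be generated from the MSP’s agent inventory rather than typed by hand, and the firewall or VPN rule that enforces it is the control; this script is the audit that tells you whether that control is actually holding.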