July 13, 2021
It was recently discovered that Kaseya’s VSA software had an unknown, zero-day vulnerability in the software which was exploited for an attack. The software is used by managed service providers (MSPs) and their clients for remote endpoint management and network monitoring. A zero-day vulnerability is a software security threat that is discovered at the same time it is noticed that hackers have already executed an attack.
After discovering the attack, Kaseya proactively shut down the affected servers as a cautionary measure. It has since been determined that REvil, a ransomware group that was also the source of the JBS Foods cyberattack, also executed the Kaseya supply chain attack.
Supply chain attacks are becoming increasingly common and are carried out by cyber criminals by infiltrating a trusted company that supplies software or IT services to other firms. Kaseya was likely targeted because of the nature of the VSA software, which has a high level of trust and administrative privileges on customer devices, so when the software is infiltrated with malicious code, any attached client can be infected.
Kaseya stated that nearly 50 of its customers had been directly impacted by the attack, but due to the nature of supply-chain ransomware attacks, as many as 1,500 downstream businesses had been affected worldwide. 70% of Kaseya’s MSP customers that utilize the VSA software were affected by the attack and as many as 17 countries have been affected by the attack. On the evening of July 4, 2021, REvil offered the decryption key for all systems in exchange for $70 million in cryptocurrency.
WHAT DOES THIS MEAN FOR ME?
This attack can affect anyone who uses Kaseya’s VSA software on their own servers, whether they use the product directly or through their MSP that utilizes Kaseya products. If your firm or MSP is running Kaseya VSA on your network, then you should shut down those servers immediately. Kaseya stated that all on-premise VSA servers should continue to remain down until Kaseya determines that it is safe to restore operations. This statement has been supported by the United States Cybersecurity and Infrastructure Agency (CISA), who is encouraging organizations to follow the advice to shutdown VSA servers until further notice.
Kaseya has developed a patch for customers running the VSA software on their own servers, which will be required to install before restarting VSA. Kaseya, working with the FBI and CISA, has also released system and network hardening requirements for its customers to put counter measures in place before the services are back online. Kaseya has also released a new version of the Compromise Detection Tool, which can be used to assess whether vulnerabilities are present. If your MSP uses Kaseya VSA, then you should check with your MSP to determine whether your data was affected by the breach and consider changing all passwords associated with the MSP. Firms should operate under their incident response plan if their data was affected by the Kaseya attack.
As cybersecurity threats continue to increase, it is essential for firms to implement a well-designed cybersecurity program, including tailored policies and procedures, comprehensive vendor due diligence, employee training, and a thorough testing process. Fairview Cyber can assist with implementing policies and procedures designed to mitigate cybersecurity threats and position the firm to respond in the event that a data breach occurs. Contact us today for more information about our services.