IT for service providers biz Kaseya defers decision about SaaS restoration following supply chain attack

REvil gang asks for $70M as ransomware rampages through MSPs and perhaps 1000 clients


Updated IT management software provider Kaseya has deferred an announcement about restoration of its SaaS services, after falling victim to a supply chain attack that has seen its products become a delivery mechanism for the REvil ransomware.

The company’s most recent update on the incident, dated July 4, 2021 5:45 PM EDT, initially advised that further information would be posted “very late” on the same date after a meeting of the company’s executive committee.

The latest update says that committee met at 10:00 PM EDT and decided that “to best minimize customer risk … more time was needed before we brought the data centers back online.”

Further information is now “planned to be published July 5th in the morning EDT”.

The update is needed because last Friday Kaseya advised users of its on-premises software to shut it down ASAP after detecting a supply chain attack on its VSA product — a tool that combines endpoint management and network monitoring. VSA can automate tasks such as patch management and backups, and provides tools for access control and remote management.

Kaseya’s main market is managed services providers (MSPs) — IT consultancies whose selling point is taking care of their clients’ tech — so an attack on VSA is potentially a superspreader event for REvil.

On learning of the attack, Kaseya urged customers to pull the plug on their VSA servers, because the attack shuts off administrator access to the suite. The company also shuttered its SaaS services as a precautionary measure.

Kaseya’s status update page for the incident initially stated the attack impacted “Only a very small percentage of our customers … currently estimated at fewer than 40 worldwide”. The company has not used that language again: it since prefers to state “a very small number of on-premises customers only” have been hit.

Security company Huntress, which was one of the earliest sources to detect the attack, estimates “~30 MSPs across the US, AUS, EU, and LATAM” have been breached and that over 1,000 organisations have been infected with ransomware as a result.

Reports of organisations impacted by the attack have emerged from around the globe. Schools in New Zealand are among the victims, as is Swedish supermarket chain Coop — which has advised customers that many of its stores are closed and those that are open can only accept its Scan & Pay system.

Kaseya has assured customers that it is working hard to create a safe version of its software, has engaged external consultants to probe the incident, and has informed authorities.

Its most tangible response to the incident is publication of a tool that detects any trace of the attack. It’s been posted to cloud storage locker Box and can be found here.

Zero-day race

Not long after the incident was disclosed, the Dutch Institute for Vulnerability Disclosure revealed that it recently “discovered severe vulnerabilities in Kaseya VSA”. A second post from the Institute stated that Kaseya took the bug reports seriously and was working on fixes.

But then things went pear-shaped.

“They showed a genuine commitment to do the right thing,” wrote the Institute’s Chair and Head of Research Victor Gevers. “Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Huntress’s analysis of the attack is that it’s an SQL injection. The company stated it has “high confidence an authentication bypass was used to gain access into these servers”.

Gevers also noted that his scans suggest the number of VSA servers reachable from the internet has dropped from 2200 to fewer than 140 over the 48 hours prior to his post.

That drop suggests that users are heeding advice from authorities like the USA’s Cybersecurity and Infrastructure Security Agency (CISA), which has recommended following Kaseya’s advice to get VSA servers offline. The Agency has also recommended that users enable and enforce multi-factor authentication ASAP, get their backups in order and stored in air-gapped systems, and ensure that remote monitoring and management tools are limited to communication among known IP address pairs.

US President Joe Biden has ordered the nation’s government agencies to probe the incident.

While Biden has not attributed the attack, CISA has suggested it is the work of REvil, a gang widely assumed to be based in Russia and to have at least tacit support from the Russian government. Readers may recall that Biden called on his Russian counterpart Vladimir Putin to control ransomware gangs at a June 2021 meeting between the two leaders. Putin rebuffed that suggestion, and claimed the USA is the perpetrator of many cyber attacks. ®

Updated to add at 13:09 UTC on 5 July

REvil this morning named its price: $70 million in Bitcoin. And according to a notice on its unindexed web blog, Happy Blog: “On Friday we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70 000 000$ [£50.56m, €59m] in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour. If you are interested in such a deal - contact is using victims 'readme' file instructions.”
