This article is more than 1 year old

IT for service providers biz Kaseya defers decision about SaaS restoration following supply chain attack

REvil gang asks for $70M as ransomware rampages through MSPs and perhaps 1000 clients

Updated IT management software provider Kaseya has deferred an announcement about restoration of its SaaS services, after falling victim to a supply chain attack that has seen its products become a delivery mechanism for the REvil ransomware.

The company’s most recent update on the incident, dated July 4, 2021 5:45 PM EDT, initially advised that further information would be posted “very late” on the same date after a meeting of the company’s executive committee.

The latest update says that committee met at 10:00 PM EDT and decided that “to best minimize customer risk … more time was needed before we brought the data centers back online.”

Further information is now “planned to be published July 5th in the morning EDT”.

The update is needed because last Friday Kaseya advised users of its on-premises software to shut it down ASAP after a detecting a supply chain attack on its VSA product — a tool that combines endpoint management and network monitoring. VSA can automate tasks such as patch management and backups, and provides tools for access control and remote management.

Kaseya’s main market is managed services providers (MSPs) — IT consultancies whose selling point is taking care of their clients’ tech — so an attack on VSA is potentially a superspreader event for REvil.

On learning of the attack, Kaseya urged customers to pull the plug on their VSA servers, because the attack shuts off administrator access to the suite. The company also shuttered its SaaS services as a precautionary measure.

Kaseya’s status update page for the incident initially stated the attack impacted “Only a very small percentage of our customers … currently estimated at fewer than 40 worldwide”. The company has not used that language again: it since prefers to state “a very small number of on-premises customers only” have been hit.

Security company Huntress, which was one of the earliest sources to detect the attack, estimates “~30 MSPs across the US, AUS, EU, and LATAM” have been breached and that over 1,000 organisations have been infected with ransomware as a result.

Reports of organisations impacted by the attack have emerged from around the globe. Schools in New Zealand are among the victims, as is Swedish supermarket chain Coop — which has advised customers that many of its stores are closed and those that are open can only accept its Scan & Pay system.

Kaseya’s assured customers that it is working hard to create a safe version of its software, has engaged external consultants to probe the incident, and informed authorities.

Its most tangible response to the incident is publication of a tool that detects any trace of the attack. It’s been posted to cloud storage locker Box and can be found here.

Zero-day race

Not long after the incident was disclosed, the Dutch Institute for Vulnerability Disclosure revealed that it recently “discovered severe vulnerabilities in Kaseya VSA”. A second post from the Institute stated that Kaseya took the bug reports seriously and was working on fixes.

But then things went pear-shaped.

“They showed a genuine commitment to do the right thing,” wrote the Institute’s Chair and Head of Research Victor Gevers. “Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Huntress’s analysis of the attack is that it’s an SQL injection. The company stated it has “high confidence an authentication bypass was used to gain access into these servers”.

Gevers also noted that his scans suggest the number of VSA servers reachable from the internet has dropped from 2200 to fewer than 140 over the 48 hours prior to his post.

That drop suggests that users are heeding advice from authorities like the USA’s Cybersecurity and Infrastructure Security Agency (CISA) that has recommended following Kaseya’s advice to get VSA servers offline. The Agency has also recommended that users enable and enforce multi-factor authentication ASAP, get their backups in order and stored in air-gapped systems, and ensure that remote monitoring and management tools be limited to communication among known IP address pairs.

US President Joe Biden has ordered the nation’s government agencies to probe the incident.

While Biden has not attributed the attack, CISA has suggested it is the work of REvil, a gang widely assumed to be based in Russia and to have at least tacit support from the Russian government. Readers may recall that Biden called on his Russian counterpart Vladimir Putin to control ransomware gangs at a June 2021 between the two leaders. Putin rebuffed that suggestion, and claimed the USA is the perpetrator of many cyber attacks. ®

Updated to add at 13:09 UTC on 5 July

REvil this morning named its price: $70 million in Bitcoin. And according to a notice on its unindexed web blog, Happy Blog: “On Friday we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70 000 000$ [£50.56m, €59m] in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour. If you are interested in such a deal - contact is using victims 'readme' file instructions.”

More about

TIP US OFF

Send us news


Other stories you might like