Company Outlines Steps After REvil Ransomware Attack
Watch for updates on this developing story.
In a Tuesday update, software vendor Kaseya said additional security measures are being put in place to protect its clients in the aftermath of the July 4 holiday weekend ransomware attack that affected about 60 of its MSP customers who supply IT management services and up to 1,500 of their clients (see: Did Kaseya Wait Too Long to Patch Remote Software Flaw?).
The company is implementing a 24/7 independent security operations center for every VSA server, and each center will have the ability to quarantine and isolate files and entire VSA servers.
Kaseya is also making a content delivery network with a web application firewall available for every VSA server.
Meanwhile, customers who whitelist IPs will be required to whitelist additional IPs.
Kaseya planned to post an article on its website Tuesday, offering additional background on the security measures.
Timing of Restoration of Service
The REvil attack affected vulnerable on-premises versions of the firm’s VSA remote IT management software, not its software-as-a-service version. But Kaseya took down both versions as a precautionary move.
In the midday Tuesday update, Kaseya said it expected to bring its SaaS servers back online between 4 p.m. and 7 p.m. EDT.
“Our on-premises patch timeline is 24 hours (or less) from the restoration of SaaS services. We are focused on shrinking this time frame to the minimal possible – but if there are any issues found during the spin-up of SaaS, we want to fix them before bringing our on-premises customers up.”
Kaseya reiterated that customers who experienced a ransomware attack and received communication from the attackers should not click on any links because they may be weaponized.
The Kaseya Attack
Late Monday, Kaseya reported that 60 of its customers had been compromised in the breach that exploited an unpatched vulnerability. Those customers supply IT management services to others, including up to 1,500 organizations that it suspects have been affected by the attack (see: Kaseya: Up to 1,500 Organizations Hit in Ransomware Attack).
The Eastern European criminal group REvil, aka Sodinokibi, used its ransomware to target the downstream businesses served by Kaseya’s managed service provider customers. The types of businesses affected by the attack include dentists’ offices, small accounting offices, restaurants and others.
Attackers affiliated with the REvil group claim to have compromised 1 million organizations. On July 5, the criminal gang began demanding $70 million in bitcoins for a universal decryption tool that it said would decrypt all victims’ files. By late Monday, that figure had been reduced to $50 million.
In a Monday statement, Kaseya CEO Fred Voccola said: “Our global teams are working around the clock to get our customers back up and running. We understand that every second they are shut down, it impacts their livelihood, which is why we’re working feverishly to get this resolved.”
The company said it is actively engaged with various governmental agencies, including the FBI, the Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security and the White House. FireEye Mandiant Incident Response is also working with the company.
On Sunday, U.S. President Joe Biden ordered federal intelligence agencies to investigate the incident, initially noting that “we are not sure yet” whether the Russian government held any blame in the REvil campaign (see: Biden Orders Investigation of Kaseya Ransomware Attack).
Assessing Company’s Response
Mike Hamilton, former CISO for the city of Seattle, says Kaseya made the right move in not prematurely revealing the vulnerability.
“Kaseya was working on a patch for the vulnerability when it was exploited. Making a vulnerability public before a patch is prepared and released just invites attack,” he says.
Hamilton, co-founder of CI Security, notes, however, that Kaseya is likely wrong to assume that no critical infrastructure targets were victims of the attack.
“I’ll say that it’s highly likely that a good number of local governments are victims and that means water purification, waste treatment, communications for law enforcement all may have been impacted – and that’s critical infrastructure,” he says.
Michael Daniel, president and CEO of the Cyber Threat Alliance, notes: “There were some novel aspects of this particular incident that actually could have [made the impact] much, much worse. So I actually think, in many ways, compared to what people [initially] were afraid of, this ended up not being quite as bad.”
Daniel says the best way to mitigate the risk of ransomware attacks is through collaboration between the government and the private sector.
“We need to be bringing all the different diplomatic, economic and law enforcement intelligence cybersecurity tools to the field and employ them in different combinations that impose costs on the adversaries,” Daniel says.
Next Steps for Affected MSPs
On July 4, CISA and the FBI issued a joint statement with guidance for MSPs and their customers affected by the supply chain ransomware attack leveraging a zero-day exploit in Kaseya’s VSA software. Those recommendations include:
- Download the Kaseya VSA Detection Tool: The tool analyzes a system (either VSA server or management endpoint) and determines whether any indicators of compromise are present.
- Enable and enforce multifactor authentication: The agencies recommend enforcing MFA on every account that is under the control of the organization and for customer-facing services.
- Implement allowlisting: This will limit communication with remote monitoring and management capabilities to known IP address pairs.
- Protect admin interfaces: The agencies urge those affected to place administrative interfaces of RMM software behind a virtual private network or a firewall on a dedicated administrative network.