REvil ransomware attacks systems using Kaseya’s remote IT management software
Just in time to ruin the holiday weekend, ransomware attackers have apparently used Kaseya VSA, a software platform designed to help manage IT services remotely, to deliver their payload. Sophos director and ethical hacker Mark Loman tweeted about the attack earlier today, and now reports that affected systems will demand $44,999 to be unlocked. A note on Kaseya’s website implores customers to shut off their VSA servers for now “because one of the first things the attacker does is shutoff administrative access to the VSA.”
News Flash: cybercriminals are a$$holes.
Keep all the Incident Response teams in mind this holiday weekend as they’re in the thick of it…again.
If you use Kaseya VSA, shut it down *now* until told to reactivate and initiate IR. Here’s the binary: https://t.co/NIuGJZW84p https://t.co/GSXPlOPjFt
— Chris Krebs (@C_C_Krebs) July 2, 2021
According to a report from Bleeping Computer, the attack targeted six large MSPs and has encrypted data for as many as 200 companies.
At DoublePulsar, Kevin Beaumont has posted more details about how the attack seems to work: the REvil ransomware arrives via a Kaseya update and uses the platform’s administrative privileges to infect systems. Once the Managed Service Providers are infected, their systems can be used to attack the clients they provide remote IT services for (network management, system updates, and backups, among other things).
In a statement, Kaseya told The Verge that “We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only.” A notice claims that all of its cloud servers are now in “maintenance mode,” a move that the spokesperson said is being taken due to an “abundance of caution.” Later on Friday evening, Kaseya CEO Fred Voccola issued a statement saying they estimate the number of MSPs affected is fewer than 40, and are preparing a patch to mitigate the vulnerability.
Today’s attack has been linked to the notorious REvil ransomware gang (already linked to attacks on Acer and meat supplier JBS earlier this year), and The Record notes that, counting incidents the gang has carried out under more than one name, this may be the third time Kaseya software has been used as a vector for its attacks.
Beginning around mid-day (EST/US) on Friday July 2, 2021, Kaseya’s Incident Response team learned of a potential security incident involving our VSA software.
We took swift actions to protect our customers:
Immediately shut down our SaaS servers as a precautionary measure, even though we had not received any reports of compromise from any SaaS or hosted customers;
Immediately notified our on-premises customers via email, in-product notices, and phone to shut down their VSA servers to prevent them from being compromised.
We then followed our established incident response process to determine the scope of the incident and the extent that our customers were affected.
We engaged our internal incident response team and leading industry experts in forensic investigations to help us determine the root cause of the issue;
We notified law enforcement and government cybersecurity agencies, including the FBI and CISA.
While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability. We have received positive feedback from our customers on our rapid and proactive response.
While our investigation is ongoing, to date we believe that:
Our SaaS customers were never at-risk. We expect to restore service to those customers once we have confirmed that they are not at risk, which we expect will be within the next 24 hours;
Only a very small percentage of our customers were affected – currently estimated at fewer than 40 worldwide.
We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly. We will release that patch as quickly as possible to get our customers back up and running.
I am proud to report that our team had a plan in place to jump into action and executed that plan perfectly today. We’ve heard from the vast majority of our customers that they experienced no issues at all, and I am grateful to our internal teams, outside experts, and industry partners who worked alongside of us to quickly bring this to a successful outcome.
Today’s actions are a testament to Kaseya’s unwavering commitment to put our customers first and provide the highest level of support for our products.
— Fred Voccola, CEO of Kaseya
Update July 2nd, 10:40PM ET: Added statement from Kaseya CEO.