Kaseya’s VSA product has been the victim of a sophisticated ransomware attack, affecting 60 Kaseya customers and an estimated 1,500 downstream businesses.  Attackers are allegedly demanding $70 million in return for a universal decryptor software key that would unscramble all affected machines. 

Kaseya VSA is an IT remote monitoring and management tool used by IT and network administrators to automate patching on endpoints and servers, manage backups and antivirus deployments, automate other IT processes and remotely resolve and troubleshoot IT issues.

According to Kaseya, fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, Kaseya estimated the total impact thus far has been to fewer than 1,500 downstream businesses. Kaseya says they have not found evidence that any of their SaaS customers were compromised.

It is believed attackers leveraged a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers to deploy the REvil ransomware. The attack prompted Kaseya to urge its customers to immediately shut down their servers until the patch is released.

A patch for on-premises customers has been developed and is currently going through the testing and validation process.  It is expected to be available within 24 hours after Kaseya SaaS servers have been brought up. 

Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, “It shouldn't surprise that extortionists would target critical IT software that could serve as the initial access into more victims' networks. Extortionists are operating a business and want to generate as much revenue from as many victims as possible. Managed Service Providers (MSPs) leverage Kaseya's software, making them an attractive target because extortionists can quickly increase potential targets. In addition, companies that leverage MSP are typically less mature small and medium-sized (SMBs) business which usually have less mature security programs. These victims are a desirable target as they may not have the means to eradicate the adversary and restore their IT systems, forcing them to pay the ransom. Targeting an MSP that serves vulnerable SMBs is a diabolical extortion tactic.”

In addition, the company met with the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers.  A set of requirements will be posted prior to service restart to give Kaseya customers time to put these counter measures in place in anticipation of a return to service on July 6th.

“It’s been more than half a year since the SolarWinds case was discovered; since then, how many systematic security audits have occurred of managed service providers and SaaS vendors? In a successful cyberattack, these organizations become unwitting distribution hubs for havoc. Each incident like this teaches a lesson – but we have to be listening,” says Hitesh Sheth, President and CEO at Vectra, a San Jose, Calif.-based AI cybersecurity company.

“The Kaseya attack extends a clear pattern we’ve been too slow to recognize. As in the SolarWinds incident, REvil infiltrated one service provider connected to a long list of targets. It’s an efficient way to inflict multiple clusters of damage in a single blow. Because SolarWinds was so successful, we should have seen a rerun coming,” Sheth adds. “I hope this attack prompts hard questions from customers of MSPs or SaaS vendors. When your business relies on a product like Kaseya VSA, you’re only as secure as your provider. When more businesses outsource critical functionality to the cloud, the Kaseya case suggests heightened risk. How much do these businesses really understand about their vendors’ security posture? Is there sufficient emphasis on rapid attack detection? The answers matter as much to customers as to the MSPs themselves – because in a security failure, it’s the customers who field the ransom demands.”

CISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices. Note: these actions are especially important for MSP customer who do not currently have their RMM service running due to the Kaseya attack.

CISA and FBI recommend affected MSP customers:

• Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
• Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
• Implement:
  • Multi-factor authentication; and
  • Principle of least privilege on key network resources admin accounts.

CISA and FBI also provide these resources for the reader’s awareness:

• For the latest guidance from Kaseya, see Kaseya's Important Notice July 3rd, 2021.
• For indicators of compromise, see Peter Lowe's GitHub page REvil Kaseya CnC Domains. Note: due to the urgency to share this information, CISA and FBI have not yet validated this content.
• For guidance specific to this incident from the cybersecurity community, see Cado Security's GitHub page, Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack. Note: due to the urgency to share this information, CISA and FBI have not yet validated this content.
• For advice from the cybersecurity community on securing against MSP ransomware attacks, see Gavin Stone's article, How secure is your RMM, and what can you do to better secure it?.
• For general incident response guidance, CISA encourages users and administrators to see Joint Cybersecurity Advisory AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity.