Just in time to ruin the holiday weekend, ransomware attackers have apparently used Kaseya — a software platform designed to help manage IT services remotely — to deliver their payload. Sophos director and ethical hacker Mark Loman tweeted about the attack on Friday, and reported that affected systems will demand $44,999 to be unlocked. A note on Kaseya’s website implores customers to shut off their VSA servers for now “because one of the first things the attacker does is shutoff administrative access to the VSA.”
On Saturday, Kaseya issued another update, saying that it had been advised by its outside experts that “customers who experienced ransomware and receive a communication from the attackers should not click on any links – they may be weaponized.”
News Flash: cybercriminals are a$$holes.— Chris Krebs (@C_C_Krebs) July 2, 2021
Keep all the Incident Response teams in mind this holiday weekend as they're in the thick of it...again.
If you use Kaseya VSA, shut it down *now* until told to reactivate and initiate IR. Here's the binary: https://t.co/NIuGJZW84p https://t.co/GSXPlOPjFt
According to a report from Bleeping Computer, the attack targeted six large MSPs and has encrypted data for as many as 200 companies.
At DoublePulsar, Kevin Beaumont has posted more details about how the attack seems to work, with REvil ransomware arriving via a Kaseya update and using the platform’s administrative privileges to infect systems. Once the Managed Service Providers are infected, their systems can attack the clients that they provide remote IT services for (network management, system updates, and backups, among other things).
In a statement, Kaseya told The Verge that “We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only.” A notice claims that all of its cloud servers are now in “maintenance mode,” a move that the spokesperson said is being taken due to an “abundance of caution.”
Later on Friday evening, Kaseya CEO Fred Voccola issued a statement saying they estimated the number of MSPs affected is fewer than 40, and are preparing a patch to mitigate the vulnerability.
“While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability,” Voccola said in the statement, adding that the company’s SaaS customers were never at risk, and reiterating that “only a very small percentage of our customers were affected.”
On Saturday, Bloomberg reported that the attack was affecting more than 1,000 businesses in a ripple effect; the attack focused on managed service providers, but these providers offer IT services to other companies that may now be affected as well. A grocery chain in Sweden reported it couldn’t open 800 of its stores on Saturday when the attack resulted in its cash registers malfunctioning, Bloomberg reported.
The attack has been linked to the notorious, REvil ransomware gang (already linked to attacks on Acer and meat supplier JBS earlier this year), and The Record notes that, collecting incidents under more than one name, this may be the third time Kaseya software has been a vector for their exploits. REvil has previously been linked with Russia.
But President Biden said late Saturday afternoon that the US government wasn’t sure whether Russia was involved in the attack, The Washington Post reported. “I directed the intelligence community to give me a deep dive on what’s happened, and I’ll know better tomorrow, and if it is either knowledge of and/or consequences of Russia, I told Putin we will respond,” he told reporters during a trip to Michigan. Biden added that he hadn’t yet called Russian President Vladimir Putin about the matter.
Kaseya said Saturday it would provide updates on the situation every three to four hours.
Update July 2nd, 10:40PM ET: Added statement from Kaseya CEO.
Update July 3rd 12:04PM ET: Added new information from Kaseya and updates about the spread of the attack
Update July 3rd 4:50PM ET: Added comment from President Biden