Just in time to ruin the holiday weekend, ransomware attackers have apparently used Kaseya — a software platform designed to help manage IT services remotely — to deliver their payload. Sophos director and ethical hacker Mark Loman tweeted about the attack earlier today, and now reports that affected systems will demand $44,999 to be unlocked. A note on Kaseya’s website implores customers to shut off their VSA servers for now “because one of the first things the attacker does is shutoff administrative access to the VSA.”
News Flash: cybercriminals are a$$holes.
Keep all the Incident Response teams in mind this holiday weekend as they’re in the thick of it…again.
If you use Kaseya VSA, shut it down *now* until told to reactivate and initiate IR. Here’s the binary: https://t.co/NIuGJZW84p https://t.co/GSXPlOPjFt
— Chris Krebs (@C_C_Krebs) July 2, 2021
According to a report from Bleeping Computer, the attack targeted six large MSPs and has encrypted data for as many as 200 companies.
At DoublePulsar, Kevin Beaumont has posted more details about how the attack seems to work, with REvil ransomware arriving via a Kaseya update and using the platform’s administrative privileges to infect systems. Once the Managed Service Providers are infected, their systems can attack the clients that they provide remote IT services for (network management, system updates, and backups, among other things).
In a statement, Kaseya told The Stock Market Pioneer that “We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only.” A notice claims that all of its cloud servers are now in “maintenance mode,” a move that the spokesperson said is being taken due to an “abundance of caution.”
We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only. We have proactively shut down our SaaS servers out of an abundance of caution.
We are in the process of investigating the root cause of the incident with the utmost vigilance, we have:
a. Notified all of our on-premise customers to immediately shutdown their VSA servers
b. Shutdown our SaaS Servers
We have been further notified by a few security firms of the issue and we are working closely with them as well. While we continue to investigate the incident, we will update our customers (and interested parties) as we have more information.
Dana Liedholm – SVP, Corporate Communications Kaseya
Today’s attack has been linked to the notorious REvil ransomware gang (already linked to attacks on Acer and meat supplier JBS earlier this year), and The Record notes that, collecting incidents under more than one name, this may be the third time Kaseya software has been a vector for their exploits.