A Cyberattack On Technology Provider Kaseya Has Sparked A New Wave Of Ransomware.
Kaseya, whose VSA software platform is used by other technology companies to monitor and manage their customers’ information technology networks, has been the victim of a brazen cyberattack. On July 2, the company issued a security advisory advising customers to immediately disable any VSA instances running on their own servers. Additionally, it ceased operations of its own cloud-based VSA service.
The company is in the midst of a security crisis that combines two of the most lethal hacking techniques available today: supply chain attacks and ransomware. The former strategy entails focusing on businesses whose software is widely used by other businesses. Once inside the supplier’s system, attackers leverage it to gain access to its customers’ networks as well. Then they install ransomware, which encrypts victims’ data and holds it hostage until a ransom payment is made (typically in untraceable cryptocurrencies).
The hackers who targeted Kaseya compromised its VSA platform and then used it as a launching pad for breaking into other companies’ systems. Once inside, they distributed ransomware.
It is still unknown how much damage this two-pronged cyberattack caused. Kaseya, which has its US headquarters in Miami, stated on its website that it currently believes the risk is limited to businesses that run VSA on their own servers rather than those that use the cloud service it provides. “Only a very small percentage of our customers were impacted,” the company added, “currently estimated to be less than 40 globally.” According to the company’s advisory, it has a total client base of over 36,000.
Reactions in series
However, several of the companies appear to be managed service providers, or MSPs, which manage information technology services, such as software upgrades and network monitoring, on behalf of a diverse range of other organizations. MSPs are popular targets for hackers, who use their access to gain access to the MSPs’ customers’ systems as well.
Huntress Labs initially stated that it believed eight managed service providers (MSPs) had been compromised via the VSA platform—and that three MSPs with whom it works directly had at least 200 customers affected by ransomware. The security firm, which has not identified the MSPs targeted, believes the attack was carried out by a Russia-based hacking group known as REvil. On July 3, a Kaseya spokeswoman told the Wall Street Journal that the company believes more than 30 of its customers were affected.
On July 4, the REvil group posted a ransom demand on a blog previously used by the group, offering to hand over code to unlock systems in exchange for a $70 million payment in bitcoin and boasting that the attack had impacted a million systems. The message contained the following passage: “We have launched an attack on MSP providers. Over a million systems have been infected. If anyone wishes to negotiate the price of a universal decryptor, our price is $70,000,000 in Bitcoin, and we will make the decryptor publicly available.”
Kaseya initially stated on its website that it became aware of a potential security incident around midday on Friday and immediately engaged forensic security experts to assist with its internal investigation. It also notified the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Additionally, it notified its customers of the advisory warnings.
CISA stated late Friday that it is “taking action to comprehend and address the recent supply-chain ransomware attack against Kaseya VSA and the numerous managed service providers (MSPs) that use VSA software.” Additionally, it urged businesses to follow Kaseya’s lead and shut down their own servers running the company’s software.
Kaseya stated in a July 4 update that it hoped to have software to resolve the issue ready to deploy to customers within the next 24 to 48 hours. Additionally, it hopes to relaunch its cloud service around the time the software is distributed. The following day, its CEO, Fred Voccola, told Reuters that he believed the attack had impacted between 800 and 1,500 businesses, though he admitted it was difficult to be certain.
Targets of ransomware
This incident is the latest in a string of ransomware attacks on American businesses, including meat-processing giant JBS and oil transportation company Colonial Pipeline, that have alarmed the business world and the highest levels of government.
Additionally, the United States is still recovering from a supply chain attack on networking software company SolarWinds, which compromised the systems of hundreds of organizations, including businesses and government agencies. President Joe Biden recently urged Russian President Vladimir Putin during a meeting to crack down on Russia-based groups engaged in ransomware attacks and other cybercrime.
When asked about the Kaseya hack during a July 3 visit to Michigan, Biden stated that his administration was “not certain” who was behind the attack and that he had requested an investigation by US intelligence agencies. “If it is with Russia’s knowledge and/or as a result of Russia, I assured Putin that we will respond,” Biden told reporters accompanying him on the trip.
The hack’s ramifications have spread beyond the United States. Swedish supermarket chain Coop closed nearly 800 stores on Friday following a cyberattack on its in-store technology. Although it is unknown whether the hack is directly related to the Kaseya VSA compromise, some reports indicate that one of Coop’s technology suppliers, Norwegian firm Visma, was impacted.