WHAT WE KNOW
- Enterprise tech firm, Kaseya, has confirmed within the past 24 hours that approximately 1,500 businesses were impacted as a result of an attack on its remote device management software, which was used to spread ransomware.
- It appears that the attackers carried out a supply chain ransomware – click to read more.
- The US has launched an investigation as gang demands giant $70 million payment. Kaseya worked with the FBI and CISA on Monday evening to discuss systems and network hardening tasks prior to restoring services for its SaaS and on-premises customers.
- If you happen to be an NSA/Datto client, you should not be impacted & continue to have your automated back-ups run as usual. Datto disconnected any Kaseya RMM links to their backup solutions to prevent even a remote possibility of an infection.
WHO DOES THIS IMPACT
- ANY NSA OR TUG MEMBERS THAT MAY BE USING THE ON-PREMISE VERSION OF KASEYA’S REMOTE MONITORING SOLUTION, PLEASE TAKE NOTE OF A RECENT ATTACK ON KASEYA AND STEPS TO TAKE IF YOU’RE AFFECTED.
ACTIONS TO TAKE IMMEDIATELY
- Kaseya urges customers to immediately shut down VSA server (Ransomware: Paying up won’t stop you from getting hit again, says cybersecurity chief)
- Kaseya has developed a patch for customers running VSA on their own servers and should be available after SaaS servers are brought back online last night, Kaseya said in an update.
- Kaseya also released a new, free comprise detection tool that customers can use to check networks and computers. The new version searches for indicators of compromise, data encryption, and the REVil ransom note. “We recommend that you re-run this procedure to better determine if the system was compromised by REvil,” Kaseya said. “A set of requirements will be posted prior to service restart to give our customers time to put these counter measures in place in anticipation of a return to service on July 6th.”
UPDATES FROM KASEYA:
“To date, we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been fewer than 1,500 downstream businesses. We have not found evidence that any of our SaaS customers were compromised.” Kaseya said in an update on the attack.
HOW DID THIS HAPPEN?
- The attackers exploited a previously unknown flaw in Kaseya’s VSA software, which is used by MSPs and their customers. VSA is remote monitoring and management software, which is used to manage endpoints, such as PCs, servers, and cash registers, as well as manage patching and security vulnerabilities.
- On Sunday, the attackers asked for $70 million in exchange for a universal decryption tool that would supposedly resolve the REvil issue for Kaseya and its customers.
- Kaseya noted that it had not received reports of VSA customers that had been compromised since Saturday. It says that no other Kaseya products were compromised.
- While Kaseya’s software-as-a-service (SaaS) line of VSA was not affected, its servers were taken down during the incident response and remain offline today.