A ransomware attack on Kaseya serves as a timely reminder that the managed service provider (MSP) community is firmly in the crosshairs of cyber criminals.
It became clear over the weekend that Kaseya, which specialises in providing MSPs with tools to support their customers, had been the target of a significant ransomware attack.
The Russian hacking group REvil targeted Kaseya’s VSA unified remote monitoring and management tool in the ransomware attack and is attempting to force the vendor to hand over millions of dollars. Initial signs were that around 20 to 40 MSPs had been affected, which in turn translated to around 1,000 customers. The criminal group is reported to be demanding $70m in bitcoin from Kaseya to unlock files encrypted in the attack.
“Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyber attack. Due to our teams’ fast response, we believe that this has been localised to a very small number of on-premise customers only,” the vendor stated.
The firm is rolling out patches and is taking a transparent approach to communications with MSPs and customers to ensure it is as open as possible about the implications of the attack.
The firm has been providing users with regular updates and has advised that all on-premise VSA servers should continue to remain offline until further instructions, although that situation might change later today.
MSPs have for some time been advised to take steps to protect themselves from ransomware attacks, and the government recently launched a consultation on whether firms should have to meet mandatory conditions before they handle customer data.
The response from some in the industry was one of weary resignation to yet another attack and a call for further efforts to be made to try to reduce the chances for hackers in the future.
“The Kaseya attack extends a clear pattern we’ve been too slow to recognise,” said Hitesh Sheth, president and CEO at Vectra AI. “As in the SolarWinds incident, REvil infiltrated one service provider connected to a long list of targets. It’s an efficient way to inflict multiple clusters of damage in a single blow. Because SolarWinds was so successful, we should have seen a rerun coming.
“It’s been more than half a year since the SolarWinds case was discovered. Since then, how many systematic security audits of managed service providers and SaaS [software-as-a-service] vendors have occurred? In a successful cyber attack, these organisations become unwitting distribution hubs for havoc. Each incident like this teaches a lesson – but we have to be listening,” he added.
Barry Hensley, chief threat intelligence officer at Secureworks, said it was not seeing any significant impact across its customer base. “Less than 10 organisations appear to have been affected, and the impact appears to have been restricted to systems running the Kaseya software,” he said.
“We have not seen evidence of the threat actors attempting to move laterally or propagate the ransomware through compromised networks. That means that organisations with wide Kaseya VSA deployments are likely to be significantly more affected than those that only run it on one or two servers,” added Hensley.
“Based on what we know right now, we believe that this was an orchestrated attack against a subset of Kaseya VSA clients, largely managed IT service providers. The evidence we have does not indicate that Kaseya’s software update infrastructure has been compromised. That does mean that, while we have seen limited impact across our customer base, there may be larger clusters of victims elsewhere based on use of common MSPs,” he added.
Jamie Moles, senior security engineer at ExtraHop, said this attack would prompt some questions from MSPs and their customers.
“Attacks such as the latest one on Kaseya aren’t new. Attackers are just getting better at it and we are more and more reliant on external entities for services,” he added. “Digitising business processes and more remote and flexible working makes this a growing problem, which naturally introduces more areas to track and protect.”
There has been a spate of high-profile attacks against US firms in the past few weeks, and the FBI indicated that it was supporting Kaseya in attempting to uncover what has happened in this latest case.
“The FBI is investigating this situation and working with Kaseya, in coordination with CISA, to conduct outreach to possibly impacted victims,” the law enforcement agency stated. “We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately.”