While the rest of us were heading off to celebrate the 4th of July with a long weekend, threat actors were hard at work on yet another cyber security attack.
This time, they targeted the IT software giant, Kaseya.
Specifically, Kaseya’s virtual system/server administrator (VSA) servers were part of a ransomware supply-chain attack, which was conducted by the REvil ransomware group.
Below, we give you an in-depth look at the developing Kaseya ransomware incident, including:
- An overview of the culprits
- How they initiated the attack
- Who and how many were impacted
- CoreTech’s response as a security-first IT service provider
Bad Guy Brief: Who is REvil?
Dubbed one of the world’s “most notorious ransomware operators” by Palo Alto Networks, REvil is a ransomware group that has attacked multiple companies in the past month, including a meatpacking company and a Brazilian medical diagnostics company. Most recently, they conducted the Kaseya VSA attack. The ransom demands across these attacks total over $85 million.
Cyber security experts first encountered this ransomware group in 2018, and they have grown beyond basic malvertising exploits to exfiltrating massive amounts of data and making demands for multimillion dollar ransoms.
What happened at Kaseya?
While the full extent of the breach is still unknown, on July 2nd, Kaseya’s CEO reported a potential attack against VSA. At the time, it only affected a few on-premises customers. In response, the company prompted their clients to shut down any VSA servers those clients might have been using.
At the same time, Kaseya moved their own servers offline to isolate the attack. They believed it was a minor incident, but on July 4th, they changed their perspective, calling the breach a “sophisticated cyber attack.”
On July 5th, Kaseya released another update, saying they were testing and validating a patch. When testing is complete, they plan to release the patch for their clients.
On July 7th, Kaseya announced that a timeline extension was needed, and the company is now aiming for Sunday, July 11th to begin bringing their systems back online.
You can see the latest updates on Kaseya’s response on their website.
Analyzing the Attack
Cyber security companies Huntress, Sophos, and FireEye stepped in to investigate. Sophos believes Kaseya was targeted because the VSA servers require a high level of trust with clients.
When prompted with a VSA alert, most clients act without question, so this makes the distribution of any malicious package easy for threat actors like REvil, which is exactly what happened. REvil pushed the ransomware under the guise of a software update called the “Kaseya VSA Agent Hot-fix.”
From there, the fake update deployed down the chain, infecting IT service providers and their clients with ransomware—even clients that may not purchase the software from their IT service company.
How many businesses have been impacted by the Kaseya attack?
Huntress estimates around 1,000 companies now have encrypted servers and workstations because of the attack. It is one of the farthest-reaching ransomware attacks to date, according to Sophos.
What are REvil’s demands?
REvil is demanding $70 million in bitcoin in exchange for a supposedly universal decryption key, but other demand notices range from $45,000 to $5 million for single workstations.
Why are managed service providers (MSPs) and their clients vulnerable to the Kaseya ransomware attack?
MSPs purchase the VSA product from Kaseya for remote monitoring of client systems. The attack could spread to MSP clients who receive remote monitoring from their IT service providers using the Kaseya VSA solution.
It is a targeted supply chain breach, similar to the SolarWinds attack.
How has CoreTech responded to the Kaseya ransomware attack?
Even though we do not use the VSA solution from Kaseya, our technical team followed industry recommendations from the FBI, DHS, and CISA and verified current configurations to ensure our systems were secure from the REvil attack. In addition, we also kept a close eye on our systems over the holiday weekend.
News like this sends shockwaves through our industry, but as a CompTIA Security Trustmark+ certified provider, the CoreTech team continues to adhere to prescribed compliance measures and our commitment to industry security standards. We stay updated on industry news of breaches and attacks, and we take a thorough, proactive approach to all IT security matters with continuous network monitoring and layered security solutions.
Should a breach occur, we have thorough incident response plans and backup protocols in place to speed up resolution.
How does this impact your SMB? How can you stay secure from cyber threats?
As an experienced IT service provider, we understand the vulnerabilities that can come from supply chain attacks like the one at Kaseya or SolarWinds. Nevertheless, it’s imperative that your company does everything within its power to shore up the vulnerabilities of third-party access.
Always be sure to:
- Vet all technology vendors (or have an IT service provider help you do so)
- Provide only as much access as is required for vendors to complete necessary tasks
- Take advantage of advanced IT security, such as artificial intelligence solutions
- Train all staff members on the latest cyber security threats
- Implement a thorough, layered cyber security strategy
If you are a CoreTech client, and have questions about your business’ security stance, please reach out to us. CoreTech has vetted security vendors that meet industry best practices and standards, and are continuing to adjust their tools to meet new hacks and vulnerabilities.
Have questions or concerns about the ongoing Kaseya incident?
CoreTech’s technical services team is happy to answer any questions you may have about the ongoing development of the Kaseya incident.
Simply drop a comment below and our team will get back to you promptly.
If you have any concerns about your company’s current cyber security, contact CoreTech to schedule a cyber security assessment today.