Mathe Responds To Ransomware Attack On Kaseya
On Friday, July 2, just as people were just starting to put the major SolarWinds software supply-chain attack behind them, another high-profile ransomware attack happened. Early reports indicated that the REvil ransomware gang was actively targeting managed service providers (MSPs) via a Kaseya VSA supply-chain attack.
The ransomware gang was able to release a malicious update for Kaseya’s VSA IT management software, affecting over 30 MSPs around the globe — and subsequently, their customers were affected by the ransomware attack. For example, the cyber attack forced a Swedish retail chain to close 800 stores on Saturday, July 3.
Currently, Mathe is monitoring the situation, as more details of the attack continue to pour in. Here is what we know so far.
What is Kaseya?
Kaseya was founded in 2000 and is privately held. Kaseya is based in Dublin, Ireland, with a U.S. headquarters in Miami and a presence in over 10 countries. Kaseya is software that provides a comprehensive framework for maintaining a business or organization’s IT policies. Kaseya VSA also helps businesses and organizations maintain their remote endpoints, in addition to providing the following:
- The ability to monitor any situation
- Provide patches and updates to improve the security of the IT infrastructure
- Control endpoint systems remotely
Kaseya VSA is an RMM (remote monitoring and management), endpoint management, and network monitoring solution.
The Initial Attack on July 2, 2021
It appears the attackers began distributing the ransomware on Friday, July 2. It is not surprising that this attack occurred on a long holiday weekend, as offices were not fully staffed due to it being the beginning of the July 4th holiday weekend. This is a common move by cybercriminals, as most businesses and organizations do not operate with a full staff during holidays, which makes it easier for cybercriminals to carry out their planned attack.
It appears the REvil ransomware gang exploited a zero-day vulnerability in the VSA manager to remotely access internet-facing VSA servers. As Kaseya is mainly used by MSPs, the attackers were able to gain access to the devices of the MSPs’ customers. Kaseya’s team immediately responded to the attack and has been providing constant updates on their website and social media accounts. After the initial attack, Kaseya immediately shut down its SaaS servers to stop any further impact. Kaseya also advised its customers to shut down their systems that had any VSA installations.
Our Response
The Kaseya attack is the next in an ongoing focus of organized hacking, making up the 21 century organized crime, targeting MSP Software providers. Why try breaking each door down to each business when they can get the keys to the service entrance.
Part of the issue over the past few years has been a feature race for most software and SaaS providers more focused on the next feature that will sell their software combined with MSPs focus on more multiuse software tools, central dashboards, and optimizing their time. This has been escalated by the purchase of many software companies over the past few years by investment companies, angel investors, wealth management groups, and others who only look at it as an investment.
We have seen it time and time again. Just looking at the bottom line, typically their first step is to maximize their investment by cutting service levels and R&D to maximize profit and only focus on the sizzle and not the steak. Other competitors have to keep pushing sizzle also and match features detracting from resources that should be spent on security and hardening their solutions.
The other challenge is while there is organization, funding, and significant planning to these attacks, there is very little organization or coordination in the response. When we did white hat hacking exercises in college it would take about 10 or more people to thwart one person trying to hack through a system because you had to be reactionary trying to anticipate what the hacker was doing and counteract their actions.
That was a number of years ago when programs were simpler and were developed by a handful of skilled programmers and not large teams including 3rd party contributors and subcontractors. With millions of lines of code, most systems have become too complex to manually monitor, review, and protect. Today’s protection software, as well as software tools, have to look at patterns, anomalies, and health monitoring.
This continues to escalate. No one is safe. MSPs are caught in the middle also with some being targeted directly and others getting caught in crossfire as the tools they rely on get perverted into virus and malware conduits into their client base. With the drowning man syndrome, companies impacted will rope in their IT providers into the lawsuits as well as the software makers.
Meanwhile, many are getting numb to the daily breaches thinking that everyone will be breached at some point. Meanwhile, the dark web is getting bloated with all the stolen data from all of these breaches giving the hacking community even more points of data for which to launch their next attack and of course seeing how lucrative these actions can be extorting their victims.
This cycle will only be broken or slowed down once the government and other countries agree that this is nothing more than organized crime on a global level and cooperatively agree to go after the perpetrating groups and anyone harboring these criminal organizations.
Mathe is diligently working with our customers, clients, partners, and others within the industry to determine the extent of the impact. We encourage all businesses and organizations to check their environments to determine whether there are any present indicators of compromise (IoCs).
Organized crime continues to leave the world reeling. The rise in ransomware attacks is part of an even bigger attack on security. The rise in ransomware strikes can be attributed to a variety of factors, including new IT vulnerabilities and the transition to remote and hybrid workforces.
At Mathe, we provide cloud desktop and cloud infrastructure services to organizations throughout the United States, and we are working around the clock to support those who have been impacted by this attack. Please do not hesitate to contact us today if you have questions or concerns about the Kaseya ransomware attack.
With over 35 years in the business of supporting and implementing technology for the SME market, and 6 years previously in Corporate IT and Voice. I have seen a great deal of change. The only common thread is I have always focused on the Business Wise application of Technology. We always try to look 5 years ahead of the current technology to make sure our clients are on the right track to meet current and future needs.