Kaseya, which is based out of Ireland (International HQ) and Miami (US HQ), provides IT management solutions to many customers and MSPs. Hundreds of customers, including a railway, a pharmacy chain and a grocery chain in Sweden, were hit by this REvil ransomware. The attack is similar to the SolarWinds attack, in which the hackers managed to compromise a software update to push malicious code to thousands of customers.
The hackers exploited a vulnerability in Kaseya's VSA software against multiple managed service providers (MSPs) and their customers. Kaseya announced on Jul 2 that it had become infected and asked customers to shut down their VSA servers. "It's critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA," said Kaseya CEO Fred Voccola. Customers were also notified directly by Kaseya. The vendor has since shut down its SaaS servers and pulled its data centers offline.
What is affected?
The vendor said that its SaaS applications were never at risk; the current ransomware affects on-premises customers.
What is Kaseya doing?
- Communication of our phased recovery plan with SaaS first followed by on-premises customers.
- Kaseya will be publishing a summary of the attack and what we have done to mitigate it.
- Some lightly-used legacy VSA functionality will be removed as part of this release out of an abundance of caution. A specific list of the functionality and its impact on VSA capabilities will be outlined in the release notes.
- There will be new security measures implemented including enhanced security monitoring of our SaaS servers by FireEye and enablement of enhanced WAF capabilities.
- We have successfully completed an external Vulnerability Scan, checked our SaaS Databases for Indicators of Compromise, and have had external security experts review our code to ensure a successful service restart.
What can you do?
Find out whether your organization, any of your vendors, or their subcontractors are using Kaseya software. Work with your IT and cybersecurity teams to shut the VSA servers down, keep them offline and follow developments closely. Kaseya will release a patch before the servers can be brought back online. Kaseya has also released a tool to check for Indicators of Compromise.