Originally published on The Hacker News
Kaseya has announced that it is dealing with a massive ransomware attack that may now be affecting at least eight MSPs and hundreds of organizations.
Threat actors behind the notorious REvil cybercrime operation appear to have pushed ransomware via an update for Kaseya's IT management software, hitting around 40 customers worldwide, in what amounts to a widespread supply-chain ransomware attack.
“Beginning around mid-day (EST/US) on Friday, July 2, 2021, Kaseya’s Incident Response team learned of a potential security incident involving our VSA software,” the company’s CEO Fred Voccola said in a statement shared late Friday.
Following the incident, the IT and security management services company said it took immediate steps to shut down its SaaS servers as a precautionary measure, in addition to notifying its on-premises customers to shut down their VSA servers to prevent them from being compromised.
Update: In a revised advisory shared on Saturday, Kaseya said it has been the “victim of a sophisticated cyberattack,” while warning customers to refrain from clicking on any links sent in communications with the ransomware operators. “They may be weaponized,” the company cautioned.
Besides bringing in cybersecurity firm FireEye Mandiant to identify indicators of compromise (IoCs), the company is recommending that businesses keep all on-premises VSA servers offline until further notice and use the Compromise Detection Tool it has made available to begin the recovery process.
Huntress Labs said it's tracking close to 30 MSPs across the U.S., Australia, the European Union, and Latin America, where Kaseya VSA was used to encrypt no fewer than 1,000 businesses.
“All of these VSA servers are on-premises and Huntress assesses with high confidence that cybercriminals exploited a vulnerability to gain access into these servers,” Huntress Labs researcher John Hammond said.
This raises the possibility that REvil exploited a zero-day flaw in Kaseya VSA to gain access to the servers, which, if confirmed, would be one of the first publicly documented instances of a ransomware group using a zero-day in its attacks. Kaseya, for its part, noted that it had isolated and replicated the attack vector, and that it's working towards adding software remediations to address the security weakness.