Is Your IT Company Running Kaseya VSA?
Following the recent high-profile ransomware attacks on a major gas pipeline and a leading global food company, another attack has wreaked havoc over the holiday weekend.
Kaseya VSA, remote monitoring and management (RMM) software commonly used by managed service providers (MSPs) to administer their clients’ entire IT environments, was used as the delivery vehicle in a supply chain attack over the July 4 holiday weekend, pushing REvil ransomware to thousands of organizations across the globe. Because VSA lets an MSP maintain, automate, inventory and patch IT equipment from a single remote console, a compromise of the VSA server gives an attacker the same reach over every endpoint it manages.
According to multiple reports, the attackers used access to the VSA software to deploy ransomware associated with the REvil (also known as Sodinokibi) ransomware-as-a-service group.
According to Kaseya, the attack was carried out by exploiting a vulnerability in its software. Over the weekend, Kaseya released a statement recommending that every business or organization running an on-premises Kaseya VSA server shut it down immediately. The Cybersecurity and Infrastructure Security Agency (CISA) released a statement asking businesses and organizations to follow the guidance in Kaseya’s statement.
Due to the holiday weekend, most of Kaseya’s IT staff were away from the office, giving the criminal group an opportune moment to strike. The full scope of the attack is not yet known, but over 30 of Kaseya’s direct customers have been impacted. Because many of those customers are MSPs, each with its own client base, thousands of businesses and organizations have been hit with ransomware, and thousands more of Kaseya’s customers have been indirectly affected by the attack.
What is Happening?
Multiple MSPs across the globe whose Kaseya VSA instances were used to push ransomware to thousands of their clients are being tracked and assessed for damage. An event like this affects far more businesses than the ones that were actually encrypted. MSP relationships are built on trust, and these incidents can destroy the reputation of an MSP overnight: even customers who were not hit will begin to question whether remote support tools are safe.
Kaseya’s Response to the Attack
Over the weekend, Kaseya released several updates and statements on its website and social media accounts, advising all customers to keep their servers offline, without providing a date for when they could go back online. Kaseya executives immediately reached out to impacted customers to understand the damage the attack had caused and what assistance they needed.
On July 3, Kaseya released a compromise detection tool to customers who requested it. As of July 4, there had been no additional reports of compromise since Saturday, July 3, but Kaseya expects the numbers to rise as more businesses return to work this week.
On July 4, 2021, Kaseya announced that it would attempt to bring its SaaS servers back online overnight in Europe, the UK, and Asia-Pacific, and hoped to do the same for North America on Monday, July 5, 2021.
Kaseya’s July 4 statement said: “Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies through the weekend to resolve the issue and restore our customers to service.”
Kaseya also released the following SaaS Restoration Timeline Updates:
Our executive committee will meet on July 5th at 5:00 AM UTC (12:00 AM EDT) to make a readiness decision on restarting SaaS within the following time windows:
- EU, UK, & APAC Data Centers: July 5 – 9:00 AM UTC — 1:00 PM UTC (4:00 AM EDT — 8:00 AM EDT)
- North American Data Centers: July 5 – 5:00 PM EDT — 10:00 PM EDT
How do I know if I am affected?
At this time, Kaseya and other sources are still assessing who may be affected, but there are steps a business can take to evaluate the risk to its own systems. If you have noticed unusual behavior on servers or workstations, in particular a changed desktop background or files renamed with an unfamiliar extension (often accompanied by ransom note files), you may already be affected and need to take immediate action. If you are unsure whether your IT provider uses Kaseya, ask your MSP directly.
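The following PowerShell script is an added triage example for the two questions above. It is not part of the original post, and it is not Kaseya’s compromise detection tool. On a Windows endpoint it reports whether a Kaseya agent appears to be installed (by matching service, process and installed-program names that contain “Kaseya”, which is an assumption about how the agent registers itself) and whether a folder shows the mass-rename pattern typical of ransomware: many files modified inside a recent window that share an extension not seen on any older file in the same tree. The scan path, the 72-hour window and the 25-file threshold are tuning assumptions, not vendor guidance.

```powershell
# Added example: triage a Windows endpoint for (1) presence of a Kaseya agent and
# (2) mass-rename activity typical of ransomware. Not Kaseya's or Acom's own code.
# Assumptions: the agent registers services/processes/programs with "Kaseya" in
# the name; $ScanPath, $LookbackHours and $MinFiles are tuning values only.
param(
    [string]$ScanPath   = "$env:USERPROFILE\Documents",
    [int]$LookbackHours = 72,
    [int]$MinFiles      = 25
)

function Test-KaseyaAgentPresent {
    # Look in the three places an agent normally leaves a footprint.
    $services  = @(Get-Service -ErrorAction SilentlyContinue |
                   Where-Object { $_.DisplayName -like '*Kaseya*' -or $_.Name -like '*Kaseya*' })
    $processes = @(Get-Process -ErrorAction SilentlyContinue |
                   Where-Object { $_.ProcessName -like '*Kaseya*' -or $_.Path -like '*\Kaseya\*' })
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $programs  = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
                   Where-Object { $_.DisplayName -like '*Kaseya*' })

    [pscustomobject]@{
        Services  = @($services  | Select-Object -ExpandProperty DisplayName)
        Processes = @($processes | Select-Object -ExpandProperty ProcessName -Unique)
        Programs  = @($programs  | Select-Object -ExpandProperty DisplayName)
        Present   = ($services.Count + $processes.Count + $programs.Count) -gt 0
    }
}

function Find-MassRenameActivity {
    param([string]$Path, [int]$Hours, [int]$Threshold)
    $cutoff = (Get-Date).AddHours(-$Hours)
    $files  = @(Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue)
    $recent = @($files | Where-Object { $_.LastWriteTime -ge $cutoff })
    $older  = @($files | Where-Object { $_.LastWriteTime -lt  $cutoff })

    # Extensions that already existed on files written before the window.
    $knownExt = @{}
    foreach ($f in $older) { $knownExt[$f.Extension.ToLower()] = $true }

    # An extension on many recent files but on no older file is the classic
    # signature of a ransomware rename pass over a folder tree.
    $recent |
        Group-Object { $_.Extension.ToLower() } |
        Where-Object { $_.Count -ge $Threshold -and -not $knownExt.ContainsKey($_.Name) } |
        ForEach-Object {
            [pscustomobject]@{
                Extension = $_.Name
                Count     = $_.Count
                Example   = $_.Group[0].FullName
            }
        }
}

$agent = Test-KaseyaAgentPresent
Write-Host "Kaseya agent present: $($agent.Present)"
$agent.Services  | ForEach-Object { Write-Host "  service : $_" }
$agent.Processes | ForEach-Object { Write-Host "  process : $_" }
$agent.Programs  | ForEach-Object { Write-Host "  program : $_" }

$suspects = @(Find-MassRenameActivity -Path $ScanPath -Hours $LookbackHours -Threshold $MinFiles)
if ($suspects.Count -eq 0) {
    Write-Host "No mass-rename pattern found under $ScanPath in the last $LookbackHours hours."
} else {
    Write-Warning "Possible ransomware rename activity under ${ScanPath}:"
    $suspects | Format-Table -AutoSize
}
```

Run it as an administrator so the registry and process paths are readable. A positive result from either check is a reason to disconnect the machine from the network and call your MSP, not a confirmation of compromise on its own: a legitimate bulk file conversion will also trip the rename heuristic.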
For MSPs that use Kaseya, what should they do?
Businesses running an on-premises Kaseya VSA (Virtual System Administrator) server have been encouraged to firewall it off from the internet and restrict who can reach it. That can be done by configuring the perimeter firewall or the internal network to segment the server from the rest of the network, or by shutting the VSA server down entirely. Backups and backup servers should likewise be separated from the rest of the network, including the segment hosting the VSA server, because the attackers have already been targeting and deleting backups.
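As an added example of that isolation step (not a script from Kaseya or Acom Networks), the following PowerShell fences an on-premises VSA host with the Windows firewall, optionally stops the VSA services, and then verifies that the host can no longer reach the backup server or the internet. It assumes it is run as Administrator on the VSA server, that 10.0.50.0/24 is the only management network that should still reach it over RDP and HTTPS, that the backup server is at 10.0.20.5, that the VSA services carry “Kaseya” in their display name, and that IIS (W3SVC) fronts the VSA web interface; all of those are assumptions to adjust.

```powershell
# Added example: isolate an on-premises Kaseya VSA server as the guidance above
# describes. Not Kaseya's or Acom's own script. Assumptions: run as Administrator
# on the VSA host; $AdminSubnet is the only network that may still reach it;
# $BackupHost is the backup server; VSA services have "Kaseya" in the display
# name and the web UI is served by IIS (W3SVC).
param(
    [string]$AdminSubnet = '10.0.50.0/24',   # assumed management network
    [string]$BackupHost  = '10.0.20.5',      # assumed backup server address
    [switch]$ShutdownServices                # also stop VSA instead of only fencing it
)

# 1. Create the allow rules first so an administrator on the admin subnet is not
#    locked out when the default action flips to Block in step 2.
foreach ($port in 3389, 443) {
    New-NetFirewallRule -DisplayName "VSA-Isolation-Allow-Admin-$port" `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $AdminSubnet -Action Allow | Out-Null
}

# 2. Deny everything else by default on every profile, inbound and outbound.
#    The firewall is stateful, so replies to the allowed inbound sessions still flow.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# 3. Optionally stop and disable the VSA services so nothing is served at all.
if ($ShutdownServices) {
    $svc = @(Get-Service | Where-Object { $_.DisplayName -like '*Kaseya*' })
    $svc += @(Get-Service -Name W3SVC -ErrorAction SilentlyContinue)   # IIS, assumed front end
    foreach ($s in $svc) {
        Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $s.Name -StartupType Disabled
        Write-Host "Stopped and disabled: $($s.DisplayName)"
    }
}

# 4. Verify the fence: the VSA host must no longer reach the backup server on SMB,
#    and outbound HTTPS to the internet (1.1.1.1 used as a reachability probe) must fail.
$checks = @(
    @{ Name = "backup server SMB ($($BackupHost):445)"; Host = $BackupHost; Port = 445 },
    @{ Name = 'outbound HTTPS (1.1.1.1:443)';            Host = '1.1.1.1';   Port = 443 }
)
foreach ($c in $checks) {
    $r = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) {
        Write-Warning "$($c.Name) is STILL reachable: isolation is incomplete"
    } else {
        Write-Host "$($c.Name) blocked as expected"
    }
}
```

A host firewall is the quickest fence but also the weakest one, because anything already running as SYSTEM on a compromised VSA server can undo it; the network-level segmentation (a firewall ACL or VLAN move) that the guidance above mentions should follow as soon as the network team is available, and the backup server should be fenced from its own side as well.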
How can affected businesses recover?
When Kaseya’s systems are back online, businesses should have their Kaseya VSA systems inspected immediately, starting with whether any administrative accounts have been disabled. Systems that were directly hit by ransomware will need to be restored from backups. Unfortunately, many businesses will discover that their backups were also encrypted or deleted, or that they are not current, and will need help re-applying valid configuration changes made after the last good backup.
Many MSP partners did not have the capacity to respond to so many encrypted clients at once. Some MSPs have had their entire client base encrypted because of an incident they had no control over, and many more victims may not learn how severely they were hit until they return to work on Monday or Tuesday.
Most end customers of MSPs do not know what software is used to keep their networks running. Kaseya’s fast and consistently updated response will hopefully limit the reputational damage to affected businesses, but the financial damage will be monumental. For more information on this ransomware attack and how to determine whether your IT company was running Kaseya VSA, reach out to Acom Networks today at (888) 381-9310.
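The following PowerShell is an added example of the first checks to run when a VSA host or a restored endpoint comes back; it is not Kaseya’s or Acom Networks’ own script. It lists the members of the local Administrators group and flags any local account that is disabled or whose password was set within the last seven days, then reports the age of the newest file in the backup location so a stale or missing backup set is obvious before anyone relies on it. It audits local Windows accounts only (VSA’s own application accounts have to be reviewed in the VSA console), and the backup path, the 24-hour freshness limit and the seven-day window are assumed policy values.

```powershell
# Added example: post-restore checks on a VSA host or a restored endpoint.
# Not Kaseya's or Acom's own script. Assumptions: only local Windows accounts are
# audited (VSA application accounts are reviewed in the VSA console); $BackupRoot,
# $MaxBackupAgeHours and $RecentChangeDays are local policy values, not vendor guidance.
param(
    [string]$BackupRoot     = 'D:\Backups',
    [int]$MaxBackupAgeHours = 24,
    [int]$RecentChangeDays  = 7
)

function Get-AdminAccountReport {
    # Members of the local Administrators group, joined with each local account's state.
    $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    foreach ($m in $members) {
        $u = $null
        if ($m.PrincipalSource -eq 'Local') {
            $u = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
        }
        $flags = @()
        if ($u -and -not $u.Enabled) { $flags += 'DISABLED' }
        if ($u -and $u.PasswordLastSet -and
            $u.PasswordLastSet -gt (Get-Date).AddDays(-$RecentChangeDays)) {
            $flags += 'PASSWORD-CHANGED-RECENTLY'
        }
        [pscustomobject]@{
            Name            = $m.Name
            Source          = $m.PrincipalSource
            Enabled         = if ($u) { $u.Enabled } else { 'n/a' }
            PasswordLastSet = if ($u) { $u.PasswordLastSet } else { 'n/a' }
            Flags           = ($flags -join ',')
        }
    }
}

function Get-BackupStatus {
    param([string]$Root, [int]$MaxAgeHours)
    $files = @(Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) {
        return [pscustomobject]@{ Root = $Root; Newest = $null; AgeHours = $null; Status = 'NO BACKUPS FOUND' }
    }
    $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $age    = ((Get-Date) - $newest.LastWriteTime).TotalHours
    [pscustomobject]@{
        Root     = $Root
        Newest   = $newest.FullName
        AgeHours = [math]::Round($age, 1)
        Status   = if ($age -gt $MaxAgeHours) { 'STALE' } else { 'CURRENT' }
    }
}

Write-Host '== Local Administrators =='
Get-AdminAccountReport | Format-Table -AutoSize

Write-Host "== Backup set under $BackupRoot =="
$b = Get-BackupStatus -Root $BackupRoot -MaxAgeHours $MaxBackupAgeHours
$b | Format-List
if ($b.Status -ne 'CURRENT') {
    Write-Warning "Backups are $($b.Status): expect to re-apply configuration changes made after the last good backup"
}
```

A disabled or freshly rotated administrator account is not proof of tampering, but it is exactly the kind of change that should be explained before the host is trusted again; treat any account you cannot account for as compromised and rebuild rather than re-enable.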