Following a supply chain attack on Kaseya VSA, the vendor is trying to bring its Unified Remote Monitoring & Management solution back online. The attack, attributed to the REvil ransomware group, is estimated to affect up to 1,500 companies.
Kaseya struggles with the consequences of VSA attack
On July 2, it became known that attackers were trying to spread ransomware via Kaseya VSA. According to Kaseya, the attack could have been far more consequential: when the first irregularities in VSA systems became apparent on July 2, the company says it acted within an hour and shut down its own SaaS servers. In addition, all on-premises customers were asked to shut down their VSA servers as well.
Was the vulnerability known beforehand?
At the same time, however, the Dutch Institute for Vulnerability Disclosure (DIVD) writes that Kaseya had been informed about the zero-day vulnerabilities that are now being exploited. According to MITRE, the ID CVE-2021-30116 had already been reserved in April. According to reports, Kaseya was cooperative and made efforts to fix the vulnerabilities.
Apparently not fast enough, however: the “REvil” group, behind which Russian hackers are suspected according to media reports, was still able to strike. The attackers apparently wanted to install ransomware via manipulated updates distributed through VSA. The security vendor Eset lists the payload under the name “Win32/Filecoder.Sodinokibi.N”; Kaseya has published a tool that is intended to detect compromised systems.
SMEs affected via IT service providers
According to Kaseya’s estimates, around 50 direct customers of the Remote Monitoring & Management (RMM) module are affected. Because these include IT service providers that manage their own customers’ systems through VSA, the disruption ultimately extends to up to 1,500 companies supported by those providers.
The IT outage at the Swedish retail chain Coop attracted particular media attention: the chain had to close hundreds of supermarkets because its checkout systems were paralyzed.
Kaseya is currently working to bring its own VSA SaaS servers back online with additional hardening. Among other things, the company is placing the service behind Cloudflare and has changed the IP addresses of its offering accordingly, so customers that restrict traffic to the old addresses will need to update their firewall rules. As of July 7, however, the SaaS rollout has been delayed due to unexpected problems.
Kaseya plans to release a patch for locally installed (on-premises) servers within 24 hours of restoring its own SaaS service.
Germany’s Federal Office for Information Security (BSI) has classified the incident as business-critical (IT threat level 3/Orange) and summarized its current findings in a BSI cyber security warning. Kaseya itself provides regular updates on the “VSA Security Incident” via its helpdesk page.
Kaseya positions itself as the authoritative source
The vendor also wants its website, with its regularly refreshed status updates, to be regarded as the definitive and most current source of information. In addition, the company published a YouTube video on the incident on July 6, in which CEO Fred Voccola speaks of an outrageous and criminal attack on the company’s customers and offers further assessments. The tenor: security incidents are inevitable, as past attacks on Microsoft, Juniper Networks and SolarWinds have shown; Kaseya, however, is well prepared and has reacted quickly to limit the impact.