Kaseya Cybersecurity Breach: What Happened & How to Respond

By troysolis | Cloud Solutions, Security, Technology

Kaseya announced that it was hit with a sophisticated cyberattack over the July 4th Weekend.

What Happened?

This supply-chain ransomware attack leveraged a vulnerability in Kaseya VSA (Virtual System Administrator) software. To clarify, VSA is a set of tools used by MSPs (Managed Service Providers) to manage and monitor computers. This is one of the worst cyber-attacks to have hit the IT industry thus far! More details can be found here: Source

Who Was Impacted?

Kaseya’s CEO, Fred Voccola, estimated that up to 1,500 businesses were impacted by this ransomware attack. He indicated it was difficult to estimate the precise number because those affected were primarily downstream customers of Kaseya’s customers. In contrast, independent researchers have estimated the number of businesses impacted to be closer to 2,000. Kaseya clarified that the compromises only impacted customers using an on-premises version of VSA; customers using the SaaS (Software as a Service) version of the VSA product were not impacted.

Who is Responsible for the Attack?

REvil, a well-known hacking group suspected of originating in Russia, claimed responsibility for the Kaseya attack on their Dark Web leak site, writing “On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is $70,000,000 in BTC.” REvil is believed to be named from “Ransomware” and “Evil”. They are also the group behind the recent JBS Food Processing ransomware attack, and were responsible for other high-profile ransomware attacks such as the one on Quanta, a Taiwanese company that sells components to Apple.

Response by Kaseya/US Government Agencies

The incident, which is currently under investigation by the Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA), has wreaked havoc on thousands of businesses across the country. The FBI and CISA have released a joint statement regarding the security incident and are recommending managed service providers (MSPs) take the following actions:

  • Download the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IOCs) are present.
  • Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization. Also, to the maximum extent possible, enable and enforce MFA for customer-facing services.
  • Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
  • Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
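The allowlisting and "admin interface behind a firewall" items above are the two that map most directly onto a concrete control. The script below is an added example, not Kaseya's tooling and not anything published by the FBI or CISA: it generates an nftables ruleset that accepts connections to an RMM administrative port only from a set of known source addresses and drops everything else to that port, and it includes a helper that tells you whether a given source address would pass the allowlist before you load the rules. The port (443), the table and set names, and the allowed sources (RFC 5737 documentation ranges) are all constructed assumptions standing in for an MSP's real management addresses.

```shell
#!/bin/sh
# Added example (not Kaseya's, CISA's or FBI's code): generate an nftables
# ruleset that restricts an RMM administrative interface to an allowlist of
# known source addresses, and a helper to check whether a source would pass.
# Assumptions: the interface listens on ADMIN_PORT on a Linux host or edge
# firewall running nftables; ALLOWED_SOURCES uses RFC 5737 documentation
# ranges as constructed stand-ins for the MSP's real management addresses.

ALLOWED_SOURCES="203.0.113.10 198.51.100.0/24"
ADMIN_PORT=443

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if IP ($2) lies inside NETWORK ($1, "a.b.c.d" or "a.b.c.d/n").
cidr_contains() {
  net=$1
  ip=$2
  case $net in
    */*) base=${net%/*}; prefix=${net#*/} ;;
    *)   base=$net; prefix=32 ;;
  esac
  mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$base") & mask )) -eq $(( $(ip_to_int "$ip") & mask )) ]
}

# Return 0 if the source address would be accepted by the allowlist.
is_allowed() {
  for net in $ALLOWED_SOURCES; do
    if cidr_contains "$net" "$1"; then
      return 0
    fi
  done
  return 1
}

# Print the nftables ruleset: accept ADMIN_PORT only from the allowlist set,
# drop every other connection attempt to that port.
generate_ruleset() {
  printf 'table inet rmm_admin {\n'
  printf '  set allowed_admins {\n'
  printf '    type ipv4_addr\n'
  printf '    flags interval\n'
  printf '    elements = {'
  sep=' '
  for net in $ALLOWED_SOURCES; do
    printf '%s%s' "$sep" "$net"
    sep=', '
  done
  printf ' }\n  }\n'
  printf '  chain input {\n'
  printf '    type filter hook input priority 0; policy accept;\n'
  printf '    tcp dport %s ip saddr @allowed_admins accept\n' "$ADMIN_PORT"
  printf '    tcp dport %s drop\n' "$ADMIN_PORT"
  printf '  }\n}\n'
}

# Stand-alone run: show the ruleset and check two sample sources.
generate_ruleset
for src in 203.0.113.10 192.0.2.5; do
  if is_allowed "$src"; then echo "$src: allowed"; else echo "$src: blocked"; fi
done
```

The generated text can be reviewed and then loaded with `nft -f`; the `flags interval` set is what lets a CIDR block such as 198.51.100.0/24 sit next to a single address in the same allowlist. Keep the list short and tied to addresses you actually control (a VPN concentrator or a dedicated administrative network, as the last recommendation above suggests) so that the drop rule is the default outcome for anyone else reaching the port.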

Kaseya announced they are expecting the on-premises patch to be available on Sunday, July 11, 2021 at 4:00 pm EST. Additionally, they will begin the deployment to their VSA SaaS infrastructure.

Have You Been Affected?

If your IT Provider has not yet reached out to confirm you were not affected, it may be a good idea to run a cybersecurity evaluation to determine if your network has been affected.

Let us know if you would like us to help with a cybersecurity evaluation. We would love to enhance your organization’s cybersecurity solutions. Give us a call at 952.279.2424. SOL-I.S. Technology Solutions – we are here for you!
