Kaseya, whose VSA software platform is used by other tech companies to monitor and manage customers’ IT networks, has been the victim of an audacious cyberattack. On July 2, the business issued a security advisory urging its customers to immediately shut down versions of VSA running on their own servers. It also suspended its own cloud-based VSA service.
The company is at the epicenter of a security crisis that combines two of the most devastating tactics being deployed by hackers today: supply chain attacks and ransomware. The former involves targeting companies whose software is widely used by other businesses. Once inside the supplier’s system, attackers use it as a jumping-off point to access its customers’ networks too. Then they install ransomware, which locks up victims’ data, only releasing it once a ransom payment has been made (typically in untraceable cryptocurrencies).
The hackers targeting Kaseya managed to compromise its VSA platform and then use it as a jumping-off point to worm their way into other companies’ systems. Once inside these, they deployed ransomware.
It’s still unclear exactly how much damage this one-two cyber punch has caused. In a security advisory posted on its website, Kaseya, whose U.S. headquarters is in Miami, said it currently believed the risk was limited to companies running VSA on their own servers rather than ones using the cloud service it provides. “Only a very small percentage of our customers were affected,” it added, “currently estimated at less than 40 worldwide.” The company’s advisory says it has over 36,000 clients in total.
However, some of the companies affected appear to be managed service providers, or MSPs, which manage IT services, such as upgrading software and monitoring networks, on behalf of a wide range of other organizations. MSPs are popular targets for hackers, who use access to their systems to then hop into those of MSPs’ customers too.
Cybersecurity firm Huntress Labs has said it believes eight MSPs have been compromised using the VSA platform—and three it works with directly have seen at least 200 customers in total hit by ransomware. The security business, which hasn’t named the MSPs affected, thinks a Russia-based hacking group known as REvil is behind the attack.
In the statement on its website, Kaseya said it learnt of a potential security incident at around midday on Friday and quickly called in forensic security experts to assist its internal investigation and notified the FBI and the Cybersecurity Infrastructure and Security Agency (CISA), which is part of the Department of Homeland Security. It also issued the advisory warnings to its customers.
CISA said in a statement issued late Friday that it is “taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software.” It also urged organizations to follow Kaseya’s guidance to shut down their own servers running the company’s software.
This new incident is the latest in a wave of ransomware attacks on U.S. companies, including meat-processing giant JBS and oil transportation business Colonial Pipeline, that have caused alarm across the business world and at the highest levels of government.
The U.S. is also still recovering from a supply chain attack on networking-software company SolarWinds that compromised hundreds of organizations’ systems, including businesses and government agencies. In a recent meeting with Vladimir Putin, President Joe Biden called on the Russian president to crack down on Russia-based groups involved in ransomware attacks and other cyber crimes.