Another ransomware attack… Around noon on Friday, July 2nd, we heard about the Kaseya VSA vulnerability and set into action. Our CISO, Gustavo Mastroianni, mobilized quickly by having all partners take their Kaseya servers offline. Next, we wanted to make sure all other cybersecurity and IT support providers were made aware of the incident. Our Security Engineer, Brian McCaleb, posted one of the first "pulses" (a summary of the threat, a view into the software targeted, and the related indicators of compromise (IOC) that can be used to detect the threats) in the AlienVault Open Threat Exchange.
While Apex does not use the Kaseya VSA product and our customers' systems remain unaffected by this incident, we are making sure to stay up to date on all aspects of this ransomware attack and, as always, we continue to actively monitor all of our clients to ensure they are always protected.
About Kaseya and why they were attacked:
Kaseya provides a variety of products/solutions to Managed Service Providers (MSPs) and IT teams around the world. These MSPs and IT teams utilize Kaseya’s products to provide support for their clients. One of those products in particular is Kaseya VSA, which is used to unify remote monitoring and management, providing endpoint management and network monitoring all in one. A cybercriminal group, REvil, was able to exploit a flaw in Kaseya VSA, which allowed them to infiltrate downstream and take ownership of over 1,000 businesses and encrypt their data.
In short, by attacking Kaseya, REvil was able to access hundreds of MSPs and IT teams, in turn giving them access to the 1,000+ businesses they have now infiltrated and encrypted. And unfortunately, while Kaseya is in the process of finding a solution, as of today, it is still advised that all on-premises VSA Servers should continue to remain offline until further instructions from Kaseya.
Who is REvil?
REvil is a criminal hacking group that is believed to have been operating out of Eastern Europe or Russia since 2019. Per CNN Business, REvil quickly became a sort of "thought leader" in the hacking space, said Jon DiMaggio, the chief security strategist at cybersecurity firm Analyst1 who tracks ransomware groups. REvil is known to supply tools for other cybercriminals to carry out ransomware attacks (ransomware-as-a-service). They have also been behind several other recent, high-profile ransomware attacks, including JBS Foods, Quanta Computer, and Acer. You can read more about ransomware in our recent blog, Ransomware: What Does That Mean for Your Business.
As for the attack on Kaseya, REvil stated on Sunday that more than a million systems have been infected and they are requesting $70 million in Bitcoin in exchange for the decryption key.
What is the key takeaway from this incident?
Simple. The importance of security.
As a security-first company, we take cybersecurity very seriously, not just for Apex but also for every single one of our clients. Cybersecurity is so much more than just having a firewall or antivirus software. Cybercriminals have evolved and unlike a decade or so ago, when a software virus meant that only one employee was impacted and potentially unable to use their computer for a while, today’s attacks are far more invasive, long-lasting, and destructive, attacking your entire business. They come with financial, operational, and reputational repercussions … not to mention the potential for non-compliance penalties for companies in regulated industries like healthcare and financial services.
What would it do to your business if you lost access to your digital assets or they became available for anyone to see? Make sure you are prepared, and your business is protected against cybercriminals and ransomware attacks. We recommend starting with our free Cybersecurity Self-Assessment. It is a simple 15-question overview to give you an idea of where you currently stand against cybercriminals. Our team of IT and Cybersecurity experts is prepared to help you understand where your risks are and build an action plan letting you focus on what’s important—your business. And we are always here to answer any questions you may have.
If you know anyone who has been impacted by this incident, please let us know so we can help. The MSP community is coming together, helping other MSPs that were exploited.
Updates on the incident are being posted on Kaseya’s support site: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689