
Kaseya ransomware attack makes headlines as the largest to date
No doubt you have read or heard about the recent ransomware attack that has crippled or adversely affected about 1500 businesses worldwide. It has been dubbed the Kaseya ransomware attack, and details are emerging on what it is, who is likely behind it, their motivations and demands, and how such an expansive attack could happen across so many different organizations. More details have emerged as I was writing this: about 60 MSPs have been compromised, thousands of MSPs have had no access to Kaseya’s flagship VSA products since last Friday, and the impact of the breach spans 17 countries. CRN has more details.
About the attack
What we know about the attack is that it finds its way very rapidly into end-user systems, including Windows workstations, servers and other endpoints, and encrypts their drives, holding the affected companies hostage. The attack appears to have been carried out by the REvil group.
How did the attack happen?
Based on what various security research and incident response companies have made public, Kaseya’s product called VSA was the vehicle. Think of it as a command-and-control system used to manage endpoints and PC assets for many small and medium businesses. Kaseya’s flagship VSA software is used by many MSPs, and this supply chain attack only amplifies the reach of the ransomware. Specifically, a zero-day (i.e. previously unknown) exploit was launched against the VSA platform, providing entry into the server that manages thousands of assets across those companies. Malicious code was then pushed down to the Kaseya agents installed on endpoints, and because that code arrived from a trusted source, the agents executed it, with wide-reaching consequences. Interestingly, a vulnerability in Kaseya VSA had been reported by DIVD CSIRT https://csirt.divd.nl/ and was in the process of being fixed when REvil exploited it before the fix could ship. The SaaS instance of Kaseya VSA was not impacted according to the company, but the SaaS platform was taken offline for good measure. I’m sure we will hear a lot more about this, and about why the SaaS instance was unaffected, as details are disclosed. SophosLabs has published a lengthy writeup, based on their research, of how the exploit was carried out.
Who has been affected?
According to various sources, there does not seem to be a targeted industry or specific company. Kaseya VSA was the launch platform, and the infection has reached small and mid-size companies across every industry. There also does not seem to be any specific country being targeted, with reports of incidents in the USA, Sweden, Germany and more. Swedish supermarket chain Coop had to close all of its retail stores and, per its statement on Monday, they remain closed as a result.
Response from Kaseya
Kaseya has been working with law enforcement (FBI/CISA) to discuss the situation and how to restore operations. They are working on a patch, but they have a strong warning for customers of their on-premise VSA: keep all systems offline and follow their guidelines. I can only guess that patching will have to be very deliberate, and that bringing systems back online will have to wait until the patch has been applied and each instance has been verified to be running the latest patched version. Kaseya recommends downloading their detection tool to check for indicators of compromise. Follow the detailed FBI/CISA response for more details.
Prepare for the unexpected
Security practitioners are poring over the details as they investigate the extent of the breach, and various security incident response teams are quickly advising their clients on how to recover from this attack and better prepare. Knowing the indicators of compromise is critical but not enough to stay ahead. Sadly, no one can say with certainty that they are secure; a continuous security monitoring practice and a zero-trust mindset for employees, applications, network and services, covering all data in motion, is critical to an effective defense.
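The point that indicators of compromise alone are not enough is easier to see with a behavioral check that needs no IoCs at all. The following is an added example, not code from the original post or from Keysight or Kaseya: a small monitor over process-creation events that flags a management agent spawning children outside its normal baseline, and escalates when the same unexpected command appears on several hosts within a short window, which is what a push from a compromised management server would look like. The event format, the agent and child process names, the host names, the sample events and the thresholds are all constructed assumptions for illustration; none are real Kaseya artifacts.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of process-creation events in a simple key=value text form.
# Hosts, process names and timestamps are hypothetical, not Kaseya artifacts.
SAMPLE_EVENTS = """
2021-07-02T14:00:01Z host=WS-01 parent=mgmt-agent.exe child=updater.exe cmd="updater.exe --check"
2021-07-02T14:00:03Z host=WS-02 parent=mgmt-agent.exe child=updater.exe cmd="updater.exe --check"
2021-07-02T14:02:10Z host=WS-01 parent=mgmt-agent.exe child=cmd.exe cmd="cmd.exe /c unknown.exe"
2021-07-02T14:02:11Z host=WS-02 parent=mgmt-agent.exe child=cmd.exe cmd="cmd.exe /c unknown.exe"
2021-07-02T14:02:12Z host=SRV-07 parent=mgmt-agent.exe child=cmd.exe cmd="cmd.exe /c unknown.exe"
2021-07-02T14:05:00Z host=WS-03 parent=explorer.exe child=cmd.exe cmd="cmd.exe"
""".strip().splitlines()

# Hypothetical management-agent binary; a real deployment would list the
# vendor's actual agent process names here.
AGENT_PROCESSES = {"mgmt-agent.exe"}
# Children the agent is expected to spawn during normal operation (assumed baseline).
EXPECTED_CHILDREN = {"mgmt-agent.exe", "updater.exe"}

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) '
    r'child=(?P<child>\S+) cmd="(?P<cmd>[^"]*)"$'
)


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    parent: str
    child: str
    cmd: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed event line; raise on anything that does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ProcEvent(ts, m["host"], m["parent"].lower(), m["child"].lower(), m["cmd"])


def unexpected_children(events: List[ProcEvent]) -> List[ProcEvent]:
    """Rule 1: the management agent spawned something outside its baseline."""
    return [e for e in events
            if e.parent in AGENT_PROCESSES and e.child not in EXPECTED_CHILDREN]


def fleet_wide_pushes(events: List[ProcEvent], min_hosts: int = 3,
                      window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Rule 2: the same unexpected command on >= min_hosts distinct hosts inside
    one sliding window. A single odd child might be an admin; the same odd
    child landing fleet-wide at once looks like a push from the server."""
    by_cmd: Dict[str, List[ProcEvent]] = defaultdict(list)
    for e in unexpected_children(events):
        by_cmd[e.cmd].append(e)
    alerts = []
    for cmd, evs in by_cmd.items():
        evs.sort(key=lambda e: e.ts)
        lo = 0
        for hi in range(len(evs)):
            while evs[hi].ts - evs[lo].ts > window:
                lo += 1
            hosts = {e.host for e in evs[lo:hi + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({"cmd": cmd, "hosts": sorted(hosts),
                               "first_seen": evs[lo].ts.isoformat()})
                break
    return alerts


def analyze(lines: List[str]) -> Dict:
    events = [parse_event(l) for l in lines]
    return {"unexpected": unexpected_children(events),
            "fleet_alerts": fleet_wide_pushes(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for e in result["unexpected"]:
        print(f"[unexpected child] {e.ts.isoformat()} {e.host}: {e.parent} -> {e.cmd}")
    for a in result["fleet_alerts"]:
        print(f"[FLEET-WIDE] {a['cmd']!r} on {len(a['hosts'])} hosts since {a['first_seen']}")
```

The baseline of expected children is the part that needs care in practice: build it from a quiet period of the agent's own telemetry rather than guessing, and treat the fleet-wide rule as the higher-severity signal, since it fires on how the activity spreads rather than on any hash or file name that an attacker can change.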
You can find out more about Keysight’s active participation in security operations and network visibility solutions that validate and monitor entire business operations, from edge to core and cloud.