Software vendor Kaseya didn’t exactly have a good holiday weekend. On Monday, the IT solutions developer for managed service providers (MSPs) and enterprise clients announced that it had been the victim of a cyberattack on July 2. The attackers reportedly carried out a supply chain ransomware attack that leveraged a vulnerability in Kaseya’s VSA (Vector Signal Analysis) software and targeted multiple MSPs and their customers.
The multinational company, which is headquartered in Dublin, Ireland and has its U.S. operations based out of Miami, said in a statement that approximately 50 of its direct customers were breached in the attack. Because those customers in turn provide IT services to small businesses, hundreds and possibly as many as 1,500 businesses may have been compromised. Those include a diverse mix of businesses from restaurants to accounting firms to small retailers. Upwards of 40,000 organizations worldwide use at least one Kaseya software solution.
The attack has been described as reminiscent of the breach of SolarWinds, in which attackers managed to compromise a vendor’s software and then pushed a malicious update to thousands of customers.
“Our global teams are working around the clock to get our customers back up and running,” Fred Voccola, CEO of the Dublin, Ireland-based firm, said in the statement on Monday. “We understand that every second they are shut down, it impacts their livelihood, which is why we’re working feverishly to get this resolved.”
The firm has already met with U.S. government agencies, including the FBI as well as the Cybersecurity and Infrastructure Security Agency (CISA). According to reports, Kaseya has engaged with the White House and cybersecurity firm FireEye Mandiant.
Given the scale of this recent attack, the FBI has already said it may be unable to respond to each victim individually, although President Joe Biden pledged to direct “the full resources of the government to investigate this incident.” All companies that believed they were compromised were still urged to alert the FBI.
Another Week, Another Ransomware Attack
The FBI and CISA have already posted a guidance webpage for MSPs and their customers affected by the supply-chain ransomware attack. This provides a link to the Kaseya VSA Detection Tool, which analyzes a system to determine whether any indicators of compromise (IoC) are present.
The webpage further provides advice on what MSPs and their respective customers should do if they suspect they’ve been compromised in this most recent ransomware attack.
While this is just the most recent such cyber attack, this one is notable for the sheer number of firms that could be involved.
“If reports about the ransomware attack on Kaseya are accurate, this is a huge, bold step up for criminal actors,” Meg King, director of the science and technology innovation program at The Wilson Center in Washington, D.C., told ClearanceJobs via an email.
“No longer are complex, expensive attack methods only the focus of nation-states. That the entry point was a zero-day exploit demonstrates the expertise of criminal hacking groups is growing,” King warned.
“The well-coordinated attack on the Kaseya software brand has left both direct customers and their clients in tatters,” added Richard Blech, founder of Irvine, California-based XSOC Corp.
“These brands face a new week not running business as usual, but scrambling to respond to an attack so large the White House weighed in on a holiday weekend,” Blech told ClearanceJobs in an email. “The FBI and Cybersecurity and Infrastructure Security Agency are also onboard in the race to address this most recent attack, which includes a demand for a $70 million Bitcoin ransom.”
2021: Year of Ransomware Attacks
If 2020 is to be remembered as the year of the pandemic, 2021 could already be on course to be the year that ransomware attacks impacted everyday Americans like never before. In just the past month, we’ve seen shortages of gasoline and meat products due to such cyber attacks.
This latest attack could disrupt a large number of businesses, and could continue to have ripples throughout businesses of all sizes.
“If ransomware were a TV series this latest incident involving Kaseya VSA would be a great season finale; a ransomware attack affecting a competitor to SolarWinds,” explained Tom Garrubba, CISO at third-party risk management firm Shared Assessments.
“Organizations must understand that we are in a ‘soft war’ with these RaaS (ransomware as a service) providers, and we must be expeditiously and continuously diligent on all forms of IT and cyber hygiene,” warned Garrubba, who told ClearanceJobs, “Everything from application code reviews to patch management, along with methodologies and processes to upgrading network and system components must be incessantly reviewed and any actions needed are immediate.”
REvil, which had successfully extorted $11 million from the meat-processor JBS after a Memorial Day attack, was demanding upwards of $70 million in cryptocurrency in this past week’s attack.
“Both the timing of the Kaseya attack and the choice of victim played roles in the far-reaching outcome; the lack of preparation and awareness by Kaseya allowed the attack to spread to dozens of smaller businesses and organizations,” said Blech.
Garrubba added that it is time for organizations to be proactive in these endeavors and to further ensure their downstream suppliers and vendors and critical partners are doing the same.
“RaaS providers are to be viewed in the same light as cyber terrorists,” he further noted. “Whereas organizations need to be right all the time in their IT processes and cyber hygiene, these cyber terrorists need to be right just once to affect many.”
Supply Chain Vulnerability
Researchers have also noted that these recent attacks highlight the supply chain vulnerability to ransomware attacks, and even if firms believe they are doing everything right, a misstep by a vendor can create a massive ripple effect.
“Last year’s SolarWinds attack showed that hackers breaching one provider magnifies the cyber threat and provides an opportunity to launch a bigger attack at scale,” said David Bicknell, principal analyst, Thematic Research at GlobalData, a leading data and analytics company.
“Small and medium-sized companies will suffer the most,” Bicknell explained. “They trust their managed service providers for support and now face potentially devastating ransomware attacks delivered through IT management software used by those very managed service providers.”
The attack – which follows so soon after the Colonial Pipeline and JBS breaches – should also serve as a warning to CISA and America’s lawmakers that more needs to be done to provide greater cyber resilience for small business.
“If they fail to do so,” warned Bicknell, “then 2021 will see the launch of one successful supply chain cyberattack after another.”