Kaseya

Kaseya, a software firm, has fallen victim to a supply chain attack in which its own products were turned into a delivery mechanism for the REvil ransomware.

The cyberattack against Kaseya’s VSA remote monitoring and management software has affected nearly 40 of the company’s on-premises MSP (managed services provider) customers, according to CEO Fred Voccola.

Supply-Chain Attack on VSA Product

The supply chain attack targeted the VSA product, a tool that combines endpoint management and network monitoring. VSA can automate tasks such as patch management and backups and provides tools for access control and remote management.

Kaseya’s main market is managed services providers (MSPs), IT consultancies whose selling point is taking care of their clients’ tech, so an attack on VSA is potentially a superspreader event for REvil.

Ransomware attacks, where hackers breach systems and hold networks and data for ransom, have become an increasingly alarming phenomenon. Reports link the Kaseya attack to REvil, the Russia-linked hacking group behind the attack on meat processor JBS.

In June, JBS, one of the biggest meat producers in the US, paid an $11 million ransom for an attack that temporarily knocked out its processing plants.

Kaseya urged customers to pull the plug on their on-premises VSA servers immediately, because one of the first things the attacker does is shut off administrator access to the suite. The company also shut down its SaaS services as a preventive measure.

The company mentioned that “all on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed before restarting the VSA and a set of recommendations on how to increase your security posture”.

Furthermore, customers who experienced ransomware and receive communication from the attackers should not click on any links in it, as they may be weaponized.

The new Compromise Detection Tool can be downloaded from Kaseya’s Box share as VSA Detection Tools.zip. The tool analyzes a system (either a VSA server or a managed endpoint) and determines whether any indicators of compromise (IoCs) are present.
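As an added illustration (this is not Kaseya’s detection tool and not code from the original article), the following Python script shows the two checks such a compromise detection tool typically performs on a host: comparing file hashes against a blocklist and comparing file names against a list of known-bad names. The IoC values, file names and directory layout below are constructed placeholders, not Kaseya’s published indicators; in practice the blocklists would be loaded from the vendor’s IoC feed.

```python
"""Minimal file-based IoC scanner (added example, not Kaseya's tool).

Walks a directory tree and reports files whose SHA-256 digest is on a
hash blocklist or whose file name is on a known-bad-name list.  All IoC
values and sample files here are hypothetical placeholders.
"""
import hashlib
import os
import pathlib
import tempfile

# Constructed "malicious" content; its hash stands in for a vendor-supplied IoC.
PAYLOAD = b"constructed sample payload -- hypothetical, not a real artifact\n"


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, bad_hashes, bad_names):
    """Return sorted (kind, relative_path) findings for files under root.

    kind is "hash" for a digest match and "name" for a file-name match; a
    single file can produce both.  Unreadable files are skipped rather than
    aborting the scan, since a partial report beats no report on a live host.
    """
    root = pathlib.Path(root)
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = pathlib.Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if name.lower() in bad_names:
                findings.append(("name", rel))
            try:
                digest = sha256_file(full)
            except OSError:
                continue
            if digest in bad_hashes:
                findings.append(("hash", rel))
    return sorted(findings)


def demo():
    """Build a constructed sample tree, scan it, and return the findings."""
    # Hypothetical IoC lists (placeholders, not Kaseya's published indicators).
    bad_hashes = {hashlib.sha256(PAYLOAD).hexdigest()}
    bad_names = {"sideload-example.dll"}

    with tempfile.TemporaryDirectory() as root:
        work = pathlib.Path(root) / "kworking"
        docs = pathlib.Path(root) / "docs"
        work.mkdir()
        docs.mkdir()
        # Hash hit: content matches the blocklisted digest, name is innocuous.
        (work / "payload.bin").write_bytes(PAYLOAD)
        # Name hit: known-bad file name, content is arbitrary.
        (work / "sideload-example.dll").write_bytes(b"MZ constructed stub")
        # Clean file: should not be reported.
        (docs / "readme.txt").write_text("nothing to see here\n")
        return scan(root, bad_hashes, bad_names)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:4s} match: {path}")
```

Hash matching catches known binaries wherever they were dropped, while name matching catches the case where the attacker’s tooling has been recompiled or padded (so the digest changed) but the loader still expects a fixed file name; a real tool layers service, scheduled-task and registry checks on top of these.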

The company is working with both the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) to investigate the attack.

“We are in the process of formulating a staged return to service of our SaaS server farms with restricted functionality and a higher security posture (estimated in the next 24-48 hours but that is subject to change) on a geographic basis,” the company noted.

The company says it has been actively engaged with FireEye and other security assessment firms to assess the manner and impact of the attack and to ensure that its R&D organization has properly identified and mitigated the vulnerability.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.