Managed service provider Kaseya hit by cyber attack
Kaseya – a US-based software company that develops software for managing networks, systems and information technology infrastructure – has been hit by a massive cyber attack.
In a statement yesterday, the company says: “Kaseya’s VSA [virtual systems administrator] product has unfortunately been the victim of a sophisticated cyber attack. Due to our teams’ fast response, we believe this has been localised to a very small number of on-premises customers only.”
According to Reuters, the hackers suspected to be behind a mass ransomware attack that affected hundreds of companies worldwide late on Sunday demanded $70 million to restore the data.
It says the gang broke into Kaseya, a Miami-based information technology firm, and used their access to breach some of its clients’ clients, setting off a chain reaction that quickly paralysed the computers of hundreds of firms worldwide.
Commenting on the attack, Ross McKerchar, Sophos vice-president and chief information security officer, says: “This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen.
“At this time, our evidence shows that more than 70 managed service providers (MSPs) were impacted, resulting in more than 350 further impacted organisations. We expect the full scope of victim organisations to be higher than what’s being reported by any individual security company. Victims span a range of worldwide locations, with most in the United States, Germany and Canada, and others in Australia, the UK and other regions.”
Mark Loman, Sophos director of engineering, says Sophos is actively investigating the attack on Kaseya, which it sees as a supply chain distribution attack.
“The adversaries are using MSPs as their distribution method to hit as many businesses as possible, regardless of size or industry type. This is a pattern we’re starting to see as attackers are constantly changing their methods for maximum impact, whether for financial reward, stealing data credentials and other proprietary information that they could later leverage, and more. In other wide-scale attacks we’ve seen in the industry, such as WannaCry, the ransomware itself was the distributor – in this case, MSPs using a widely used IT management are the conduit.
“Some successful ransomware attackers have raked in millions of dollars in ransom money, potentially allowing them to purchase highly valuable zero-day exploits. Certain exploits are usually only deemed attainable by nation-states. Where ‘nation-states’ would sparingly use them for a specific isolated attack, in the hands of cyber criminals, an exploit for a vulnerability in a global platform can disrupt many businesses at once and have an impact on our daily lives.”
Loman notes that a day after the attack, it became more evident that an affiliate of the REvil ransomware-as-a-service leveraged a zero-day exploit that allowed it to distribute the ransomware via Kaseya’s VSA software.
“Usually, this software offers a highly-trusted communication channel that allows MSPs unlimited privileged access to help many businesses with their IT environments.”
Based on Sophos threat intelligence, the company says REvil has been active in recent weeks, including in the JBS attack, and is currently the dominant ransomware gang involved in Sophos’s defensive managed threat response cases.