IT and security management services company Kaseya reported an attack against a “small number” of customers Friday afternoon, but a bigger supply chain incident might be afoot heading into the July 4 holiday weekend.
The attack, which some researchers believe to be the work of ransomware group REvil or one of its affiliates, could be the beginning of a mass ransomware event with the potential to strike a wide swath of industry and local government. The FBI in June blamed the Russia-based group for a ransomware attack against global meat supplier JBS. Kaseya said the incident is affecting its VSA software platform used by managed services providers.
“We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only. We have proactively shut down our SaaS [software as a service] servers out of an abundance of caution,” Dana Liedholm, senior vice president of corporate communications at Kaseya wrote in an email to CyberScoop. “We have been further notified by a few security firms of the issue and we are working closely with them as well.”
The firm is recommending that all customers shut down their VSA server immediately.
Multiple cybersecurity firms have reported clients who have been affected by the attack.
“We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted,” Huntress Labs wrote in a post on Reddit. “We are aware of at least 8 impacted MSP partners at this time.”
“We strongly believe a REvil/Sodinokibi RaaS affiliate is behind these intrusions,” the firm wrote in the same post.
Sophos also reported “an active industry wide supply chain attack using Kaseya to deploy ransomware” and notes that the attacks are “geographically dispersed.”
Jake Williams, chief technology officer of BreachQuest and Rendition Infosec, said on Twitter that multiple clients who used Kaseya had been hit with Sodinokibi ransomware.
Kaseya appears to have shut down its cloud services, though it has not reported any affected cloud customers. The firm claims 40,000 customers.
The infection appears to abuse the administrator-level access that VSA holds, cascading from managed service providers down to their clients, cybersecurity researcher Kevin Beaumont wrote in a blog.
Managed service providers remotely manage customers’ IT infrastructure and user systems.
This isn’t the first time hackers have used Kaseya to push ransomware. In 2019, hackers used compromised credentials to gain unauthorized access and spread ransomware to customers.
What’s happening to Kaseya caught the attention of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
“CISA is taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software,” the agency wrote. “CISA encourages organizations to review the Kaseya advisory and immediately follow their guidance to shut down VSA servers.”
Updated 7/2/21: To include CISA statement.