An attack by cyber criminals on Kaseya’s VSA product has put managed service providers (MSPs) and their customers around the world at risk of ransomware that uses compromised Kaseya VSA servers as its deployment mechanism.
The US-based IT infrastructure management solutions vendor’s CEO, Fred Voccola, said in a post online that on 2 July (US time) the company’s incident response team learned of a potential security incident involving its VSA software.
It soon became clear that the VSA product was the target of a sophisticated cyber attack, and the vendor strongly recommended that on-premises customers keep their VSA servers shut down until further notice.
“We will also keep our SaaS [software-as-a-service] servers offline until further notice,” Voccola said.
Kaseya VSA is a remote monitoring and management platform used by MSPs and others to deliver IT management services to customers; because an MSP pushes software and scripts to every managed endpoint through it, a compromised VSA server can reach all of those endpoints at once, so the impact of the global breach is likely to be large.
According to John Hammond, senior security researcher at cyber security firm Huntress, at around 11am (ET) on 2 July "many" Kaseya VSA servers were used to deploy ransomware, and the party behind the campaign appeared to be an affiliate of the REvil group, which is believed to be linked to Russia.
“Our team continues to investigate the Kaseya VSA supply chain attack that's currently affecting a growing number of MSPs, resellers and their customers,” Hammond said in a post.
“We are tracking [around] 30 MSPs across the US, AUS [Australia], EU and LATAM where Kaseya VSA was used to encrypt well over 1,000 businesses and are working in collaboration with many of them.
“All of these VSA servers are on-premises and Huntress assesses with high confidence that cyber criminals exploited a vulnerability to gain access into these servers.
“Based on the forensic patterns, ransomware notes and the TOR URL, we strongly believe a REvil/Sodinokibi RaaS [ransomware-as-a-service] affiliate is behind these intrusions,” he added.
At 9pm on 3 July (US time), Kaseya reiterated that all on-premises VSA servers should remain offline until the vendor issued further instructions on when it was safe to restore operations.
The company also said a patch would have to be installed before VSA could be restarted, and that it hoped to give an estimate of when the patch would be available within a matter of hours.
Meanwhile, Kaseya said a new Compromise Detection Tool would be made available to VSA customers late on the evening of 3 July (US time) so that partners could assess the status of their own systems and those of their clients.
The effects of the attack have been felt in the Asia Pacific region, with New Zealand-based ICT services giant Datacom shutting down its Kaseya servers.
Datacom said it used Kaseya software but had already been decommissioning it before the current attack.
"As soon as we were notified of the risk, we shut down our Kaseya servers immediately," the company said in a statement. "We are also actively monitoring customer environments and have not seen, nor been made aware of any qualified infections."
Reports suggested that over 200 geographically distributed businesses had been successfully attacked and their files encrypted, Datacom said.