Kaseya Sees Service Restoration Delay After Ransomware Hit
Vendor of IT Remote Management Software Promises Security Improvements After Attack

(Update: Kaseya said midday Wednesday it will publish a "runbook" of changes and the planned availability of its patch for on-premises VSA by 5 p.m. July 7. The vendor is also resolving an issue with its SaaS VSA update and expects service to be restored by the evening of July 8.)
Cue delays for customers of Kaseya waiting for their software-as-a-service and on-premises software to get emergency fixes.
Following a ransomware attack involving Kaseya's VSA software that came to light Friday, the U.S. Cybersecurity and Infrastructure Security Agency advised all users of the on-premises version of VSA to shut down their VSA servers immediately. The Miami-based IT remote management software vendor said that, to be safe, it also took the SaaS version of VSA offline, although that version was not exploited by attackers.
Kaseya estimates that the July 4 holiday weekend ransomware attack hit about 60 of its IT managed service provider customers as well as up to 1,500 of their collective managed service clients. The company says many of the crypto-locked organizations - the MSP clients - are smaller businesses, such as dentists' offices, small accounting offices and restaurants (see: Kaseya: Up to 1,500 Organizations Hit in Ransomware Attack).
Kaseya had said it expected to have fixes in place for its SaaS software, allowing that service to be restored, by Tuesday, with patches for on-premises VSA to follow within 24 hours. But in a Wednesday update, the company said that its SaaS service remains offline and that no on-premises patches are yet available (see: Did Kaseya Wait Too Long to Patch Remote Software Flaw?).
"Unfortunately, during the deployment of the VSA [SaaS] update, an issue was discovered that has blocked the release. We have not yet been able to resolve the issue," Kaseya says in a Wednesday morning update. "The R&D and operations teams worked through the night and will continue to work until we have unblocked the release."
In a Monday statement, Kaseya CEO Fred Voccola said: "Our global teams are working around the clock to get our customers back up and running. We understand that every second they are shut down, it impacts their livelihood, which is why we're working feverishly to get this resolved."
Security Improvements Planned
On Tuesday, Kaseya announced that it is implementing a number of security improvements, including a 24/7 independent security operations center for every VSA server. Each center will have the ability to quarantine and isolate files and entire VSA servers.
Kaseya says it is also putting in place a content delivery network with a web application firewall for every VSA server.
Credit for the ransomware attack involving Kaseya's VSA software has been claimed by the REvil ransomware-as-a-service operation, also known as Sodinokibi.
Kaseya has continued to warn organizations that were hit in the VSA-targeting attacks to not click on any links supposedly sent by REvil, noting that the links may have been weaponized.
With its typical bluster, the REvil operation claims to have compromised 1 million VSA-using organizations. On Monday, the ransomware operation also began demanding $70 million in bitcoins for a universal decryption tool that it said would decrypt all victims' files. With no takers, the group appeared to have lowered its asking price for the tool shortly thereafter to $50 million.
Federal Probe
On Sunday, U.S. President Joe Biden ordered federal intelligence agencies to investigate the incident, initially noting that "we are not sure yet" whether the Russian government held any blame in the REvil campaign (see: Biden Orders Investigation of Kaseya Ransomware Attack).
Kaseya says it's working with multiple governmental agencies that are probing the attack, including the FBI, CISA, the Department of Homeland Security and the White House. FireEye's Mandiant incident response group is also assisting the company.
While the full damage from the incident is still coming to light, some experts have voiced cautious optimism. "There were some novel aspects of this particular incident that actually could have [made the impact] much, much worse," Michael Daniel, president and CEO of the Cyber Threat Alliance, tells Information Security Media Group. "So I actually think, in many ways, compared to what people [initially] were afraid of, this ended up not being quite as bad."
Grading Kaseya's Response
Kaseya has continued to keep the details of the software vulnerability that attackers exploited, and for which it is still preparing a patch, under wraps, which Mike Hamilton, formerly the CISO for the city of Seattle, says is the right move. "Kaseya was working on a patch for the vulnerability when it was exploited. Making a vulnerability public before a patch is prepared and released just invites attack," he says.
Hamilton, co-founder of CI Security, says that although Kaseya has stated that the ransomware attack did not hit any organizations operating in critical infrastructure, he suspects such organizations may indeed have fallen victim. "It's highly likely that a good number of local governments are victims, and that means water purification, waste treatment, communications for law enforcement. All may have been impacted - and that's critical infrastructure," he says.
As the pace and severity of ransomware attacks continue to worsen, experts say more needs to be done. Daniel of the Cyber Threat Alliance says the best way to mitigate the risk of ransomware attacks continues to be collaboration between the government and the private sector.
"We need to be bringing all the different diplomatic, economic and law enforcement intelligence cybersecurity tools to the field and employ them in different combinations that impose costs on the adversaries," he says.
Next Steps for Affected MSPs
On July 4, CISA and the FBI issued a joint statement with guidance for MSPs and their customers affected by the supply chain ransomware attack leveraging a zero-day exploit in Kaseya's VSA software. Those recommendations include:
- Download the Kaseya VSA Detection Tool: The tool analyzes a system (either VSA server or management endpoint) and determines whether any indicators of compromise are present.
- Enable and enforce multifactor authentication: The agencies recommend enforcing MFA on every account that is under the control of the organization and for customer-facing services.
- Implement "allowlisting": This will limit communication with remote monitoring and management capabilities to known IP address pairs.
- Isolate admin interfaces: The agencies urge those affected to place administrative interfaces of RMM behind a virtual private network or a firewall on a dedicated administrative network.
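The allowlisting and admin-interface recommendations above, as an added example (this is not code from Kaseya, CISA or the FBI): every source that may reach the RMM server is paired explicitly with the server address and port it may use, connection records are audited against that list, and the same list is turned into a default-drop nftables ruleset for the server itself. All addresses, the allowlist format and the connection records are constructed for the example, and the port numbers (5721 for agent check-in, 443 for the admin web UI) are assumptions, not facts taken from the article.

```python
"""Allowlist audit for RMM server traffic.

Added example for the CISA/FBI "allowlisting" and admin-interface
recommendations; it is not code from Kaseya, CISA or the FBI. Every
(source, RMM server, port) combination that may talk to the VSA server
is listed explicitly; anything else is flagged by audit() or dropped by
the generated nftables rules. Addresses and records are constructed and
the port numbers are assumptions, not facts from the article.
"""
import ipaddress
from dataclasses import dataclass

# Constructed allowlist: "src (host or CIDR)  dst (RMM server)  port", '#' comments.
# 5721 (agent check-in) and 443 (admin UI) are assumed ports, not from the article.
ALLOWLIST = """
203.0.113.0/24   198.51.100.10   5721   # branch-office agents
192.0.2.7        198.51.100.10   5721   # one remote agent
10.10.0.0/24     198.51.100.10   443    # admin UI only from the dedicated admin network
""".splitlines()

# Constructed connection records (src, dst, port), e.g. parsed from firewall logs.
RECORDS = [
    ("203.0.113.44", "198.51.100.10", 5721),   # known agent check-in
    ("192.0.2.7", "198.51.100.10", 5721),      # known single agent
    ("10.10.0.5", "198.51.100.10", 443),       # admin from the admin network
    ("203.0.113.44", "198.51.100.10", 443),    # agent subnet reaching the admin UI
    ("198.51.100.77", "198.51.100.10", 5721),  # source not on the allowlist
]


@dataclass(frozen=True)
class Pair:
    src: ipaddress.IPv4Network   # host (/32) or subnet allowed to connect
    dst: ipaddress.IPv4Address   # RMM server it may reach
    port: int                    # TCP port it may reach on that server


def parse_pairs(lines):
    """Parse allowlist lines into Pair objects; blank and comment lines are skipped."""
    pairs = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, port = line.split()
        pairs.append(Pair(ipaddress.ip_network(src, strict=False),
                          ipaddress.ip_address(dst), int(port)))
    return pairs


def is_allowed(pairs, src, dst, port):
    """True only if the exact (source, server, port) combination is on the list."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    return any(src_ip in p.src and dst_ip == p.dst and port == p.port for p in pairs)


def audit(pairs, records):
    """Return the records that the allowlist would not have permitted."""
    return [r for r in records if not is_allowed(pairs, *r)]


def nft_rules(pairs):
    """nftables statements enforcing the allowlist on the RMM server (default drop).

    Loopback and established/related traffic are accepted first so the
    default-drop policy does not cut the server's own return traffic.
    """
    rules = [
        "add table inet rmm",
        "add chain inet rmm input { type filter hook input priority 0; policy drop; }",
        "add rule inet rmm input iif lo accept",
        "add rule inet rmm input ct state established,related accept",
    ]
    for p in pairs:
        rules.append(f"add rule inet rmm input ip saddr {p.src} "
                     f"ip daddr {p.dst} tcp dport {p.port} accept")
    return rules


if __name__ == "__main__":
    pairs = parse_pairs(ALLOWLIST)
    for rec in audit(pairs, RECORDS):
        print("NOT ALLOWED:", rec)
    print("\n".join(nft_rules(pairs)))
```

Running the script flags the two constructed records that break the pairing rule (an agent subnet reaching the admin UI, and a source that is not listed at all) and prints a ruleset that can be loaded with `nft -f`. Keeping the admin port on a separate line of the allowlist, bound to the admin network only, is what makes the "dedicated administrative network" recommendation enforceable rather than a convention.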
This story has been updated.