Over the American Independence Day weekend, Kaseya announced that it had suffered a cyberattack on July 2 affecting its MSP and enterprise clients. As shown in the graph below, attackers leveraged a weakness in Kaseya’s VSA software to target multiple managed services providers (MSP) and their customers in a supply chain ransomware attack.
CEO Fred Voccola says that only a small fraction of Kaseya’s customers were affected by the breach. However, Kaseya’s clientele includes MSPs, which means that smaller businesses were affected as well.
Current estimates are that 800 to 1000 medium-sized companies have experienced ransomware compromise through their MSP.
This attack resembles the security fiasco at SolarWinds. A malicious update was pushed to thousands of customers after the vendor’s software was compromised. In all, we remain unsure just how widely the ransomware incident may spread.
What is Kaseya?
Kaseya’s international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries.
Kaseya offers IT support services such as the VSA tool, which can manage and monitor networks and endpoints remotely. As well as compliance solutions, the company provides service desks and a platform for professional services automation.
Kaseya says more than 40,000 organizations worldwide use at least one of its software solutions. The company’s software is designed specifically for enterprises and managed service providers (MSPs). As a software company that provides technology to MSPs, Kaseya serves a broader supply chain for many different companies.
What happened?
In a press conference reported by ZDNet, Kaseya CEO Peter Young announced that several on-premise customers have been affected by a potential attack against the VSA.
In the same vein, Voccola suggested that clients immediately shut down the VSA servers out of extreme caution.
Immediately taking steps to eliminate the threat is imperative because one of the attacker’s first actions is to disable access to the VSA, the executive advised.
Customers were notified of the breach via email, phone, and online notices.
In addition to shutting down the SaaS servers and moving the data centres offline, Kaseya has revised its stance on the incident. It now considers itself to be the victim of a sophisticated cyberattack. Other security companies were also called in to offer assistance, including FireEye’s Mandiant team.
In a July 5 update, Kaseya said that it had developed a fix that will initially be rolled out to SaaS environments upon completion of testing and validation.
Who has been impacted?
Only a few hundred customers have been impacted on-premises worldwide, and SaaS customers have never been affected.
Even though only a small number of Kaseya customers may have been directly affected, if these services are at the core of business processes for MSPs, SMB clients down the chain could also be affected.
There have been reports that the cash registers at 800 chain stores of the Coop supermarket chain in Sweden have not been open.
According to Hunter’s Reddit explainer, workstations and servers at 1,000 companies were encrypted. There is a possibility that thousands of small businesses could have been impacted, according to the vendor.
In Sophos’ latest report, Ross McKerchar said that this was one of the most intricate criminal ransomware attacks the company had ever seen. In total, we estimate this attack impacted over 350 other organizations. Neither one of the security companies claims to know the full scope of victim organizations.
A few days ago, Kaseya updated its previous estimates, saying the total impact has been “fewer than 60” customers and that, in addition, fewer than 1,500 downstream businesses have so far been affected.
As estimated on July 6, the impact has been 50 direct customers and between 800 and 1500 businesses down the chain.
“No evidence of compromises of SaaS environments has been found,” Kaseya says.
According to the reporter’s piece, Kaseya stated on July 6 that “while this attack affected approximately 50 of Kaseya’s customers, it did not pose a threat or compromise any critical infrastructure.”
As of July 8, Palo Alto Networks reports 96% fewer vulnerable Kaseya servers online, visible, and accessible by attackers.
Kaseya CEO Fred Voccola says the attack “totally stinks,” considering the minimal number of users who have been breached.
Voccola commented that it had been two days since the event. “It’s probably safe to say that 150 people have slept a total of only four hours in the past two days, and that’ll keep on going until everything is perfect.”
Less than 0.1% of the company’s customers experienced a breach.
“Unfortunately, things like this happen,” said the executive. “That doesn’t mean it’s okay. It just means it’s how our world operates today.”