Story image

Kaseya ransomware attack: MSPs warned to shut down VSA servers

By Nick Forrester, 05 Jul 2021

IT infrastructure and software firm Kaseya confirmed it had been hit by a ransomware attack over the weekend.

The attack targeted VSA, the company’s remote monitoring & management solution, used by MSPs and IT teams. 

On Friday, Kaseya CEO Fred Voccola confirmed that the company’s incident response team had caught wind of the breach. As a result, the company shut down its SaaS servers and notified its on-premises customers to shut down their VSA servers to prevent them from being compromised. 

Kaseya then directed its incident response to determine the attack’s root cause, and also informed the FBI and CISA, the US federal cybersecurity agency.

Vocolla says, “While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability. 

“We have received positive feedback from our customers on our rapid and proactive response.”

Secureworks chief threat intelligence officer Barry Hensley says he has not yet seen a ‘significant impact’ across his company’s customer base.

“Less than ten organisations appear to have been affected, and the impact appears to have been restricted to systems running the Kaseya software,” says Hensley. 

“We have not seen evidence of the threat actors attempting to move laterally or propagate the ransomware through compromised networks. That means that organisations with wide Kaseya VSA deployments are likely to be significantly more affected than those that only run it on one or two servers.

“Based on what we know right now, we believe that this was an orchestrated attack against a subset of Kaseya VSA clients, largely managed IT service providers (MSPs),” Hensley continues. 

“The evidence we have does not indicate that Kaseya’s software update infrastructure has been compromised. That does mean that, while we have seen limited impact across our customer base, there may be larger clusters of victims elsewhere based on use of common MSPs.”

Yesterday Kaseya engaged the services of computer incident response firm FireEye to identify specific indicators of compromise (IoCs) in order to determine which systems and data were accessed. Kaseya then began remediating the code and working with select customers to field test the changes’ once we have completed the work and tested it thoroughly in our environment’. 

“At this time, we believe that none of our NOC customers (neither SaaS nor on-premises) were affected by the attack,” Kaseya said in an update on its website yesterday.

The company also rolled out a Compromise Detection Tool, designed to help customers identify their system’s status. This was rolled out to around 900 customers who requested the tool.

In an update posted on July 5, Kaseya confirmed that it would bring its SaaS data centres back online on a one-by-one basis — starting with its  EU, UK and APAC data centres and followed by its North American data centres.

NCSC, New Zealand’s cybersecurity agency, today posted an update on its website confirming it is aware of the attack and that it may present ‘significant risk’ to organisations in New Zealand. 

The agency says that preliminary details about the activity suggest that VSA admin accounts are disabled shortly before ransomware is deployed.

The NCSC’s update said: “The NCSC strongly recommends that organisations determine if Kaseya VSA is utilised in your environment, either by your own internal IT team or by a service provider who has access to your network.”

Recent stories
More stories