Ransomware attack against Kaseya creates rippling supply chain compromise

Dive Brief:

Federal officials are scrambling to respond to a supply chain ransomware attack against Kaseya, a provider of remote monitoring software, an incident security researchers say has impacted hundreds of companies and is linked to REvil ransomware.
Kaseya warned customers Friday to immediately shut down their virtual storage appliance (VSA) servers following an apparent attack that impacted a "small number of on-premise customers," the company said in a statement.
Federal officials at the Cybersecurity and Infrastructure Security Agency (CISA) are monitoring the attack and working with the FBI to gather information about the impact, Eric Goldstein, executive assistant director for cybersecurity at CISA, said in an emailed statement. "We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya's guidance to shut down VSA servers immediately. As always, we stand ready to assist any impacted entities."

Dive Insight:

Kaseya CEO Fred Voccola said the company shut down its SaaS servers as a precaution to protect more than 36,000 customers. A company spokesperson, in an emailed statement, said it expects to restore service in about 24 hours once it confirms they are not at risk. The firm said that about 40 customers worldwide were affected.

"We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly," the statement said. "We will release that patch as quickly as possible to get our customers back up and running."

Kaseya provides IT management software that allows companies to gain visibility into their network environments. The company said it has engaged internal and third-party security experts and contacted the FBI and CISA about the incident.

When asked whether any ransomware demand had been made or whether REvil was involved, a spokesperson said an update would be provided in 24 to 48 hours on the situation.

Researchers say the attack would put customers of Kaseya at risk through a software upgrade.

Security firm Huntress said Friday it was aware of four managed service providers where all of the clients were impacted, hitting thousands of endpoints, according to John Hammond, senior security researcher at Huntress. Based on everything Huntress saw, it strongly believed REvil/Sodinokibi was behind the attack, Hammond said.

"This type of supply chain attack, similar to the SolarWinds attack, goes straight to the jugular of organizations looking to recover from a breach," said Chris Grove, technology evangelist at Nozomi Networks.

These types of tools carry large amounts of risk due to their large collection of enterprise accounts with escalated privileges, Grove said.

REvil is a common denominator in recent incidents, including the JBS USA ransomware attack in May. The group is known for identifying worthwhile targets and launching spearphishing campaigns, Brett Callow, threat analyst at Emsisoft, told Cybersecurity Dive in May.

The Kaseya incident has echoes of SolarWinds and Microsoft Exchange, where hackers rushed in to exploit organizations exposed in the supply chain. Regulators, in recent weeks, have scrutinized ransomware's effect on the greater supply chain, particularly focusing on his threats against the supply of critical goods.

"The increasing diversity of infrastructure and the tools we use to manage and secure it make supply chain attacks like this both an attractive target and to attackers and a huge challenge for security and IT teams to manage," Daniel Trauner, senior director of security at Axionus, said in an emailed statement.

"And in this case, although its still early, it looks like attackers are leveraging the one-too-many relationship of MSPs to cause maximum impact, especially right before a holiday weekend in the U.S.," Trauner said.