Another supply chain ransomware attack has so far affected over 1,000 companies worldwide. Kaseya’s VSA platform was attacked by the REvil ransomware gang on Friday. The attack spread through Kaseya’s SaaS platform to its MSP customers, and in turn, to those customers’ own customers.
Huntress Labs’ John Hammond has written in his blog, “we are tracking ~30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was used to encrypt well over 1,000 businesses and are working in collaboration with many of them. All of these VSA servers are on-premises and Huntress has confirmed that cybercriminals have exploited a SQLi vulnerability and have high confidence an authentication bypass was used to gain access into these servers.”
The sad part is, Kaseya was in the process of patching the vulnerability prior to the attack. According to BleepingComputer, the vulnerability had been previously disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure (DIVD), and Kaseya was validating the patch before they rolled it out to customers. Victor Gevers of DIVD said this in a blog post: “Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched.” It really is too bad that this vulnerability was exploited before it could be patched.
Kaseya has since shut down its SaaS servers and has advised all its VSA customers to immediately shut down their VSA servers to prevent the attack’s spread while the investigation continues. Kaseya says it will post an update about the SaaS restoration and on-premises patch timelines at 1:00 pm today. Meanwhile, REvil has told BleepingComputer that they want $70 million in Bitcoin for the tool that allows all affected businesses to recover their files. This is the highest demand so far, beating out the $50 million REvil asked for after their attack on Acer.
More details are still to come in this case. If you are a Kaseya VSA customer, keep watching their website for further updates. If you just need someone to talk to about your cyber security concerns, contact Uzado with your cyber security questions.