The Kaseya Zero-Day Supply Chain Ransomware Attack


On July 3, 2021, we witnessed one of the largest global ransomware attacks in history. Cybercriminals deployed a supply chain ransomware attack on Kaseya, which supplies IT management software to managed service providers (MSPs) and IT teams. Kaseya estimates that as many as 1,500 businesses around the world have been impacted by the ransomware attack. The hackers, believed to be the same group responsible for the JBS Foods attack, are demanding $70 million in cryptocurrency to restore the affected businesses’ data.

The reason this single attack has impacted so many companies is that Kaseya VSA software is used by MSPs to help manage client networks. Kaseya reports that fewer than 60 of its customers have been impacted, and that this is tied exclusively to those running the software in-house. Clients of these managed service providers have felt the downstream effect of this zero-day attack. Those clients include dentist offices, accountants, supermarkets, schools and numerous other small businesses.

The Kaseya ransomware attack has drawn the attention of the White House. President Biden ordered U.S. intelligence agencies to investigate the attack. The Cybersecurity & Infrastructure Security Agency (CISA) issued guidance for MSPs and their customers impacted by the attack.

Proactive Cybersecurity Measures

MSPs commonly use multiple tools from different vendors to deliver their services. If Kaseya VSA is one of those tools, they have likely notified their clients already. But even if they are not using Kaseya, businesses should be taking immediate, proactive measures to ensure that they do not become compromised.

Here are some steps internal company IT staff or their MSPs can take:

  • Validate that client endpoints do not have the Kaseya agent installed.
  • Check with their different vendors to determine what their potential exposure is; where integrations with Kaseya existed, ensure those integrations have been terminated.
  • If they use a partner for remote management, ensure that partner is proactively looking for indicators of compromise across all of their tools and their clients.
  • Confirm that their security vendors have already blocked the known applications and services that this attack is using.
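As an added example for the first step above (not code from the original post, nor from Kaseya or Huntress), the following PowerShell check inventories a Windows endpoint for signs of a Kaseya VSA agent and reports them for review. It assumes that the agent's service, its uninstall entry and its install folder all carry "Kaseya" in their names; those name patterns are assumptions to adjust against your vendor documentation.

```powershell
# Added example: report Kaseya agent indicators on a Windows endpoint.
# Assumption (not stated on the page): the agent's service, uninstall entry
# and install folder contain "Kaseya" in their names. Adjust $pattern if your
# vendor documentation says otherwise. The script only reads; it removes nothing.

$pattern  = '*Kaseya*'
$findings = @()

# 1. Windows services whose name or display name matches the pattern
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like $pattern -or $_.DisplayName -like $pattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Source = 'Service'; Name = $_.DisplayName; Detail = $_.Status }
    }

# 2. Installed-program entries (64-bit and 32-bit uninstall hives)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $pattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Source = 'Uninstall'; Name = $_.DisplayName; Detail = $_.DisplayVersion }
    }

# 3. Install folders under both Program Files locations
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($root -and (Test-Path $root)) {
        Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like $pattern } |
            ForEach-Object {
                $findings += [pscustomobject]@{ Source = 'Folder'; Name = $_.FullName; Detail = $_.LastWriteTime }
            }
    }
}

# Report one line per finding, prefixed with the host name so output from many
# endpoints can be collected centrally (for example via your existing RMM tool).
if ($findings.Count -eq 0) {
    "$env:COMPUTERNAME: no Kaseya agent indicators found"
} else {
    $findings | ForEach-Object { "$env:COMPUTERNAME: [$($_.Source)] $($_.Name) ($($_.Detail))" }
}
```

A match is a prompt to verify against your software inventory, not proof of compromise; an endpoint that legitimately runs the agent still needs the vendor's guidance applied.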

In addition, internal IT resources and MSP partners must remain vigilant in their cyber hygiene efforts. We work closely with JDL Technologies, an MSP that is a fellow CSI company. JDL Technologies does not use Kaseya VSA and was not compromised by the attack. Nevertheless, they took action to ensure their clients remain secure. Robert McClure, CIO of JDL Technologies, said, “Our team is actively pursuing additional cybersecurity accreditations. We stay up to date with news and alerts. We keep our solutions updated and we offer cyber threat awareness training, penetration testing, IT assessments, and more.”

In the current environment of rampant cybercrime and ransomware attacks, it’s important to prioritize cybersecurity protection and training. If your IT environment hasn’t been audited in a while, an IT assessment is a great place to start so you can identify vulnerabilities and potential exposures. Schedule yours today to begin the process of securing your business against known threats.

To see more details about the Kaseya attack, including server-side code, follow the Huntress Labs thread on Reddit.

For more information about Ecessa services and solutions, please contact us.