THE KASEYA HACK AND WHY IT’S SUCH A BIG DEAL FOR BUSINESS
You may have been hearing news about the recent Kaseya VSA ransomware attack that happened just as most of us were easing into the long July 4th weekend. Major ransomware attacks are on the rise and while many victims are larger, global companies, small companies are also being breached in increasing numbers. Here’s a look at the Kaseya VSA attack, the results and fallout of the hack, and what the breach means for your business.
What is Kaseya VSA?
Kaseya VSA is a software as a service (SaaS) product that allows managed service providers (MSPs) such as Dox Electronics to manage hundreds or even thousands of clients remotely. MSPs worldwide use Kaseya VSA to provide monitoring and management services to thousands of clients in a number of industries.
The Ransomware Attack
Kaseya was compromised through one specific module of its software. When the cybercriminals attacked the headquarters of Kaseya, they were able to use the software to move through the supply chain and impact hundreds of managed service providers that use it to manage their clients. The clients of those MSPs are known as endpoints.
As the threat actors rode the Kaseya software down through the MSP supply chain to the endpoint clients, they encrypted hundreds to thousands of endpoint users’ data and demanded a ransom. It became a chain reaction of encryption moving from connected device to connected device. Luckily, Dox and its clients were not impacted by the Kaseya hack.
Who Committed the Attack?
This spring, CVE-2021-30116 was discovered by cybersecurity researchers at the Dutch Institute for Vulnerability Disclosure (DIVD). At nearly the same time, the vulnerability was also identified by a group of notorious bad actors in Russia known as REvil (pronounced R Evil). The vulnerability allowed the remote monitoring and management console to be compromised and gave the hackers access to the data of thousands of endpoint customers. The attack was timed to occur on Friday, July 2, 2021, just before Americans took to their long weekend to celebrate Independence Day.
Results of Compromise
When the attack occurred, REvil said it compromised millions of devices. Kaseya CEO Fred Voccola announced that between 50 and 60 of Kaseya’s on-premises remote monitoring and management customers were breached by the REvil ransomware on July 2. Voccola said that equates to roughly 1,500 endpoint customers that had data compromised.
This attack prompted Kaseya to notify law enforcement and government cybersecurity agencies in the United States to get involved in the investigation of the attack. This included the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA). Through assistance from these law enforcement agencies, it was determined that REvil was responsible for the attack. REvil then demanded $70 million in Bitcoin for a global decryptor for all of the data it encrypted worldwide. This makes the Kaseya attack one of the largest ransomware attacks in history. REvil has since dropped its demand to $50 million.
According to a piece by SC Magazine, “Well over a thousand customers of managed service providers using Kaseya VSA were infected with ransomware. The company took the SaaS services offline as a precautionary measure.”
Voccola also announced Kaseya has “locked down” all vulnerabilities leveraged in the attack and has added new layers of security for the software at the suggestion of consultants assisting in the recovery post-attack. Kaseya released pre-patch instructions on Wednesday, July 7, and was back online as of yesterday, July 11.
As part of the pre-patch instructions, VSA clients were told to install the FireEye agent, for which Kaseya is providing MSP clients a complimentary license. Voccola also announced plans to provide financial assistance to MSP customers negatively impacted by the hack. You can download the Kaseya VSA Detection Tool to analyze your system and determine if there are any indications of compromise present, as well as security updates including Kaseya VSA version 9.5.7a, which was released today, July 12.
Cybersecurity researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) had identified the vulnerability used in the attack in April 2021. The DIVD announced last Wednesday that it had reported several vulnerabilities in the software to Kaseya in April so the vulnerabilities could be addressed. The organization said it notified only Kaseya, since a widespread notification of the vulnerabilities could fall into the wrong hands and make more people susceptible to an attack even sooner.
A blog by the DIVD explains that there were seven separate vulnerabilities identified in Kaseya VSA, four of which had already been patched by the time it notified Kaseya of the security flaws. Of the three that had not yet been patched, REvil exploited one to commit its ransomware attack. The vulnerability it exploited was the credentials leak and business logic flaw (CVE-2021-30116). A cross-site scripting vulnerability (CVE-2021-30119) and a two-factor authentication vulnerability (CVE-2021-30120) do not appear to have been exploited in the attack.
In 2012, legislation was proposed at the federal level to require businesses in critical industries to implement stronger cybersecurity practices to stifle such ransomware attacks. Unfortunately, the legislation was defeated after the U.S. Chamber of Commerce and other business groups lobbied against the bill, framing it as government interference in the free market.
To date, the United States has no federal cybersecurity requirements for companies found outside of the banking, electric, and nuclear industries, according to a piece by National Public Radio (NPR). Some states, however, such as New York, California, and Massachusetts have implemented local cybersecurity laws for companies based in or operating in those states.
The hacking group REvil has become infamous for breaching data systems and demanding high ransoms. In addition to high ransoms, REvil has threatened to auction off stolen sensitive information to the highest bidder if victims refuse to pay the demanded ransoms.
REvil attacked JBS, a global meatpacking manufacturer, just last month in June 2021. A ransom of $11 million was paid by JBS to protect meat plants from further disruption post COVID-19 in an attempt to mitigate the impact of the hack on ranchers, grocery stores, and restaurants.
REvil also attacked the celebrity law firm Grubman Shire Meiselas & Sacks in May 2020. In that attack, REvil initially demanded $21 million but increased the ransom to $42 million when the group discovered files related to then U.S. President Donald Trump. REvil has previously attacked other large companies as well, including Apple.
An online article by The U.S. Sun reports that the Russian-based hacking group earns more than $100 million annually by targeting huge global companies and demanding ransoms be paid through Bitcoin. While the organization is located in Russia, there is currently no evidence it is linked to Russian officials. The group also runs a page on the Dark Web called Happy Blog where it has leaked sensitive data from companies it has targeted in the past.
How This Impacts Your Business
With the number of ransomware attacks on the rise, no business of any size is safe. Unfortunately, we now operate in a world where it’s no longer a matter of “if” a company will be attacked, but a matter of “when.” While your business may be small, that doesn’t mean it can’t or won’t be targeted for a ransomware attack. This means your business needs to be prepared to thwart attacks and recover from a breach when one does occur.
Every business should have up-to-date firewalls as well as anti-virus and anti-malware programs. Continuous monitoring and data backup should also be employed to help identify threats as quickly as possible and protect data in the event a ransomware attack does occur.
For more information on preventing and protecting your business from a ransomware attack, contact Dox Electronics at (585) 473-7766 today. The call is free and there is no obligation.