- Federal officials, security researchers, private companies and other organizations worldwide scrambled Tuesday to get a clearer picture of the Friday ransomware attack on IT monitoring firm Kaseya. The REvil group, the threat actor behind the JBS meat distributor attack in June, claimed credit for the attack that was already publicly attributed to them and demanded a $70 million bitcoin payment for a universal decryptor. Some researchers, however, are questioning the validity of the posted claim, saying the ask has dropped to $50 million.
- Kaseya is aware of about 50 customers directly compromised by the attack, all of which used the on-premises version of VSA, the company said Tuesday. Many of Kaseya's customers provide IT services to other firms, and less than 1,500 downstream businesses were impacted, the company said. VSA was the only product impacted by the attack and Kaseya did not had not receive any additional reports of direct customers being impacted since Saturday.
- Kaseya has developed a patch for the on-premises offering, which is going through testing and validation, the company said. The firm expects to make the patch available within 24 hours of its SaaS servers coming back online. Those servers are expected to be brought back Tuesday afternoon, but a final decision on the timeline is expected before noon. The company plans to release VSA in stages.
The attack has directly impacted managed service providers, who provide IT management services to thousands of end customers. Miami-based Kaseya provided IT monitoring and other services to more than 36,000 customers worldwide.
Analysts said the attack on Kaseya is impacting companies, schools, retailers and other organizations worldwide in ways that have yet to be fully understood.
"It’s going to be very difficult to evaluate the actual scale of impacts, other than to say the attack was architected for maximum reach and impact," Katell Thielemann, VP analyst, security & risk management at Gartner. "The Kaseya tool in question is used by many IT service providers globally and the IT service market is very large."
Thielemann said the global IT services market is expected to grow to $1.2 trillion by 2023. Thielemann expressed concerns this attack will have real-world impacts on people; the attack already shut down payment services at hundreds of stores at Sweden’s Coop Stores and Supermarkets chain.
The Sweden-based grocer expected to open a few hundred stores Tuesday and hundreds of stores will allow payment with the company’s Scan and Pay app; it is working to also replace checkout systems at closed stores. Coop is aware of other companies in Sweden and internationally that were impacted by the Kaseya attack.
Synnex Corp., a Fremont, California-based provider of IT distribution services, confirmed outside actors have attempted to access its customers through the Microsoft cloud environment. The company said the attempt may be related to the MSP attacks, but did not name Kaseya or use the word ransomware. Synnex is working with Microsoft and a third-party cybersecurity firm to investigate the attack.
Security firm Huntress is tracking more than 30 MSPs across the U.S., Australia, Europe and Latin America, and Kaseya VSA was used to encrypt more than 1,000 businesses, it said. Huntress confirmed the attackers exploited an arbitrary file upload and code injection vulnerability in order to attack the IT services provider. The attack also involved using an authentication bypass to gain access to the servers.
Kaseya met with officials from the FBI and Cybersecurity and Infrastructure Security Agency Monday to help make sure customers harden systems before attempting to bring back up the system for both on-premises and SaaS customers.
More than 2,000 downloads have taken place since it released a Compromise Detection Tool that was developed after the attack, Kaseya said.
The FBI on Sunday asked companies to follow the guidance from Kaseya and CISA to shut down VSA servers and to report any compromises to the FBI at ic3.gov.
The FBI and CISA recommended MSPs affected by the attack:
- Enable and enforce multifactor authentication on all accounts controlled by the organization, and whenever possible do the same for customer-facing services.
- Implement allowlisting to limit communications with remote monitoring and management capabilities to known IP address pairs or put RMM administrative interfaces behind a VPN or firewall of a dedicated administrative network.