- Kaseya, a provider of remote IT monitoring software, was unable to restore its VSA SaaS systems Tuesday as it worked to recover from the ransomware attack by REvil, which impacted its on-premises business. Kaseya shut down its SaaS servers as a precaution to protect customers, CEO Fred Voccola said last week.
- The company began the technical work on restoring its SaaS systems at Tuesday afternoon, and was planning to issue an on-premises patch within 24-hours of SaaS service restoration, Kaseya said in an update.
- Many of the organizations impacted by the ransomware attack are very small businesses that are just discovering the attack following the Independence Day holiday, according to Charles Carmakal, senior vice president and CTO at Mandiant, which is working with Kaseya on the recovery.
A clearer picture began to emerge of the Kaseya attack, as thousands of SMBs reopened on Tuesday following Fourth of July weekend, and federal officials got a closer look at the impact of the REvil attack.
"I would first say the attack over the weekend underscores the need for companies and government agencies, as well, to focus on improving cybersecurity," said Jen Psaki, White House press secretary, during the daily briefing on Tuesday. "And we've talked a bit in the past about the importance of the private sector hardening their own cybersecurity, putting in place the best practices that have been recommended by the federal government for some time."
As Kaseya worked with federal officials and outside cybersecurity specialists to restore its monitoring service to thousands of customers worldwide, one security researcher warned the downstream effects on these businesses needed to be closely monitored.
"Our current concern is that if organizations shut down their on-premises VSA servers, there could be a chance that these systems are powered off in a state with sleeping jobs still queued to ransom more downstream endpoints," John Hammond, senior security researcher at Huntress said. "We significantly hope that the eventual patch may also come with a detailed procedure for booting up these systems without networking, walking through a variety of diagnostics to check for signs of compromise, removing any pending jobs if applicable and then finally applying the patch."
REvil, the actor behind the attack, demanded $50 million for a universal decryption key, down from the initial ask of $70 million, a spokesperson for Palo Alto Networks, said via email. REvil also asked for $45,000 in ransom from each victim for decryption, according to Palo Alto. REvil posted information related to various organizations around the world on a Dark Web site, with victims ranging from retailers to restaurants, hotels, real estate and medical organizations.
Cozy Bear targeted the Republican National Committee, in an intrusion during the Kaseya attack, Bloomberg reported Tuesday. The threat actor was previously implicated in the 2016 attack on the Democratic National Committee and the 2020 attack on SolarWinds.
"Over the weekend, we were informed that Synnex, a third-party provider, had been breached," Richard Walters, chief of staff at the RNC said in an emailed statement. "We immediately blocked all access from Synnex accounts to our cloud environment."
The RNC team worked with Microsoft on a review of its systems and after an investigation found no RNC data was accessed, Walters said. The RNC plans to continue working with Microsoft and federal law enforcement on the situation.
Synnex previously confirmed outside threat actors attempted to access its systems, but the firm had not confirmed whether this attack was related to Kaseya or a separate attack.
"As noted in our media Tuesday morning, we are conducting a thorough review of a few instances in which outside actors have attempted to gain access, through Synnex, to customer applications within the Microsoft cloud environment," Michael Urban, president of worldwide technology distribution solutions at Synnex, said via email.
Mandiant, while not confirming any details of the hack, said that political parties are considered ideal targets for espionage attacks when threat actors are trying to collect military, political or economic intelligence.
"Though these organizations have been famously involved in aggressive hack and leak campaigns, more often than not, Russian hackers and others target them to quietly gather intelligence," John Hultquist, VP of analysis at Mandiant Threat Intelligence said.