The Kaseya ransomware attack: Everything we know so far

Updated: The latest major software supply chain hack has impacted more than 1,500 companies. Here is everything we know so far.

The Kaseya ransomware attack: Everything we know so far

Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack on July 2, over the American Independence Day weekend.  

It appears that attackers have carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya's VSA software against multiple managed service providers (MSP) – and their customers.

According to Kaseya CEO Fred Voccola, less than 0.1% of the company's customers were embroiled in the breach -- but as their clientele includes MSPs, this means that smaller businesses have also been caught up in the incident. 

Present estimates suggest that 800 to 1500 small to medium-sized companies may have experienced a ransomware compromise through their MSP. 

The attack is reminiscent of the SolarWinds security fiasco, in which attackers managed to compromise the vendor's software to push a malicious update to thousands of customers. However, we are yet to find out just how widespread Kaseya's ransomware incident will prove to be. 

Here is everything we know so far. ZDNet will update this primer as we learn more. 

What is Kaseya?

Kaseya's international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries. 

Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform. 

The firm's software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain. 

What happened?

On July 2 at 2:00 PM EDT, as previously reported by ZDNet, Kaseya CEO Fred Voccola announced "a potential attack against the VSA that has been limited to a small number of on-premise customers."

At the same time, out of an abundance of caution, Voccola urged clients to immediately shut down their VSA servers. 

"It's critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA," the executive said. 

Customers were notified of the breach via email, phone, and online notices. 

As Kaseya's Incident Response team investigated, the vendor also decided to proactively shut down its SaaS servers and pull its data centers offline. 

By July 4, the company had revised its thoughts on the severity of the incident, calling itself the "victim of a sophisticated cyberattack." 

Cyber forensics experts from FireEye's Mandiant team, alongside other security companies, have been pulled in to assist. 

"Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service," Kaseya said, adding that more time is needed before its data centers are brought back online. 

Once the SaaS servers are operational, Kaseya will publish a schedule for distributing a security patch to on-prem clients. 

In a July 5 update, Kaseya said that a fix has been developed and would first be deployed to SaaS environments, once testing and validation checks are complete. 

"We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration," the company said. "We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers."

The ransomware attack, explained

The FBI described the incident succinctly: a "supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers."

Huntress (1,2) has tracked 30 MSPs involved in the breach and believes with "high confidence" that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface. 

According to the cybersecurity firm, this allowed the attackers to circumvent authentication controls, gain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process. 

Kyle Hanslovan, CEO and co-founder of Huntress, told attendees of a webinar discussing the technical aspects of the attack on July 6 that the threat actors responsible were "crazy efficient."

"There is no proof that the threat actors had any idea of how many businesses they targeted through VSA," Hanslovan commented, adding that the incident seemed to be shaped more due to a "race against time." 

"Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks," Sophos noted. "As such, it has a high level of trust on customer devices. By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted."

The vendor has also provided an in-depth technical analysis of the attack. 

Security expert Kevin Beaumont said that ransomware was pushed via an automated, fake, and malicious software update using Kaseya VSA dubbed "Kaseya VSA Agent Hot-fix".

"This fake update is then deployed across the estate -- including on MSP client customers' systems -- as it [is] a fake management agent update," Beaumont commented. "This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya's customers were still encrypted."

With a tip from RiskIQ, Huntress is also investigating an AWS IP address that may have been used as a launch point for the attack. 

On July 5, Kaseya released an overview of the attack, which began on July 2 with reports of ransomware deployment on endpoints. 

"In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure," the company says.

According to the firm, zero-day vulnerabilities were exploited by the attackers to trigger a bypass authentication and for code execution, allowing them to infect endpoints with ransomware. However, Kaseya emphasizes that there is no evidence of the VSA codebase being "maliciously modified". 

Wietse Boonstra, a Dutch Institute for Vulnerability Disclosure (DIVD) researcher, previously identified a number of vulnerabilities, tracked as CVE-2021-30116, which were used in the ransomware attacks. They were reported under a Coordinated Vulnerability Disclosure pact.

"Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions," DIVD says. "Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. " 

Who has been impacted?

Over the weekend, Kaseya said that SaaS customers were "never at risk" and current estimates suggest that fewer than 40 on-prem clients worldwide have been affected. 

However, it should be noted that while a small number of Kaseya clients may have been directly infected, as MSPs, SMB customers further down the chain relying on these services could be impacted in their turn. 

According to reports, 800 Coop supermarket chain stores in Sweden had to temporarily close as they were unable to open their cash registers.

Huntress said in a Reddit explainer that an estimated 1,000 companies have had servers and workstations encrypted. The vendor added that it is reasonable to suggest "thousands of small businesses" may have been impacted.

"This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen," commented Ross McKerchar, Sophos VP. "At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what's being reported by any individual security company."

On July 5, Kaseya revised previous estimates to "fewer than 60" customers, adding that "we understand the total impact thus far has been to fewer than 1,500 downstream businesses."

Now, on July 6, the estimate is between 50 direct customers, and between 800 and 1,500 businesses down the chain. 

When it comes to SaaS environments, Kaseya says, "We have not found evidence that any of our SaaS customers were compromised."

In a press release dated July 6, Kaseya has insisted that "while impacting approximately 50 of Kaseya's customers, this attack was never a threat nor had any impact to critical infrastructure."

Kaseya CEO Fred Voccola said that the attack, "for the very small number of people who have been breached, it totally sucks."

"We are two days after this event," Voccola commented. "We have about 150 people that have probably slept a grand total of four hours in the last two days, literally, and that'll continue until everything is as perfect as can be."

Less than 0.1% of the company's customers experienced a breach.

"Unfortunately, this happened, and it happens," the executive added. "Doesn't make it okay. It just means it's the way the world we live in is today."

What is ransomware?

Ransomware is a type of malware that specializes in the encryption of files and drives. 

In what has become one of the most severe and serious security problems modern businesses now face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations. 

Once a victim's system or network has been encrypted, cyber criminals will place a ransom note on the system, demanding payment in return for a decryption key (which may, or may not, work). 

Today's ransomware operators may be part of Ransomware-as-a-Service (RaaS), when they 'subscribe' to access and use a particular type of ransomware. Another emerging trend is double extortion, in which a victim will have their information stolen during a ransomware raid. 

If they refuse to pay up, they may then face the prospect of their data being sold or published online. 

Common and well-known ransomware families include REvil, Locky, WannaCry, Gandcrab, Cerber, NotPetya, Maze, and Darkside.