Businesses are contending with the after-effects of a supply chain security incident this week, after Kaseya, a provider of remote IT monitoring software, suffered a ransomware attack last week.
The attack was uncovered after threat actors exploited multiple zero-day vulnerabilities in Kaseya’s on-premises VSA product. An affiliate of REvil/Sodinokibi was able to deploy a ransomware encryptor to connected endpoints, according to Mandiant, which was hired by Kaseya to investigate the attack.
While the effects of the incident are still unfolding, questions remain as Kaseya works to control the incident’s damage and companies, particularly small- and medium-sized businesses, confront the impact.
Cybersecurity Dive has collected the details known so far. Questions remain, and the full extent of the supply chain attack is still unfolding.
Who was impacted:
The attack impacted fewer than 60 of Kaseya’s direct customers, most of them managed service providers or other companies that provide IT services to small businesses and other organizations. But about 1,500 of those providers’ end-customers, including schools, medical offices and local governments, were impacted by the attack. Kaseya has more than 36,000 customers globally.
What was the ransom:
REvil on July 4 claimed credit for the attack and posted a ransom demand of $70 million for a universal decryptor key. Those demands were later dropped to $50 million, according to researchers. Individual companies have also received ransom demands of their own.
Federal officials are investigating an attack against the Republican National Committee involving one of its contractor firms, Synnex Corp., which took place over the same time period.
The $70 million ransomware demand is the largest in history, according to Mandiant. The attack follows a series of high-profile supply chain attacks, including the 2020 attack on SolarWinds by the threat actor that Microsoft calls Nobelium and the Microsoft Exchange Server attack.
Since those incidents, the U.S. has been hit by two major ransomware incidents, including the Colonial Pipeline ransomware attack in May and the June ransomware attack against meat supplier JBS, which paid $11 million in ransom to REvil.
Kaseya has released technical details of the attack, including network and endpoint indicators of compromise, as well as file names linked to the deployment of the encryptor and web log indicators. The company has also released a compromise detection tool, to help companies understand whether their systems have been directly impacted. Kaseya produced runbooks for both on-premises and SaaS customers.
The company released a patch for its VSA on-premises customers on Sunday, and its SaaS customers went live Monday morning. Despite unplanned maintenance on its VSA SaaS infrastructure Monday afternoon, all VSA SaaS instances are live, the company said in an update. The company has also introduced a series of new requirements designed to harden the VSA system, including mandatory password updates and multifactor authentication.
What remains to be seen is whether any backdoors have exposed those companies to opportunistic attacks from other threat actors. Independent researchers validated the efficacy of the patch, which successfully eliminates the attack vector when installed, Huntress researchers said.
Federal officials have not officially attributed the attacks and have not made final decisions on how they plan to address the incident. However, President Joe Biden spoke with Russian President Vladimir Putin on Friday and warned that the U.S. would defend itself from further attacks, according to senior administration officials.
Whether that includes some form of formal counterstrike from the Pentagon, economic sanctions, or other response is not yet clear.