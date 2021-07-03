



Just in time to ruin a holiday weekend, ransomware attackers apparently used Kaseya, a software platform designed to help manage IT services remotely, to deliver payloads. Sophos director and ethical hacker Mark Loman tweeted about the attack today, reporting that it would cost $44,999 to unlock the affected system. A note on Kaseya's website asks customers to block the VSA server for now, as one of the first things an attacker does is block administrative access to the VSA.

Breaking News: Cyber criminals are a$$holes.

Keep in mind that all incident response teams are busy this holiday weekend … again.

If you are using Kaseya VSA, *shut down* *now* until you are instructed to reactivate and start the IR. The binaries are: https://t.co/NIuGJZW84p https://t.co/GSXPlOPjFt

Chris Krebs (@C_C_Krebs) July 2, 2021

The attack targeted six large MSPs and encrypted data from as many as 200 companies, as reported by Bleeping Computer.

On DoublePulsar, Kevin Beaumont posted more details on how the attack works. REvil ransomware arrives via the Kaseya update and infects the system using platform administrator privileges. When a managed service provider becomes infected, the system can attack the clients to which the provider delivers remote IT services (network management, system updates, backups, etc.).

In a statement, Kaseya told The Verge that it was investigating a potential attack on VSA, which it indicated is limited to a small number of on-premises customers. According to the notification, all cloud servers are currently in maintenance mode, a step a spokesperson said was taken out of an abundance of caution. Late Friday night, Kaseya CEO Fred Voccola issued a statement estimating that the number of affected MSPs was less than 40 and saying the company was preparing a patch to mitigate the vulnerability.

Today’s attack is linked to the infamous REvil ransomware gang (already linked to attacks on Acer and meat supplier JBS earlier this year), and The Record notes that, counting incidents tracked under multiple names, this could be the third time Kaseya software has been a vector for their abuse.

Beginning around noon (EST/US) on Friday, July 2, 2021, Kaseya's Incident Response team was informed of potential security incidents related to VSA software.

We have taken immediate steps to protect our customers.

Immediately shut down the SaaS servers as a precautionary measure, even though we had not received a breach report from any SaaS or hosted customer.

Immediately notified on-premises customers by email, in-product notification, and phone to shut down their VSA servers to prevent breaches.

Next, we followed an established incident response process to determine the scope of the incident and the extent of its impact on our customers.

We involved an in-house incident response team and industry-leading experts in forensic research to identify the root cause of the problem.

Notified law enforcement agencies such as the FBI and CISA and government cybersecurity agencies.

Early metrics showed that only a few on-premises customers were affected, but we took a conservative approach when shutting down SaaS servers to maximize the protection of over 36,000 customers. We have received positive feedback from our customers regarding our prompt and proactive response.

The investigation is underway, but so far we believe:

SaaS customers were not at risk. Once we have confirmed that our customers are not at risk, we will restore service to these customers. This will be completed within 24 hours.

Currently, the percentage of affected customers is negligible and is estimated to be less than 40 worldwide.

We are confident that we have identified the source of the vulnerability and have patches to mitigate it for on-premises customers, and that they are thoroughly tested. We will release the patch as soon as possible so that you can recover and run it.

We are proud to report that our team has a plan to take action and has fully implemented that plan today. The majority of our customers said they had no problems at all, but we thank our internal team, external experts and industry partners for their quick success.

Today’s actions are a testament to Kaseya’s unwavering commitment to putting our customers first and providing the highest levels of support for our products.

Kaseya CEO Fred Voccola

Update July 2nd, 10:40 PM ET: Added statement from Kaseya's CEO.

