Zero-Day Vulnerability Causes Major Problems for IT Providers

A new ransomware attack has surfaced, this time mostly targeting IT companies and their clients. The attack is specifically targeting the Kaseya platform. Kaseya is management software that many IT companies use to remotely manage and support technology. The attack in question attacked Kaseya’s supply chain through a vulnerability in its VSA software; this attack is notable because of how it targeted the supply chain, not only striking at the vendor’s clients—notably IT companies—but also their customers. Basically, this attack had a trickle-down effect that is causing widespread chaos for a massive number of businesses.

Let’s dive into the details and see what can be learned from this ransomware attack.

What is Kaseya?

Kaseya is a software vendor that works closely with managed service providers (MSPs) to provide IT solutions. The software designed by Kaseya is meant to be used by managed service providers and large enterprises to manage and support technology across multiple networks. As reported by ZDNet, at least 40,000 companies worldwide use at least one tool created by Kaseya.

The attack in question leveraged a vulnerability in Kaseya’s VSA service, which is basically a remote monitoring and management tool. 

Since Kaseya plays such a key role in connecting IT companies to the businesses that they support, it should come as no surprise that such a ransomware attack could have profound effects on both the MSP service industry and the countless businesses that are supported by them. If your IT provider happened to use this particular software, there is a good chance that you were unlucky enough to become a victim of this attack, especially if other countermeasures weren’t in place.

The Attack’s Timeline

To give you an idea of how this attack has progressed, let’s take a look at the timeline, as it was reported by ZDNet:

• July 2, 2021: Kaseya CEO Fred Voccola announced that the company experienced an attack against the VSA that was limited to “a small number of on-premise customers.” Voccola also urged users of the VSA service to disconnect all servers hosting the solution in an effort to prevent further infections. Kaseya informed those potentially affected by the attack, as well as shut down their own SaaS servers as a safety precaution.
• July 3, 2021: Kaseya released a Compromise Detection Tool to help customers determine if they have been compromised by the ransomware or not. The tool analyzes the endpoint or server to see if there is any indication of compromise on the system.
• July 4, 2021: Kaseya declared that they had become a “victim of a sophisticated cyberattack,” and brought in external security experts, including Mandiant, to aid in learning more about the attack and resolving the issue.
• July 5, 2021: Kaseya issued the following update: "We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration. We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers."

The attack itself is thought to have been administered via an automated malicious software update, bypassing authentication and executing commands remotely. More information on this attack can be found in Kaseya’s briefing on the incident here.

The Takeaway

Since this particular issue was caused by a zero-day vulnerability (a previously unknown vulnerability) in a provider’s systems, it is hard to fault anyone in particular for this hack, but it does further reinforce the importance of monitoring your system for irregularities, as this attack was only uncovered as a result of such monitoring. Imagine the damage that could have been caused by this threat if it were to remain undiscovered for an extended period of time. It just goes to show that even businesses that do everything right can still become victims of ransomware attacks.

While there are countermeasures to prevent ransomware attacks and restorative measures to get back in business after being attacked, if these measures weren’t in place for a company that was a victim of the attack, things probably aren’t looking very good. 

We can’t stress enough that it is critical to have a solid backup solution in place that is regularly tested and reviewed. It’s also a good idea to have your network hardened and evaluated at least once a year to help it withstand ransomware attacks and other threats. Even if you need a second option, we’re happy to help.

Therefore, you should always take preventative measures to ensure that ransomware is as mitigated as possible. We can help your business keep itself safe from threats of all kinds. To learn more, reach out to us at (847) 697-3282.