SecureWorld News

Kaseya Ransomware Attack Through the Eyes of the Victim

Written by SecureWorld News Team | Tue | Jul 6, 2021 | 3:25 PM Z

While the United States was celebrating the 4th of July holiday weekend, a Russia-based cybercrime group launched a ransomware attack against a piece of the IT security supply chain.

At the center of the attack is a company called Kaseya.

Let's look at the attack through the company's eyes, as it explains what happened, what it was doing during the incident response, and what is coming next.

The ransomware attack target: Kaseya software

What does Kaseya do?

Kaseya VSA is a Virtual System/Virtual Server Administrator that gives companies the power to monitor their IT network and endpoints and manage vulnerabilities through patch management. The company offers these services through the cloud and on-premise VSA servers.

Many managed service providers (MSPs) use Kaseya's VSA to secure their clients, most of which are small and medium-sized businesses.

Kaseya ransomware attack: updates reveal timing and scope

What was the timeline of the Kaseya ransomware attack?

Friday, July 2, 2021, 4 p.m. ET 

Kaseya issues its first statement on the attack; it is five sentences long. Here are two of them:

"We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only. We have proactively shut down our SaaS servers out of an abundance of caution."

Friday, July 2, 10 p.m. ET update

Company CEO Fred Voccola provides a late evening update. The tone, for this update, is surprisingly upbeat, and there is no mention of ransomware:

"We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly. We will release that patch as quickly as possible to get our customers back up and running.

I am proud to report that our team had a plan in place to jump into action and executed that plan perfectly today. We've heard from the vast majority of our customers that they experienced no issues at all, and I am grateful to our internal teams, outside experts, and industry partners who worked alongside of us to quickly bring this to a successful outcome."

This sounds hopeful, doesn't it? But by the next morning, the optimism seems to vanish.

Saturday, July 3, 10:30 a.m. ET update

The tone of the messages from Kaseya now changes dramatically, and ransomware is suddenly dropped into company communications:

"Kaseya's VSA product has unfortunately been the victim of a sophisticated cyberattack....

We have been advised by our outside experts, that customers who experienced ransomware and receive a communication from the attackers should not click on any links — they may be weaponized."

And the tone of this update becomes so serious it includes some warnings typed in all caps:

"ALL ON-PREMISES VSA SERVERS SHOULD CONTINUE TO REMAIN OFFLINE UNTIL FURTHER INSTRUCTIONS FROM KASEYA.

SAAS & HOSTED VSA SERVERS WILL BECOME OPERATIONAL ONCE KASEYA HAS DETERMINED THAT WE CAN SAFELY RESTORE OPERATIONS."

July 3, 9 p.m. ET update

Next, we received the Saturday evening ransomware attack update. The updates are getting quite long, which can be confusing. However, the company does a nice job of distinguishing what is new by underlining those items. Clearly, this is what the company thought worthy of highlighting:

  • "A Compromise Detection Tool will be available later this evening to Kaseya VSA customers by sending an email to support@kaseya.com with the subject 'Compromise Detection Tool Request' from an email address that is associated with a VSA customer.
  • With the availability of the Compromise Detection tool, we strongly recommend that compromised customers immediately begin the recovery process.
  • Fred Voccola, CEO of Kaseya, will be interviewed regarding this incident on Good Morning America on the ABC network on Sunday, July 4th. Please consult your local TV listings for times in your region. (This is subject to last minute rescheduling by the network)
  • There has been only one new report of a compromise occurring today due to a VSA on-premises server being left on. We are confident we understand the scope of the issue and are partnering with each client to do everything possible to remediate. We believe that there is zero related risk right now for any VSA client who is a SaaS customer or on-prem VSA customer who has their server off.
  • We have engaged a computer incident response firm (FireEye Mandiant IR) to identify the indicators of compromise (IoCs) to ensure that we can identify which systems and data were accessed. We have identified a set of preliminary IoCs and have been working with our affected customers to validate them. The availability of the Compromise Detection Tool is based on our interactions with our outside experts."

You can sense the urgency in this update, can't you? And with good reason. The ransomware attack is now making headlines around the world, with security researchers pointing the finger at Russian ransomware operator REvil, which recently attacked the world's largest meat producer, JBS.

Kaseya ransomware attack: what InfoSec is saying

By the time we've had two days of Kaseya updates on the attack, word is out about major impacts. One example: Swedish grocery giant Coop is forced to close several hundred of its stores because it can no longer collect payment at its registers. 

The company statement suggests the scope of the event is global:

"During Friday evening, July 2, Coop was hit by major IT disruptions that affected our cash registers in stores. This is part of a larger global event aimed at the American software company Kaseya. Several other Swedish and international companies have been affected by the same event."

And this is big news on #InfoSecTwitter, which is sharing about victims of the attack. 

Kevin Beaumont also shared a statement from retail point-of-sale company Visma Esscom. It reveals the heart of the problem here and why attacking the IT security supply chain is such a "great" target for REvil.

"The attack results in the Kaseya software that Visma Esscom and many other service providers use in their deliveries to the retail industry being used to spread a ransomware virus to clients and servers in customers' IT environments. The most critical consequence is that the stores cannot charge their customers when the checkouts are contaminated."

And then there was talk about the ransom wanted by REvil, which was in flux over the weekend:

Kaseya cyberattack updates continue: days 3-5

Sunday, July 4, 10 a.m. ET update

The major news here is the 24/7 incident response work the company is engaged in, along with some key details now available for customers. Again, the company underlined what was new. This includes, as you will see, an updated version of its new Compromise Detection Tool:

"We are in the process of formulating a staged return to service of our SaaS server farms with restricted functionality and a higher security posture (estimated in the next 24-48 hours but that is subject to change) on a geographic basis. More details on both the limitations, security posture changes, and time frame will be in the next communique later today.

The new Compromise Detection Tool was rolled out last night to almost 900 customers who requested the tool. Based on feedback from customers, we will be publishing an update to the tool this morning that improves its performance and usability. 

There are no changes that will require a re-run of the tool on systems that have been scanned. This new version of the Compromise Detection Tool will be automatically sent to customers who received the first version. New requests can be made by sending an email to support@kaseya.com with the subject 'Compromise Detection Tool Request.'"


July 4, 5:30 p.m. ET update

As barbecues and fireworks are happening across the United States, Kaseya finally has some good news for customers: it will restart its SaaS-based offering on Monday, July 5th. It offers these key points in its communication:

  • "In the spirit of responsible disclosure, Kaseya will be publishing a summary of the attack and what we have done to mitigate it.
  • Some lightly-used legacy VSA functionality will be removed as part of this release out of an abundance of caution. A specific list of the functionality and its impact on VSA capabilities will be outlined in the release notes.
  • There will be new security measures implemented including enhanced security monitoring of our SaaS servers by FireEye and enablement of enhanced WAF capabilities.
  • We have successfully completed an external Vulnerability Scan, checked our SaaS Databases for Indicators of Compromise, and have had external security experts review our code to ensure a successful service restart."

The company adds that it is still working on remediation for its on-prem VSA customers. And it affirms that all hands are working around the clock: 

"...security, support, R&D, communications, and customer teams continue to work around the clock in all geographies."

Monday, July 5, 1 p.m. ET update on delays

The main point of this update is to announce that Kaseya has delayed the restart of its SaaS services for customers.

Monday, July 5, 9:30 p.m. ET update, incident details emerge

A single supply chain attack that reaches more than 1,000 customers: that appears to be what REvil has pulled off in this ransomware attack:

"To date, we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack.

While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found evidence that any of our SaaS customers were compromised."

This time, the company also included two crucial updates for customers. For on-prem customers:

  • "The Patch for on-premises customers has been developed and is currently going through the testing and validation process. We expect the patch to be available within 24 hours after our SaaS servers have been brought up."

When, exactly, will that occur? Customers are left guessing, based on the update for SaaS clients: 

  • "The current estimate for bringing our SaaS servers back online is July 6th between 2:00 PM – 5:00 PM EDT. A final go/no-go decision will be made tomorrow morning between 8:00 AM EDT – 12:00 AM EDT. These times may change as we go through the final testing and validation processes."

So that is a look at how Kaseya responded to its ransomware attack, according to its own updates and public statements. 

If you were impacted by this data breach, did you have a different experience than the one the company depicted in its updates? Let us know in the comments below.

There is more to come on this story, we are sure.