Supply Chain Attack on Kaseya: Is the Same Security Fiasco Looming as at SolarWinds?
by Svenja Koch
The American company Kaseya offers IT solutions such as VSA, a unified remote monitoring and management tool for dealing with networks and endpoints. In addition, the portfolio includes compliance systems, service desks and a professional service automation platform.
The company's software is designed for enterprises and managed service providers (MSPs). According to Kaseya, over 40,000 companies worldwide use at least one of its software solutions. As a technology provider for MSPs, Kaseya is central to a broader software supply chain.
What is known about the supply chain attack so far
The extensive cyberattack on SolarWinds is still with us, and now comes another supply chain attack whose scale appears to be similar: Kaseya's IT management software, used in MSP (managed service provider) environments, has been hit by a supply chain hack. As with the SolarWinds incident, this latest attack uses a two-step malware delivery process that enters technology environments through a backdoor. Unlike SolarWinds, the cybercriminals behind this attack apparently had monetary gain rather than cyber espionage as their goal. By exploiting the trust relationship between Kaseya and its customers, they deployed REvil ransomware as a further step and demanded a ransom payment of US$70 million via the Darknet for the decryption of the data.
The supply chain effect
Kaseya has more than 36,000 customers in total. Companies use Kaseya's VSA programme to manage software updates on their computer systems. An intrusion into the VSA software can therefore open many doors at once for attackers. The IT security company Huntress reported more than 1,000 companies whose systems had been encrypted.
Kaseya announced over the weekend that, according to current knowledge, fewer than 40 customers had been affected. However, the domino effect of the attack should not be underestimated, because the affected companies included service providers who themselves have several customers. Via this supply chain route, the attack also hit the Swedish Coop chain, where the checkout systems no longer functioned. Only 5 of the 800 stores and the online shop remained open.
Kaseya's Incident Response Measures
Kaseya reported "a potential attack against VSA that was limited to a small number of customers on site" at 2:00 p.m. EDT on 2 July. That same day, the company halted its cloud service and notified its customers of the breach via email, phone and online notifications. Customers were simultaneously instructed to immediately turn off their locally running VSA systems. According to the company, customers of the cloud service were not at risk at any time: all affected companies were running local (on-premises) VSA installations.
Kaseya's incident response team also decided to proactively shut down its SaaS servers and take its data centres offline. The company is currently working around the clock in all regions to resolve the security issue and get customers back online. In an update on 5 July, Kaseya said a fix is being developed and will be deployed to SaaS environments first.
Kaseya is providing further updates on this security incident on its corporate page.
According to the IT security experts involved, there is currently evidence that more than 70 managed service providers were affected by the supply chain attack, resulting in more than 350 additional organisations being affected. It must be assumed that the total number of victim organisations is higher than the figures reported by individual security companies. For example, an affected IT service provider from Germany has already reported the incident to the BSI. Its customers were affected, said a BSI spokesperson, with several thousand computers at several companies impacted. It cannot be ruled out that more companies will report problems in the coming days that can be traced back to the Kaseya attack.
What is ransomware?
The overarching goal of attackers who use ransomware is to blackmail the data owner. Sensitive data is encrypted, or access to it is blocked, in order to demand a ransom for decryption or release. Precisely because of the lucrative monetary prospects of success, the number of cyber attacks using extortion software, or so-called crypto-Trojans, continues to increase. For companies, such attacks often carry consequences that threaten their very existence.
Once a victim's system or network has been encrypted, cybercriminals place a ransom note on the system and demand payment in exchange for a decryption key (which may or may not work).
Today's ransomware operators can be part of a Ransomware-as-a-Service (RaaS) scheme, in which they "subscribe" to gain access to and use a specific type of ransomware. Another cybercrime development is double extortion, where a victim's information is also stolen during a ransomware attack. If the victim refuses to pay, they are threatened with the sale or online publication of their data.
Common and well-known ransomware families include REvil, Locky, WannaCry, GandCrab, Cerber, NotPetya, Maze and DarkSide.