CDI’s Statement on the Kaseya Ransomware Attack
By Josh More, Chief Information Security Officer, CDI
Summary of Kaseya Attack:
(Updated: July 6, 2021)
On July 2, 2021, the ransomware group REvil compromised Kaseya VSA servers and used them to push ransomware to roughly 60 organizations.
Kaseya VSA is a tool used by Managed Service Providers (MSPs) for remote monitoring and management of servers, allowing for anti-malware management, patch management, and automation – all capabilities that are critical to MSPs. Unfortunately, these are also all capabilities that help ransomware groups.
While Kaseya put the number of directly impacted organizations at roughly 60, it is believed that the ransomware group targeted those MSPs’ customers and that the total number of affected businesses is significantly larger, likely approaching 1,500. Like the SolarWinds attack at the end of 2020, this is a supply-chain issue and, as such, neither the affected MSPs nor their customers could have done much to prevent it. Unlike the SolarWinds attack, there is no evidence that the attackers had a long-term presence in Kaseya’s network or that Kaseya had neglected basic security practices. Additionally, Kaseya shut down its cloud service very early in the incident, a decision that greatly reduced the potential damage.
Fundamentally, there is a product-design issue here: the same tool that controls security defenses (anti-malware, patching) is also used to manage backups. This places recovery operations at the same layer as prevention, so a compromise of that layer can disable both at once, and it makes the two difficult to operate independently.
Impact on CDI and CDI’s Customers:
CDI does not use and has not used Kaseya for system management, so there is no impact to CDI’s operations or, by extension, to CDI’s customers via CDI’s use of tooling.
Moreover, CDI deliberately uses separate layers between system management/automation and backups, to improve resilience operations.
Starting on Friday, July 2, CDI began scanning customer environments and proactively reaching out to customers known to use the tool. As CDI keeps customer environments completely isolated, there was no risk of ransomware spreading from one environment to another. Moreover, current evidence suggests that with the Kaseya cloud service offline, the attackers were limited to the roughly 60 Kaseya customers whose VSA servers were initially compromised, and to the businesses those MSPs managed.
In short, if Kaseya VSA is not running on your own network and is not used by an MSP to manage your systems, there is no risk to you from this attack.
If you are running Kaseya, please use Kaseya’s detection tool. Be aware that this tool is under active development and may need to be downloaded and run again later in the week to provide sufficient assurance.
If you believe that you have been impacted by this attack, do not click on any links the attackers may have sent you and please contact us as soon as possible.
For further questions or to schedule a call with CDI’s information security team, please contact us at CDI.Security@cdillc.com.
For technical details of this issue, please see previous notifications from CDI or contact us at email@example.com.
This attack has produced the largest number of victims of any campaign by this group, and there is evidence that its ransom website is failing, making it difficult to pay the ransom should a business wish to do so. There is also evidence that the attackers knew how to operate Kaseya once they gained access, which accelerated the attack. Kaseya VSA is designed to rapidly push software changes to many systems, so the tool was functioning as intended; it was simply being operated by a different group.
The attack involves a very large number of command-and-control servers and affiliated domains so a domain shutdown response is unlikely to be helpful, limiting the role a strong central party – such as Microsoft – could play.
While Kaseya is used in many organizations, only around 60 were directly impacted, reflecting the speed with which the issue was addressed. While it is unfortunate that the attackers then went after those MSPs’ customers, and the true numbers are not known, this attack could have been much, much worse. Due to the speed of Kaseya’s response, it appears the attackers did not have time to exfiltrate data, reducing the “second phase” of such attacks, in which attackers demand more money not to release sensitive internal files publicly.
It appears only systems that were running the Kaseya agent were encrypted, so if an organization was not using Kaseya to manage backups, it is likely that backups were not impacted by this attack.
If you were running Kaseya, or are currently using any tool that handles both automation and backups, it would be wise to ensure that backups are stored in a way that is inaccessible to the automation agent: the agent’s identity should be unable to modify or delete backup data, even if it is the identity that created it. Expect supply-chain attacks to continue and to target any application. We need to consider resilience as well as prevention. Zero-trust network designs, privileged user management, micro-segmentation, immutable backups, and multiple backup solutions can all help in the face of supply-chain attacks like this.
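As an added example (not CDI’s tooling and not anything from the Kaseya advisory), the following Python audits a backup store against the two recommendations above: the automation/RMM agent’s identity must not be able to write over or delete backups, and the store must enforce object-level immutability. It uses the shapes of an S3-style bucket policy and of an Object Lock configuration; the bucket name and the role ARNs are hypothetical, and both policies are constructed sample inputs, one showing the weak setting and one the corrected setting.

```python
"""Audit that an automation/RMM agent cannot destroy backups and that the backup
store enforces object immutability.  Added example, not CDI's or Kaseya's code.
Assumptions: S3-style bucket policy JSON and Object Lock configuration shapes;
the bucket name and role ARNs below are hypothetical."""
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::example-backups"                    # hypothetical
AGENT = "arn:aws:iam::123456789012:role/rmm-automation"    # hypothetical RMM agent role
WRITER = "arn:aws:iam::123456789012:role/backup-writer"    # hypothetical backup role

# Actions that let a principal alter or remove existing backups, or loosen the lock.
DESTRUCTIVE = {"s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
               "s3:PutBucketPolicy", "s3:PutObjectRetention", "s3:PutObjectLegalHold"}

# Constructed weak setting: one "management" role does everything, backups included.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AgentFullAccess", "Effect": "Allow", "Principal": {"AWS": AGENT},
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]}]}

# Constructed corrected setting: a dedicated writer may only add and read objects,
# and the automation agent is explicitly denied every destructive action.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupWriterAppendOnly", "Effect": "Allow", "Principal": {"AWS": WRITER},
     "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, BUCKET + "/*"]},
    {"Sid": "DenyAgentDestructive", "Effect": "Deny", "Principal": {"AWS": AGENT},
     "Action": sorted(DESTRUCTIVE), "Resource": [BUCKET, BUCKET + "/*"]}]}

# Object Lock configurations in the shape boto3's get_object_lock_configuration returns.
LOCK_OFF = {"ObjectLockEnabled": "Disabled"}
LOCK_ON = {"ObjectLockEnabled": "Enabled",
           "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return _as_list(principal)


def agent_destructive_actions(policy, agent_arn):
    """Return the destructive actions the agent ends up allowed to perform.
    Follows IAM evaluation within the bucket policy: an explicit Deny beats any Allow."""
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        principals = _principals(stmt)
        if agent_arn not in principals and "*" not in principals:
            continue
        for pattern in _as_list(stmt["Action"]):
            for action in DESTRUCTIVE:
                if fnmatchcase(action, pattern):      # "s3:*" matches every action
                    (allowed if stmt["Effect"] == "Allow" else denied).add(action)
    return allowed - denied


def retention_lock_ok(lock_config, min_days=30):
    """Immutable backups: Object Lock enabled in COMPLIANCE mode (retention cannot be
    shortened, even by the account root) with a default retention of at least min_days."""
    if lock_config.get("ObjectLockEnabled") != "Enabled":
        return False
    rule = lock_config.get("Rule", {}).get("DefaultRetention", {})
    return rule.get("Mode") == "COMPLIANCE" and rule.get("Days", 0) >= min_days


def audit_backup_store(policy, lock_config, agent_arn, min_days=30):
    """Return a list of findings; an empty list means the store passes both checks."""
    findings = []
    leaked = agent_destructive_actions(policy, agent_arn)
    if leaked:
        findings.append(f"agent {agent_arn} may perform {sorted(leaked)} on backups")
    if not retention_lock_ok(lock_config, min_days):
        findings.append(f"no COMPLIANCE-mode retention lock of >= {min_days} days")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_backup_store(WEAK_POLICY, LOCK_OFF, AGENT))
    print("hardened:", audit_backup_store(HARDENED_POLICY, LOCK_ON, AGENT))
```

Against a live bucket the same functions can be fed the output of boto3’s `get_bucket_policy` (parse its `Policy` string with `json.loads`) and `get_object_lock_configuration` (its `ObjectLockConfiguration` key). Two caveats a practitioner should keep in mind: the explicit Deny in the bucket policy is what protects the backups, because an Allow granted in the agent’s own identity policy would otherwise be enough for it to delete objects, and a retention lock in GOVERNANCE mode is deliberately treated as a finding here, since a sufficiently privileged identity can bypass it.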
You can see Kaseya’s updates on this issue at: https://www.kaseya.com/potential-attack-on-kaseya-vsa/