Is anyone really surprised? This seems like just the next victim in the cyber attack war games. This one stings more because it’s part of the supply chain and that affects MSPs as well as their clients – Break one, get many.
It’s quite obvious that the bad actors are constantly working on the supply chain to find the next crop of vulnerabilities. I am sure Kaseya did a lot to prevent many more breaches. This one just got away. It is a good time to remember that the hackers only need to be right once.
Unfortunately this will not be the last. The big question is how much of the damage will be contained and what will be the final impact on the MSPs and their clients. We will sure be learning more about the fallout over time.
Right now, it’s the emergency triage phase to stop the bleeding and stabilize the situation. Then comes the recuperation period and finally the longer term medication to prevent this from happening again.
Today, it is good to see what appears to be quick disclosure by Kaseya, with the news media amplifying the message just as quickly. Fast, public notification is a solid line of defence for containing the damage.
Some reporting put the ransom demand at about $70 million. Quite a number, as the hackers raise the game and become bolder.
Check out the Kaseya link for the latest updates: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-3rd-2021
The “incident” according to Kaseya:
To date, we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses.
We have not found evidence that any of our SaaS customers were compromised.
We have had no new reports filed of compromises for VSA customers since Saturday July 3rd.
VSA is the only Kaseya product affected by the attack and all other IT Complete modules are not impacted.
The Kaseya plan:
The Patch for on-premises customers has been developed and is currently going through the testing and validation process. We expect the patch to be available within 24 hours after our SaaS servers have been brought up. The current estimate for bringing our SaaS servers back online is July 6th between 2:00 PM – 5:00 PM EDT. A final go/no-go decision will be made tomorrow morning between 8:00 AM EDT – 12:00 AM EDT. These times may change as we go through the final testing and validation processes.
A new version of the Compromise Detection Tool can be downloaded at the following link: VSA Detection Tools.zip | Powered by Box
This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present. The latest version searches for the indicators of compromise, data encryption, and the REvil ransom note.
They recommend that you re-run this procedure to better determine if the system was compromised by REvil.
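To show what a compromise-detection pass like the one described above actually does on a host, here is an added example (my code, not Kaseya's tool and not from the notice) of a minimal IoC scanner: it walks a directory, matches file hashes against a known-bad list, looks for a ransom-note file by name and marker text, and flags files whose byte entropy looks like ciphertext. The notice publishes no indicator values, so every hash, file name and marker below is a constructed placeholder, not a real REvil or Kaseya indicator; the sample directory is built inline so the script runs offline.

```python
import hashlib
import math
import random
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# PLACEHOLDER indicators: constructed for this example only. A real run would
# load the vendor-published hash list and note names instead.
PLACEHOLDER_HASHES = {hashlib.sha256(b"PLACEHOLDER-MALICIOUS-PAYLOAD").hexdigest()}
NOTE_NAME_PATTERN = re.compile(r"readme\.txt$", re.IGNORECASE)  # placeholder note name
NOTE_MARKER = b"PLACEHOLDER RANSOM NOTE"                        # placeholder note text

# Encrypted files are near-uniform random bytes; legitimate compressed formats
# are too, so those extensions are excluded to limit false positives.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE_FOR_ENTROPY = 1024
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_file(path: Path) -> List[str]:
    """Return the list of indicator categories that fire for one file."""
    findings: List[str] = []
    data = path.read_bytes()

    # 1. Known-bad hash match (the classic IoC check).
    if hashlib.sha256(data).hexdigest() in PLACEHOLDER_HASHES:
        findings.append(f"hash-match:{path.name}")

    # 2. Ransom note: expected file name plus marker text in the body.
    if NOTE_NAME_PATTERN.search(path.name) and NOTE_MARKER in data:
        findings.append(f"ransom-note:{path.name}")

    # 3. Probable encryption: large, high-entropy, and not a compressed format.
    if (len(data) >= MIN_SIZE_FOR_ENTROPY
            and path.suffix.lower() not in COMPRESSED_EXTENSIONS
            and shannon_entropy(data) > ENTROPY_THRESHOLD):
        findings.append(f"high-entropy:{path.name}")
    return findings


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Scan every regular file under root; keep only files with findings."""
    results: Dict[str, List[str]] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        hits = scan_file(path)
        if hits:
            results[str(path.relative_to(root))] = hits
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one benign file and one example of each indicator."""
    (root / "notes.txt").write_bytes(b"quarterly report draft " * 100)   # benign, low entropy
    (root / "payload.bin").write_bytes(b"PLACEHOLDER-MALICIOUS-PAYLOAD")  # hash match
    (root / "readme.txt").write_bytes(NOTE_MARKER + b"\nYour files are encrypted (placeholder)\n")
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    (root / "budget.xlsx.locked").write_bytes(rng.randbytes(4096))        # encrypted-looking


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", ", ".join(hits))
```

The entropy heuristic is the part worth re-running after any clean-up, as the notice suggests: a hash list only catches the payload it was written for, whereas a sudden population of large, near-8-bit-entropy files with unfamiliar extensions is what encryption looks like regardless of which binary did it.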