On July 2, 2021, Kaseya, a software provider, announced that it had been attacked and that some of its clients may have been affected. The company advised its clients to shut down any VSA servers they’re running to prevent any potential or further breach in their systems.
The warning came too late for many customers: the supply chain attack by the REvil ransomware group had already succeeded. It impacted an estimated 1,500 downstream businesses, most of them small to medium-sized, and REvil demanded $70 million for a universal decryptor, one of the largest ransom demands in ransomware history.
To understand the magnitude of this event, let’s break it down in detail and analyze the elements involved.
First of All, What is Kaseya?
Kaseya is a provider of IT management software used by many kinds of organizations, including internal IT departments and Managed Service Providers (MSPs).
It offers products such as Virtual System Administrator (VSA) for remote monitoring and management, BMS for professional services automation, Compliance Manager for automating compliance processes, and Managed SOC for 24/7 threat monitoring.
Some of Kaseya’s customers include QA Limited, Infinite Campus, Inc., RapidFire Tools, Unitrends, and Genesis AEC. These companies are all in the computer software industry, with workforces of more than 1,000 employees and revenue in the $1-10 million range.
What is a Ransomware Attack?
Ransomware is malicious software (malware) that encrypts the files on the computers it infects so that their owners can no longer use them; many current strains also copy the data out to the attackers’ servers first so that it can be leaked if the victim refuses to pay. Businesses are hit especially hard because the data they run on becomes unavailable all at once.
In exchange for the decryption key (and, where data was exfiltrated, for not publishing it), the attackers demand a ransom. The highest ransom known to have been paid as of 2021 is believed to be $40 million, paid by the insurer CNA Financial to recover from a ransomware attack. Ransom demands, and with them ransomware payments, are rising.
Details of the Kaseya Ransomware Attack
According to the FBI’s investigation, the attack was made possible by a vulnerability in Kaseya VSA: an authentication bypass in the VSA server’s web interface let the attackers in without valid credentials.
That single flaw let the attackers act as authenticated users on the VSA backend, and from there use VSA’s own agent-management features, the same ones that normally deploy updates to managed machines, to push the ransomware payload to the endpoints those servers controlled.
Why Was Kaseya Targeted?
Attacking the VSA server directly pays off for the attacker because of how much authority VSA customers hand to it. Given the details of the attack and VSA’s role in its users’ environments, it is clear the attack was launched because of Kaseya’s access to the thousands of computer systems of the businesses that trusted its software.
Virtual System Administrator, or VSA, automates the IT operations of thousands of companies. These operations include, but are not limited to, performance monitoring and reporting, auditing, and compliance handling.
Because every managed endpoint runs a VSA agent that carries out whatever the server instructs, the server’s own login is effectively the one checkpoint protecting all of them. Once the authentication bypass got the attackers past that checkpoint, the same automation pipeline that delivers legitimate updates delivered their payload. Additional injection flaws in the same web application, which allowed manipulation of the backend database, extended that access.
What Did Kaseya Do After the Attack?
Kaseya responded quickly. Announcing the attack early limited the damage: customers who shut down their VSA servers cut off the channel the attackers were using to reach further endpoints. The company also brought in external security experts to assess whether its code was safe enough to bring services back online.
Two days after the attack, the company announced its recovery plan, prioritizing transparency with its users, and promised to publish a summary of what had happened and the actions it had taken in response to REvil.
In response to REvil’s abuse of the VSA vulnerability, Kaseya removed some legacy VSA functionality that few customers relied on, shrinking the attack surface, and added new security measures to strengthen monitoring of its SaaS servers.
What Can SMBs Learn from the Kaseya Ransomware Attack?
Ransomware attacks are steadily rising as industries rely more and more on electronic data. With data being the currency of the modern economy, cybercriminals see more return in carrying out these attacks.
Cybercriminals are also becoming more inventive in how they attack businesses, including SMBs. That leaves prevention and readiness as the primary defense against such intrusions.
How Can You Spot a Ransomware Attack?
Successful ransomware attacks run quietly, leaving the target little time to react before its data is encrypted (and, in double-extortion cases, already copied out). Knowing the signs of an attack in progress is therefore essential.
In this recent blog post, we’ve identified the tell-tale signs business owners should watch for. Anything out of the ordinary, such as files being renamed or rewritten in bulk, can indicate that someone is inside your systems. A diligent tech team and a robust cybersecurity monitoring system should be able to spot such irregularities.
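One of the signs mentioned above, files being renamed to a new extension in bulk, can be turned into a concrete detection. The following is an added example, not code from the original post or from Kaseya; it assumes file-rename events (timestamp, process, old path, new path) as an EDR, Sysmon, or auditd pipeline would emit them, and the thresholds, the benign-extension list, and the sample events are all constructed assumptions.

```python
"""Sliding-window heuristic for encryption-in-place ransomware: one process
renaming many files to a new extension within a short span. Added example;
event source, process names, thresholds and sample data are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
import os

# Extensions a legitimate bulk job (log rotation, backup) commonly writes.
# Renames into these are not counted toward an alert. Assumed list; tune it.
BENIGN_NEW_EXTS = {".bak", ".gz", ".zip", ".tmp", ".old"}


@dataclass(frozen=True)
class RenameEvent:
    ts: float       # seconds since epoch
    process: str    # image that performed the rename
    old_path: str
    new_path: str


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def _is_suspicious_rename(e: RenameEvent) -> bool:
    """A rename whose extension changed to something not on the benign list."""
    new = _ext(e.new_path)
    return new != _ext(e.old_path) and new not in BENIGN_NEW_EXTS


def detect_mass_rename(events, window=60.0, threshold=50):
    """Return one alert per process that performed at least `threshold`
    suspicious renames inside any `window`-second span."""
    alerts = []
    by_proc = defaultdict(list)
    for e in events:
        by_proc[e.process].append(e)

    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e.ts)
        win = deque()  # suspicious renames inside the current window
        for e in evs:
            if not _is_suspicious_rename(e):
                continue
            win.append(e)
            while e.ts - win[0].ts > window:
                win.popleft()
            if len(win) >= threshold:
                alerts.append({
                    "process": proc,
                    "renames": len(win),
                    "span_seconds": e.ts - win[0].ts,
                    "new_extensions": sorted({_ext(x.new_path) for x in win}),
                    "directories": len({os.path.dirname(x.new_path) for x in win}),
                })
                break  # one alert per process is enough to page someone
    return alerts


def sample_events():
    """Constructed events, not real telemetry."""
    t0 = 1_700_000_000.0
    ev = []
    # Office app: temp file promoted to the real document, a few times an hour.
    for i in range(3):
        ev.append(RenameEvent(t0 + i * 600, "WINWORD.EXE",
                              f"C:/Users/a/Documents/~WRD{i}.tmp",
                              f"C:/Users/a/Documents/report{i}.docx"))
    # Log rotation: 80 logs -> .gz in 20 seconds; benign extension, not counted.
    for i in range(80):
        ev.append(RenameEvent(t0 + 100 + i * 0.25, "logrotate",
                              f"/var/log/app/app.{i}.log",
                              f"/var/log/app/app.{i}.log.gz"))
    # Hypothetical encryptor: 120 files across 15 shares -> .locked in 30 s.
    for i in range(120):
        ev.append(RenameEvent(t0 + 200 + i * 0.25, "encryptor.exe",
                              f"C:/Shares/dept{i % 15}/file{i}.xlsx",
                              f"C:/Shares/dept{i % 15}/file{i}.xlsx.locked"))
    return ev


if __name__ == "__main__":
    for alert in detect_mass_rename(sample_events()):
        print(alert)
```

Only the encryptor process trips the alert: the Office saves change extensions but are far too few, and the log rotation is bulky but lands on a benign extension. In production the benign list and the threshold are the knobs that decide the false-positive rate, and the alert's directory count is a useful second signal, since an encryptor sweeps across many shares while most legitimate bulk jobs stay in one tree.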