Kaseya says the REvil supply chain ransomware attack breached the systems of about 60 of its direct customers that were using the company’s on-premises VSA product.
In total, the provider of cloud-based software for managed service providers (MSPs) added that it is aware of up to 1,500 downstream victims whose networks were managed by MSPs using Kaseya’s remote management tools.
“The attack had limited impact, with only about 50 of Kaseya’s more than 35,000 customers being breached,” Kaseya said in a press release.
“Of the roughly 800,000 to 1,000,000 local and small businesses that Kaseya’s customers manage, only about 800 to 1,500 have been compromised.”
The company has published network and endpoint indicators of compromise (IOCs) to assist security researchers and customer investigations, as well as an updated version of its Compromise Detection Tool, which checks VSA servers and endpoints for signs of compromise.
Kaseya says it is currently working on the restoration process and is preparing to roll out a patch for the exploited zero-day to VSA customers.
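To show what an IOC sweep of the kind described above actually does, here is an added Python example (not Kaseya’s Compromise Detection Tool and not code from the original article). It matches a vendor-style IOC list of file hashes, file names and hostnames against a directory tree and DNS log lines. Every indicator, file and log line below is constructed for the example; none of them are Kaseya’s published IOCs.

```python
"""Minimal IOC sweep against constructed hash, filename and hostname indicators.

Added illustration of the technique; the indicator values are placeholders
made up for this example and deliberately match nothing real.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed IOC set in the shape vendors usually publish: file hashes,
# file names and contacted hosts. All values are invented for the example.
SAMPLE_IOCS = {
    "sha256": {hashlib.sha256(b"constructed dropper contents").hexdigest()},
    "filenames": {"dropper.example.exe", "loader.example.dll"},
    "hosts": {"c2.example.invalid", "staging.example.invalid"},
}


@dataclass
class Finding:
    kind: str       # "hash", "filename" or "host"
    indicator: str  # the IOC value that matched
    where: str      # file path or the log line it matched in


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs):
    """Walk a directory and flag files whose name or SHA-256 is on the IOC list."""
    bad_names = {n.lower() for n in iocs["filenames"]}
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower() in bad_names:
                findings.append(Finding("filename", name.lower(), path))
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if digest in iocs["sha256"]:
                findings.append(Finding("hash", digest, path))
    return findings


def scan_dns_log(lines, iocs):
    """Flag log lines that contain a listed hostname as a whole token."""
    wanted = {h.lower() for h in iocs["hosts"]}
    findings = []
    for line in lines:
        for token in re.findall(r"[a-z0-9][a-z0-9.-]*", line.lower()):
            if token in wanted:
                findings.append(Finding("host", token, line))
    return findings


def demo():
    """Build a constructed file tree and DNS log, run both scans, return findings."""
    constructed_log = [
        "2021-07-02T14:03:11Z dns query c2.example.invalid from 10.0.0.5",
        "2021-07-02T14:03:12Z dns query files.example.com from 10.0.0.5",
    ]
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"nothing to see here")
        # One planted file hits both a filename IOC and a hash IOC.
        with open(os.path.join(root, "sub", "dropper.example.exe"), "wb") as f:
            f.write(b"constructed dropper contents")
        findings = scan_tree(root, SAMPLE_IOCS)
    findings += scan_dns_log(constructed_log, SAMPLE_IOCS)
    return findings


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit.kind:8} {hit.indicator}  <- {hit.where}")
```

In real use the IOC set would be loaded from the vendor’s published list rather than hard-coded, and a hit is a reason to isolate the host and start an investigation, not proof by itself that ransomware ran.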
“All on-premises VSA servers should remain offline until further instructions from Kaseya on when it is safe to restore operations. A patch will need to be installed before restarting the VSA, along with a set of recommendations on how to increase your security posture.” – Kaseya
Zero-day exploited while Kaseya was validating patches
To deploy ransomware payloads on the systems of Kaseya customers and their downstream customers, REvil operators exploited a zero-day vulnerability (CVE-2021-30116) in Kaseya VSA, remote monitoring and management (RMM) software commonly used by MSPs to manage customer networks.
Kaseya was in the process of patching the zero-day, which had been privately reported by researchers from the Dutch Institute for Vulnerability Disclosure (DIVD), as BleepingComputer later learned.
However, the REvil affiliate behind the attack obtained details of the zero-day and exploited it to deploy the ransomware before Kaseya could roll out a fix to VSA customers.
“Attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution,” Kaseya explained.
“This allowed attackers to take advantage of the standard functionality of the VSA product to deploy ransomware on endpoints. There is no evidence that Kaseya’s VSA codebase has been maliciously modified.”
REvil now claims to have encrypted over 1,000,000 systems and, after initially demanding $70 million, is now asking for $50 million for a universal decryptor.
This is not the first time ransomware groups have targeted Kaseya’s MSP platform.
GandCrab, REvil (Sodinokibi), and Ragnar Locker have all previously abused Kaseya’s remote management tools, which makes it much harder for a victim’s MSP to detect and block a ransomware attack in progress.
In related news, CISA and the FBI have shared guidance for victims of the supply chain ransomware attack.
The White House National Security Council is also urging victims to report incidents and to follow the guidance issued by Kaseya.