Over the Fourth of July weekend, Kaseya’s Virtual System/ Server Administrator (VSA) software was targeted by the cybercrime gang REvil. REvil executed a supply chain ransomware attack and demanded $70 million in Bitcoin. Kaseya is an IT management software company, whose customers include large MSPs. As a result, around 1,500 small to medium sized businesses experienced the attack through their MSPs. The victims of the attack spanned at least 17 countries, although no critical infrastructure was affected. After the CEO, Fred Voccola, announced a potential attack against VSA, Kaseya immediately shut off their VSA infrastructure and urged clients to shut down their VSA servers. Customers were notified and FireEye Mandiant was called in to assist in the investigation. The attack was triggered by an authentication bypass vulnerability. This vulnerability allows attackers to gain authentication controls and an authenticated session. The attackers then performed an SQL injection.
Kaseya has since obtained the decryption key and were able to decrypt their data. This key has also recently been leaked on several hacking forums. New blog posts and articles suggest that Kaseya did not focus enough on security. Some problems mentioned were the company’s use of weak encryption and passwords, inconsistency with patching software, and overall lack of attention to security. Kaseya has since released a new version of a compromise detection tool for companies to determine if Indicators of Compromise (IoC) of REvil are present within their systems. According to Threatpost, new security measures taken by Kaseya include:
- 24/7 independent SOC for every VSA with the ability to quarantine and isolate files and entire VSA servers.
- A complementary CDN with WAF for every VSA
- Customers who whitelist IPs will be required to whitelist additional IPs
Kaseya also introduced the use of a personal authentication token for REST APIs, rather than using the standard username and password. Since the attack, Kaseya has been improving their release of patches affecting their customers and have committed to a more security- focused way of business.