Leading into the Fourth of July weekend this year, individuals in charge of cybersecurity at small and medium businesses (SMBs) were more likely to be found in front of a computer screen than at a barbecue.
That’s because hackers compromised software by Kaseya, a leading provider of IT and security management solutions for managed service providers (MSPs) and SMBs. The attackers then leveraged vulnerabilities in that software to victimize more than 1,500 Kaseya customers, including many SMBs, with ransomware.
The attack is the latest significant attack to impact many SMB organizations. Companies that utilize Kaseya software should make sure they are aware of the significant elements of the attack and know what steps to take to ensure they aren’t at risk.
On July 2, Kaseya announced it had been the victim of a cyberattack, as part of which hackers exploited vulnerabilities in its popular VSA software to deploy ransomware attacks against SMBs and MSPs who had it in their environments. The attack was a supply chain attack, where hackers leverage a vendor’s vulnerable software to attack a more extensive set of victims.
Cybersecurity firm Huntress said it appeared hackers were incredibly sophisticated. The attack has been attributed to REvil, a well-known ransomware threat group that has also been tied to other significant attacks like the one on JBS. JBS is the world’s largest meat processing company forced to shut down operations due to ransomware. The attackers demanded $70 million from all victims collectively to release the decryption codes for the ransomware.
A full rundown of events and the latest updates regarding the Kaseya attack can be found here.
How to remediate
An estimated 40,000 organizations worldwide use Kaseya software. While Kaseya quickly disabled its SaaS offering and urged its remaining VSA customers to shut it down immediately until further notice, it has since conducted further investigation and released a patch for applicable on-premise and SaaS solutions.
Kaseya also urged its customers to use multi-factor authentication and ensure access to systems is restricted to administrators. Additionally, access should follow least privilege principles. It also urged customers to conduct regular audits, review logs, and ensure access is appropriately allocated. The company released best practice guides for on-premise and VSA SaaS software, found here and here, respectively. Organizations using the software should take time to ensure they have patched their systems and are following best practices.
As ransomware attacks increase, the Kaseya attack was yet another example of how SMBs are at risk. Cybersecurity and IT leaders should ensure they take every necessary step to protect their organization from risk from the Kaseya vulnerabilities and limit future risk.