More stories


    Kaseya issues patch for on-premise customers, SaaS rollout underway

    Kaseya has released its promised patch to resolve security flaws responsible for a ransomware attack. 


    The software solutions provider, which counts managed service providers (MSPs) among its client base, was the subject of a ransomware outbreak on July 2. Kaseya said the threat group responsible, REvil, exploited unpatched vulnerabilities in the firm’s VSA remote monitoring software to achieve an authentication bypass and code execution, allowing them to deploy ransomware on customer endpoints. It is estimated that between 800 and 1,500 businesses have been impacted. REvil has demanded $70 million for a universal decryption key.

    Kaseya pulled its SaaS systems offline and urged customers to shut down their VSA servers when the first reports of cyberattacks came in. Initial attempts to relaunch the SaaS servers were scheduled for July 6; however, technical problems prompted a further delay. According to Kaseya, the decision was made by CEO Fred Voccola in order to give the company time to bolster existing security mechanisms. On Sunday, the company said that the rollout is underway and going “according to plan.”

    In total, 95% of the company’s SaaS customers are now live, with servers “coming online for the rest of our customers in the coming hours.” On-premise clients now have access to the VSA patch, too, and support teams are working with organizations that need assistance in applying the security update.

    The release notes for both VSA on-prem and SaaS deployments include fixes for three vulnerabilities with CVE identifiers: a credentials leak and business logic flaw (CVE-2021-30116), a cross-site scripting (XSS) bug (CVE-2021-30119), and a two-factor authentication bypass (CVE-2021-30120). In addition, Kaseya has resolved a Secure flag problem in User Portal session cookies, an API response process that could expose weak credentials to brute-force attacks, and an unauthorized file upload vulnerability impacting VSA servers.

    Due to the speed necessary in deploying the patch, some VSA functionality has been disabled temporarily, including some API endpoints. “Out of an abundance of caution, these API calls are being redesigned for the highest level of security,” Kaseya says. “Individual functions will be restored in later releases this year.” Kaseya has also temporarily removed the ability to download agent installer packages from VSA and the User Portal page without authentication. A number of legacy functions have been permanently removed. Clients will need to change their password once they have installed and logged in to the latest build. Kaseya has also provided VSA SaaS and on-premise hardening and best practice guides.

    Bloomberg reports that in the past, former employees sounded the alarm on cybersecurity worries including outdated code, weak encryption, and a lack of robust patching processes. However, the ex-staff members claimed their concerns were not fully addressed.


    Aussies have lost over AU$7 million to remote access scams already this year

    In the first six months of 2021, Australians lost over AU$7 million by letting scammers access their home computers, up 184% compared to last year.

    The latest data from the ACCC’s Scamwatch reveals that so far this year almost 6,500 Australians have reported phone calls from scammers trying to convince them to download software that gives access to their home computers and bank accounts.

    “Remote access scams are one of the largest growing scam types in Australia. Scammers take advantage of the digital world and the fear of fraud and cybercrime to access people’s devices and steal their money,” ACCC deputy chair Delia Rickard said. “These types of scams target and impact all people and can be convincing.”

    People aged 55 and over lost over AU$4.4 million, accounting for almost half of total losses. Young people reported losing on average AU$20,000, and eight Indigenous Australians, some in remote communities, lost a total of AU$38,000 across 84 reports.

    The ACCC said the scammers pretend to be from organisations such as Telstra, eBay, NBN Co, Amazon, banks, government organisations, police, and computer and IT support organisations. Telstra was impersonated 1,730 times, with reported losses of AU$1.95 million, followed by NBN Co with 1,023 reports and reported losses of AU$477,980.

    The scammer’s modus operandi is to create a sense of urgency to make victims provide access to their computers via remote access software. A common tactic is to say the victim has been billed for a purchase they didn’t make, then convince the victim that their device has been compromised, or their account “hacked”, as a result.

    “The scammer will pretend to assist you or ask you to assist them to catch the scammer,” the ACCC cautioned. “They will tell you to download remote control software such as AnyDesk or TeamViewer.”

    Once the scammer has control of the device, they will ask the individual to log into applications such as email, internet banking, or PayPal accounts, which is how they obtain the log-in credentials.

    “It is really important not to let anyone who contacts you out of the blue access your devices, as once you give them access, you have no way of knowing what the person will do to your computer or what programs they may install,” Rickard added.

    “If you receive contact from someone claiming to be from a telecommunications company, a technical support service provider or online marketplace, hang up. If you think the communication may have been legitimate, independently source the contact details for the organisation to contact them. Don’t use the contact details in the communication. Also, don’t click on any of the links.”

    Australians in 2020 lost a total of AU$8.4 million to remote access scams.


    Ransomware shows the power and weakness of the web

    Ransomware reflects the complexities and limitations of the web. It’s worth remembering those limitations as we rely ever more on computer systems that often have pretty shallow foundations when it comes to security and reliability.

    For example, much of the web has been built on trust, with security very much an afterthought. There’s always been hacking, of course, but the difficulty of making it pay meant that, apart from state-sponsored attacks and industrial espionage, the impact was quite limited.

    But the rise of cryptocurrency, which enables hard-to-track payments, plus the general insecurity of many computer systems, and our total reliance on them, has created the perfect ransomware storm that now engulfs so many companies.

    Fixing this problem is not easy. The US administration may now be threatening to take action against ransomware gangs, but because many of them operate from Russia, that’s going to be tough.

    True, the US could try to break the infrastructure that the gangs use, but that’s not without its problems. For a start, these gangs don’t have huge infrastructure to attack, and what they do have is easily replaced. Then there’s the risk of accidentally disrupting the systems of an innocent organisation in a foreign country, which, particularly when you’re dealing with Russia, is a good way to raise international tensions.

    Most likely the US could try to put a tight financial squeeze on ransomware gangs, something it has already done by seizing some of the bitcoins sent to them. These gangs are entirely motivated by money, so taking away the ability to receive ransoms or spend their ill-gotten gains is likely to be the most effective way of curtailing their activities. Banning the payment of ransoms might have some impact, but it would also force some unlucky firms out of business if their data was locked up forever.

    The ransomware era will probably come to an end at some point, most likely to be replaced with another security worry. Indeed, the rise of supply chain security flaws, which are currently being exploited to spread ransomware, is at least as big a problem.

    But the ransomware problem also serves as a reminder: we are increasingly reliant on the web, and the internet beneath it. And much of that infrastructure is creaking, or held in place by obscure but fragile systems or pieces of code. So even after ransomware is long forgotten, the security worries won’t go away.

    ZDNet’s Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.


    These three simple tips will keep your iPhone safe from hackers

    How hard is it to keep your iPhone, and the data that’s on it, safe from hackers and other bad folks out there? Not hard at all. While there’s no doubt that security is a massive subject, and you could devote your life to it, it’s not hard to get to a point where your iPhone is more secure than 99 percent of other iPhones out there. Here’s how.

    #1: Updates

    Make sure that your iOS is up to date. This is your primary line of defense against vulnerabilities. I know, I know, there are a lot of them, but that’s the world we live in these days. It’s also a good idea to keep your apps updated too, but that’s secondary to keeping iOS updated.

    Personally, given the number of bugfixes in recent iOS releases, I don’t wait to install them. Sure, there might be bugs like battery issues and such that creep into iOS releases, but these are, as far as I’m concerned, less of a problem.

    #2: Strong passcode

    If you’re still rolling with 000000 or 123456 or something dumb like that, change it. Do it now. While web-based attacks do happen, the most likely way that your data is going to leak from your iPhone is by someone picking it up and unlocking it.

    #3: Reboot weekly

    Most iPhone vulnerabilities rely on jailbreaking the iPhone. The good news is that a jailbreak can’t survive a reboot, so adding a weekly reboot to your schedule is no bad thing. Not only does it protect you from badness getting onto your iPhone, but it’ll also speed things up a bit by clearing the RAM.

    Want more? Check out my iPhone Security Checklist, which goes into much greater detail about settings and features you can tweak to make your iPhone more secure.


    Colorado becomes latest state to pass data privacy law

    Colorado has joined California and Virginia in passing a comprehensive data privacy law that forces companies to make wholesale changes to how they handle people’s sensitive information online.

    The Colorado Privacy Act, which was signed into law on July 7 by Governor Jared Polis, gives consumers the right to ask companies not to sell their personal information while also giving them access to any data companies have about them. Consumers can also ask companies to delete their data, and the law forces enterprises to ask for consent to hold certain sensitive information like Social Security numbers, driver’s license numbers and more.

    While some states have passed narrower laws focused on specific data collection and sale practices, Colorado is considered among experts to be the third state after California and Virginia to pass a commercial privacy law. In addition to the rights it gives consumers, the act also forces companies to respect opt-out requests submitted on behalf of consumers. The law applies to companies that collect personal data from 100,000 Colorado residents, or that collect data from 25,000 Colorado residents and derive some revenue from sales.

    The law, which takes effect in July 2023, was hailed by experts as a step forward for data privacy in the US, even though many had concerns about a number of loopholes in the bill that companies are already taking advantage of with California’s more comprehensive law. Charles Farina, head of innovation at Adswerve, said it was concerning that the bill did not have a private right of action and noted all of the exemptions, particularly for non-profits. “The CPA includes greater fines per violation, but without an overarching federal privacy law, there remain loopholes for gathering first-party data and continued doubt from consumers about the safety of their data,” Farina said.

    “Legislation like CPA is a step in the right direction, but signals that there is still more work to be done to ensure a transparent exchange of data between consumers and businesses.”

    Consumer Reports senior policy analyst Maureen Mahoney said the law would need to be strengthened down the road. Consumer Reports noted that the advertising industry has already used bad-faith interpretations of California’s more stringent regulations to claim “that the opt-out doesn’t apply to data shared with third parties for targeted advertising.” They added that the Colorado law should have had a provision making sure that consumers will not be charged for exercising their privacy rights.

    Tyrone Jeffrees, the US information security officer at Mobiquity, added that the law is expected to be more effective than others because it can be enforced by both the Colorado office of the Attorney General as well as local district attorney offices.

    “The CPA goes beyond California’s by requiring a blocking option for consumers to ‘opt-out’ of having their personal information shared to create consumer profiles. To ensure compliance with the CPA’s heavier guidelines, businesses and organizations must have a deeper understanding of how their data is collected and exactly what it is being used for when targeting new customers and sharing publicly,” Jeffrees explained.

    “I’m thrilled for the residents of Colorado. Ultimately, each new legislation is a win for US consumers and privacy advocates. As businesses start to comply with the law, consumers can expect to see more pop-up notifications on websites disclosing how information is being collected and how that information is used. These disclosures are ubiquitous in Europe and will start to increase across the digital landscape in the US as new privacy regulations come onboard. The good news for consumers is that many of the common privacy rights afforded to EU and California residents will become part of the standard way of engaging with businesses in the US going forward.”

    Dan Clarke, a data privacy law expert working with lawmakers in multiple states on their own laws, said the Colorado law resembled the Virginia law and California’s CPRA more than the state’s CCPA.

    “It aligns a little better with GDPR as well. There are two things that I think are pretty big about the law. Number one is the requirement to respect the universal opt-out. Until July 1st, 2023, the attorney general has to provide the technical specifications for that opt-out, and then everybody gets a year actually to abide by it. This is a significant development because now you’ve got a requirement to abide by what can just be programmed into a browser as a default setting,” Clarke explained.

    “It can be programmed into your mobile phone as the default setting, and you have to abide by it. I think that will accelerate the industry’s adoption and understanding of these universal opt-out signals.”

    Clarke added that the other major development in the law is the demand for “privacy impact assessments,” forcing companies to assess what kind of data they collect and have. “If you’re releasing a new product, or for example, did a kiosk to take people’s temperatures during COVID-19, you have to assess what kind of data you have. How are you using that data? How are you securing it? How long are you going to retain it? What’s the risk of it?” Clarke said.

    That is a feature of the GDPR and was included in the Virginia law, but it is largely invalidated there due to a bevy of exemptions. There are almost no exemptions in Colorado’s law, meaning companies will have to do impact assessments for any project that collects personal data, Clarke told ZDNet. New assessments will also need to be done if there are any changes to policies, vendors or staff. Clarke added that there is a one-year lookback period, so data collected at the end of this year will be within scope.

    Another key provision is the right to appeal, which Clarke said is unique among the world’s data privacy laws. According to Clarke, only the Virginia and Colorado laws allow consumers to appeal a company’s decision to refuse a request for their data to be deleted. If a company refuses to delete your data, you can appeal the decision, and another arm of the company has to look at the decision.

    For companies worried about complying with the laws, Clarke said any organization already complying with California’s CCPA and CPRA would be prepared for Colorado’s law. Clarke said the biggest issue for those who were not affected by California’s laws would be preparing to handle sensitive data like financial information. “With sensitive data, you actually have to ask for permission. So you have to say, ‘I want to opt into allowing you to use it and, in some cases, sell it,’” Clarke said.

    Clarke predicted that New York, Texas and Florida might be the next states to pass data privacy laws, noting that the length of some states’ legislative sessions is part of what makes it difficult to pass these kinds of laws. Some states that looked likely to pass their own data privacy laws, like Washington, simply ran out of time because of how controversial the law became locally.

    “An important thing about the Colorado law is just the fact that another state piled on. It’s kind of surprising that you’ve got another state that has piled on so quickly, and I honestly think that’s the biggest news out of this whole story,” Clarke said. “You’ve got to deal with another state.”


    These phishing emails want to deliver password-stealing malware to energy companies and their suppliers

    Cyber criminals are targeting energy, oil and gas and other companies around the world with a phishing campaign designed to deliver malware capable of stealing usernames, passwords and other sensitive information, in what’s believed to be the first stage of a wider campaign.

    Detailed by cybersecurity company Intezer, the phishing campaign has been active for at least a year, and those behind it appear to have put a lot of effort into making the phishing emails look as legitimate as possible. The phishing emails include references to executives, addresses of offices, official logos and requests for quotations and contracts, and refer to real projects in order to look authentic.

    Cyber criminals have sent the emails to international companies in oil and gas, energy, manufacturing and technology around the world, with targets including companies in the United States, United Arab Emirates, Germany and South Korea. In one case detailed by researchers, the phishing email referred to a specific power plant project as a lure.

    This phishing email and others invite the victim to click on an attachment designed to look like a PDF but which is actually an IMG, ISO, or CAB file that leads the user to an executable file; if this is run, it will install malware on the PC.

    Several different forms of Remote Access Tools (RATs) and information-stealing malware are being deployed in these attacks, including Formbook, Agent Tesla and Loki. Many of these are malware-as-a-service operations, meaning that those behind the phishing attacks are leasing malware rather than developing it themselves.

    “It appears that the use of malware-as-a-service threats helps blend in with the noise of other malicious activity. It appears that they are casting a wide net with these types of threats and also targeting a lot of small-medium sized suppliers. Both might also indicate that this is the first stage in what may be wider activity,” Ryan Robinson, a security researcher at Intezer, told ZDNet.

    It’s currently unknown who exactly is behind the phishing attacks, but Robinson says their methods “show a decent level of sophistication.” While some of the infrastructure around the attacks has been removed, it’s likely that the phishing campaign remains active.

    “Treat emails with awareness and caution, especially emails that are received from outside your company’s domain. Most importantly, don’t open suspicious files or links,” warns the research paper.


    Microsoft's PrintNightmare update is causing problems for some printers

    Microsoft’s emergency update which included a fix for the so-called PrintNightmare print spooler problem has the unexpected side-effect of causing a problem with some printers.

    The PrintNightmare flaw is a major security risk for enterprises, where print spoolers are used on Windows machines. Microsoft considered it serious enough to rush out a patch last week, before its usual Patch Tuesday update.

    The PrintNightmare bug is being tracked as CVE-2021-1675 and CVE-2021-34527. One of them is a remote code execution flaw and the other is a local privilege escalation flaw. An additional concern was that exploit code was in the public domain before Microsoft released a patch for it.

    Microsoft notes that an attacker can use the bug to run whatever code they want with system privileges. From there, they could install programs; view, change, or delete data; or create new accounts with full user rights.

    But now that patches are being installed, some customers are reporting an impact on some printers. Microsoft itself has warned of the issue.

    “After installing this update, you might have issues printing to certain printers. Most affected printers are receipt or label printers that connect via USB. Note: This issue is not related to CVE-2021-34527 or CVE-2021-1675,” it said.

    “This issue is resolved using Known Issue Rollback (KIR). Please note that it might take up to 24 hours for the resolution to propagate automatically to consumer devices and non-managed business devices. Restarting your Windows device might help the resolution apply to your device faster. For enterprise-managed devices that have installed an affected update and encountered this issue, it can be resolved by installing and configuring a special Group Policy,” it said.

    Printer maker Zebra confirmed that some of its devices were being affected.

    “We are aware of issues affecting multiple brands of printers when printing from PCs that have been recently updated via the Windows Update Service (KB5004945, KB5004760, or KB5003690). The most common symptom is print jobs being sent, but not actually printing,” it said. “This issue is observed after users install the Windows 10 out-of-band security update KB5004945 (or previous updates, KB5004760 and KB5003690). The KB5004945 security update addresses a remote code execution exploit in the Windows Print Spooler service, known as ‘PrintNightmare,’” it added.

    Microsoft rounded out its patches for Windows 10 systems this week, delivering patches for Windows 10 version 1607, Windows Server 2016, and Windows Server 2012. The flaw was serious enough for Microsoft to release patches for Windows 7, which reached mainstream end of support in January 2020. Microsoft still provides security updates to organizations paying for extended support on Windows 7.

    Microsoft has advised customers to disable the print spooler service until patches are applied. The patch introduces some changes to how organizations handle the installation of drivers on Windows machines. It prevents general users from installing printer driver software updates. Some security researchers have found there are ways to bypass Microsoft’s patch.
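    The interim mitigation the article describes, disabling the Print Spooler service until the update is applied, can be checked and enacted from an elevated PowerShell prompt. The script below is an added example written for this page; it is not from Microsoft, Zebra or the article. It assumes Windows 10 or Windows Server with PowerShell 5.1 or later, and the KB numbers it looks for are the three quoted in Zebra’s statement above; substitute the update for your own build where it differs. Run it with -WhatIf first to see what it would do without changing the service.

```powershell
# Added example (not from the article or Microsoft): check whether one of the
# Print Spooler updates named in the article is installed and, if none is,
# stop and disable the Print Spooler service as the interim mitigation.
# Run from an elevated PowerShell prompt.
# The KB IDs below are the ones quoted in the Zebra statement on this page.
$SpoolerPatches = @('KB5004945', 'KB5004760', 'KB5003690')

function Test-SpoolerPatchInstalled {
    param([string[]]$KbIds = $SpoolerPatches)
    # Get-HotFix enumerates installed updates; a missing ID is not an error here.
    $installed = Get-HotFix -Id $KbIds -ErrorAction SilentlyContinue
    return [bool]$installed
}

function Get-SpoolerState {
    # Current status and startup type of the Print Spooler service.
    $svc = Get-Service -Name Spooler
    [pscustomobject]@{
        Status    = $svc.Status
        StartType = $svc.StartType
    }
}

function Disable-SpoolerUntilPatched {
    param([switch]$WhatIf)
    if (Test-SpoolerPatchInstalled) {
        Write-Output 'A listed Print Spooler update is installed; leaving the service unchanged.'
        return
    }
    Write-Output 'No listed update found; disabling Print Spooler as an interim mitigation.'
    if ($WhatIf) { return }
    # Stop the running service and prevent it from starting at boot.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

# Report the current state, then show what the mitigation would do.
Get-SpoolerState
Disable-SpoolerUntilPatched -WhatIf
```

    Once the update is installed, re-enable the service with Set-Service -Name Spooler -StartupType Automatic followed by Start-Service -Name Spooler; machines that never need to print, such as most domain controllers, can simply be left with the spooler disabled.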


    Kaseya ransomware attack updates: Your questions answered

    Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack on July 2, over the American Independence Day weekend. 

    It appears that attackers have carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya’s VSA software against multiple managed service providers (MSPs) and their customers.

    According to Kaseya CEO Fred Voccola, less than 0.1% of the company’s customers were embroiled in the breach, but as their clientele includes MSPs, this means that smaller businesses have also been caught up in the incident. Present estimates suggest that 800 to 1,500 small to medium-sized companies may have experienced a ransomware compromise through their MSP.

    The attack is reminiscent of the SolarWinds security fiasco, in which attackers managed to compromise the vendor’s software to push a malicious update to thousands of customers. However, we are yet to find out just how widespread Kaseya’s ransomware incident will prove to be.

    Here is everything we know so far. ZDNet will update this primer as we learn more.

    What is Kaseya?

    Kaseya’s international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries. Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform. The firm’s software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain. 

    What happened?

    On July 2 at 2:00 PM EDT, as previously reported by ZDNet, Kaseya CEO Fred Voccola announced “a potential attack against the VSA that has been limited to a small number of on-premise customers.”

    At the same time, out of an abundance of caution, Voccola urged clients to immediately shut down their VSA servers. “It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA,” the executive said. Customers were notified of the breach via email, phone, and online notices.

    As Kaseya’s Incident Response team investigated, the vendor also decided to proactively shut down its SaaS servers and pull its data centers offline. By July 4, the company had revised its thoughts on the severity of the incident, calling itself the “victim of a sophisticated cyberattack.” Cyber forensics experts from FireEye’s Mandiant team, alongside other security companies, have been pulled in to assist.

    “Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service,” Kaseya said, adding that more time is needed before its data centers are brought back online. Once the SaaS servers are operational, Kaseya will publish a schedule for distributing a security patch to on-prem clients.

    In a July 5 update, Kaseya said that a fix has been developed and would first be deployed to SaaS environments, once testing and validation checks are complete. “We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration,” the company said. “We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers.”

    The ransomware attack, explained

    The FBI described the incident succinctly: a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.”

    Huntress has tracked 30 MSPs involved in the breach and believes with “high confidence” that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface. According to the cybersecurity firm, this allowed the attackers to circumvent authentication controls, gain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process.

    Kyle Hanslovan, CEO and co-founder of Huntress, told attendees of a webinar discussing the technical aspects of the attack on July 6 that the threat actors responsible were “crazy efficient.”

    “There is no proof that the threat actors had any idea of how many businesses they targeted through VSA,” Hanslovan commented, adding that the incident seemed to be shaped more by a “race against time.”

    “Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks,” Sophos noted. “As such, it has a high level of trust on customer devices. By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted.” The vendor has also provided an in-depth technical analysis of the attack.

    Security expert Kevin Beaumont said that ransomware was pushed via an automated, fake, and malicious software update using Kaseya VSA dubbed “Kaseya VSA Agent Hot-fix”.

    “This fake update is then deployed across the estate — including on MSP client customers’ systems — as it [is] a fake management agent update,” Beaumont commented. “This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya’s customers were still encrypted.”

    With a tip from RiskIQ, Huntress is also investigating an AWS IP address that may have been used as a launch point for the attack.

    On July 5, Kaseya released an overview of the attack, which began on July 2 with reports of ransomware deployment on endpoints. “In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure,” the company says.

    According to the firm, zero-day vulnerabilities were exploited by the attackers to achieve an authentication bypass and code execution, allowing them to infect endpoints with ransomware. However, Kaseya emphasizes that there is no evidence of the VSA codebase being “maliciously modified”.

    Wietse Boonstra, a Dutch Institute for Vulnerability Disclosure (DIVD) researcher, previously identified a number of vulnerabilities, tracked as CVE-2021-30116, which were used in the ransomware attacks. They were reported under a Coordinated Vulnerability Disclosure pact.

    “Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” DIVD says. “Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched.”


    Who has been impacted?

    Over the weekend, Kaseya said that SaaS customers were “never at risk” and current estimates suggest that fewer than 40 on-prem clients worldwide have been affected. However, it should be noted that while only a small number of Kaseya clients may have been directly infected, those clients are MSPs, so the SMB customers further down the chain relying on their services could be impacted in turn. According to reports, 800 Coop supermarket chain stores in Sweden had to temporarily close as they were unable to open their cash registers.

    Huntress said in a Reddit explainer that an estimated 1,000 companies have had servers and workstations encrypted. The vendor added that it is reasonable to suggest “thousands of small businesses” may have been impacted.

    “This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen,” commented Ross McKerchar, Sophos VP. “At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”

    On July 5, Kaseya revised previous estimates to “fewer than 60” customers, adding that “we understand the total impact thus far has been to fewer than 1,500 downstream businesses.”

    Now, on July 6, the estimate is around 50 direct customers, and between 800 and 1,500 businesses down the chain. When it comes to SaaS environments, Kaseya says, “We have not found evidence that any of our SaaS customers were compromised.”

    In a press release dated July 6, Kaseya insisted that “while impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure.”

    The number of vulnerable Kaseya servers online, visible, and open to attackers dropped by 96% from roughly 1,500 on July 2 to 60 on July 8, according to Palo Alto Networks.


    Kaseya CEO Fred Voccola said that the attack, “for the very small number of people who have been breached, it totally sucks.” “We are two days after this event,” Voccola commented. “We have about 150 people that have probably slept a grand total of four hours in the last two days, literally, and that’ll continue until everything is as perfect as can be.” Less than 0.1% of the company’s customers experienced a breach. “Unfortunately, this happened, and it happens,” the executive added. “Doesn’t make it okay. It just means it’s the way the world we live in is today.”

    What is ransomware?

    Ransomware is a type of malware that specializes in the encryption of files and drives. In what has become one of the most severe security problems modern businesses now face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations. Once a victim’s system or network has been encrypted, cyber criminals will place a ransom note on the system, demanding payment in return for a decryption key (which may, or may not, work).

    Today’s ransomware operators may be part of a Ransomware-as-a-Service (RaaS) scheme, in which they ‘subscribe’ to access and use a particular type of ransomware. Another emerging trend is double extortion, in which a victim has their information stolen during a ransomware raid. If they refuse to pay up, they may then face the prospect of their data being sold or published online.

    Common and well-known ransomware families include REvil, Locky, WannaCry, GandCrab, Cerber, NotPetya, Maze, and DarkSide.

    Read on: What is ransomware? Everything you need to know about one of the biggest menaces on the web

    Who is responsible?

    Charlie Osborne | ZDNet

    The cyberattack has been attributed to the REvil/Sodinokibi ransomware group, which has claimed responsibility on its Dark Web leak site, “Happy Blog.”

    In an update over the weekend, the operators, believed to have ties to Russia, claimed that more than “a million” systems have been infected. REvil has offered a decryption key, allegedly universal and, therefore, able to unlock all encrypted systems, for the ‘bargain’ price of $70 million in the bitcoin (BTC) cryptocurrency.

    REvil has previously been linked to ransomware attacks against companies including JBS, Travelex, and Acer.

    What are the ransomware payment terms?

    The ransomware note claims that files are “encrypted, and currently unavailable.” A file extension .csruj has reportedly been used. Operators are demanding payment in return for a decryption key, and one ‘freebie’ file decryption is also on the table to prove the decryption key works. The operators add (spelling unchanged):

    “Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests. If you will not cooperate with our service –for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice – time is much more valuable than money.”

    Sophos malware analyst Mark Loman shared a screenshot on Twitter of a ransomware note planted on an infected endpoint demanding $44,999. John Hammond, senior security researcher at Huntress, told ZDNet that the company has already seen ransom demands of up to $5 million. Kevin Beaumont says that, unfortunately, he has observed victims “sadly negotiating” with the ransomware’s operators.

    Fabian Wosar, CTO of Emsisoft, has also explained in a Twitter thread why using a key obtained by a single organization paying up is unlikely to be a viable path for unlocking all victims. “REvil absolutely has the capability of decrypting only a single victim without these purchased decryption tools being applicable for other victims hit by the same campaign public key,” the security expert noted.

    CNBC reports that the universal ransom demand has been reduced to $50 million in private conversations. However, as of July 7, the public demand for $70 million on the threat group’s leak site remains unchanged.

    What are the reactions so far?

    At the time of the breach, Kaseya notified law enforcement and cybersecurity agencies, including the Federal Bureau of Investigation (FBI) and US Cybersecurity and Infrastructure Security Agency (CISA).

    The FBI and CISA have released a joint statement on the security incident and are urging customers to run a tool provided by Kaseya to determine the risk of exploit, and to both enable and enforce multi-factor authentication (MFA) on enterprise accounts, wherever possible.

    Kaseya has been holding meetings with the FBI and CISA “to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers.”

    The White House is asking organizations to inform the Internet Crime Complaint Center (IC3) if they suspect they have been compromised. On Saturday, US President Biden said he has directed federal intelligence agencies to investigate.

    “Targeting [an] MSP platform (that is managing many customers at once) was very well thought and planned,” Amit Bareket, CEO of Perimeter 81, told ZDNet. “What’s unique is that hackers are becoming more strategic and targeting platforms that will filtrate down to many companies with one shot. RMMs [remote monitoring and management] are basically keys to many many companies, which amount to the kingdom for bad actors.”

    The White House has attempted to strengthen its stance on cybercrime in light of this attack, warning Russian President Vladimir Putin that unless he deals with the problem in his own backyard, “we will take action or reserve the right to take action on our own.”

    Are there any recovery plans?

    As of July 4, Kaseya says the company has now moved on from a root cause analysis of the attack to recovery and patch plans, consisting of:

    • Communication of our phased recovery plan with SaaS first followed by on-premises customers.
    • Kaseya will be publishing a summary of the attack and what we have done to mitigate it.
    • Some lightly-used legacy VSA functionality will be removed as part of this release out of an abundance of caution. A specific list of the functionality and its impact on VSA capabilities will be outlined in the release notes.
    • There will be new security measures implemented including enhanced security monitoring of our SaaS servers by FireEye and enablement of enhanced WAF capabilities.
    • We have successfully completed an external Vulnerability Scan, checked our SaaS Databases for Indicators of Compromise, and have had external security experts review our code to ensure a successful service restart.
    • Data centers starting with the EU will be restored, followed by the UK, APAC, and then North American systems.

    By late evening on July 5, Kaseya said a patch had been developed and that it is the firm’s intention to bring back VSA with “staged functionality” to hasten the process. The company explained that the first release will prevent access to functionality used by a very small fraction of its user base, including:

    • Classic Ticketing
    • Classic Remote Control (not LiveConnect)
    • User Portal

    Kaseya has now published an updated timeline for its restoration efforts, starting with the relaunch of SaaS servers, now set for July 6, between 4:00 PM EDT and 7:00 PM EDT. Configuration changes to improve security will follow, including an on-premise patch, expected to land in 24 hours, or less, from the time SaaS servers come back online.

    “We are focused on shrinking this time frame to the minimal possible — but if there are any issues found during the spin-up of SaaS, we want to fix them before bringing our on-premises customers up,” the firm says.

    Additional security improvements include the creation of 24/7 SOCs for VSA, as well as a complimentary CDN with a web application firewall (WAF) for every VSA.

    Update July 7: The timeline has not been met. Kaseya said that “an issue was discovered that has blocked the release” of the VSA SaaS rollout. “We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service,” Kaseya commented.

    In a service update, the vendor said it has been unable to resolve the problem. “The R&D and operations teams worked through the night and will continue to work until we have unblocked the release,” Kaseya added.

    July 7, 12 pm EDT: Kaseya hopes to resolve the SaaS systems rollout no later than the evening of Thursday, July 8. A playbook is currently being written up, due to be published today, which will provide guidelines for impacted businesses to deploy the upcoming on-prem VSA patch.

    Current recovery status

    As of July 8, Kaseya has published two run books, “VSA SaaS Startup Guide” and “On Premises VSA Startup Readiness Guide,” to assist clients in preparing for a return to service and patch deployment. Recovery, however, is taking longer than initially expected.

    “We are in the process of resetting the timelines for VSA SaaS and VSA On-Premises deployment,” the company says. “We apologize for the delay and changes to the plans as we work through this fluid situation.”

    In a second video message recorded by the firm’s CEO, Voccola said: “The fact we had to take down VSA is very disappointing to me, it’s very disappointing to me personally. I feel like I’ve let this community down. I let my company down, our company let you down. [..] This is not BS, this is the reality.”

    The new release time for VSA is Sunday, in the afternoon, Eastern Time, in order to also harden the software and bolster its security ahead of deployment.

    What can customers do?

    Kaseya has released a tool, including Indicators of Compromise (IoC), which can be downloaded via Box. There are two PowerShell scripts for use: one on a VSA server, and the other designed for endpoint scanning. The self-assessment scripts should be used in offline mode. They were updated on July 5 to also scan for data encryption and REvil’s ransom note.

    However, the scripts are only for potential exploit risk detection and are not security fixes. Kaseya will release patches as quickly as it can, but in the meantime, customers simply have to wait until Sunday. Kaseya intends to bring customers back online on July 11, at 4 PM EDT.

    “All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,” the firm said. “A patch will be required to be installed prior to restarting the VSA.”

    Cado Security has provided a GitHub repository for responders, including malware samples, IoCs, and Yara Rules. Truesec CSIRT has also released a script on GitHub to identify and mitigate damage on infected systems.

    Kaseya has also warned that scammers are trying to take advantage of the situation. “Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments. Do not click on any links or download any attachments claiming to be a Kaseya advisory.”
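As an added illustration of the kind of offline triage the self-assessment scripts perform (this is example code written for this page, not Kaseya's PowerShell tool), the scan below walks a directory tree looking for the two indicators the article names: the .csruj extension on encrypted files and the ransom note phrase “encrypted, and currently unavailable.” The sample tree it builds is constructed for demonstration; the ransom note filename is not given in the article, so the note is matched by content rather than by name.

```python
"""Offline triage scan for the two REvil/Kaseya indicators quoted in the
article: the .csruj extension on encrypted files and the ransom-note phrase.
Added example for this page; not Kaseya's own self-assessment script."""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".csruj"  # extension reported on encrypted files
NOTE_PHRASE = b"encrypted, and currently unavailable"  # phrase quoted from the note
NOTE_MAX_BYTES = 64 * 1024  # ransom notes are small; skip reading large files


def scan_tree(root):
    """Walk `root` and return encrypted-file paths, ransom-note paths and a hit flag."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() == ENCRYPTED_EXT:
                encrypted.append(path)
                continue  # an encrypted blob is not a note candidate
            try:
                if path.stat().st_size > NOTE_MAX_BYTES:
                    continue
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: record nothing, keep scanning
            if NOTE_PHRASE in data:  # bytes search, so no decoding errors
                notes.append(path)
    return {"encrypted": encrypted, "notes": notes, "hit": bool(encrypted or notes)}


def build_sample_tree(base):
    """Create a constructed tree: two 'encrypted' files, one note, one clean file."""
    docs = Path(base) / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "report.docx.csruj").write_bytes(b"\x00\x01\x02")
    (docs / "budget.xlsx.csruj").write_bytes(b"\x03\x04")
    (docs / "readme.txt").write_text("Your files are encrypted, and currently unavailable.")
    (docs / "clean.txt").write_text("nothing to see here")
    return base


def demo_scan():
    """Scan the constructed tree; returns (encrypted count, note count, hit)."""
    with tempfile.TemporaryDirectory() as tmp:
        result = scan_tree(build_sample_tree(tmp))
        return len(result["encrypted"]), len(result["notes"]), result["hit"]


if __name__ == "__main__":
    print("encrypted=%d notes=%d hit=%s" % demo_scan())
```

On a real endpoint the same `scan_tree` would be pointed at user and share roots, and any hit is a reason to keep the machine isolated rather than a verdict on its own.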
