The Kaseya VSA Supply Chain Attack Made Simple

What is Kaseya VSA?

Kaseya is a provider of infrastructure management solutions for managed service providers (MSP’s)[1] and internal IT organisations. Kaseya VSA is a cloud-based IT management and remote monitoring solution for businesses of all sizes across various industries.

What is the Kaseya VSA Supply Chain attack?

At 2 pm EDT on Friday 2 July 2021, attackers launched a supply chain ransomware attack against multiple MSP’s and their customers by leveraging a zero-day vulnerability in the VSA platform. Numerous endpoints and servers have been infected with encryption malware accompanied by ransom demands ranging from $45,000 to $5M

Who is responsible?

REvil[2] claimed responsibility with a post on their Dark Web leak site

What happened?

Hackers leveraged a zero-day vulnerability in the VSA platform to deploy encryption malware via a fraudulent software update pushed out from the VSA servers to multiple MSP’s and their customers. To the novice, this translates to those enterprise businesses which had a VSA solution are likely to have experienced some form of encryption on endpoint devices such as laptops, on-premises services, credit card terminals and POS machines.

What are the attack’s consequences?

The Kaseya VSA servers were shut down immediately. In a public statement, the Kaseya CEO urged clients to do the same with on-premises VSA servers until further notice. This advice remains unaltered as of Thursday, 8 July[3].

MSP’s and end-users of the VSA platform are potentially without remote access or visibility of their IT estate. They are also dealing with the usual fall out of file encryption such as corruption or failures of backup, extortion demands, reduction in utilisation and increased leakage. Operations will continue to be affected as machines are taken offline for security patches; this is often repeated as understanding the vulnerability improves.

REvil’s operators have posted a universal ransom demand of $70M, which reports suggest was prompted by the volume of enquiries that the operators had failed to appreciate before triggering simultaneous payloads.

Ransom demands for end-users starting at $50,000 have been reported. Below is an example of the pop-up which have greeted unfortunate victims.

The message from law enforcement is not to engage with the operators

There are also indirect consequences for the affected business around regulatory reporting, brand protection, and increased costs of working during manual workarounds. Tracking expenses will also be key for any contractual, insurance or civil recovery.

Who are the victims?

Kaseya report that whilst only 50-60 clients have been affected, the encryption malware has been pushed downstream to approximately 1,500 businesses[4]

The attack has left an international footprint with victims identified to date across 17 countries, including the US, AUS, EU and LATAM[5] , e.g. COOP supermarket chain in Sweden and schools in New Zealand[6].

What is the advice to customers?

Kaseya has released advice on what to do if a system has been infiltrated and continues to post regular updates on their website[7] and message boards, including shutting down VSA servers immediately, preparing servers for the security patch, and informing law enforcement. The National Cyber Security Centre has published advice[8] along with CISA and the FBI[9].