IT and security management services company Kaseya reported an attack against a “small number” of customers Friday afternoon, but a bigger supply chain incident might be afoot heading into the July 4 holiday weekend.

The attack, which some researchers believe to be the work of ransomware group REvil or one of its affiliates, could be the beginning of a mass ransomware event with the potential to strike a wide swath of industry and local government. The FBI in June blamed the Russia-based group for a ransomware attack against global meat supplier JBS. Kaseya said the incident is affecting its VSA software platform, a remote monitoring and management product used by managed services providers.

“We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only. We have proactively shut down our SaaS servers out of an abundance of caution,” Dana Liedholm, senior vice president of corporate communications at Kaseya wrote in an email to CyberScoop. “We have been further notified by a few security firms of the issue and we are working closely with them as well.”

The firm is recommending that all customers shut down their VSA server immediately.

Multiple cybersecurity firms have reported clients who have been affected by the attack.

“We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted,” Huntress Labs wrote in a post on Reddit. “We are aware of at least 8 impacted MSP partners at this time.”

“We strongly believe a REvil/Sodinokibi RaaS affiliate is behind these intrusions,” the firm wrote in the same post.

Sophos also reports “an active industry wide supply chain attack using Kaseya to deploy ransomware” and notes that the attacks are “geographically dispersed.”

Jake Williams, chief technology officer of BreachQuest and Rendition Infosec, said on Twitter that multiple clients who used Kaseya had been hit with Sodinokibi ransomware.

Kaseya appears to have shut down its cloud (SaaS) services, though it has not reported any affected cloud customers. The firm claims 40,000 customers.

The infection appears to take over administrator rights, trickling down from managed service providers to their clients, cybersecurity researcher Kevin Beaumont wrote in a blog.

Managed service providers remotely manage customers’ IT infrastructure and user systems.

This isn’t the first time hackers have used Kaseya to push ransomware. In 2019, hackers used compromised credentials to gain unauthorized access to the platform and spread ransomware to customers.

The post Kaseya hit with suspected cyberattack, raising fears of major supply chain incident appeared first on CyberScoop.

Published July 2, 2021, 21:19 (UTC-04:00)