The Kaseya technology management software was hijacked in a global ransomware attack that started on Friday.
Attackers changed a Kaseya tool called VSA, used by IT professionals to manage servers, desktops, network devices and printers.
Kaseya has responded to the attack by shutting down some of its infrastructure in response and is urging customers that use VSA on their premises to immediately turn off their servers.
Some customers were infected before managed service providers could warn them.
Hundreds of US businesses were hit on Friday, ahead of the Independence Day holiday weekend, and the attack spread globally on Saturday. Among the victims are the Swedish Coop retail group, which had to shut over 800 stores over the weekend.
Ross McKerchar, Sophos vice-president and chief information security officer, comments: “This is one of the farthest reaching criminal ransomware attacks that Sophos has ever seen.
“At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organisations to be higher than what’s being reported by any individual security company.”
Kaseya has responded to the attack. It believes it has managed to limit its spread, and it working to resolve the issues.
So far, Kaseya has not brought its servers back online, but expects to start bringing them back by the end of the day today (5 July).
In the meantime, the company recommends that all on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA and a set of recommendations on companies can increase security posture.
“We have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponied,” the Kaseya statement adds.
The FBI says is investigating this situation and working with Kaseya, in co-0ordination with CISA, to conduct outreach to possibly impacted victims.
“We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately,” according to an FBI statement. “As always, we stand ready to assist any impacted entities.”
Mark Loman, Sophos director of engineering, points out that the adversaries are using MSPs as their distribution method to hit as many businesses as possible, regardless of size or industry type.
“This is a pattern we’re starting to see as attackers are constantly changing their methods for maximum impact, whether for financial reward, stealing data credentials and other proprietary information that they could later leverage, and more. In other widescale attacks we’ve seen in the industry, such as WannaCry, the ransomware itself was the distributor – in this case, MSPs using a widely-used IT management are the conduit.”
He adds that some successful ransomware attackers have raked in millions of dollars in ransom money, potentially allowing them to purchase highly valuable zero-day exploits. “Certain exploits are usually only deemed attainable by nation-states. Where ‘nation-states’ would sparingly use them for a specific isolated attack, in the hands of cybercriminals, an exploit for a vulnerability in global platform can disrupt many businesses at once and have impact on our daily lives.
“A day after the attack, it became more evident that an affiliate of the REvil Ransomware-as-a-Service (RaaS) leveraged a zero-day exploit that allowed it to distribute the ransomware via Kaseya’s Virtual Systems Administrator (VSA) software. Usually, this software offers a highly trusted communication channel that allows MSPs unlimited privileged access to help many businesses with their IT environments.”
Based on Sophos threat intelligence, REvil has been active in recent weeks, including in the JBS attack, and is currently the dominant ransomware gang involved in Sophos’ defensive managed threat response cases.