A ransomware attack in July 2021 forced Kaseya to ship emergency patches to protect its customers. The product exploited was Virtual System Administrator (VSA), Kaseya's remote monitoring and management platform, which is used heavily by managed service providers (MSPs). Because those providers manage other companies' networks, an estimated 1,500 or more businesses worldwide were hit with ransomware through security flaws in VSA.
Kaseya told customers running on-premises VSA servers to shut them down immediately and keep them offline until a patch was available. The patch took about ten days to arrive, and it fixes several notable security flaws:
- A bypass of two-factor authentication
- A business logic flaw and a credential leak
- Cross-site scripting vulnerabilities
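To make the first two items concrete, here is an added illustration of the most common way a two-factor bypass arises from a logic flaw. It is generic example code written for this page, not Kaseya's code, and it does not describe the actual VSA flaw, whose internals the patch notes do not disclose. The vulnerable login flow marks the session fully authenticated after the password step, so an attacker who knows the password can skip the one-time code by requesting a protected page directly; the hardened flow keeps the session in a pending state until the second factor succeeds and limits OTP guesses. The user record, password and code are constructed sample data.

```python
"""Added illustration of a two-factor-authentication bypass caused by a login
logic flaw, beside a hardened version. Generic example; not Kaseya VSA code."""
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample user store (not real data). A production system stores a
# salted password hash and derives the one-time code from a TOTP secret.
USERS = {"alice": {"password": "correct horse battery", "otp": "492817"}}

MAX_OTP_ATTEMPTS = 5


@dataclass
class Session:
    user: Optional[str] = None
    authenticated: bool = False  # should mean "every login step passed"
    pending_mfa: bool = False    # password accepted, second factor outstanding
    otp_failures: int = 0


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison for secrets."""
    return hmac.compare_digest(a.encode(), b.encode())


class VulnerableLogin:
    """Marks the session authenticated as soon as the password is right."""

    def password_step(self, s: Session, user: str, password: str) -> bool:
        rec = USERS.get(user)
        if rec is None or not _eq(rec["password"], password):
            return False
        s.user = user
        s.pending_mfa = True
        s.authenticated = True  # BUG: trusted before the second factor is seen
        return True

    def otp_step(self, s: Session, code: str) -> bool:
        if s.user is None or not _eq(USERS[s.user]["otp"], code):
            return False
        s.pending_mfa = False
        return True

    def protected_page(self, s: Session) -> str:
        # The authorization check only looks at the flag the password step set,
        # so a client that never calls otp_step still gets through.
        return f"welcome {s.user}" if s.authenticated else "401 Unauthorized"


class HardenedLogin:
    """Authenticates only after both factors; limits OTP guesses."""

    def password_step(self, s: Session, user: str, password: str) -> bool:
        rec = USERS.get(user)
        if rec is None or not _eq(rec["password"], password):
            return False
        s.user = user
        s.pending_mfa = True
        s.authenticated = False  # FIX: nothing is trusted yet
        s.otp_failures = 0
        return True

    def otp_step(self, s: Session, code: str) -> bool:
        if s.user is None or not s.pending_mfa:
            return False  # no password step in this session
        if not _eq(USERS[s.user]["otp"], code):
            s.otp_failures += 1
            if s.otp_failures >= MAX_OTP_ATTEMPTS:
                # Too many guesses: throw the half-finished login away.
                s.user, s.pending_mfa = None, False
            return False
        s.pending_mfa = False
        s.authenticated = True  # FIX: only here does the session become trusted
        return True

    def protected_page(self, s: Session) -> str:
        # Require the final flag AND no outstanding factor.
        ok = s.authenticated and not s.pending_mfa
        return f"welcome {s.user}" if ok else "401 Unauthorized"


def skip_otp_attack(flow) -> str:
    """Attacker with a valid password requests the page without sending an OTP."""
    s = Session()
    flow.password_step(s, "alice", "correct horse battery")
    return flow.protected_page(s)


def legitimate_login(flow, code: str = "492817") -> str:
    """Normal client: password, then one-time code, then the protected page."""
    s = Session()
    flow.password_step(s, "alice", "correct horse battery")
    flow.otp_step(s, code)
    return flow.protected_page(s)


def otp_bruteforce_locks_out(flow) -> bool:
    """After MAX_OTP_ATTEMPTS wrong codes the right one must no longer work."""
    s = Session()
    flow.password_step(s, "alice", "correct horse battery")
    for _ in range(MAX_OTP_ATTEMPTS):
        flow.otp_step(s, "000000")
    return not flow.otp_step(s, "492817")


if __name__ == "__main__":
    print("vulnerable, OTP skipped:", skip_otp_attack(VulnerableLogin()))
    print("hardened,   OTP skipped:", skip_otp_attack(HardenedLogin()))
    print("hardened,   full login :", legitimate_login(HardenedLogin()))
```

The check to carry into a real review is the same regardless of framework: find the single flag or claim that protected endpoints trust, and confirm it can only be set at the last step of the login sequence, never earlier. A separate "pending" state, a guess limit on the second factor, and a session identifier rotated once login completes close the usual gaps.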
Understanding What Happened to Secure Your Business
Kaseya's software sits upstream of its customers. VSA is a remote management tool that pushes updates and commands to every endpoint it controls, and it is delivered both as a hosted service (SaaS) and as an on-premises server. Compromise a VSA server and you inherit that trusted channel to every machine it manages. It's like poisoning a river while it's a creek up the mountain: the waters keep flowing, and many downstream get poisoned.
In this case the "downstream" victims were the endpoints, and the attackers claimed about a million of them were encrypted. The figure is plausible: a million endpoints spread across roughly 1,500 affected businesses averages a little under 700 per business, a realistic fleet size for the small and mid-sized firms that rely on MSPs.
The Timeline of the Attack
The first infections were observed on July 2nd, and by July 13th the incident had been contained. The ransomware was quickly identified as REvil (also known as Sodinokibi). On July 4th Kaseya released a detection tool to help businesses check whether their VSA servers and endpoints had been compromised.
Media coverage of the damage was light, and the full extent of the attack was never explored in depth. By July 5th the attackers had posted a demand for $70,000,000 in exchange for a universal decryptor. A patch was expected on the 6th but slipped, and the delay continued through July 7th. By the following day, phishing emails disguised as Kaseya security updates were circulating with malicious attachments, compromising further victims.
On July 10th, former employees told reporters that they had warned Kaseya's leadership about serious security weaknesses in its products well before the attack and that those warnings went largely unaddressed. On the 11th the real patch was released and customers began restoring servers. Restoration continued on the 12th, and by the 13th the IT Glue integration had been re-enabled.
What Can Be Learned?
This was a zero-day attack, covered in more detail by The Washington Post. The attackers exploited vulnerabilities for which no fix was yet available, so even well-run IT departments had nothing to patch, though the whistleblower accounts suggest Kaseya itself had been warned about its security posture. Call what happened to Kaseya a canary in the coal mine: an attack like this will happen again, against another large company delivering services through cloud-based technology.
Security will certainly tighten and patches will be disseminated. But zero-day attacks against centralized, cloud-based services that fan out to many customers will keep happening; that is the unattractive reality. The attack also has a geopolitical dimension: REvil is widely believed to operate out of Russia, and the Post article suggests the Kremlin could have halted the attack.
Whether or not the Post is playing politics, the practical lesson is clear: prompt patching is more fundamental than ever. When a vendor releases a security fix, apply it right away. It is equally important to have failover plans that let the business operate for several weeks without a core system; Kaseya's customers spent more than a week with their VSA servers switched off.
What To Do
Cybercrime is nothing new, but the methods keep changing. Keep your security tooling current, and partner with cybersecurity professionals who treat security as their primary responsibility. Segment your network and compartmentalize sensitive data, and keep offline or immutable backups, so that a ransomware outbreak in one system cannot halt the whole business. Finally, keep employees trained on current best practices, including how to recognize phishing emails like the fake Kaseya update notices used in this attack.