$70M Ransom Requested: Largest Ever Ransomware Attack Affects Thousands of Businesses

Exploit: Ransomware
Company: Kaseya
Industry: Technology, Software
Sources: https://thehackernews.com/2021/07/revil-used-0-day-in-kaseya-ransomware.html, https://www.ctvnews.ca/sci-tech/scale-details-of-massive-kaseya-ransomware-attack-emerge-1.5496208

Advisory:

It is highly recommended that any organization running the Kaseya VSA on-premises solution shut down those servers immediately.

Thousands of businesses have been compromised in what appears to be the single biggest global ransomware attack on record. Details are emerging as to how REvil, a notorious Russia-linked cybercrime gang, may have carried out the attack.

Kaseya was alerted by the Dutch Institute for Vulnerability Disclosure (DIVD) to a number of zero-day vulnerabilities in Kaseya’s Remote Monitoring and Management platform, “Kaseya VSA”, that were being exploited to deploy ransomware.

The Threat:

The “Auto-Update” feature of on-premises instances of the software has been exploited to push malicious updates. The malicious update attempts to disable Microsoft Defender via PowerShell commands, uses legitimate filenames and paths of the VSA platform, and is digitally signed with valid Microsoft certificates, which makes this threat difficult for endpoint protection services to detect.

Recommendations:

In response to this sophisticated supply chain attack, Kaseya has taken down all VSA cloud servers; however, on-premises instances of the Kaseya VSA platform remain vulnerable:

• Turn off any on-premises VSA appliances until a security patch is released by Kaseya.

• Block port 5721/TCP, which VSA uses to communicate.
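The following PowerShell script is an added example and is not Kaseya’s or happier IT’s code. It applies the second recommendation on a Windows host (host-based block of TCP 5721 inbound and outbound, using the built-in NetSecurity cmdlets), reports anything still listening on or connected to that port, and checks that Microsoft Defender real-time protection has not been switched off, since the malicious update tries to disable it. The rule names are assumptions chosen for this example; the script assumes an elevated session on a host with the NetSecurity and Defender modules (Windows Server 2012 R2 / Windows 10 or later). The same port block should also be applied on the network firewall; this script only covers the host.

```powershell
# Added example (not Kaseya's or happier IT's code): contain an on-premises
# VSA host by blocking TCP 5721 and verifying Defender is still active.
# Run in an elevated PowerShell session. Rule names below are assumptions.

$Port  = 5721
$Rules = @(
    @{ Name = 'Contain-VSA-5721-Inbound';  Direction = 'Inbound';  PortParam = 'LocalPort'  },
    @{ Name = 'Contain-VSA-5721-Outbound'; Direction = 'Outbound'; PortParam = 'RemotePort' }
)

foreach ($r in $Rules) {
    # Idempotent: only create the block rule if it is not already present.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        $params = @{
            DisplayName = $r.Name
            Direction   = $r.Direction
            Protocol    = 'TCP'
            Action      = 'Block'
            Profile     = 'Any'
        }
        $params[$r.PortParam] = $Port   # LocalPort for inbound, RemotePort for outbound
        New-NetFirewallRule @params | Out-Null
        Write-Output "Created firewall rule $($r.Name)"
    } else {
        Write-Output "Firewall rule $($r.Name) already exists"
    }
}

# Report anything still listening on or connected to TCP 5721 so the
# owning process can be investigated before the host is powered off.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq $Port -or $_.RemotePort -eq $Port }
if ($conns) {
    $conns |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
        Format-Table -AutoSize
} else {
    Write-Output "No TCP $Port listeners or connections found"
}

# Verify that Microsoft Defender real-time protection is still enabled.
# A value of $false here is a red flag on a host that ran the malicious update.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
[PSCustomObject]@{
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    AntivirusEnabled          = $status.AntivirusEnabled
    DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
} | Format-List
if (-not $status.RealTimeProtectionEnabled -or $pref.DisableRealtimeMonitoring) {
    Write-Warning "Defender real-time protection is off; treat this host as suspect"
}
```

The firewall rules are created only if missing, so the script can be re-run safely as part of a wider containment checklist; the Defender check is read-only and simply surfaces the tampering the advisory describes.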

This highly sophisticated and evasive attack has already affected thousands of organizations, as Kaseya VSA is a widely used RMM tool, which significantly increases the attack surface. Many endpoint protection products and tools are currently being updated to isolate and quarantine the malicious threat. For now, it is highly recommended to follow the recommendations above and to be on the lookout for further actions from your MSP, cyber security advisors, vendors, and other cyber security news sources.

A Note to our Clients:

Only on-premises VSA servers are being affected by the Kaseya VSA zero-day attack.

happier IT does not use Kaseya VSA. With a core focus on security first, we use a SaaS-delivered RMM platform that we can monitor more closely internally, including immediate patch updates.

Do you need help protecting your business and your staff?

While it can be difficult to anticipate large-scale supply chain attacks, we can help organizations take a proactive approach to protecting their data and their staff. Talk to one of our cyber security experts and find out how we can help implement cyber security measures to protect your business.
Call us today: 1-888-974-2779
