Kaseya, an American firm that develops software for managing networks, systems, and information technology infrastructure, is now facing the largest supply chain ransomware attack on its VSA product. It was speculated that REvil, a private ransomware-as-a-service (RaaS) operation, was the mastermind of the attack and was able to gain access to Kaseya’s backend infrastructure. This access allowed the cybercriminals to abuse the standard VSA product functionality and deploy ransomware to Kaseya’s clientele.
The Miami-based company conducted an incident analysis of the ransomware attack on the Kaseya VSA software. The attackers exploited zero-day vulnerabilities in the VSA product to run arbitrary commands. There was no clear evidence that the codebase of the VSA product had been modified, but the exploit still gave the attackers a foothold to compromise managed service providers and, through them, breach their customers. Separately, Huntress Labs revealed that the cybercriminals gained access to the VSA servers using an arbitrary file upload vulnerability, a code injection vulnerability, and an authentication bypass.
Fred Voccola, CEO, said there were about 60 managed service providers and 1500 businesses that were paralyzed by the ransomware attack by the Russia-linked REvil RaaS group. The hackers initially demanded $70 million in Bitcoin for data decryption and negotiated the amount down to $50 million if their demands were met. The group is one of the most prolific RaaS operators and has been able to earn $100 million, Kaspersky researchers added. The Kaseya supply-chain incident led the US CISA to publish precautionary measures to prevent future ransomware attacks, such as enabling multi-factor authentication, limiting communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and placing RMM administrative interfaces behind a VPN or a firewall on a dedicated administrative network.
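The CISA guidance above restricts RMM administrative access to known IP addresses and a dedicated admin network. A defender can turn that control into a detection by auditing the RMM web server's access log for admin-interface requests that originate outside the allowlist. The following script is an added illustration, not code from Kaseya, CISA, or this article; the allowlisted networks, the admin path prefixes, and the sample log lines are all constructed for the example, and the paths are an assumption rather than the VSA product's real routes.

```python
"""Flag RMM admin-interface requests from outside an IP allowlist (added example)."""
import ipaddress
import re

# Hypothetical allowlist: networks from which admin access is expected.
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("10.20.0.0/24"),   # dedicated admin network (constructed)
    ipaddress.ip_network("192.0.2.10/32"),  # VPN concentrator egress (constructed)
]

# Paths treated as the administrative interface (assumption, not real VSA routes).
ADMIN_PATH_PREFIXES = ("/admin", "/api/admin")

# Common Log Format: client ip, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def is_allowlisted(ip_text):
    """True if the client address lies inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable address is never trusted
    return any(addr in net for net in ADMIN_ALLOWLIST)


def is_admin_path(path):
    """True if the request path belongs to the administrative interface."""
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PATH_PREFIXES)


def find_unexpected_admin_access(lines):
    """Return every admin-interface request whose source is outside the allowlist.

    Both successful and rejected requests are reported: a 401 from an unknown
    source is still a probe of an interface that should not be reachable at all.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_admin_path(rec["path"]):
            continue
        if not is_allowlisted(rec["ip"]):
            findings.append(rec)
    return findings


# Constructed sample log lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '10.20.0.5 - admin [05/Jul/2021:10:14:51 +0000] "GET /admin/dashboard HTTP/1.1" 200 1024',
    '198.51.100.77 - - [05/Jul/2021:10:15:03 +0000] "POST /api/admin/agents HTTP/1.1" 200 512',
    '198.51.100.77 - - [05/Jul/2021:10:15:04 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.9 - - [05/Jul/2021:10:16:30 +0000] "GET /admin/login HTTP/1.1" 401 128',
    'this line is not in common log format',
]

if __name__ == "__main__":
    for rec in find_unexpected_admin_access(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
```

The script reports two of the five sample lines: the successful POST to the agents API from 198.51.100.77 and the rejected login attempt from 203.0.113.9. The same allowlist can be fed into the firewall or VPN policy that enforces the control; the log check then confirms that the policy is actually in effect.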