Globally, a new ransomware attack hit thousands of organizations that use a remote management tool called Kaseya. The extent of the attack is just now becoming apparent, and the scope continues to grow.
Who is attacking and how?
The REvil ransomware gang, based in Russia, launched the attack. REvil used a sophisticated chain of exploits that included a vulnerability in the Kaseya VSA (virtual system administration) tool. Managed IT service providers (MSPs) that use the VSA tool then unknowingly distributed the compromised version to their customers. REvil then had an open door into those customer networks and launched ransomware attacks. This was a very fast attack, not designed to carefully extort targeted victims, but rather to maximize the criminals’ return using scale and automation. Therefore, the damage has been limited.
What steps should we take?
The basic guidance has been to shut off the VSA tool on all computers where it is installed and wait for the fixed version to be deployed (ETA still TBD). Kaseya has also released a tool that will search for compromised versions of the agent. Network flow and firewall records should be searched for suspicious outbound connections from systems with the VSA installed. DHS/CISA and the FBI have published a list of indicators, and network traffic and systems should be searched for those indicators.
This attack used what is known as a “zero-day” vulnerability, which means no update or patch existed at the time the attack was identified as underway, so it could not have been prevented by tools that detect “known” malware. Network monitoring and analysis may identify aberrant behaviour, but only after the fact, with the extortion already underway.
If nothing has happened so far, are we okay?
If an organization was compromised using the VSA tool, criminals could have installed other tools for future access, and possibly on other systems inside the network. Organizations must still monitor very closely for signs of an attack in the coming weeks, as well as prepare to minimize the impact if one occurs.
If we don’t use Kaseya, are we okay?
This attack only impacts Kaseya users, but since this is the second time REvil has gotten into networks through third-party software updates, all organizations should see this as a future avenue of attack and prepare.
What we will do going forward
- Review backups to ensure their availability and integrity.
- Prepare duplicates of critical operation servers and disconnect them from the network, and review incident response, insurance, and availability of external resources.
- Obtain all indicators being distributed and search for those indicators in logs and network traffic, including using the Kaseya identification tool.
- Monitor media and government sources for information and set up an assessment through Mid-Range for you.
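
The log search described under "What steps should we take?" and in the list above, as an added example that is not code from Kaseya, CISA or Mid-Range: it reports outbound connections to indicator addresses from any host, and outbound connections from VSA hosts to destinations outside a known-good baseline. The CSV log layout, host inventory, baseline and every address are constructed placeholders (documentation ranges), not published indicators.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# RFC 1918 ranges treated as "inside"; adjust to the local address plan.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)

def triage(log_text, vsa_hosts, indicators, baseline):
    """Return (label, row) findings, indicator hits first, then by timestamp."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if is_internal(row["dst"]):
            continue  # only outbound traffic is of interest here
        if row["dst"] in indicators:
            # An indicator hit matters from any host, not only VSA hosts.
            findings.append(("indicator-match", row))
        elif row["src"] in vsa_hosts and row["dst"] not in baseline:
            # VSA host reaching a destination nobody has vetted; denied
            # attempts are reported too, since the attempt itself is a signal.
            findings.append(("unbaselined-vsa-outbound", row))
    return sorted(findings, key=lambda f: (f[0] != "indicator-match", f[1]["ts"]))

# Constructed sample data (assumed inventory and placeholder indicator list).
VSA_HOSTS = {"10.0.5.11", "10.0.5.12"}   # hosts with the VSA agent installed
INDICATORS = {"203.0.113.45"}            # stand-in for the published indicators
BASELINE = {"198.51.100.20"}             # destinations already known to be expected
SAMPLE_LOG = """ts,src,dst,dport,action
2021-07-05T16:01:10Z,10.0.5.11,198.51.100.20,443,allow
2021-07-05T16:03:42Z,10.0.5.11,203.0.113.45,443,allow
2021-07-05T16:04:05Z,10.0.5.12,10.0.9.3,445,allow
2021-07-05T16:05:17Z,10.0.7.30,203.0.113.45,443,allow
2021-07-05T16:06:59Z,10.0.5.12,192.0.2.77,8080,deny
"""

if __name__ == "__main__":
    for label, row in triage(SAMPLE_LOG, VSA_HOSTS, INDICATORS, BASELINE):
        print(label, row["ts"], row["src"], "->", row["dst"], row["dport"], row["action"])
```

The indicator hit from 10.0.7.30, a host without the VSA agent, is the case the "If nothing has happened so far" section warns about: access that has spread to other systems inside the network.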