Is Your Miami & South Florida IT Company Running Kaseya VSA?

Many cybersecurity experts believe that the REvil gang, a notorious Russian-speaking ransomware syndicate, is behind the attack that targeted software provider Kaseya.

Is Your Miami and South Florida IT Company Running Kaseya VSA? Take Note of the Following

A recent ransomware attack delivered through Kaseya VSA has paralyzed business computer networks across the globe. According to Sweden's public broadcaster, SVT, the attack on the US-based IT management vendor forced the Swedish grocery chain Coop to close roughly 800 of its stores because their cash registers stopped working. A Swedish pharmacy chain and the Swedish state railways were also affected.

Many cybersecurity experts attribute the attack to REvil, the Russian-speaking ransomware syndicate. The attackers used Kaseya's VSA remote management package as the delivery channel, pushing the ransomware through the managed service providers (MSPs) that run VSA down to the customer endpoints those MSPs manage. So, if your IT company runs Kaseya VSA to manage client networks, it is prudent to take precautions now to limit your exposure.

Kaseya Working on a Patch

According to Kaseya CEO Fred Voccola, the company believes it has pinpointed the source of the vulnerability and will soon "release the patch to get its customers back up and running." Multiple managed service providers (MSPs), each hosting IT infrastructure for many customers, have already been hit by the ransomware. The attackers encrypt the files on victims' networks and demand payment in exchange for the decryption key.

Judging by comments and complaints on Reddit, the attack could affect thousands of small businesses. According to Voccola, fewer than 40 of Kaseya's direct customers were identified as affected, but because many of those customers are MSPs that provide IT services to others, the ransomware could still reach hundreds of downstream organizations as the picture develops.

Voccola said the problem mostly affects Kaseya's "on-premise" customers, meaning MSPs that run their own VSA server in their own data center rather than using Kaseya's hosted service. The cloud-hosted VSA servers that Kaseya operates for customers were not affected, but as a precaution Kaseya shut those servers down as well.

According to the company, "any customer who experienced a ransomware attack and received a communication from the cyber criminals should not click on any links since they may be weaponized."

Proper Disaster Preparedness Is Key to Survival

Following the ransomware attack, Kaseya quickly sprang into action. However, it is unclear whether its affected customers had the same level of disaster preparedness. According to Gartner analyst Katell Thielemann, "They reacted with great caution, but the reality of this incident is that it was designed for maximum impact, conjoining ransomware attack with a supply chain attack."

In a supply chain attack of this kind, the attacker compromises a widely used piece of software, or the management and update channel behind it, so that the trusted product itself distributes the malware to every organization downstream. In the Kaseya case, the VSA servers that MSPs use to administer client machines became the mechanism that pushed the ransomware to those machines. To complicate matters further, the attack landed at the start of the Fourth of July holiday weekend in the U.S., when most corporate IT teams were not fully staffed.

The timing also left organizations poorly placed to deal with other, unrelated vulnerabilities at the same time. A serious Microsoft vulnerability in the Windows Print Spooler service, which handles print jobs, was public the same week. Kaseya customers therefore had to race to test and roll out fixes for other critical bugs while also responding to the ransomware.

Meanwhile, the federal Cybersecurity and Infrastructure Security Agency (CISA) announced that it is closely monitoring the situation and working with the FBI to gather more information on the impact of the attack.

CISA advised anyone affected to "observe Kaseya's guidance by shutting down VSA servers immediately." Kaseya's Virtual System Administrator (VSA) is used to remotely manage and monitor clients' networks; shutting the server down cuts off the channel the attackers used to reach managed endpoints. The privately held company is based in Dublin, Ireland, with a US headquarters in Miami.

About the Attackers

REvil, the syndicate tied to the Kaseya attack, is the same ransomware group that the FBI linked to the attack on JBS SA, a giant global meat processor. Like the Kaseya attack, that one was timed for a holiday weekend, in that case Memorial Day.

Since April 2019, the group has operated a ransomware-as-a-service model: it develops the network-paralyzing software and leases it to affiliates, who infect targets and demand ransoms. JBS, a Brazil-based company, said it paid the attackers about $11 million, a payment that prompted calls from U.S. law enforcement agencies to bring such syndicates to justice.

MSPs Are the Primary Targets

The account below concerns a separate, earlier wave of incidents, in June 2019, in which attackers logged into Webroot's MSP-focused management console and into MSPs' Kaseya VSA remote monitoring and management (RMM) servers. In those cases both vendors said the root cause was compromised user credentials rather than a vulnerability or breach in their products, a different failure mode from the July 2021 supply chain attack, which required a patch from Kaseya. The lesson is the same for MSPs, though: the management console that can reach every client endpoint is the highest-value credential in the business.

Webroot's Advanced Malware Removal team found that a small number of customers had been hit by threat actors who exploited a combination of weak authentication hygiene and exposed Remote Desktop Protocol (RDP). To protect the wider Webroot customer base, Webroot made two-factor authentication mandatory, enforcing it through a software update and a forced console logout on June 20.

On Kaseya's part, CTO John Durant said that "We are aware of limited instances where a few customers were targeted by hackers who leveraged compromised user credentials to access their privileged resources. All available evidence we've gathered points to the utilization of compromised credentials. We'll continue to monitor the situation closely."

According to Durant, research suggests that 80% of security breaches are associated with compromised credentials regardless of the system or software you use. “As we’ve investigated the latest instances experienced by our customers, compromised user credentials are to blame for the attacks. Therefore, we urge customers to employ cybersecurity best practices to secure their credentials, such as regularly changing passwords and making their security hygiene more robust,” added Durant.
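The credential hygiene Durant and Webroot describe is easier to enforce when you can see it failing. The following Python script is an added example written for this article, not code from Kaseya or Webroot: it replays a management-console sign-in log and flags the three patterns behind the incidents above, a burst of failed passwords that ends in a success, a success without a second factor, and a success from an address the account has never used before. The log format (one JSON object per line with ts, user, src_ip, result and mfa fields) and the sample lines are constructed for illustration; point it at your own console's audit export after adapting the field names.

```python
"""Flag suspicious sign-ins to an MSP management console.

Added example for this article; it is not Kaseya's or Webroot's code.
The log format is an assumption made for illustration: one JSON object
per line with fields ts (ISO 8601, UTC), user, src_ip, result
("success" or "failure") and mfa (true if a second factor was used).
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). "bob" is hit by a burst of
# password guesses from an unfamiliar address that ends in a success
# without MFA; "alice" later signs in from her usual address without MFA.
SAMPLE_LOG = """\
{"ts": "2021-07-02T13:00:01Z", "user": "alice", "src_ip": "203.0.113.10", "result": "success", "mfa": true}
{"ts": "2021-07-02T13:05:12Z", "user": "bob", "src_ip": "203.0.113.11", "result": "success", "mfa": true}
{"ts": "2021-07-02T13:40:00Z", "user": "bob", "src_ip": "198.51.100.7", "result": "failure", "mfa": false}
{"ts": "2021-07-02T13:40:20Z", "user": "bob", "src_ip": "198.51.100.7", "result": "failure", "mfa": false}
{"ts": "2021-07-02T13:40:40Z", "user": "bob", "src_ip": "198.51.100.7", "result": "failure", "mfa": false}
{"ts": "2021-07-02T13:41:00Z", "user": "bob", "src_ip": "198.51.100.7", "result": "failure", "mfa": false}
{"ts": "2021-07-02T13:41:20Z", "user": "bob", "src_ip": "198.51.100.7", "result": "failure", "mfa": false}
{"ts": "2021-07-02T13:41:40Z", "user": "bob", "src_ip": "198.51.100.7", "result": "success", "mfa": false}
{"ts": "2021-07-02T14:10:00Z", "user": "alice", "src_ip": "203.0.113.10", "result": "success", "mfa": false}
"""


def parse_ts(value):
    """Parse the log's UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_alert(event, rule, detail):
    return {"rule": rule, "user": event["user"], "src_ip": event["src_ip"],
            "ts": event["ts"], "detail": detail}


def analyze(log_text, fail_threshold=5, window_seconds=600):
    """Return alerts for risky successful sign-ins, in log order.

    Rules:
      brute_force_success - success preceded by >= fail_threshold failures
                            from the same user and source within the window
      login_without_mfa   - success where no second factor was presented
      new_source_ip       - success from an address never seen on an
                            earlier success for that user
    """
    window = timedelta(seconds=window_seconds)
    alerts = []
    failures = defaultdict(deque)   # (user, src_ip) -> timestamps of recent failures
    known_ips = defaultdict(set)    # user -> addresses seen on earlier successes

    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        ts = parse_ts(event["ts"])
        recent = failures[(event["user"], event["src_ip"])]

        # Drop failures that have fallen out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()

        if event["result"] != "success":
            recent.append(ts)
            continue

        if len(recent) >= fail_threshold:
            alerts.append(make_alert(event, "brute_force_success",
                                     f"{len(recent)} failed attempts in the preceding {window}"))
        recent.clear()

        if not event["mfa"]:
            alerts.append(make_alert(event, "login_without_mfa",
                                     "console accepted a password alone; enforce 2FA"))

        seen = known_ips[event["user"]]
        if seen and event["src_ip"] not in seen:
            alerts.append(make_alert(event, "new_source_ip",
                                     f"previously seen only from {sorted(seen)}"))
        seen.add(event["src_ip"])

    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["rule"]:<20} {alert["user"]}@{alert["src_ip"]}: {alert["detail"]}')
```

Run against the sample, the script raises three alerts for bob's sign-in from 198.51.100.7 and one for alice's password-only sign-in. The "new source address" baseline is seeded from the successes already in the log, so feed it a few weeks of history before the period you are hunting in; otherwise every account's first login looks normal and its second looks new.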

In short, tech leaders in the industry, including Kaseya, are continually raising the bar of cybersecurity processes and practices as the threat landscape evolves. Durant maintains that Kaseya will continue to help its customers through educational materials, training, and other assistance to establish the best security practices.

Is Your IT Company Running Kaseya VSA?

So, is your IT service company running Kaseya VSA? If that’s the case, have you taken measures to protect your clients? At 4it, we have the experience and expertise to offer IT support for managed service providers throughout Miami and Fort Lauderdale. Our goal is to help you minimize risks and deliver IT solutions by establishing an exchange between our clients, partners, and employees. Contact us today to schedule a consultation with one of our skilled IT engineers!
