Kaseya VSA Ransomware Attack Infects MSPs And Their Clients Across The Country

This past weekend, a ransomware attack on Kaseya’s remote monitoring VSA platform infected hundreds of businesses. While Intelice clients are unaffected, if your business or your IT company uses Kaseya, you might be at risk. 

Kaseya VSA Ransomware Attack Infects MSPs And Their Clients Across The Country — Are You One Of Them?

You need to find out if your IT company uses Kaseya’s VSA platform right away — if they do, your business could be infected with ransomware. Get in touch with your IT company right now and find out.

Kaseya VSA Ransomware Attack — Intelice Solutions’ Clients Are Unaffected

On July 2, around 11 AM ET, a number of Kaseya VSA servers were used to deploy ransomware. Kaseya VSA software is a remote monitoring and management tool used by IT managed service providers, like Intelice, to provide services to their clients. By design, these tools have administrative access to all systems they manage, making this breach particularly dangerous and damaging.

At this time, it is being reported that about 50 managed service providers (MSPs), and 800 to 1,500 of their clients, have been subjected to this breach. Please note: Intelice is not one of the affected MSPs. We do not use the Kaseya VSA software, and none of our clients are subject to this breach.

How Did This Attack Occur?

The hacker group REvil exploited a zero-day vulnerability to gain access to the Kaseya VSA software running under the control of the MSPs. Through the compromised VSA servers, REvil was able to:

  • Remotely breach workstations and servers
  • Steal confidential and sensitive information
  • Install malware
  • Add new accounts
  • Delete valuable data
  • Remove administrative access for key users
  • Hold businesses hostage

The Dutch Institute for Vulnerability Disclosure (DIVD) on Sunday revealed it had alerted Kaseya to a number of zero-day vulnerabilities in its VSA software (CVE-2021-30116) that it said were being exploited as a conduit to deploy ransomware. The nonprofit entity said the company was in the process of resolving the issues as part of a coordinated vulnerability disclosure when the July 2 attacks took place.

Long-term consequences for affected businesses will likely include extensive data loss, long-lasting downtime, and high costs for recovery. For example, a grocery store chain affected by the attack has had to close down 800 stores while they deal with the infection.

How Did Intelice Respond To This Incident?

Upon being alerted to the incident by several of our IT community groups, we immediately reviewed our systems and our usage of all Kaseya products. As previously stated, we do not use the VSA platform targeted in this attack. However, we do use other software that Kaseya has acquired over the last several years; just to be safe, we disabled all integrations with all Kaseya software we currently use to service our customers.

The next step was to ensure that Kaseya VSA software was not installed on any client environments by previous MSPs. Our team quickly configured a monitor to discover this software’s agent installation. As of this post’s writing, we have not found any active instances of these Kaseya VSA agent software solutions running. We will continue to monitor for this software moving forward and plan to automatically remove it if found.

Lastly, we have been working with our malware/anti-virus vendors to secure client systems against this specific ransomware. We can now confirm they have already loaded the detection and remediation mechanisms to prevent this ransomware from loading on your systems.

How Does Intelice Actively Defend Against Threats Like This?

Our management systems are set up and secured so that admins receive only the access they need. Only users who can be identified as Intelice employees, and who are connecting from Intelice-compliant systems, can access our tools. We know we are one of only a few MSPs to enforce this level of security.

We also utilize the best of the security products, procedures, and services available to ensure these systems are protected from a breach. Key security solutions involved in our management systems include:

  • Third-party security operations center providing 24×7 monitoring of all management systems traffic and logs for security-related activity
  • Advanced perimeter security on all managed systems to control access
  • Advanced endpoint detection and response capabilities enabled on all systems
  • Email security with enhanced phishing security management
  • Web security management with GEO-IP Filtering
  • Encryption of all data at rest and in transit
  • Dark web monitoring of all Intelice accounts
  • Security awareness testing and training
  • Domain Reputation Management and Monitoring for misuse
  • Access control limited to compliant company issued systems
  • Access control limited to US Locations or other locations by exception only
  • Access to all systems requires multiple factors of authentication
  • All User and System accounts are reviewed monthly
  • Automated documentation and change management tracking (Including monitoring for all administrative access changes)
  • Patching of Operating Systems and Third-Party Software is completed within 30 days of release and commonly within 7 to 14 days. Zero-Day patches are applied ASAP.
  • Backups of all systems are completed in Full daily. Hourly backups are completed on our key datasets
  • Warm Site Recovery of all of our management systems, which is replicated to the Western US every hour, with full system restoration capabilities in under 2 hours
  • NIST Cyber Security Framework compliance and vulnerability assessments are completed bi-annually to verify that proper controls are in place to maintain security

What Can You Do If You’re Infected?

If you are not an Intelice client, and you’re worried that your business or your IT company uses Kaseya, you need to act fast. There are a few actions you can take that will potentially limit the damage:

  • Disconnect any devices and systems that are still connected to Kaseya VSA
  • Check your backups
  • Secure your networks using an IDS/IPS application tool
  • Implement a Next-Generation Endpoint Detection and Response Solution
  • Follow Kaseya’s recommendations, including searching for any Indicators of Compromise (IoCs)
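The two defensive tasks described on this page, the agent-discovery monitor Intelice configured and the "disconnect devices still connected to Kaseya VSA" and "search for IoCs" steps above, can be combined into a single host check. The script below is an added example and is not code from Intelice or from Kaseya. It assumes (none of this is stated on the page) that the VSA agent runs as a Windows service whose name contains "Kaseya", that its process is AgentMon.exe, and that it installs under a "Kaseya" folder in Program Files; adjust those three assumptions to match your deployment. The IoC hash list is a placeholder to be filled from the vendor's published guidance.

```powershell
# Added example (not Intelice's or Kaseya's code): find Kaseya VSA agent artefacts on
# a Windows host, optionally stop and disable the agent service, and optionally
# compare files in the agent's install folder against a list of known-bad SHA256 hashes.
#
# ASSUMPTIONS (not stated on the page): service name contains "Kaseya", process is
# AgentMon.exe, install root is "<Program Files>\Kaseya". Verify against your environment.
param(
    [switch]$Isolate,                 # stop and disable any discovered agent service
    [string[]]$IocHashes = @()        # placeholder: SHA256 values from the vendor advisory
)

$findings = @()

# 1. Services whose name or display name mentions Kaseya (assumed naming convention)
Get-Service |
    Where-Object { $_.Name -like '*Kaseya*' -or $_.DisplayName -like '*Kaseya*' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; State = $_.Status }
    }

# 2. Running agent process (assumed binary name AgentMon.exe)
Get-Process -Name 'AgentMon' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += [pscustomobject]@{ Kind = 'Process'; Name = $_.Path; State = 'Running' }
    }

# 3. Install directories (assumed locations)
foreach ($root in @("$env:ProgramFiles\Kaseya", "${env:ProgramFiles(x86)}\Kaseya")) {
    if (Test-Path -Path $root) {
        $findings += [pscustomobject]@{ Kind = 'Path'; Name = $root; State = 'Present' }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Kaseya VSA agent artefacts found on $env:COMPUTERNAME"
    return
}

Write-Output "Kaseya VSA agent artefacts found on $env:COMPUTERNAME:"
$findings | Format-Table -AutoSize

# 4. Optional IoC sweep: hash every file under the discovered install folders and flag
#    anything on the supplied list. The list itself must come from published guidance.
if ($IocHashes.Count -gt 0) {
    $dirs = ($findings | Where-Object { $_.Kind -eq 'Path' }).Name
    foreach ($dir in $dirs) {
        Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                if ($IocHashes -contains $hash) {
                    Write-Warning "IoC match: $($_.FullName) ($hash)"
                }
            }
    }
}

# 5. Optional isolation: cut the management channel by stopping and disabling the agent
#    service. This does not replace network isolation of a host suspected to be infected.
if ($Isolate) {
    $findings | Where-Object { $_.Kind -eq 'Service' } | ForEach-Object {
        Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $_.Name -StartupType Disabled
        Write-Output "Stopped and disabled service $($_.Name)"
    }
}
```

Run it as `.\Find-KaseyaAgent.ps1` from an elevated prompt to report only, `.\Find-KaseyaAgent.ps1 -Isolate` to also stop and disable the agent, and `.\Find-KaseyaAgent.ps1 -IocHashes (Get-Content .\iocs.txt)` once you have a hash list from the vendor's guidance. Reporting before acting matters here: a VSA agent left behind by a previous MSP is worth recording even on hosts that turn out to be clean, and stopping the service is a containment step, not a substitute for unplugging a host that shows an IoC match.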

If you have been affected by this attack and need expert assistance, get in touch with the Intelice Solutions team right away.

Don’t Hesitate — Act Now

If reading about ransomware attacks like this one makes you wonder if your business is vulnerable to security breaches and cybercriminal attacks, don’t wait until you are attacked to come up with a plan.

When you’re not sure if you have the skills or knowledge to get the job done, what can you do? Consult with cybersecurity professionals like those on the Intelice Solutions team.