The 4th July is traditionally the day that we reach out to family and friends across ‘the pond’ and wish them a Happy Independence Day. The national holiday, marked by patriotic displays, commemorates the Declaration of Independence of the United States, on July 4, 1776, when the Continental Congress declared that the American colonies were no longer subject to British rule and were now united, free, and independent states.
This year, however, the celebrations were somewhat curtailed by news that the hacking group REvil had carried out the biggest ransomware attack to date against U.S. businesses, with some estimates suggesting that as many as 1,500 businesses were affected.
The gang targeted Kaseya, an IT and security management services provider, by hijacking the firm’s unified remote monitoring & management desktop tool VSA, to push a malicious update to its customers.
REvil launched the attack on 2nd July and demanded $70M for a universal decryptor.
In announcing the breach, Kaseya stated: “We are in the process of investigating the root cause of the incident with an abundance of caution, but we recommend that you immediately shut down your VSA server until you receive further notice from us. It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA.”
The breach was so severe that the FBI have worked with Kaseya in supporting those organisations affected. In a brief statement the Bureau said: “The FBI is investigating this situation and working with Kaseya, in coordination with CISA, to conduct outreach to possibly impacted victims. We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately. As always, we stand ready to assist any impacted entities.”
Even President Biden became involved.
10 days after the attack, 95% of the businesses affected are back up and operational thanks to the deployment of a patch. Given the scale and nature of the attack, questions are being asked of Kaseya’s security.
An article published by Bloomberg highlights claims made by several Kaseya ex-employees suggesting that the company had been made aware of potential security flaws within VSA on several occasions but did not act. Issues raised included outdated code, weak encryption and passwords, and, perhaps most damning of all, a failure to adhere to basic security practices such as regular patching.
It will be some time before the full implications of the attack on Kaseya are known. The company has received some plaudits for the speed with which it alerted customers on discovery of the breach, and for its subsequent communications, but what of the long-term reputational damage?
Again, this attack demonstrates that organisations must adopt a ‘prevention first’ strategy when it comes to cyber security. It may be boring, it may be repetitive, but it’s essential.
If you’d like to find out more about vXtream’s approach to system and data security, then get in touch now.
Update: 26th July 2021
In a statement today Kaseya stated: “Kaseya has maintained our focus on assisting our customers, and when Kaseya obtained the decryptor last week we moved as quickly as possible to safely use the decryptor to help our customers recover their encrypted data. Recent reports have suggested that our continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks, but nothing could be further from our goal. While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment. As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor.”