Kaseya has taken all SaaS instances of its VSA remote monitoring and management tool offline following a “potential attack” against some on-premise VSA customers.
The New York and Miami-based IT service management vendor said it’s in the process of investigating the root cause of this incident. Kaseya said the fallout “has been limited to a small number of on-premise customers”, according to an “Important Notice” posted to the company’s website this afternoon.
A Kaseya spokesperson said that the company has received further information about the issue from “a few security firms,” and is working closely with them as well. The company put all its VSA SaaS servers into “maintenance mode”, at 2:19 p.m. ET Friday as part of an “emergency maintenance” action, with the company’s Cloud Operations Team notifying customers at 3:27 p.m. ET Friday that it’s investigating a VSA security incident.
“At this time, we have seen no SaaS VSA customers impacted,” Kaseya said on its status webpage. “However, out of an abundance of caution, we have taken the VSA SaaS instances offline while we investigate.”
Kaseya VSA is the company’s flagship product, offering both endpoint management and network monitoring in a single console. The product can be used to monitor everything from servers, desktops, and laptops to network devices and printers.
John Hammond, senior security researcher at cybersecurity firm Huntress, attributed the “potential attack” to the REvil/Sodinokibi ransomware gang, which has been active in attacks on other firms. The group was most recently behind the cyberattack on JBS, the world’s largest meatpacking company, CNBC reported on June 2.
Hammond said his team was first notified at 12:35 p.m. ET today and “it has been an all-hands-on-deck evolution to respond and make the community aware. The ransomware does have a digital signature. The Kaseya team has been very responsive with our threat intelligence.”
“We cannot emphasize enough that we do not know how this is infiltrated in Kaseya’s VSA,” Hammond said in an emailed statement. “At the moment, no one does.”
Hammond said that Huntress is aware of four MSPs “where all of the clients are affected — 3 US and one abroad. MSPs with over thousands of endpoints are being hit. We have seen that when an MSP is compromised, we’ve seen proof that it has spread through the VSA into all the MSP’s customers.”
The CEO for a large MSP, who did not want to be identified, said the Kaseya VSA issue is a “disaster” for all MSPs.
“This affects all our operations,” he said. “It’s bad news for all MSPs when a platform provider like this gets hit. I am glad they shut down hosted VSA for all their customers to stop further spread of a potential malware attack. At this point we don’t really know how big a problem this is and what is going to be the ultimate impact. The worst case scenario is a Ransomware attack that could affect our data.”
The CEO said he has been in touch with his customers who are impacted and informed those customers of a cloud outage. “All we can tell our customers at this point until we know more is that there is an outage,” he said. “We aren’t going to assume anything at this point. We are waiting for Kaseya to give us an update.”
The CEO said he and his team are on alert to keep customers informed and to make any changes necessary to move forward. “Luckily this is July 4 holiday, which means a lot of customers are offline anyway,” he said. “We are hoping this is all resolved in the next 48 hours.”
The CEO credited Kaseya for being proactive and working closely with MSPs to keep them informed on the issue. “Kaseya has done a good job of dealing with this in a straightforward and upright manner,” he said.
The potential attack comes nearly two years after Kaseya competitor NinjaRMM had its tool used to spread ransomware across multiple endpoints. The NinjaRMM breach was confined to one MSP and could have been prevented if two-factor authentication had been enabled.
“A malicious entity — or entities — was able to access the customer’s NinjaRMM account, most likely through a cached browser session, and was then able to use NinjaRMM to distribute ransomware across multiple endpoints,” NinjaRMM Chief Security Officer Lewis Huynh wrote in July 2019.