Information technology company Kaseya warned its 40,000 clients that there was a “potential attack” on its VSA tool, which is used to manage computers remotely. The company posted a security advisory to its help desk site, urging customers to shut down their servers running the service:
We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today.
We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us.
Its critical that you do this immediately, because one of the first things the attacker does is shutoff administrative access to the VSA.
It’s believed that the same group of criminals behind the attack on JBS Meats engineered the current assault.
Huntress Lab’s John Hammond told NPR that this was “a colossal and devastating supply chain attack.” He suspects a major ransomware syndicate, the REvil gang, was behind the attack.
The cybercriminals sent two different ransom notes: one for $50,000 to smaller companies and one for $5 million to larger organizations.
“It is absolutely the biggest non-nation state supply-chain cyberattack that we’ve ever seen,” Allan Liska, a researcher with the cybersecurity firm Recorded Future, told the Washington Post. “And it’s probably the biggest ransomware attack we’ve seen, at least the biggest since WannaCry.”
While Kaseya says that only 40 direct customers had been affected, one cybersecurity company identified eight managed service providers (MSPs) with more than 200 clients whose networks were partially or completely shut down.
Cybersecurity researcher Jake Williams, president of Rendition Infosec, told NPR that the attack was likely timed to coincide with the 4th of July holiday when IT staffs are typically thin. “There’s zero doubt in my mind that the timing here was intentional,” he said.
Ransomware attacks increased significantly in frequency and severity during 2020. A report from a task force of more than 60 experts said nearly 2,400 governments, health-care systems and schools in the country were hit by ransomware in 2020. Organizations paid attackers more than $412 million in ransom payments last year, according to analysis firm Chainalysis.
After a May attack on Colonial Pipeline — which spurred panicked lines at gas pumps and empty fuel stations — the U.S. government increased its emphasis on addressing cybersecurity issues, and urged corporate America to strengthen its computer security.
It’s unclear how the hackers gained access originally to Kaseya’s systems but the company has been a frequent target of criminal gangs because it represents an access point for tens of thousands of companies.
The assault came just weeks after President Biden met with Russian President Vladimir Putin in Geneva, warning him that the United States would hold Moscow accountable for cyber attacks that emanate from Russia. Many cybersecurity threat analysts believe that REvil operates largely out of Russia. The recent spate shows underscores the challenge facing the Biden administration in deterring ransomware attacks conducted by criminals given safe harbor in countries like Russia.
Why should Putin cease and desist? First of all, he’s profiting personally from at least some of the hacker gangs who are kicking back protection money. Second, there is absolutely no downside to attacking U.S industries or the government. There is probably some pushback from Cyber Command, but right now, the U.S. is in the position of reacting to attacks.
There is danger in escalation, but so far, the hackers have not crossed any red lines that would force the U.S. to up the ante.
It’s a perilous balance that’s being maintained and could easily be tipped as a result of a miscalculation. That’s why this situation will not remain static and could get much worse before too long.