Risk Advisory: Kaseya VSA ‘supply-chain attack’

Saturday, 3 July, 2021

A person with two laptops on their desk (Source: Unsplash/freestocks)

Cydea’s risk advisories are intended for senior management to aid their understanding of current events and the cyber risk posed to their organisations.

Organisations using the on-premises version of Kaseya VSA remote monitoring and management software shut down the application immediately.

What is the supply-chain problem with Kaseya?

IT management tools are an attractive target for cyber-criminals seeking to conduct ransomware attacks as they provide the mechanism - by design - to deploy and update software. They use the administrative permissions of these tools to disable security protections and deploy their malicious software.

There have been reports (BBC News) that the product of popular remote management and monitoring (RMM) software vendor, Kaseya, may have been used by cyber-criminals to launch tens, or hundreds, of ransomware attacks. The attackers are taking advantage of the Independence Day public holiday in the United States of America, when many IT and security teams will be at reduced capacity.

The reports are characterising events as a ‘supply-chain attack’ because Kaseya’s “VSA” software is used by many IT managed service providers to help manage their customer’s IT estates more efficiently. Around 60 of Kaseya’s customers have been affected, however that has given the cybercriminals access to approximately 1,500 further organisations.

What is the risk?

This manifests in two ways depending on the software deployment model:

For on-premises customers it appears to be the exploitation of a vulnerability in the software, which is used by cyber-criminals to deploy malware.

For cloud-based, or Software-as-a-Service (SaaS) deployments customers may be unable to manage or monitor their environments as the vendor has taken the precautionary measure of disabling their service.

On-premises Kaseya VSA deployment

Cyber-criminals are exploiting the software used by our IT team or provider to remotely monitor and manage our desktops, laptops and servers to install malicious software, disrupt our business and hold us to ransom.

Source:

  • Cyber-criminals
  • Compromised supplier

Risk events:

  • System intrusion
  • Malware / ransomware
  • Information breach / unauthorised access to information

Consequences:

  • Operational / business disruption
  • Financial / unplanned costs, theft/extortion of money
  • Compliance (potential, where linked to personal data breach or impact on regulated activities)

Cloud/SaaS Kaseya VSA deployment

A compromised supplier is concerned that their software may be used by cyber-criminals as part of a ransomware campaign and disables their service as a precautionary measure meaning that we are unable to manage and monitor our IT estate effectively and efficiently.

Source:

  • Compromised supplier

Risk events:

  • Supplier / service availability

Consequences:

  • Operations / business disruption
  • Financial / increased costs/inefficiency

Frequency factors

The frequency of these risk events increases around national public holidays. Attackers deliberately wait until teams are at reduced capacity and employees distracted by the prospect of time off to launch their attacks.

What action is required?

Immediate action is required for on-premises deployments of Kaseya VSA. Business leaders should consult with their IT teams, or out-sourced providers, and assess their situation:

  1. Is Kaseya VSA used to monitor or manage our IT estate? (if not there is no further action required)
  2. Is the software deployed on-premises or SaaS?
  3. For on-premises only: Have you disabled the Kaseya VSA software in our IT estate?
  4. How are you preparing to install the software update from Kaseya before restarting the software?
  5. For SaaS only: What is the likely disruption, and how are you preparing if Kaseya VSA remains inaccessible for more than 48 hours?

Further updates are being made available on the Kaseya support website.

Restoration guides

Kaseya has published ‘startup guides’ to help affected organisations restore their SaaS and on-prem Kaseya VSA instances safely:

## Updates

2021-07-11: Added details of the scale of the attack and included links to the runbooks to help customers restore their operations.

For further information or assistance in understanding or measuring this risk to your organisation please contact us for a session with one of our cyber risk consultants.

Cydea uses the Open Information Security Risk Universe (OISRU) as a framework and taxonomy for describing information security risks independently of models or methods of analysing risks. Find out more about our contribution to the project on our cydea.tools site.