Kaseya Attack: 1,500 Businesses Hit Through One Software Vendor

IT management and supply chain attack

Over the Fourth of July weekend, the REvil ransomware gang exploited a vulnerability in Kaseya VSA, a remote management tool used by managed service providers, to deploy ransomware to approximately 1,500 businesses simultaneously. Swedish grocery chain Coop had to close 800 stores because its point-of-sale systems were encrypted.

This is exactly the MSP supply chain attack we warned about in August 2019. The scale is staggering.

How It Worked

  1. REvil discovered a zero-day vulnerability in Kaseya VSA's on-premises servers
  2. They exploited it to push a malicious "update" through the VSA management console
  3. The update deployed ransomware to every endpoint managed by the compromised VSA servers
  4. Approximately 60 MSPs were directly compromised
  5. Through those MSPs, up to 1,500 downstream businesses were hit
  6. REvil demanded $70 million for a universal decryption key

The attack was timed for the Fourth of July weekend when IT staff would be unavailable. Deliberate. Calculated. Devastating.

The Supply Chain Multiplication Effect

This attack perfectly demonstrates why MSP-targeted attacks are so efficient for attackers:

  • One vulnerability in one product
  • Compromised 60 MSPs
  • Which managed 1,500 businesses
  • Across multiple countries
  • In a single weekend

Traditional ransomware hits one business at a time. Supply chain ransomware hits thousands.

What Your Practice Should Do

If You Use Kaseya VSA

Your MSP should have already taken Kaseya VSA offline per Kaseya's emergency instructions. Verify this. Do not reconnect until Kaseya releases the patch and your MSP applies it.

Regardless of What Tools You Use

  1. Ask your MSP which tools they use, such as Kaseya VSA, ConnectWise Automate, Datto RMM or NinjaRMM. Know what's managing your systems.
  2. Maintain independent backups. Your MSP-managed backup may be compromised in an MSP attack. Have at least one backup that's completely independent of your MSP's infrastructure.
  3. Review your MSP agreement. What is their liability if their systems are compromised and your data is lost? What is their incident response obligation?
  4. Ask about their security practices. How do they secure their management tools? Do they use 2FA? Do they segment client access? Do they monitor for anomalies?

We wrote about MSP supply chain attacks in 2019. We wrote about SolarWinds in 2020. Kaseya in 2021. The pattern is clear and accelerating. Your IT provider's security is your security. Verify it.