Kaseya Ransomware Attack July 2021

Atlantic.Net is providing this security advisory as a news item. We want to reassure our customers that Atlantic.Net does not use any of these exploited products internally or in any of our service offerings.

On July 2nd, 2021, during the run-up to Independence Day, we started getting reports of a major ransomware attack affecting Florida-based Kaseya. Kaseya is a technology company that sells software designed to simplify the management of your computer infrastructure. Their target clientele is small businesses with minimal in-house tech teams or managed service providers (MSPs) that manage IT for businesses.

The ransomware is reported to have affected the Kaseya VSA product only. Kaseya VSA is an all-in-one suite created to allow businesses the end-to-end management of not only their IT systems, point of sale systems, servers, laptops, patch management, monitoring, but also DR backups, antivirus, SaaS backups, and so on.

The attack, called a supply chain attack, was undertaken by the REvil Ransomware Group, a Russian-based criminal group. In a supply chain attack, a provider is targeted and the victim’s customers become the target. This is a trend that appears to be on the rise, as we saw it in December 2020 with the notorious SolarWinds Orion supply chain attack.

The attack vectors are strikingly similar to the SolarWinds breach. Experts originally suspected Kaseya VSA trusted distribution network or the mechanism used to deliver software updates to customers was breached, but we now know that the breach was a result of a zero-day exploit CVE-2021-30116.  The exploit allowed the hackers to bypass authentication and execute remote commands down the supply chain.

On July 2nd, Kaseya requested that all customers with the on-premise version of Kaseya are shut down, later followed by the shutdown of the SaaS offering.  Dutch security team DIVD CSIRT reported that the number of active Kaseya VSA instances dropped from 2200 to less than 140 in the space of 24 hours.

VSA has remained down for 8 days now and is still down at the time of writing (10th July). CEO Fred Voccola stating that services were expected to resume on Sunday 11th July at 4 pm EST.

The impact of this breach is still being understood. Kaseya performs a mission-critical operation to its customers, and an estimated 1500 businesses have been directly or indirectly impacted by the breach. The ransom has been set at $70 million.

The impact was felt in 17 countries according to Futurum Research and included a Swedish Supermarket chain that had to close 800 stores. Over 100 kindergartens in New Zealand were impacted, and it is thought that 70% of the impacted customers were Managed Service Providers, each in turn with a countless number of clients. So far, the only MSPs to acknowledge the impact are Dutch MSPs VelzArt and Hoppenbrouwer Techniek.

Kaseya has been refreshingly transparent about the attack and published a lot of information on their website. Their CTO and CEO have published video content online explaining to customers what has happened and the plans for the business to resolve the issue and get the service back online.

What Can You Do to Protect Yourself?

The US Government was quick to react to the Kaseya attack, and Kaseya’s CEO has reported working directly with Homeland Security and the FBI. This approach reinforces that the US Government is starting to give ransomware attacks the same priority as terrorist activities.

The best line of defense is to team up with a Managed Service Provider like Atlantic.Net that has the manpower to overcome and patch these attacks. We do not use any Kaseya products in our solutions, instead opting for proprietary solutions that are built, maintained, and operated in-house and within the USA.

Atlantic.Net has 30 years of experience in providing security-defined, hardened, and robust managed services for our customers. Leveraging our Cloud services will protect you from ransomware infection and ensure that your infrastructure and network are in a healthy state to give the best possible protection.

Let us manage your server infrastructure; we will take care of all your security patching requirements on top of the day-to-day upkeep we perform on our cloud platform.

When impacted by ransomware, the quickest resolution is nearly always to restore from backup. Regular offsite backups should be completed at least on a daily, weekly, and monthly rotation to reduce the likelihood of the backups also being infected.

Hackers gain access to systems when they are inadequately protected, and the best way to find if you are vulnerable is by performing vulnerability scanning. This technique tests the external and internal computer infrastructure against all known vulnerabilities. Atlantic.Net systems are tested for weakness often, and our team can recommend some of our trusted partners to test your systems directly with penetration testing.  In a situation like this, it is best to ensure that you are taking advantage of all best-known security practices to minimize any exposure to zero-day exploits like this Kaseya incident.

If your business is concerned about cybersecurity please feel welcome to reach out to Atlantic.Net. We are specialists in Managed Services, Cloud Hosting, and HIPAA compliance. Security of our infrastructure is of paramount importance, and we work hard to ensure we have the best security processes in place.  Atlantic.Net has a full suite of Managed Security Services to help us and our customers be proactive and prepare in advance for any security issues. Get in touch today.

HIPAA Compliant Hosting with Atlantic.Net

Contracting with Atlantic.Net for HIPAA-compliant web hosting gives you peace of mind that your provider knows what they’re doing. Atlantic.Net is SOC 2, SOC 3, HIPAA audited, and PCI ready, providing clients with the hardened, secure, and compliant infrastructure they need.