By Sherri Davidoff   /   Jul 3rd, 2021

Community Advisory: Kaseya Supply-Chain Ransomware Attacks

Hundreds of companies have been hit with a supply-chain ransomware attack after criminals reportedly exploited a vulnerability in Kaseya VSA, a widely used remote monitoring and management (RMM) tool that MSPs and internal IT teams use to administer servers and workstations at scale. Because a VSA server can push software and scripts to every endpoint it manages, compromising one VSA server lets an attacker deploy ransomware to all of that server's managed machines at once, which is what makes this a supply-chain attack rather than a single-site intrusion. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency notice urging all organizations to review the Kaseya advisory and shut down any VSA servers.

Currently, at least 8 MSPs and 200 organizations have been hit with ransomware as a result of the Kaseya exploit, and that number is expected to climb. Ransom demands range from $50,000 to $5M depending on the size of the victim organization.

An attacker who exploits a flaw in the VSA server could potentially:

  • Gain full remote access to every server and workstation that server manages (the VSA agent typically runs with SYSTEM privileges on Windows)
  • Steal data and other sensitive information
  • Install additional malware, add accounts, or place other backdoors in your network
  • Detonate ransomware across all managed endpoints and hold your organization hostage

What You Need to Do

LMG urges all organizations to immediately determine whether they, their MSP, or any other third-party technology provider uses Kaseya VSA. You may be exposed even if you never installed Kaseya yourself: the VSA agent an MSP deploys to manage your systems is the channel through which the ransomware was delivered. If your organization is running Kaseya, take the following actions:

  • Immediately disconnect all Kaseya VSA servers and appliances from your network
  • Ensure that your backups are working properly and cannot be overwritten, in case ransomware hits. Make sure to back up server configuration files in addition to data repositories.
  • Initiate immediate proactive threat hunting on your network, starting with hosts that run the VSA agent
  • Configure your endpoint detection and IDS/IPS systems to alert on suspicious activity
  • Forensically triage any Kaseya servers by acquiring a full disk image. If that is not possible, capture (at least) memory, Windows event logs, the web server (IIS) logs, the registry hives, and filesystem metadata (MAC timestamps), collecting volatile data first and hashing everything you collect.
  • Perform an immediate search for indicators of unauthorized access or data exfiltration, such as newly created accounts, unfamiliar scheduled tasks or services, and large or unusual outbound transfers
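The following triage collection script is an added example for the steps above; it is not part of the original advisory and is not Kaseya's or LMG's tooling. It targets an on-premises VSA server, which runs on Windows Server with IIS, and is meant to be run elevated on the host after it has been disconnected from the network, writing to removable or separately mounted evidence storage. The VSA install path (`C:\Kaseya`), the IIS log location, the directory list used for the filesystem timeline, and the use of the winpmem tool for memory capture are assumptions; adjust them to the server in front of you. It does not replace a full disk image where one is possible.

```powershell
# Added example: live triage collection for a Kaseya VSA server (Windows/IIS).
# Run as Administrator on the isolated host. PowerShell 5.1 or later assumed.
# Assumed paths: -KaseyaRoot, -IisLogRoot, and winpmem.exe beside this script.
[CmdletBinding()]
param(
    [string]$EvidenceRoot = "E:\Triage",
    [string]$KaseyaRoot   = "C:\Kaseya",
    [string]$IisLogRoot   = "C:\inetpub\logs\LogFiles",
    [string]$WinPmem      = "$PSScriptRoot\winpmem.exe"
)

$ErrorActionPreference = 'Continue'
$stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$out   = Join-Path $EvidenceRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $out -Force | Out-Null
# Record every command and error in the evidence set itself.
Start-Transcript -Path (Join-Path $out 'collection-transcript.txt') | Out-Null

# 1. Volatile data first: memory, then the running state that memory explains.
#    winpmem is a third-party imager (assumed present); without it, no memory is taken.
if (Test-Path $WinPmem) {
    & $WinPmem (Join-Path $out 'memory.raw')
} else {
    Write-Warning "winpmem not found at $WinPmem; memory was NOT captured."
}
Get-Process -IncludeUserName |
    Select-Object Id, ProcessName, Path, UserName, StartTime |
    Export-Csv (Join-Path $out 'processes.csv') -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Join-Path $out 'tcp-connections.csv') -NoTypeInformation

# 2. Persistence and account changes: new users, admins, scheduled tasks, services.
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet |
    Export-Csv (Join-Path $out 'local-users.csv') -NoTypeInformation
Get-LocalGroupMember -Group 'Administrators' |
    Export-Csv (Join-Path $out 'local-admins.csv') -NoTypeInformation
Get-ScheduledTask | Select-Object TaskName, TaskPath, State, Author, Date |
    Export-Csv (Join-Path $out 'scheduled-tasks.csv') -NoTypeInformation
Get-CimInstance Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Export-Csv (Join-Path $out 'services.csv') -NoTypeInformation

# 3. Event logs, exported as native .evtx so timeline tools keep the full records.
$logDir = New-Item -ItemType Directory -Path (Join-Path $out 'eventlogs') -Force
foreach ($log in 'Security', 'System', 'Application',
                 'Microsoft-Windows-PowerShell/Operational',
                 'Microsoft-Windows-TaskScheduler/Operational',
                 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational') {
    $file = Join-Path $logDir (($log -replace '[\\/]', '_') + '.evtx')
    wevtutil epl $log $file
}

# 4. Web server logs (VSA is served through IIS) and the VSA tree's logs/config.
Copy-Item -Path $IisLogRoot -Destination (Join-Path $out 'iis-logs') -Recurse -Force
if (Test-Path $KaseyaRoot) {
    Get-ChildItem -Path $KaseyaRoot -Recurse -Include *.log, *.txt, *.config, *.xml, *.ini `
        -ErrorAction SilentlyContinue | ForEach-Object {
        $dest = Join-Path (Join-Path $out 'kaseya') ($_.FullName -replace '^[A-Za-z]:\\', '')
        New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
        Copy-Item -Path $_.FullName -Destination $dest -Force
    }
}

# 5. Registry hives via reg save, which can read hives that are locked on a live system.
$regDir = New-Item -ItemType Directory -Path (Join-Path $out 'registry') -Force
foreach ($hive in 'SYSTEM', 'SOFTWARE', 'SAM', 'SECURITY') {
    reg save "HKLM\$hive" (Join-Path $regDir "$hive.hiv") /y | Out-Null
}

# 6. Filesystem metadata (creation/modification/access times) for the paths an
#    intruder touches first. Extend the list, or use C:\, if time allows.
Get-ChildItem -Path $KaseyaRoot, 'C:\inetpub', 'C:\Windows\Temp', 'C:\Users', "$env:SystemRoot\System32" `
    -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc, LastAccessTimeUtc, Attributes |
    Export-Csv (Join-Path $out 'filesystem-metadata.csv') -NoTypeInformation

# 7. Hash everything collected so the evidence's integrity can be demonstrated later.
Stop-Transcript | Out-Null
$collected = Get-ChildItem -Path $out -Recurse -File
$collected | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path |
    Export-Csv (Join-Path $out 'SHA256SUMS.csv') -NoTypeInformation
Write-Host "Evidence written to $out"
```

The order matters: memory and live process/connection state change every second, so they are captured before anything that generates activity on the host, and the hash manifest is written last so that it covers the transcript as well. Copy the resulting directory to write-once media and keep the original host powered off until a full image can be taken.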

Stay Up-to-Date

The LMG Security Incident Response team is actively tracking further developments resulting from this announcement and has prepared a response framework for any potentially compromised networks. Stay tuned for more details from Kaseya, as well as Indicators of Compromise (IoCs) that can be searched for within your internal network to determine if an unauthorized adversary has accessed your network. This is a developing case and we anticipate additional information will be released in the coming days.

Please reach out with any questions or if you need assistance.