Kaseya, an IT solutions developer for MSPs and enterprise clients, fell victim to a supply chain ransomware attack over the weekend of July 2nd, 2021. The attackers exploited a vulnerability in Kaseya’s VSA software, using it against multiple MSPs and their customers.
CEO Fred Voccola has said less than 0.1% of Kaseya’s clients were affected. It is currently estimated that 800-1500 SMBs have experienced a ransomware compromise as a result of the attack. The FBI and CISA, along with other governing bodies, confirmed that Kaseya itself was not breached by the attack and that fewer than 60 on-premises VSA users were compromised by the attackers.
What We Know
Considering recent events involving the Kaseya security breach, we want to provide you with an update on the current situation and what we are doing to ensure the security of our customers. We can say with complete confidence that our organization and yours were not impacted by this event.
That said, there is quite a bit of misinformation spreading across the channel, so here is a quick rundown of what we know to be true:
- Fewer than 60 on-premises customers of Kaseya’s VSA product were affected, as confirmed by the FBI, CISA, and other independent security experts
- Kaseya’s network was not breached and no RKON customer data was stolen
- As an extreme precaution, Kaseya shut down its cloud version of the Kaseya VSA product
- Even though Kaseya’s cloud VSA wasn’t affected, Kaseya is also adding security features to each VSA instance, including 24/7 independent third-party monitoring, a Content Delivery Network (CDN), and a Web Application Firewall (WAF)
Impacts
Kaseya has said that its SaaS customers were never at risk, as this attack centered on the VSA on-premises product. Originally, it was reported that fewer than 40 on-premises clients had been affected worldwide, but that has now been revised to 50.
However, it is also estimated that 800-1500 SMB entities have been affected down the supply chain. External security experts have estimated about 1,000 organizations have had servers/workstations encrypted, adding that it is possible “thousands of small businesses may have been impacted”.
Kaseya maintains that less than 0.1% of the company’s direct clients experienced a breach, meaning that out of their roughly 37,000 clients worldwide, 36,946 were not affected by this attack. It is important to note that the scope of this attack is still being analyzed, and the full impact may not be realized for some time.
What is RKON doing?
RKON uses the Kaseya SaaS VSA service, which was not compromised during this attack; however, we are taking every precaution to ensure the safety of our clients. Our leadership teams have been in contact with senior Kaseya executives to better understand this sophisticated attack. Our engineers continue to closely monitor our systems and have taken the following security measures:
- We followed Kaseya’s published runbook of recommended actions to validate that there were no signs of system compromise before enabling endpoints; this included actions such as validating user accounts, policies, etc.
- Test endpoints were enabled and system logs were analyzed to ensure there was no unexpected behavior before client endpoints were enabled
- Multi-Factor Authentication (MFA) is enforced for all user accounts, and Kaseya VSA passwords are forced to reset upon initial logon
- Monitoring is configured within RKON’s Security Information and Event Management (SIEM) service to report if the ransomware is detected
- As Kaseya is now utilizing Web Application Firewall (WAF) services to strengthen security, RKON has worked with our clients to open the necessary ports to communicate with devices in our client offices
RKON wants to ensure you feel completely at ease with your service. You can learn more by listening to our Security Alert Podcast, or if you have any additional questions, please contact RKON Support at 312 654-0300 or fill out our contact form today. Our team is happy to address any lingering questions you might have.