Dark Reading is part of the Informa Tech Division of Informa PLC


Kaseya Releases Security Patch as Companies Continue to Recover

Estimates indicate the number of affected companies could grow, while Kaseya faces renewed scrutiny as former employees reportedly criticize its lack of focus on security.

Kaseya, provider of remote management and monitoring software, released a patch on July 11 to fix a vulnerability in its server that the Russia-linked REvil group exploited nine days earlier to launch a ransomware attack against managed service providers and their clients.

While 95% of its cloud-based customers have been returned to service, the attack continues to affect Kaseya customers and clients. Some companies continue to struggle as others have begun returning to some semblance of normal business.

La Plata, Maryland-based JustTech, which provides technology services to more than 3,000 customers in six states and Washington DC, had about 100 customers go "completely down" on July 2, says founder and president Joshua Justice. The town offices of two JustTech clients, in North Beach and Leonardtown, Maryland, have acknowledged they were affected in the attack. While the company had clean backups from the morning of the attack, it had no way to easily transfer backups to clients.


So Justice rallied his non-technical employees to ferry hard drives from the company's data centers to those clients' offices. He estimates the work will be done today.

"We had plans to bring clients back and fully recover from situations such as this, but never envisioned we would need to do everyone at once," he says. "As client data is transferred from our secure data centers to hard drives, non-IT JustTech team members have been runners of clients' data and taken the hard drives to a client's location to meet a JustTech IT team member for reinstallation."

JustTech is a single Kaseya customer and alone accounts for 100 affected organizations. This suggests that if 30 to 70 Kaseya customers were affected, as current estimates indicate, the number of downstream businesses could easily exceed the 1,500 to 2,000 total organizations estimated to be affected. Danish managed service provider VelzArt, for example, reportedly had 200 to 300 clients affected by the attack. Kaseya reportedly estimated that about 70% of its affected customers were managed service providers, a fact that could have a significant multiplicative effect on the total number of businesses impacted.

The remaining 30% are Kaseya users such as Virginia Tech, which ran an on-premises version of the vulnerable Virtual Server Administrator (VSA) server. The university does not have downstream clients, but the attack did result in about 600 systems being encrypted with ransomware, according to a local news account.

Dutch technology service provider Hoppenbrouwers Techniek also revealed that about 1,500 to 2,000 systems had likely been impacted. The company required employees to bring their systems into the office to have technicians reinstall the operating system and restore data. It's unclear whether its business clients were also affected.

Kaseya released a patch for the standalone servers on Sunday, then worked throughout the day and night to patch its cloud service, which has more than 30,000 customers.

"As posted in the previous update we released the patch to VSA On-Premises customers and began deploying to our VSA SaaS Infrastructure prior to the 4:00 PM target," the company stated in a 3 AM ET post on Monday, July 12. "The restoration of services is progressing, with 95% of our SaaS customers live and servers coming online for the rest of our customers in the coming hours."

The company faced renewed scrutiny this weekend following reports that employees had previously brought significant security issues to the attention of executives. In 2019, an employee provided Kaseya with a 40-page memo outlining security concerns, Bloomberg reported on July 10. The employee was subsequently fired, the report stated.

Kaseya also reportedly moved a significant amount of development to Belarus, a country with close ties to Russia and recently the focus of an outcry after it diverted a Ryanair flight to arrest a journalist.

The ransomware attack has divided victims into two camps: those organizations with good backup procedures and those without. Swedish grocery store chain Coop reopened its stores last week after the attack took down stores' payment systems. The company quickly scaled up its own payment system from a pilot to more than 300 stores.

"Coop has made large IT and security investments in recent years, but we can state that we need to do more," officials said in a statement (translated via Google). "This is an attack on society at large, and not just Swedish society, and also rare in its kind in its size."

Not all businesses had complete backups of their systems, Danish MSP VelzArt reported. The service provider stated on July 8 that all servers, server-connected workstations, and companies with backups have recovered their data, but that many remote workers did not have backups and will not be able to recover their data.

The only hope, the company wrote in its blog (translated via Google), is for the keys to be recovered.

"Previous large-scale ransomware attacks have shown that in some cases there is eventually a key that can undo the encryption — it is not clear at the moment whether this key will be released and when," the company reported. "Given the fact that many companies in a country such as America have been affected, we hope for this, but perhaps against the better. We don't know about this either, unfortunately."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

User Rank: Ninja
7/15/2021 | 1:36:19 PM
Kaseya says they want to do the right thing but now the truth comes out
The company faced renewed scrutiny this weekend following reports that employees had previously brought significant security issues to the attention of executives. In 2019, an employee provided Kaseya with a 40-page memo outlining security concerns, Bloomberg reported on July 10. The employee was subsequently fired, the report stated.

This says it all: instead of supporting the employee for finding issues in their application, he/she was fired for bringing this obvious gaping hole to their attention, and now others are paying for their oversight. Where is GDPR or the FTC when you need them? Are we going to get free credit reporting or a monitoring session for a year? There should be something said about this, and the company should pay for the money lost. Where is the accountability?

Kaseya Hack

User Rank: Author
7/12/2021 | 11:56:44 AM
More information coming out everyday
Very interesting to see the effects of this attack unfold on so many different scales and affecting companies of various sizes and industries. 
User Rank: Apprentice
7/12/2021 | 11:55:39 AM
The Kaseya hack really highlights the need for companies to prioritize how they would react to a ransomware attack affecting their network!