Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


End of Bibblio RCM includes -->

Kaseya Releases Security Patch as Companies Continue to Recover

Estimates indicate the number of affected companies could grow, while Kaseya faces renewed scrutiny as former employees reportedly criticize its lack of focus on security.

Kaseya, provider of remote management and monitoring software, released a patch on July 11 to fix a vulnerability in its server that the Russia-linked REvil group exploited nine days earlier to launch a ransomware attack against managed service providers and their clients.

While 95% of its cloud-based customers have been returned to service, the attack continues to affect Kaseya customers and clients. Some companies continue to struggle as others have begun returning to some semblance of normal business.

La Plata, Maryland-based JustTech, which provides technology services to more than 3,000 customers in six states and Washington DC, had about 100 customers go "completely down" on July 2, says founder and president Joshua Justice. The town offices of two JustTech clients, in North Beach and Leonardtown, Maryland, have acknowledged they were affected in the attack. While the company had clean backups from the morning of the attack, it had no way to easily transfer backups to clients.

Related Content:

Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours

Special Report: Building the SOC of the Future

New From The Edge: The NSA's 'New' Mission: Get More Public With the Private Sector

So Justice rallied his non-technical employees to ferry hard drives from the company's data centers to those clients' offices. He estimates the work will be done today.

"We had plans to bring clients back and fully recover from situations such as this, but never envisioned we would need to do everyone at once," he says. "As client data is transferred from our secure data centers to hard drives, non-IT JustTech team members have been runners of clients' data and taken the hard drives to a client's location to meet a JustTech IT team member for reinstallation."

JustTech is a single customer of Kaseya and accounts for 100 affected organizations. This suggests if 30 to 70 Kaseya customers were affected, as current estimates indicate, the number of downstream businesses could easily exceed the 1,500 to 2,000 total organizations estimated to be affected. Danish managed service provider VelzArt, for example, reportedly had 200 to 300 clients affected by the attack. Kaseya reportedly estimated about 70% of its affected customers were managed service providers, a fact that could have a significant multiplicative affect on the total number of businesses impacted. 

The remaining 30% are Kaseya users such as Virginia Tech, which ran an on-premise version of the vulnerable Virtual Server Administrator (VSA) server. The university does not have downstream clients, but the attack did result in about 600 systems being encrypted with ransomware, according to a local news account

Dutch technology service provider Hoppenbrouwers Techniek also revealed that about 1,500 to 2,000 systems had likely been impacted. The company required employees to bring their system into the office to have technicians reinstall the operating system and restore data. It's unclear whether the itss business clients were also affected. 

Kaseya released a patch for the standalone servers on Sunday then worked throughout the day and night to patch its cloud service, which has more than 30,000 customers.

"As posted in the previous update we released the patch to VSA On-Premises customers and began deploying to our VSA SaaS Infrastructure prior to the 4:00 PM target," the company stated in a 3 AM ET post on Monday, July 12. "The restoration of services is progressing, with 95% of our SaaS customers live and servers coming online for the rest of our customers in the coming hours."

The company faced renewed scrutiny this weekend following reports that employees had previously brought significant security issues to the attention of executives. In 2019, an employee provided Kaseya with a 40-page memo outlining security concerns, Bloomberg reported on July 10. The employee was subsequently fired, the report stated.

Kaseya also reportedly moved a significant amount of development to Belarus, a country with close ties to Russia and recently the focus of an outcry after it diverted a Ryanair flight to arrest a journalist.

The ransomware attack has divided victims into two camps: Those organizations with good backup procedures and those without. Swedish grocery store chain Coop reopened its stores last week after the attack took down stores' payment systems. The company quickly scaled up its own payment system from a pilot to more than 300 stores. 

"Coop has made large IT and security investments in recent years, but we can state that we need to do more," officials said in a statement (translated via Google). "This is an attack on society at large, and not just Swedish society, and also rare in its kind in its size."

Not all businesses had complete backups of their systems, Danish MSP VelzArt reported. The service provider stated on July 8 that all servers, server-connected workstations, and companies with backups have recovered their data, but that many remote workers did not have backups and will not be able to recover their data.

The only hope, the company wrote in its blog (translated via Google) is for the keys to be recovered.

"Previous large-scale ransomware attacks have shown that in some cases there is eventually a key that can undo the encryption — it is not clear at the moment whether this key will be released and when," the company reported. "Given the fact that many companies in a country such as America have been affected, we hope for this, but perhaps against the better. We don't know about this either, unfortunately."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Apprentice
7/12/2021 | 11:55:39 AM
The Kaseya hack really highlights the need for companies to prioritize how they would react to a ransomware attack affecting their network!
User Rank: Author
7/12/2021 | 11:56:44 AM
More information coming out everyday
Very interesting to see the effects of this attack unfold on so many different scales and affecting companies of various sizes and industries. 
User Rank: Ninja
7/15/2021 | 1:36:19 PM
Kaseya says they want to do the right thing but now the truth comes out
The company faced renewed scrutiny this weekend following reports that employees had previously brought significant security issues to the attention of executives. In 2019, an employee provided Kaseya with a 40-page memo outlining security concerns, Bloomberg reported on July 10. The employee was subsequently fired, the report stated.

This says it all, instead of supporting the employee for finding issues in their application, he/she was fired for bringing this obvious gaping hole to their attention and now others are paying for their oversight. Where is GDPR or FTC when you need it? Are we going to get a free credit reporting or monitoring session for a year, there should be something said about this and the company should pay for the money lost, where is the accountability?

Kaseya Hack

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file