
Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

7/12/2021
11:35 AM

Kaseya Releases Security Patch as Companies Continue to Recover

Estimates indicate the number of affected companies could grow, while Kaseya faces renewed scrutiny as former employees reportedly criticize its lack of focus on security.

Kaseya, a provider of remote monitoring and management software, released a patch on July 11 to fix a vulnerability in its Virtual System Administrator (VSA) server that the Russia-linked REvil group had exploited nine days earlier to launch a ransomware attack against managed service providers and their clients.

While 95% of its cloud-based customers have been returned to service, the attack continues to affect Kaseya customers and clients. Some companies continue to struggle as others have begun returning to some semblance of normal business.

La Plata, Maryland-based JustTech, which provides technology services to more than 3,000 customers in six states and Washington DC, had about 100 customers go "completely down" on July 2, says founder and president Joshua Justice. The town offices of two JustTech clients, in North Beach and Leonardtown, Maryland, have acknowledged they were affected in the attack. While the company had clean backups from the morning of the attack, it had no way to easily transfer backups to clients.


So Justice rallied his non-technical employees to ferry hard drives from the company's data centers to those clients' offices. He estimates the work will be done today.

"We had plans to bring clients back and fully recover from situations such as this, but never envisioned we would need to do everyone at once," he says. "As client data is transferred from our secure data centers to hard drives, non-IT JustTech team members have been runners of clients' data and taken the hard drives to a client's location to meet a JustTech IT team member for reinstallation."

JustTech is a single Kaseya customer and alone accounts for about 100 affected organizations. This suggests that if 30 to 70 Kaseya customers were affected, as current estimates indicate, the number of downstream businesses could easily exceed the 1,500 to 2,000 total organizations estimated to be affected. Dutch managed service provider VelzArt, for example, reportedly had 200 to 300 clients affected by the attack. Kaseya reportedly estimated that about 70% of its affected customers were managed service providers, a fact that could have a significant multiplicative effect on the total number of businesses impacted.

The remaining 30% are direct Kaseya users such as Virginia Tech, which ran an on-premises version of the vulnerable Virtual System Administrator (VSA) server. The university has no downstream clients, but the attack still resulted in about 600 systems being encrypted with ransomware, according to a local news account.

Dutch technology service provider Hoppenbrouwers Techniek also revealed that about 1,500 to 2,000 systems had likely been impacted. The company required employees to bring their systems into the office so technicians could reinstall the operating system and restore data. It's unclear whether its business clients were also affected.

Kaseya released a patch for the standalone servers on Sunday then worked throughout the day and night to patch its cloud service, which has more than 30,000 customers.

"As posted in the previous update we released the patch to VSA On-Premises customers and began deploying to our VSA SaaS Infrastructure prior to the 4:00 PM target," the company stated in a 3 AM ET post on Monday, July 12. "The restoration of services is progressing, with 95% of our SaaS customers live and servers coming online for the rest of our customers in the coming hours."

The company faced renewed scrutiny this weekend following reports that employees had previously brought significant security issues to the attention of executives. In 2019, an employee provided Kaseya with a 40-page memo outlining security concerns, Bloomberg reported on July 10. The employee was subsequently fired, the report stated.

Kaseya also reportedly moved a significant amount of development to Belarus, a country with close ties to Russia and recently the focus of an outcry after it diverted a Ryanair flight to arrest a journalist.

The ransomware attack has divided victims into two camps: Those organizations with good backup procedures and those without. Swedish grocery store chain Coop reopened its stores last week after the attack took down stores' payment systems. The company quickly scaled up its own payment system from a pilot to more than 300 stores. 

"Coop has made large IT and security investments in recent years, but we can state that we need to do more," officials said in a statement (translated via Google). "This is an attack on society at large, and not just Swedish society, and also rare in its kind in its size."

Not all businesses had complete backups of their systems, Dutch MSP VelzArt reported. The service provider stated on July 8 that all servers, server-connected workstations, and companies with backups had recovered their data, but that many remote workers did not have backups and will not be able to recover their data.

The only hope, the company wrote in its blog (translated via Google), is for the decryption keys to be recovered.

"Previous large-scale ransomware attacks have shown that in some cases there is eventually a key that can undo the encryption — it is not clear at the moment whether this key will be released and when," the company reported. "Given the fact that many companies in a country such as America have been affected, we hope for this, but perhaps against the better. We don't know about this either, unfortunately."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments

tdsan, User Rank: Ninja, 7/15/2021 | 1:36:19 PM

Kaseya says they want to do the right thing but now the truth comes out

The company faced renewed scrutiny this weekend following reports that employees had previously brought significant security issues to the attention of executives. In 2019, an employee provided Kaseya with a 40-page memo outlining security concerns, Bloomberg reported on July 10. The employee was subsequently fired, the report stated.

This says it all. Instead of supporting the employee for finding issues in their application, he/she was fired for bringing this obvious gaping hole to their attention, and now others are paying for their oversight. Where is GDPR or the FTC when you need them? Are we going to get free credit reporting or a monitoring session for a year? There should be something said about this, and the company should pay for the money lost. Where is the accountability?

Kaseya Hack

Todd
dembosmd, User Rank: Author, 7/12/2021 | 11:56:44 AM

More information coming out every day

Very interesting to see the effects of this attack unfold on so many different scales, affecting companies of various sizes and industries.
AlexParella, User Rank: Apprentice, 7/12/2021 | 11:55:39 AM

Comments

The Kaseya hack really highlights the need for companies to prioritize how they would react to a ransomware attack affecting their network!