Enterprise cybersecurity technology research that connects the dots.

The Kaseya ransomware attack is believed to have been down to an authentication bypass. Yes, ransomware needs to be on your radar -- but good authentication practices are also imperative.

Don Tait, Senior Analyst, Omdia

July 8, 2021

2 Min Read

Last Friday, just before the extended American Independence Day holiday, it was announced that Kaseya, an American software company, was hacked. The malicious actors were able to distribute ransomware by exploiting several vulnerabilities in Kaseya's Vector Signal Analysis (VSA) software, which gave the attackers the ability to infect multiple organizations via what is known as a supply chain attack.

From Omdia's perspective, supply chain cybersecurity is hugely complex, and many organizations have not paid it sufficient attention. Organizations can have hundreds or even thousands of suppliers digitally connected, and the risks are rarely quantified, and even when they are, it is frequently a manual process.

The attack is suspected to be the work of REvil (Ransomware Evil; also known as Sodinokibi), a ransomware gang with relative impunity operating out of Russia, where authorities frequently turn a blind eye to such gangs. REvil has demanded $70 million in Bitcoin in return for a universal decryptor that it claims will unlock the files of all victims. It is believed that REvil used an authentication bypass in the Web interface of Kaseya VSA to gain an authenticated session, upload the original payload, and then execute commands via SQL injection.

The attack highlights growing concern in the cybersecurity world about supply chain attacks; there are hundreds or thousands of potential victims by attacking a single supplier. The number of companies affected by this attack is unclear and will likely increase. For example, security company Huntress, which was one of the earliest sources to detect the attack, estimates "30 MSPs across the US, AUS, EU, and LATAM" have been breached and that over 1,000 organizations have been infected with ransomware as a result. Moreover, as a result of this attack, around 500 Coop stores in Sweden were also forced to shut.

Rest assured, this isn't the last of the supply chain attacks we will see this year, or perhaps even this month. Recommendations from the USA's Cybersecurity and Infrastructure Security Agency (CISA) for mitigating this particular attack include getting VSA servers offline, enforce multifactor authentication (MFA) as soon as possible, ensure that backups are in order and stored in air-gapped systems, and that remote monitoring and management tools be limited to communication among known IP address pairs.

Organizations must be less trusting of their supply chains and increase focus on understanding and reducing the associated risks.

About the Author(s)

Don Tait

Senior Analyst, Omdia

Don Tait supports and specializes in Omdia's identity, authentication and access intelligence service. Previous research areas where he has published reports includes: blockchain, fintech, Identity and Access Management (IAM), fraud protection in payments, smart cards, payment and banking cards, mobile transactions and proximity payments, SIM/eSIM, mPOS, NFC, HCE, and Chip-to-Cloud Security. Don brings well over a twenty years of market research experience to this role.

Before joining Omdia, he served as a Telecoms Research Analyst with Frost & Sullivan and was responsible for the firm's broadband services subscription. Previously, Don was a Marketing Consultant with Marketing Research for Industry Ltd., for which he wrote industrial, healthcare and telecommunication reports. Don Holds a BA (Hons) in Business Studies from Edinburgh Napier University. He is based in the company's Wellingborough office in the UK.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights