Over the Fourth of July weekend, Kaseya, a remote monitoring company based in Florida, was breached. The hacking group REvil is claiming responsibility, and the company has revealed that more than 1500 different customers have been affected.
Kaseya’s software is designed for Managed Service Providers (MSPs) and is considered a crucial part of the information technology supply chain, with more than 40,000 organizations using some form of it. The software provides a single framework for maintaining IT policies and managing endpoints: MSPs can monitor systems, deploy patches, and monitor and control endpoint systems remotely. By attacking the software that MSPs rely on, the hackers were able to reach 40,000 companies while directly hacking only 1500. MSPs are a frequent target because a single compromise scales out to all of their customers.
The hacker group REvil was able to exploit a previously unknown vulnerability in Kaseya’s authentication software. “Huntress (1,2) has tracked 30 MSPs involved in the breach and believes with ‘high confidence’ that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface. According to this cybersecurity firm, this allowed the attackers to circumvent authentication controls, gain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process.” [1]
This global attack has affected, directly or indirectly, 40,000 organizations. Two of the biggest victims were in Sweden and New Zealand. In Sweden, the supermarket chain Coop Sweden was forced to shut down half of its 800 stores because its point-of-sale tills and self-service checkouts were offline. [2] This happened because one of its software providers used Kaseya and was forced to go offline. In New Zealand, Whānau Manaaki, a Free Kindergarten Association, said 100 of its schools on the North Island were affected and forced to go to pen and paper. In addition, Macleans College was also affected, but quick intervention kept the damage from spreading. [3]
The FBI and the CIA are currently coordinating with Kaseya to assess the damage that has been done. In addition, Kaseya has already developed a patch for this vulnerability and is expected to release it within the next couple of days. However, these attacks have shown how vulnerable systems are to disruption. Given the recent attacks on SolarWinds, Microsoft Exchange and the Colonial Pipeline, hackers are exploiting vulnerabilities in our key infrastructure. According to Mike Smith, President and CEO: “Gone are the days of hacking a single firewall. It is too much work. Hackers are continually looking for ways to exploit mass amounts of people with a single hack. The most common attacks happen because of phishing attacks against employees of companies.”
[1] https://www.zdnet.com/article/kaseya-ransomware-supply-chain-attack-what-you-need-to-know/
[2] https://www.bbc.com/news/technology-57707530
[3] https://www.rnz.co.nz/news/national/446225/kaseya-ransomware-attack-hits-new-zealand-kindergartens