Geekzone: technology news, blogs, forums
networkn
Networkn
32349 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2738736 4-Jul-2021 19:15

Dynamic: Bugger.

To that MSP, feel free to reach out to us for extra manpower at no cost. It could potentially have been any of us.

 

Yup offer is open here as well.




sampler
445 posts

Ultimate Geek

ID Verified
Trusted
Lifetime subscriber

  #2738793 4-Jul-2021 20:15

networkn:

Dynamic: Bugger.

To that MSP, feel free to reach out to us for extra manpower at no cost. It could potentially have been any of us.


Yup offer is open here as well.



And 8 of the team here can help too
Hamilton to Whangarei for anything onsite.

mobiusnz
457 posts

Ultimate Geek


  #2738980 4-Jul-2021 22:46

This kind of thing has been on my mind ever since the SolarWinds hack. The minute you have software that gets updates without your interaction from an external vendor you are at risk of that vendor's systems being compromised.

 

There was a massive similar hack some time back in the Ukraine with an accounting system where hackers got into the update servers at the software vendor and pushed encryption malware out to their customers.

 

It's a scary world with so much money available to hackers

 

I long for the old days where a virus did something innocuous like posting a message "Your PC is now stoned. Legalise marijuana"





Matt Beechey Mobius Network Solutions




freitasm
BDFL - Memuneh
79250 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2738989 5-Jul-2021 07:22

Thanks @sampler, @networkn, @Dynamic and any other person/organisation (here on Geekzone or not) helping out.







nztim
3812 posts

Uber Geek

ID Verified
Trusted
TEAMnetwork
Subscriber

  #2739013 5-Jul-2021 09:15

If anyone needs boots on the ground in Wellington please let me know





Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 


michaelmurfy
meow
13240 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2739115 5-Jul-2021 12:34

Feel terrible for the MSP. I can't imagine what this would be like.

I'm also happy to take some volunteer days from work and help out where I can (Kapiti / Wellington region) if anyone here is affected free of charge. I can also get others in my workplace to take volunteer days to assist if additional manpower is required.





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


Sideface
9350 posts

Uber Geek

Trusted
DR
Lifetime subscriber

  #2739180 5-Jul-2021 13:04

BleepingComputer - REvil ransomware hits 1,000+ companies in MSP supply-chain attack

 


Ransomware gang demands a $5 million ransom

 

A sample of the REvil ransomware used in one of these attacks has been shared with BleepingComputer.

 

However, it is unknown if this is the sample used for every victim or if each MSP received its own ransom demand.

 

The ransomware gang is demanding a $5,000,000 ransom to receive a decryptor from one of the samples.

 



 

A screen capture of the ransom demand:

 

 

I hope that I never get to see one of these. 😶

 

 





Sideface


 
 
 

ResponseMediaNZ
518 posts

Ultimate Geek

ID Verified
Trusted

  #2739202 5-Jul-2021 14:20

Happy to help out as well. Based in Auckland but have staff in Christchurch and spare gear.

Also an update from Kaseya
https://www.kaseya.com/potential-attack-on-kaseya-vsa/ 

 

Updates Regarding VSA Security Incident

 

July 4, 2021 - 5:30 PM EDT

 

 

Next Update will be published July 4th in the very late evening EDT.   Checking this link is the fastest way to ensure that you have the latest information from Kaseya.

 

Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack.   Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.

 

Our security, support R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service.

 

This update provides further detail on the July 4, 2021 10:00AM EDT and earlier updates.

 

Our efforts have shifted from root cause analysis and mitigating the vulnerability to beginning the execution of our service recovery plan.  This plan will consist of the following stages:

 

  • Communication of our phased recovery plan with SaaS customers first followed by on-premises customers.
    • In the spirit of responsible disclosure, Kaseya will be publishing a summary of the attack and what we have done to mitigate it.
    • Some lightly-used legacy VSA functionality will be removed as part of this release out of an abundance of caution. A specific list of the functionality and its impact on VSA capabilities will be outlined in the release notes.
    • There will be new security measures implemented including enhanced security monitoring of our SaaS servers by FireEye and enablement of enhanced WAF capabilities.
    • We have successfully completed an external Vulnerability Scan, checked our SaaS Databases for Indicators of Compromise, and have had external security experts review our code to ensure a successful service restart.
  • SaaS Restoration Timeline Updates
    • Our executive committee will meet on July 5th at 5:00 AM UTC (12:00 AM EDT) to make a readiness decision on restarting SaaS within the following time windows:
      • EU, UK, & APAC Data Centers: July 5 – 9:00 AM UTC – 1:00 PM UTC (4:00 AM EDT – 8:00 AM EDT)
      • North American Data Centers: July 5 – 5:00 PM EDT – 10:00 PM EDT
    • These times/dates are subject to change and a status update will be posted on the website by 1:00 AM UTC as to whether we are adhering to the above schedule or not. If not, we will publish a revised schedule at that time.
  • For our SaaS Users:
    • We will bring our SaaS data centers back online on a one-by-one basis starting with our EU, UK and APAC data centers followed by our North American data centers.
    • We will be adding an additional layer of security to our SaaS infrastructure which will change the underlying IP addresses of our VSA servers.
  • For our On-Premises Users
    • We are currently building our on-premises release to make available to customers. We will begin the communication of the on-premises release process on July 5
    • We are working on a program to enable us to extend our new security measures to our on-premises customers. Most details for this will be available prior to the release of the on-premises patch.

Continued Advisory

 

  • All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase security posture.
  • We have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponized.
  • The new Compromise Detection Tool can be downloaded at the following link: VSA Detection Tools.zip | Powered by Box. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.

sampler
445 posts

Ultimate Geek

ID Verified
Trusted
Lifetime subscriber

  #2739205 5-Jul-2021 14:50

michaelmurfy:

 

Feel terrible for the MSP. I can't imagine what this would be like.

 

 

While I would expect an even smaller number in NZ, it could be interesting to know if any of those MSPs (and their customers) now affected had already jumped ship from SolarWinds with their breach that went public earlier this year. Sometimes it can be more prudent to stay with a platform after such events as they have usually completed more in-depth audits and found/fixed all sorts of things.

 

Having said that, off the top of my head I'm not aware of any MSP tool set vendors who have provided confirmation of code or system auditing publicly. Maybe this point should be stressed to vendors?


billgates
4705 posts

Uber Geek

Trusted

  #2739224 5-Jul-2021 16:08

@sampler @Dynamic @networkn @nztim @michaelmurfy can you please make contact on below email address as there is an MSP that is looking for help. Thanks!

 

 

 

 





Do whatever you want to do man.

  

Dynamic
3866 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2739225 5-Jul-2021 16:13

I'd not spotted that @billgates.  Email sent.





“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

 



networkn
Networkn
32349 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2739226 5-Jul-2021 16:14

On it.

 

 


Dynamic
3866 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2739227 5-Jul-2021 16:15

Damn, they are good!  Huntress responded already advising their partner has enough help for now.  (Others, perhaps email your offer anyway just in case something comes up.)





“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

 



networkn
Networkn
32349 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2739229 5-Jul-2021 16:20

Huntress are one of the good guys. The CEO is a total badass as well.


michaelmurfy
meow
13240 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2739232 5-Jul-2021 16:27

Thanks @billgates - have fired them an email. We also did attempt to get in contact with the MSP via Cert offering manpower. It is great to see everyone getting together and offering assistance despite this MSP being a competitor in many cases.

 

Edit: Just had a reply back saying they're blown away by the amount of responses they've gotten and said they don't have any unfulfilled requests.





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.

