
4n6expert
#288483 3-Jul-2021 07:56

Kaseya is the target of a supply chain attack that is resulting in customers being infected with ransomware.

Official advice from Kaseya is to turn it off NOW.

More info:

https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/

https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b


networkn
#2738286 3-Jul-2021 10:16

Came here to report this.

If you, as a customer, know your IT provider uses Kaseya, shut down every computer in your building and call your IT Provider immediately and alert them if they aren't already aware.

It might seem dramatic, but believe me when I tell you, it's not.

This is actively being exploited.

nztim
#2738294 3-Jul-2021 10:46

Ouch!

Any views expressed on these forums are my own and don't necessarily reflect those of my employer.

networkn
#2738296 3-Jul-2021 10:51

This is my worst nightmare. This could happen with any RMM provider. For many who are exploited in this manner, it's an extinction-level event.

I feel sick for VSA customers and their customers right now.

If you are an IT Provider using a remote tool capable of delivering commands to your clients, drop what you are doing and go and ensure *every single login* has MFA enabled.

Disable or delete any accounts no longer active in those tools.

Don't have your RMM on your domain if you house your own.

IP restrict your systems as tight as you possibly can.

None of these things would help today for this type of exploit.


gzt
#2738301 3-Jul-2021 11:07

Official advisory:

https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689

TL;DR: Shut down VSA server immediately.

Sideface
#2738412 3-Jul-2021 14:15

BBC News - US companies hit by 'colossal' cyber-attack

About 200 US businesses have been hit by a "colossal" ransomware attack, according to a cyber-security firm.

Huntress Labs said the hack targeted Florida-based IT company Kaseya before spreading through corporate networks that use its software.

Kaseya said in a statement on its own website that it was investigating a "potential attack".

Huntress Labs said it believed the Russia-linked REvil ransomware gang was responsible.

The Washington Post - Widespread ransomware attack is affecting hundreds of businesses

Researchers said cybercriminals were demanding $50,000 from smaller companies and $5 million from larger ones ...

rscole86
#2738529 3-Jul-2021 19:56

I've heard that the Bolton hotel, Wellington, has lost their central heating in the communal areas due to a cyberattack. Individual rooms are unaffected.

sbiddle
#2738534 3-Jul-2021 20:39

rscole86: I've heard that the Bolton hotel, Wellington, has lost their central heating in the communal areas due to a cyberattack. Individual rooms are unaffected.

Considering the very poor security on many BMS systems (port forwards with no IP whitelisting as a classic example) it's hardly surprising these sorts of things happen.

Handle9
#2738585 4-Jul-2021 06:48

sbiddle:

rscole86: I've heard that the Bolton hotel, Wellington, has lost their central heating in the communal areas due to a cyberattack. Individual rooms are unaffected.

Considering the very poor security on many BMS systems (port forwards with no IP whitelisting as a classic example) it's hardly surprising these sorts of things happen.

The number of BMS systems that are totally unmaintained and running on obsolete operating systems is frightening.

Batman
#2738587 4-Jul-2021 07:39

How do you know if your company is on Kaseya?


Sideface
#2738603 4-Jul-2021 08:33

Batman: how do you know if your company is on kaseya?

Kaseya has previously publicised its links to New Zealand-based CodeBlue and other Australasian IT companies, including BigAir, Datacom, eNerds, Leap Consulting, Surety IT and Ricoh Australia.

BBC News - Swedish Coop supermarkets shut due to US ransomware cyber-attack

Some 500 Coop supermarket stores in Sweden have been forced to close due to an ongoing "colossal" cyber-attack affecting organisations around the world. ...

Cyber-security firm Huntress Labs said the hack targeted Florida-based IT company Kaseya before spreading through corporate networks that use its software. ...

Kaseya's website says it has a presence in more than 10 countries and over 10,000 customers. ...

EDIT: The Washington Post - Widespread ransomware attack likely hit ‘thousands’ of companies on eve of long weekend

EDIT: President Joe Biden says he has directed US intelligence agencies to investigate who was behind a sophisticated ransomware attack that hit hundreds of American businesses and led to suspicions of Russian gang involvement.

martyyn
#2738642 4-Jul-2021 13:15

A local business called me on Friday to say the NZ Police had forwarded an email from German Interpol warning they were at risk of a ransomware attack.

The Interpol email just listed their business name, email address and physical address and mentioned they had received a CSV with their details. NZP couldn't tell them anything more.

He told me they have a WordPress website with 2FA logins, O365 email, Xero and an online CRM, and that's it.

I wasn't really sure what to tell them, to be honest.

networkn
#2738643 4-Jul-2021 13:17

martyyn:

A local business called me on Friday to say the NZ Police had forwarded an email from German Interpol warning they were at risk of a ransomware attack.

The Interpol email just listed their business name, email address and physical address and mentioned they had received a CSV with their details. NZP couldn't tell them anything more.

He told me they have a WordPress website with 2FA logins, O365 email, Xero and an online CRM, and that's it.

I wasn't really sure what to tell them, to be honest.

Get them to check they have no accounts without 2FA, that their data is backed up, and make sure their computers are all up to date etc.

In that instance, I'd probably take yet another backup, and store it cold.

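The two checklists networkn gives in this thread (MFA on every RMM login, inactive accounts disabled, console access IP-restricted; and, for the business warned by Interpol, no accounts left without 2FA) are the kind of audit that is worth scripting rather than eyeballing. The Python below is an added example for this thread, not code from any poster or from Kaseya. It runs over a constructed user export and a constructed console sign-in log; the column names, usernames, dates and addresses are assumptions and do not correspond to any real RMM export format.

```python
"""Audit an RMM/identity export against the thread's hardening points:
every enabled login has MFA, stale accounts are disabled, and console
sign-ins come only from allow-listed networks.

The CSV export, sign-in log and allow-list below are constructed sample
data; the column names are assumptions, not a real Kaseya/RMM format."""
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed user export (hypothetical columns).
USERS_CSV = """username,role,mfa_enabled,enabled,last_login
alice,admin,true,true,2021-07-01
bob,tech,false,true,2021-06-30
carol,admin,true,true,2021-01-15
dave,tech,true,false,2020-11-02
svc-backup,service,false,true,2021-07-02
"""

# Constructed console sign-in log: timestamp, username, source IP.
LOGIN_LOG = """2021-07-02T08:01:12Z alice 203.0.113.10
2021-07-02T09:14:55Z bob 203.0.113.11
2021-07-02T23:40:03Z alice 198.51.100.77
"""

# Assumed office/VPN range that should be the only source of console logins.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Accounts with no sign-in for this long are treated as inactive.
STALE_AFTER = timedelta(days=90)


def parse_users(text):
    """Read the export and normalise booleans and dates."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["mfa_enabled"] = row["mfa_enabled"].strip().lower() == "true"
        row["enabled"] = row["enabled"].strip().lower() == "true"
        row["last_login"] = datetime.strptime(row["last_login"].strip(), "%Y-%m-%d")
    return rows


def audit_users(rows, now):
    """Return (username, finding) pairs for enabled accounts that break policy.
    Disabled accounts are skipped: they cannot be used, so MFA and staleness
    only matter again if someone re-enables them."""
    findings = []
    for row in rows:
        if not row["enabled"]:
            continue
        if not row["mfa_enabled"]:
            findings.append((row["username"], "no MFA"))
        if now - row["last_login"] > STALE_AFTER:
            findings.append((row["username"], "stale, should be disabled"))
    return findings


def audit_logins(text, allowed):
    """Return (username, ip, timestamp) for sign-ins from outside the allow-list."""
    findings = []
    for line in text.strip().splitlines():
        ts, user, ip = line.split()
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in allowed):
            findings.append((user, ip, ts))
    return findings


def run_audit(now_str):
    """Run both checks as of the given date (YYYY-MM-DD) and return the findings."""
    now = datetime.strptime(now_str, "%Y-%m-%d")
    return {
        "users": audit_users(parse_users(USERS_CSV), now),
        "logins": audit_logins(LOGIN_LOG, ALLOWED_NETWORKS),
    }


if __name__ == "__main__":
    report = run_audit("2021-07-03")
    for user, finding in report["users"]:
        print(f"account {user}: {finding}")
    for user, ip, ts in report["logins"]:
        print(f"login by {user} from {ip} at {ts} is outside the allow-list")
```

Run as of 3 July 2021, the sample data flags `bob` and the `svc-backup` service account for having no MFA, `carol` as stale, and one `alice` sign-in from outside the allow-listed range. Service accounts are deliberately not exempted from the MFA check: where a tool cannot enforce MFA on them, the alternative is to tie them to the IP allow-list, which is why the login check is part of the same audit.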
martyyn
#2738649 4-Jul-2021 13:51

networkn:

Get them to check they have no accounts without 2FA, that their data is backed up, and make sure their computers are all up to date etc.

In that instance, I'd probably take yet another backup, and store it cold.

Exactly what I told them to do :)

IceFragmatic
#2738726 4-Jul-2021 18:32

NZ Herald is reporting 11 schools in NZ are affected. Got to feel sorry for the MSP(s) involved. They are basically an innocent victim.

Dynamic
#2738730 4-Jul-2021 18:47

Bugger.

To that MSP, feel free to reach out to us for extra manpower at no cost. It could potentially have been any of us.

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

