Kaseya Details REvil Attack, Incident Response Plan
Kaseya, an IT service management (ITSM) tools provider employed by managed service providers (MSPs) and internal IT teams, announced it will keep the software-as-a-service (SaaS) edition of its platform offline until further notice after a ransomware attack impacted approximately 40 of its customers. Some of those customers are MSPs, which resulted in this attack impacting more than 200 organizations that are downstream customers of those MSPs.
The company revealed it may have already discovered the vulnerability being exploited to launch those attacks and is working on a patch. In the meantime, Kaseya has encouraged all its customers to shut down the on-premises edition of its Virtual System Administrator (VSA) remote monitoring and management (RMM) platform. The company has yet to reveal exactly when a patch will become available. This latest attack is being attributed to cybercriminals affiliated with REvil, a provider of a ransomware-as-a-service platform.
Thus far, organizations that use the SaaS edition of the Kaseya platform have not been impacted by the attack, but Kaseya took the platform offline as part of its overall response to the security incident. The company is advising customers to shut down VSA platforms in on-premises IT environments until a patch is made available.
Kaseya has yet to disclose the precise vulnerability that is being exploited, but ITSM platforms used widely by MSPs have been the targets of multiple attacks over the last few years. In those attacks, criminals first compromise the ITSM platform itself, typically a legacy product built on a client/server architecture, and then, in many cases, use Remote Desktop Protocol (RDP) sessions from the compromised platform to push malware into the IT environments the MSP manages.
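The pivot described above, from a compromised management server into the endpoints it manages, leaves a recognisable trace: interactive RDP logons (Windows Security event 4624 with logon type 10) that originate from the management server, often to many hosts in a short window. The following is an added example, not code from the article, from Kaseya or from any vendor, that runs two such checks over a handful of constructed Windows logon events. The JSON line format, the field names, the address 10.0.5.20 for the management server and the account names are all assumptions made for the illustration; the meaning of event 4624 and logon type 10 is standard Windows behaviour.

```python
"""Flag RDP sessions that originate from an RMM/ITSM server.

Added example, not the article's or any vendor's code. Assumed inputs:
Windows Security events exported as JSON lines with the fields shown below,
and the management server's address supplied by the analyst in RMM_HOSTS.
"""
import json
from datetime import datetime, timedelta

LOGON_EVENT = 4624      # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10     # LogonType 10 = RemoteInteractive, i.e. an RDP session
RMM_HOSTS = {"10.0.5.20"}   # hypothetical address of the management server

# Constructed sample events, not real telemetry. Three RDP logons from the
# management server to three workstations within about a minute, one RDP
# logon by an administrator from a jump host, a network (type 3) logon from
# the management server, and a logoff (4634) that must be ignored.
SAMPLE_EVENTS = """\
{"time":"2021-07-02T13:58:01Z","host":"WS-017","event_id":4624,"logon_type":10,"user":"svc_rmm","src_ip":"10.0.5.20"}
{"time":"2021-07-02T13:58:40Z","host":"WS-022","event_id":4624,"logon_type":10,"user":"svc_rmm","src_ip":"10.0.5.20"}
{"time":"2021-07-02T13:59:12Z","host":"WS-031","event_id":4624,"logon_type":10,"user":"svc_rmm","src_ip":"10.0.5.20"}
{"time":"2021-07-02T14:02:30Z","host":"WS-001","event_id":4624,"logon_type":10,"user":"jsmith","src_ip":"10.0.9.9"}
{"time":"2021-07-02T14:03:05Z","host":"WS-017","event_id":4624,"logon_type":3,"user":"svc_rmm","src_ip":"10.0.5.20"}
{"time":"2021-07-02T14:05:00Z","host":"WS-031","event_id":4634,"logon_type":10,"user":"svc_rmm","src_ip":"10.0.5.20"}
"""


def parse_events(text):
    """Parse JSON lines into dicts, converting the timestamp to datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def rdp_logons(events):
    """Keep only successful interactive RDP logons."""
    return [e for e in events
            if e["event_id"] == LOGON_EVENT and e["logon_type"] == RDP_LOGON_TYPE]


def flag_rmm_rdp(events, rmm_hosts=RMM_HOSTS):
    """Any RDP session sourced from the management server is worth a look:
    the platform reaches endpoints through its agent, not through RDP."""
    return [e for e in rdp_logons(events) if e["src_ip"] in rmm_hosts]


def flag_fanout(events, window=timedelta(minutes=10), threshold=3):
    """One source opening RDP sessions to `threshold` or more distinct hosts
    inside `window` looks like mass deployment, not an admin fixing one box.
    Returns {source_ip: set_of_hosts} for each source that trips the rule."""
    by_src = {}
    for e in sorted(rdp_logons(events), key=lambda e: e["time"]):
        by_src.setdefault(e["src_ip"], []).append(e)
    findings = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(hosts) >= threshold:
                findings[src] = hosts
                break
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for e in flag_rmm_rdp(events):
        print(f"RDP from management server: {e['src_ip']} -> {e['host']} as {e['user']} at {e['time']:%H:%M:%S}")
    for src, hosts in flag_fanout(events).items():
        print(f"RDP fan-out from {src} to {len(hosts)} hosts: {sorted(hosts)}")
```

The two checks are deliberately separate. The first depends on knowing which address belongs to the management server and fires on a single event, so it is cheap but tied to your inventory. The second is inventory-free and catches the same behaviour from any source, at the cost of a threshold that needs tuning: raise it in environments where administrators routinely hop between many hosts over RDP.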
MSPs, as a result, are being criticized for their inability to thwart attacks against the ITSM platforms provided by vendors such as Kaseya, ConnectWise and others. However, it is not clear whether internal IT organizations that deploy their own ITSM tools would fare any better. MSP-managed ITSM platforms are targeted simply because so many downstream customers are supported by MSPs: one compromised platform reaches every customer it manages, which makes it a conduit for widening the blast radius of a breach.
Each organization needs to weigh the degree to which it wants to rely on an external service versus managing security itself. MSPs tend to have an economic advantage because the cost of maintaining security is spread across multiple customers, and while organizations are allocating greater funding to security, many struggle to hire and retain cybersecurity talent that most MSPs are in a better financial position to attract. Whether a typical organization can afford to maintain that level of security on its own remains questionable, even given the increased number of attacks launched against MSPs.
In the meantime, organizations that continue to use on-premises editions of ITSM platforms might want to reconsider their options. While ITSM platforms are going to be vulnerable no matter where they run, in the event of a security incident most of the clean-up effort is handled by the SaaS provider rather than an internal IT team.