Kaseya Ransomware: a Software Supply Chain Attack or Not?

Following the 4th of July weekend, our industry finds itself digesting the details of yet another large-scale and high-profile ransomware attack. This time it’s the exploitation of Kaseya’s network monitoring and remote management software. First surfacing on Friday afternoon, July 2nd, 2021, this story quickly spread over the weekend in mainstream media and hacker news sites.

With most Americans now returning from their holiday, we’re beginning to gain more perspective on what actually transpired. We’re also seeing an interesting, and admittedly nuanced, debate emerge on whether the Kaseya attack actually qualifies as a “software supply chain” attack.

NOTE: Kaseya’s customer base includes individual companies, as well as a large number of Managed Service Providers (MSPs). These MSPs in turn provide IT outsourcing services to hundreds, and possibly thousands, of downstream business customers that are typically small and medium-sized organizations with limited or non-existent IT departments (think doctors, dentists, accountants, lawyers, etc.).

What Happened?

As reports began to surface of the Kaseya attack, there was initial speculation that the ransomware gang might have gained access to the company’s backend software development pipeline, including their build infrastructure. With such access, the attackers could then inject malicious code into the VSA software running on-premises in support of Kaseya business and MSP clients. In other words, the expectation was that the bad actors might have exploited Kaseya in the same way SolarWinds was exploited.

However, we now know that Kaseya was not the same as SolarWinds. Instead, the Kaseya attackers exploited a never-before-seen, or zero-day, security vulnerability (CVE-2021-30116) in the Kaseya software. The newly discovered vulnerability, initially known only to the attackers, allowed them to exploit the on-premises version of the Kaseya software, and ultimately conduct the ransomware attack. And, because so many of Kaseya’s customers are MSPs, the attackers were ...

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Matt Howard.

Matt Howard

Matt Howard is CMO and SVP of Sonatype, the inventors of software supply chain automation. He is a proven executive and entrepreneur with over 20 years of experience developing high-growth software companies. Prior to Sonatype, Mr. Howard co-founded, developed and successfully sold two software companies.
