As you may have heard in the news over the 4th of July weekend, Kaseya VSA, a tool very widely used by Managed Service Providers (MSPs), including us, was the focus of a ransomware attack on MSPs' clients.
This is similar to the recent SolarWinds and NinjaRMM attacks, in which tools used by IT professionals were used to target the victims, but fortunately the scale here is much smaller and less impactful.
It has been reported that fewer than 60 customers using Kaseya’s VSA were impacted, out of their nearly 40,000 customers. That said, the impact is multiplied by the fact that the hackers targeted larger customers with a lot of endpoints and/or clients. Total actual client victims are estimated to be around 1000.
We have taken the steps Kaseya has recommended and shut down the VSA servers and tools until further notice from them.
We have no indications of any incidents with any of our clients, and we do not anticipate that our clients are affected in any way by this.
In particular, we were less likely to be affected than others because our Kaseya VSA instance is behind a WAF (Web Application Firewall), which according to many security sources would likely have prevented the SQL injection technique that was used to gain access to the systems.
At this time the impact to our services is minimal and revolves around diminished remote access and monitoring of client systems until Kaseya VSA is back online. Kaseya is still working on patches to resolve the security issues but anticipates most partners will be able to be back up and running as normal by tomorrow, 7/7/2021.
Kloud9 has run the compromise detection tools given to us by Kaseya, and our VSA instances are clear. As such, no Kloud9 clients or services are affected, nor will they be affected, by this particular incident.
We will continue to update this blog when we have more information from Kaseya.
Some informative links on the event are at:
Kaseya: Important Notice July 6th, 2021 – Kaseya
Reddit: Crticial Ransomware Incident in Progress