Breaking News
Get Actionable Insights with InvestingPro+: Start 7 Day FREE Trial Register here
Investing Pro 0
Ad-Free Version. Upgrade your experience. Save up to 40% More details

Kaseya ransomware attack sets off race to hack service providers -researchers

Economy Aug 03, 2021 01:42PM ET
Saved. See Saved Items.
This article has already been saved in your Saved Items
© Reuters. FILE PHOTO: A smartphone with the words "Ransomware attack" and binary code is seen in front of the Kaseya logo in this illustration taken, July 6, 2021. REUTERS/Dado Ruvic/Illustration

By Joseph Menn

SAN FRANCISCO (Reuters) - A ransomware attack in July that paralyzed as many as 1,500 organizations by compromising tech-management software from a company called Kaseya has set off a race among criminals looking for similar vulnerabilities, cyber security experts said.

An affiliate of a top Russian-speaking ransomware gang known as REvil used two gaping flaws in software from Florida-based Kaseya to break into about 50 managed services providers (MSPs) that used its products, investigators said.

Now that criminals see how powerful MSP attacks can be, "they are already busy, they have already moved on and we don’t know where," said Victor Gevers, head of the non-profit Dutch Institute for Vulnerability Disclosure, which warned Kaseya of the weaknesses before the attack.

"This is going to happen again and again."

Gevers said his researchers had discovered similar vulnerabilities in more MSPs. He declined to name the firms because they have not yet fixed all the problems.

Managed service providers include companies such as IBM (NYSE:IBM) and Accenture (NYSE:ACN) offering cloud versions of popular software and specialist firms devoted to specific industries. They typically serve small and medium-sized firms that lack in-house technology capabilities and often boost security.

But MSPs also make an efficient vehicle for ransomware because they have wide access inside many of their customers' networks. Kaseya's software serves many MSPs, so the attacks multiplied before Kaseya could warn everyone, rapidly encrypting data and demanding ransoms of as much as $5 million per victim.

The business of MSPs has boomed during the coronavirus pandemic alongside the rapid increase in remote work.

"That's where you find the trusted access to customers' systems," said Chris Krebs, the first leader of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which has made ransomware a top priority. "It's a much more economical approach to launch a breakout attack. And it's hard for the customer to defend."

Bugcrowd Inc, one of several platforms where researchers can report vulnerabilities, has also seen security flaws as bad as Kaseya's, said Bugcrowd Chief Executive Ashish Gupta, perhaps because MSPs have been growing so fast.

"Time to market is such a high requirement, and sometimes speed becomes the enemy of security," Gupta said.

Service providers have been targeted before - most dramatically by suspected Chinese government hackers who went after big tech companies in a series of breaches known as Cloud Hopper.

REvil hit more than 20 Texas municipalities through a shared provider two years ago, but only demanded $2.5 million in total ransom, said Andy Bennett, then a state official managing the response.

With REvil extortionists asking for a record $70 million to reverse all the Kaseya damage, he said, "their aspirations are clearly bigger now, and their approach is more measured." It's unclear how much ransom was ultimately paid or how many businesses were affected.

An increase in ransomware attacks led U.S. President Joe Biden to warn Russian President Vladimir Putin that the United States would act on its own against the worst hacking gangs operating on Russian soil unless the authorities reined them in.

On July 22, Kaseya said a security firm had developed a universal decryption key without paying the criminals, prompting speculation that Putin had helped or that U.S. agencies had hacked REvil.

CISA is trying to get the word out both to MSPs and their customers of the risks and what to do about them, said Eric Goldstein, executive assistant director for cybersecurity.

Less than two weeks after the July 2 Kaseya attack, CISA issued guidelines for best practices on both sides of the equation. CISA also offers free risk assessments, penetration testing and analyses of network architecture.

"Organizations need to look into the security of their MSPs," Goldstein said. "The broader consideration here is the importance for organizations big and small to understand the trust relationships that they have with those entities that have connections into their environment."

Kaseya ransomware attack sets off race to hack service providers -researchers

Related Articles

Add a Comment

Comment Guidelines

We encourage you to use comments to engage with other users, share your perspective and ask questions of authors and each other. However, in order to maintain the high level of discourse we’ve all come to value and expect, please keep the following criteria in mind:  

  •            Enrich the conversation, don’t trash it.

  •           Stay focused and on track. Only post material that’s relevant to the topic being discussed. 

  •           Be respectful. Even negative opinions can be framed positively and diplomatically. Avoid profanity, slander or personal attacks directed at an author or another user. Racism, sexism and other forms of discrimination will not be tolerated.

  • Use standard writing style. Include punctuation and upper and lower cases. Comments that are written in all caps and contain excessive use of symbols will be removed.
  • NOTE: Spam and/or promotional messages and comments containing links will be removed. Phone numbers, email addresses, links to personal or business websites, Skype/Telegram/WhatsApp etc. addresses (including links to groups) will also be removed; self-promotional material or business-related solicitations or PR (ie, contact me for signals/advice etc.), and/or any other comment that contains personal contact specifcs or advertising will be removed as well. In addition, any of the above-mentioned violations may result in suspension of your account.
  • Doxxing. We do not allow any sharing of private or personal contact or other information about any individual or organization. This will result in immediate suspension of the commentor and his or her account.
  • Don’t monopolize the conversation. We appreciate passion and conviction, but we also strongly believe in giving everyone a chance to air their point of view. Therefore, in addition to civil interaction, we expect commenters to offer their opinions succinctly and thoughtfully, but not so repeatedly that others are annoyed or offended. If we receive complaints about individuals who take over a thread or forum, we reserve the right to ban them from the site, without recourse.
  • Only English comments will be allowed.

Perpetrators of spam or abuse will be deleted from the site and prohibited from future registration at’s discretion.

Write your thoughts here
Are you sure you want to delete this chart?
Post also to:
Replace the attached chart with a new chart ?
Your ability to comment is currently suspended due to negative user reports. Your status will be reviewed by our moderators.
Please wait a minute before you try to comment again.
Thanks for your comment. Please note that all comments are pending until approved by our moderators. It may therefore take some time before it appears on our website.
Are you sure you want to delete this chart?
Replace the attached chart with a new chart ?
Your ability to comment is currently suspended due to negative user reports. Your status will be reviewed by our moderators.
Please wait a minute before you try to comment again.
Add Chart to Comment
Confirm Block

Are you sure you want to block %USER_NAME%?

By doing so, you and %USER_NAME% will not be able to see any of each other's's posts.

%USER_NAME% was successfully added to your Block List

Since you’ve just unblocked this person, you must wait 48 hours before renewing the block.

Report this comment

I feel that this comment is:

Comment flagged

Thank You!

Your report has been sent to our moderators for review
Continue with Google
Sign up with Email