> Hundreds of American businesses have been hit by a ransomware attack ahead of the Fourth of July holiday weekend, according to the cybersecurity company Huntress Labs.
>
> Huntress Labs said on Friday that 200 American businesses were hit after an incident at the Miami-based IT firm Kaseya, potentially marking the latest in a line of hacks destabilizing US companies.
>
> “This is a colossal and devastating supply chain attack,” John Hammond, a senior security researcher with Huntress, said in an email, referring to an increasingly high-profile hacker technique of hijacking one piece of software to compromise hundreds or thousands of users at a time.
>
> Hammond added that because Kaseya is plugged in to everything from large enterprises to small companies “it has the potential to spread to any size or scale business.”
> We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today.
>
> We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us.
>
> It's critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.
> A massive REvil ransomware attack affects multiple managed service providers and their clients through a reported Kaseya supply-chain attack.
>
> Starting this afternoon, the REvil ransomware gang, aka Sodinokibi, targeted MSPs with thousands of customers, through what appears to be a Kaseya VSA supply-chain attack.
>
> At this time, there are eight known large MSPs that have been hit as part of this supply-chain attack.
>
> Kaseya VSA is a cloud-based MSP platform that allows providers to perform patch management and client monitoring for their customers.
>
> Huntress Labs' John Hammond has told BleepingComputer that all of the affected MSPs are using Kaseya VSA and that they have proof that their customers are being encrypted as well.
>
> "We have 3 Huntress partners that are impacted with roughly 200 businesses encrypted," Hammond told BleepingComputer.
>
> ...
While our investigation is ongoing, to date we believe that:
Our SaaS customers were never at risk. We expect to restore service to those customers once we have confirmed that they are not at risk, which we expect will be within the next 24-48 hours.
Only a very small percentage of our customers were affected – currently estimated at fewer than 40 worldwide.
We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly. We will release that patch as quickly as possible to get our customers back up and running.
-----
I know they have to spin this in the most positive way possible, but I question how quickly they expect to be able to turn the SaaS services back on.
It isn't always a quick process to find the attackers' tracks and to follow them in a way that does not damage evidence. And you need the evidence if you're ever going to positively identify an attacker and enable law enforcement to take them down.