
Pagoda Blog

What We Can Learn from the Kaseya Breach

August 5, 2021

Every time a global company falls victim to a cyberattack, it’s important to understand what went wrong, how the company reacted, and what we can learn from their experience. The Kaseya breach is especially relevant to our readers because although Pagoda doesn’t contract with Kaseya, many of their customers are Managed Service Providers, just like us. This attack is a sobering reminder that even the most trustworthy companies that deploy comprehensive, multi-layered security strategies aren’t entirely immune. Let’s take a look at the details of this large-scale data breach and what we can learn from it. 


Who is Kaseya and who do they serve? 

Kaseya provides IT solutions to clients across the globe, primarily serving enterprises and Managed Service Providers (MSPs). The MSPs who contract with Kaseya use the company’s software to provide IT services to their clients. Kaseya estimates that over 40,000 organizations worldwide use at least one Kaseya software solution, either directly or through their MSP. One of these software solutions is VSA, “a unified remote-monitoring and management tool,” according to their website.


It is important to note here again that Pagoda contracts with a different RMM (remote monitoring and management) company, N-able, to source our IT software and management tools. None of our clients, therefore, were affected by this breach.


How did the breach occur? 

The Kaseya breach occurred on July 2, over the long holiday weekend (when fewer employees were monitoring their company’s network), and targeted the VSA tool via “a small number of on-premise customers,” according to Kaseya CEO Fred Voccola.


The attack was perpetrated by REvil, a Russia-linked gang best known for its ransomware attack on the meat processor JBS. That particular attack resulted in the infection of thousands of devices and the extortion of $11 million. (As a reminder, ransomware is a type of malware that encrypts your data and then demands a ransom to unlock your files. The attacker notifies the target of the encryption and gives them instructions for how to pay and, in return, receive the decryption key.)


In the case of the Kaseya breach, REvil leveraged an authentication bypass vulnerability in the VSA web interface to install the ransomware, encrypting the data of over 1,000 businesses. According to security expert Kevin Beaumont, the REvil ransomware was installed through an automated, fake, and malicious software update. REvil set the ransom to $70 million in the cryptocurrency bitcoin in exchange for the decryption key. 


Who was impacted? 

While fewer than 40 on-prem Kaseya clients (meaning their VSA servers were on-site rather than in the cloud) were confirmed affected by the breach, it is estimated that between 800 and 1,500 small businesses downstream were impacted. This is because Kaseya provides services to MSPs, who in turn use those services for their clients: small businesses with fewer than 30 employees in a vast array of industries, from travel and leisure to financial services and the public sector.


How has Kaseya addressed the breach? 

Kaseya first notified all of its customers via email, phone, and online notices, asking them to immediately shut down their VSA servers. Their cybersecurity team has been working around the clock to identify the vulnerability in their system, release a series of security patches to fix it, and obtain the decryption tool for those customers whose data was encrypted by the REvil ransomware. Kaseya has since confirmed that it obtained the decryptor from a third party and did not pay the ransom.


As highlighted in this blog post by our RMM provider, N-able, Kaseya’s reaction to the breach has been quick, comprehensive, and transparent. N-able makes clear that they stand in solidarity with Kaseya and are using this event as an opportunity to hold themselves accountable “to even higher standards as an industry, and as technology providers.” 


What can we learn?

Kaseya is a reputable, global company with robust security practices. REvil was still able to find a vulnerability and gain access to some of its customers’ on-site servers through a sophisticated cyberattack. A data breach can happen to anyone, whether you’re a small mom-and-pop shop or a global enterprise. Even governments fall victim to cyberattacks.


Regardless of your size, cyber liability insurance can help mitigate the long-term damage to your business in the case of a cyberattack. It’s also imperative to always install the latest security patches released for any software that you use. These patches need to be applied quickly in order to prevent a data breach in the first place or to mitigate the damage from an existing breach. It’s also critical that we all take responsibility for our business’s cybersecurity, which means investing in regular, ongoing training for your entire team.


The Kaseya breach also affected only businesses with on-site servers. Those using the SaaS (cloud-based) version of the VSA tool were not impacted. This may be an argument for moving more, if not all, of your business to the cloud, as long as you ensure that you’re employing cybersecurity best practices.


It’s always important to keep your business’s cybersecurity strategy up to date and to ask your MSP what third-party services they use so that you can verify their reliability. Of course, as we stated above, even the most reliable companies can fall victim to a cyberattack, so you can never guarantee absolute protection. There are plenty of preventive measures, however, that you can take to mitigate the risk and prepare your business for any potential attack.


Feature photo by fauxels from Pexels
