Kaseya said Monday that fewer than 60 of its customers and up to 1,500 of their clients were affected by last week's REvil ransomware attack.
The software company, which offers remote IT management products to managed service providers (MSPs), said in its most recent incident report that all Kaseya customers that were compromised were using the VSA on-premises product. Kaseya said it has found no evidence that any SaaS customers were affected by the supply chain attack, which unfolded July 2 when threat actors gained control of VSA servers and issued malicious updates to MSP customers.
"The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints," the incident report stated. "There is no evidence that Kaseya's VSA code base has been maliciously modified."
In a statement Tuesday, Kaseya said the REvil attacks had "limited impact." However, the company said it believes fewer than 1,500 "downstream businesses" or MSP clients were affected through those compromised Kaseya customers. It's unclear if these 1,500 organizations were merely breached or if their data was encrypted by ransomware.
Kaseya did not respond to requests for comment.
UPDATE 7/6: A Kaseya spokesperson said the estimated 800-1,500 downstream businesses were infected with REvil ransomware.
In a video statement to customers, Kaseya CEO Fred Voccola said his company moved quickly to address and contain the attack by working with the Department of Homeland Security, FBI and the White House, as well as private-sector partners. While the supply chain attack affected a relatively small number of Kaseya's 35,000 clients, he acknowledged the wide impact those breaches had on small and medium-sized businesses that relied on those MSPs for IT management and support.
"I hope this message doesn't sound like we're diminishing it by saying less than 0.01% of our customers were breached," Voccola said. "If I was you, I'd be very, very frustrated, and you should be."
He added that in response to the REvil attacks, Kaseya is taking a conservative approach to restoring all systems and services. The company said it developed a security patch for VSA on-premises customers, which it is currently testing and validating. The patch is expected to be released within 24 hours after SaaS servers are brought back online; Kaseya, which shut down its SaaS servers as a precautionary measure on July 2, estimated the servers will be restored sometime Tuesday.
Kaseya also released an updated version of its Compromise Detection Tool for VSA. The tool examines systems, including VSA servers or managed endpoints, for any indicators of compromise related to the REvil attacks. The latest version of the tool scans systems for any encrypted data or REvil ransom notes.
While Kaseya recommends all VSA customers deploy the tool to rule out compromises, the company said only 2,200 customers have downloaded the tool since Friday.