Massive Kaseya VSA Supply Chain Attack Infects Businesses with REvil Ransomware
A new colossal supply chain attack targeted thousands of businesses through Kaseya VSA.
Another supply chain vulnerability was successfully exploited by malicious hackers in order to reach thousands of businesses through the initially infected host. This time, the entry point was Kaseya VSA, a cloud-based platform used by Managed Service Providers (MSPs) to perform patch management and client monitoring.
Just like the notorious SolarWinds supply chain hack from earlier this year, the attackers used the initial breach into the service provider in order to then compromise as many of its customers as possible. The Kaseya hack resulted in the infection of hundreds of businesses with REvil ransomware by the Sodinokibi gang.
What Happened in the Kaseya VSA Supply Chain Attack?
Kaseya offers its customers a patch management solution, VSA. The Sodinokibi attackers breached Kaseya and then infected its customers through a malicious agent.crt file that the VSA agent dropped into the c:\kworking folder; the file is still being distributed as an update called ‘Kaseya VSA Agent Hot-fix.’
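For responders who want to check whether the artefact described above has already landed on their endpoints, the following is an added example (not code from the article or from Kaseya) that scans file-creation telemetry for an agent.crt written into C:\kworking. The log lines are constructed for the example; the column names and the Sysmon-style layout are an assumption about the export format, not something the article states.

```python
import csv
import io
from pathlib import PureWindowsPath

# Artefacts named in the article: the payload was dropped as agent.crt
# into C:\kworking by a fake "Kaseya VSA Agent Hot-fix" update.
DROP_DIR = "kworking"
DROP_FILE = "agent.crt"

# Constructed sample of Sysmon-style file-create events (not real telemetry).
# Backslashes are doubled because this is an ordinary (non-raw) string.
SAMPLE_EVENTS = """\
timestamp,host,image,target_filename
2021-07-02T14:01:09Z,WS-017,C:\\Program Files\\Kaseya\\AgentMon.exe,C:\\kworking\\agent.crt
2021-07-02T14:01:10Z,WS-017,C:\\Windows\\System32\\cmd.exe,C:\\Windows\\Temp\\update.log
2021-07-02T14:02:33Z,WS-022,C:\\Program Files\\Kaseya\\AgentMon.exe,c:\\KWORKING\\Agent.crt
2021-07-02T14:03:00Z,WS-031,C:\\Users\\jdoe\\app.exe,C:\\Users\\jdoe\\Downloads\\agent.crt
"""


def is_kworking_drop(target: str) -> bool:
    """True if target is agent.crt inside (or below) C:\\kworking.

    Windows paths are case-insensitive, so every component is lowered
    before comparison; a same-named file elsewhere is not a hit.
    """
    parts = [part.lower() for part in PureWindowsPath(target).parts]
    return (
        len(parts) >= 3
        and parts[0] == "c:\\"          # drive root as pathlib reports it
        and parts[1] == DROP_DIR
        and parts[-1] == DROP_FILE
    )


def find_drops(csv_text: str) -> list[dict]:
    """Return every event row whose target path matches the drop artefact."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if is_kworking_drop(row["target_filename"])]


def summarize(csv_text: str) -> dict[str, int]:
    """Count flagged events per host so a responder can see the blast radius."""
    counts: dict[str, int] = {}
    for row in find_drops(csv_text):
        counts[row["host"]] = counts.get(row["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in find_drops(SAMPLE_EVENTS):
        print(f'{row["timestamp"]} {row["host"]} {row["image"]} -> {row["target_filename"]}')
    print(summarize(SAMPLE_EVENTS))
```

Note that the writing process on the flagged rows is the legitimate Kaseya agent binary; that is exactly what the article describes, since the payload arrived as a VSA update, so the process image alone does not separate good from bad here. The drop location is the signal, which is why the check keys on the path rather than the parent process.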
Part of Kaseya’s customer portfolio included another eight well-known Managed Service Providers (MSPs) that were breached along with their customers. “We have 3 Huntress partners that are impacted with roughly 200 businesses encrypted,” John Hammond told BleepingComputer.
There is no definitive count yet of the companies that were encrypted with REvil ransomware via this Kaseya VSA supply chain attack, but we estimate there are close to a thousand. We will keep you updated as the situation develops.
How Can You Prevent This from Happening to You?
Supply chains have tremendous advantages but can also pose a liability, as these notorious supply chain attacks have proven. To minimize your risk of being breached via a supply chain, you need to make sure that you sever all network connections to your supplier as soon as you get wind that they are no longer safe.
Evidence shows that it can happen to the best of us. We work with the highest standard of security technology and continuously research ways to improve it, but we believe it is every security provider’s responsibility to provide a course of action for its customers in order to cover even the most improbable and dire scenario.
Should you ever need to sever your connections to Heimdal™ until we let you know that everything is officially safe again, simply follow these steps from your local firewall.
Meanwhile, don’t forget that even if a ransomware strain does make its way into your system, it is powerless to act if you have an encryption blocker installed. Heimdal™’s Ransomware Encryption Protection is a powerful solution that protects your endpoints from any unauthorized encryption attempt.