Just as the long Independence Day holiday weekend began in the U.S., hackers launched a massive attack on users of Kaseya VSA, popular remote monitoring and management software used by nearly 40,000 companies. Kaseya took the remarkable step of advising its customers to disable their software immediately.
The attack comes less than two weeks after security researchers found a critical vulnerability in VMware’s software, which is widely used to create and run multiple virtual servers or computers on limited hardware.
Both of these tools are designed to consolidate and simplify the otherwise sprawling administrative and management requirements of servers, computers, and networks, and are vital to a specific, fast-growing technology sector: managed service providers, or MSPs.
What is an MSP?
Managed service providers evolved from application service providers (ASPs), which proliferated in the 1990s. Once ASPs proved that the software needs of businesses could be met remotely, over the internet, MSPs emerged to handle every aspect of a company’s information technology.
IT outsourcing is a common practice today, as businesses of all sizes often find it preferable to retaining in-house staff, facilities and equipment. Advantages include reliable access to expertise and state-of-the-art technology while lowering costs through economies of scale. Even a small dental practice can run its software and host its data the same way a Fortune 500 company does.
Why are MSPs being targeted by hackers?
An MSP is an attractive target to hackers in the same way a bank is attractive to robbers.
It is generally safer to keep cash in a bank, which has a huge steel-reinforced safe and tight security protocols, than under your mattress. But robbers go after banks instead of mattresses because banks hold the cash of hundreds or thousands of customers.
Similarly, companies outsource their IT because it’s easier than managing everything themselves. But managed service providers consolidate the hardware, software, networking and data storage of multiple clients in one place. A hacker who can break into an MSP can access the data or other assets of hundreds or thousands of companies.
How bad is this latest incident?
The Kaseya VSA attacks have been called a “ransomware tsunami.” Eight MSPs have been identified as victims so far, and just three of them account for the malicious encryption of data for over 200 companies.
The attack could prove to be one of the biggest in history, according to the Washington Post, due to the number of companies potentially affected.
“Because we’re going into a holiday weekend, we won’t even know how many victims are out there until Tuesday or Wednesday of next week,” Jake Williams, chief technology officer of BreachQuest, told Wired magazine. “But it’s monumental.”
Kaseya has been posting updates to its website, beginning with the recommendation that customers disable their VSA software.
“We recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us,” the company wrote. “It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA.”
Cybersecurity experts have identified the hacking group REvil, which had previously gone after MSPs in 2019, as the source of the attack. The group is believed to be operating out of Russia, and this time is demanding ransom payments of $50,000 from smaller companies and $5 million from larger ones.
How can these attacks be prevented?
Companies that outsource IT to MSPs are, in many ways, at the mercy of the MSPs and their security measures and practices.
At a security conference just last month, expert Bruce McCully said he found that as many as 80% of MSPs have “cybersecurity gaps” ranging from broken alerts and unsupported software to overprivileged users.
Rather than focusing on technology tools, McCully emphasized employee education and fostering a “security culture.”
This is where Paubox can help. Paubox Email Suite Plus blocks incoming phishing emails and other threats without requiring customers to change or adjust their workflows. With our HITRUST CSF certified solution, all outbound emails are encrypted and sent directly from an existing email platform (such as Microsoft 365 or Google Workspace).
Of course, Paubox also sends HIPAA compliant email by default.