Huntress says eight MSPs have been impacted by the attack.

Edward Gately, Senior News Editor

July 2, 2021

In what looks to be a July 4th weekend nightmare for Kaseya and numerous MSPs, the company reported a potential cyberattack Friday afternoon.

In a breaking alert, Kaseya said “we are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2 p.m. EDT today.”

“We are in the process of investigating the root cause of the incident with an abundance of caution,” it said. “But we recommend that you immediately shut down your VSA server until you receive further notice from us.”

It’s critical that customers do this immediately, Kaseya said. That’s because “one of the first things the attacker does is shut off administrative access to the VSA.”

Kaseya said it has notified all of its on-premises customers to immediately shut down their VSA servers. Moreover, it has shut down its SaaS servers.

“We have been further notified by a few security firms of the issue and we are working closely with them as well,” it said. “While we continue to investigate the incident, we will update our customers (and interested parties) as we have more information.”

REvil Behind Attack

According to Bleeping Computer, the REvil ransomware gang targeted about eight large MSPs, with thousands of customers, through what appears to be a Kaseya VSA supply-chain attack.

Huntress tweeted: “Our team is tracking a critical #ransomware incident affecting MSPs and their customers, which appears to be a #KaseyaVSA supply chain attack.”

John Hammond is senior security researcher at Huntress.

“We’ve seen a ransom demand of $5 million, but that may differ for other victims,” he said. “The number of MSPs that we are aware of has grown to eight.”

Huntress doesn’t know how the hackers infiltrated Kaseya’s VSA, Hammond said.

“At the moment, no one does,” he said. “MSPs with over thousands of endpoints are being hit. We have seen that when an MSP is compromised, we’ve seen proof that it has spread through the VSA into all the MSP’s customers.”

Kaseya VSA Is Single Commonality

For now, across the compromised MSPs, the single commonality is Kaseya VSA, Hammond said.

Kaseya VSA is a cloud-based IT management and remote monitoring solution for businesses of all sizes across various industries. It provides a central console for managing IT operations. That includes handling complaints, ticketing, auditing, monitoring performance and reporting.

Rick Holland is CISO and vice president of strategy at Digital Shadows.

“Reports are still emerging, and Kaseya hasn’t confirmed that ransomware actors are responsible for the ‘potential attack’ against their VSA servers,” he said. “It shouldn’t surprise that extortionists would target critical IT software that could serve as the initial access into more victims’ networks. Extortionists are operating a business and want to generate as much revenue from as many victims as possible. MSPs leverage Kaseya’s software, making them an attractive target because extortionists can quickly increase potential targets.”

SMBs Vulnerable

In addition, companies that leverage MSPs are typically less mature SMBs that usually have less mature security programs, Holland said.

These victims are a desirable target, he said. That’s because they may not have the means to eradicate the adversary and restore their IT systems. In turn, they’ll be forced to pay a ransom.

“Targeting an MSP that serves vulnerable SMBs is a diabolical extortion tactic,” Holland said.

Jake Williams is co-founder and CTO at BreachQuest. He said it’s hard to explain how devastating this is for Kaseya VSA customers.

“Most of our customers who use Kaseya employ it as their single IT tool for systems management, software installation and visibility,” he said. “Now, during a ransomware event, they’re unable to use this tool they’ve invested in for remediation. Most Kaseya customers we’ve worked with have no contingency plan for this. Even worse, given the holiday weekend in the U.S., we’re unlikely to know the full impact of this until next week.”

Hackers previously launched an attack during a U.S. holiday weekend. The ransomware attack on JBS USA, part of the world’s largest meat supplier, launched over the Memorial Day weekend.

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
