Kaseya Ltd. warned Friday afternoon that a key software tool used by companies to manage technology at other businesses may have been the target of a cyberattack.
Kaseya advised customers to shut their copies of its VSA platform immediately. VSA is used to monitor networks and automate technology maintenance tasks, such as patching and backing up information.
At least three technology service providers that use Kaseya’s VSA tool are compromised, with around 200 of their business customers subsequently encrypted by ransomware, according to incident response company Huntress Ltd.
The tool is widely used by managed service providers, which typically handle technology for dozens of smaller companies that may not have resources to staff in-house technology teams. Corporate and government tech groups also use the tool.
Deactivating VSA is critical, Kaseya warned in a notice on its support website, “because one of the first things the attacker does is shut off administrative access to the VSA,” the company said.
The Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security, said in an alert late Friday that it was “taking action to understand and address” the attack on Kaseya’s VSA platform. A spokesman for the agency didn’t immediately respond to a request for comment.
A spokeswoman said Kaseya wasn’t the victim of a ransomware attack and that it was investigating “potential attacks on our VSA customers who have the software on-premise.” The company, based in Dublin, has shut down its cloud services out of caution, she said.
Incident response companies, including Huntress, said they were working with multiple service providers that had been affected by the attack in the U.S. and abroad.
John Hammond, a senior security researcher at Huntress, has seen proof that once a service provider is infected via VSA, ransomware then spreads to client systems. Mr. Hammond said he has seen ransom demands of up to $5 million.
Ransomware gangs often launch attacks on Friday afternoons and before holidays, when staff are likely to be out of the office and security teams minimally staffed, according to security experts.
They have long expressed concern that hacks of managed services providers or their supply chains could have a cascade effect, allowing hackers to infect dozens or more companies through a breach of one provider.
A hack in December of a file transfer tool of tech provider Accellion Inc. rippled to organizations in several countries, including New Zealand’s central bank, conglomerate
Singapore Telecommunications Ltd.
and U.S. law firm Jones Day.
Customers of software provider
SolarWinds Inc.
began unknowingly installing malware in Spring 2020 through seemingly routine updates to a network-management tool. U.S. officials blame Russian hackers for the attack that has reached into dozens of businesses and government agencies. Russia has denied involvement.
Corrections & Amplifications
An earlier version of this article misspelled the company’s name as Kasaya in the third paragraph. (Corrected on July 2.)
Write to James Rundle at james.rundle@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
