Urgent warning for NZ businesses over ransomware vulnerability

Sunday, 4 July 2021

It has been a tough couple of weeks for businesses defending against cyber-crime.

Businesses have been urged to stop using a tool supplied by California-founded software company Kaseya, after it was manipulated to carry out a large number of ransomware attacks.

Kaseya’s software is used by 40,000 organisations around the world and the incident is causing growing concern.

The company reported that some customers using its VSA remote management tool had their devices compromised by REvil ransomware after it fell victim to a “sophisticated cyberattack”.

Kaseya’s software is used to deploy patches that keep software up-to-date and secure.

But cyber-security agency Cert NZ said it had instead been used to deploy ransomware.

Huntress Labs, a security specialist based in Maryland in the US, said it was aware of more than 1000 organisations having their data encrypted, including in Australia, Europe and South America.

The Coop supermarket chain in Sweden was one victim and was forced to close most of its 800 stores.

Cert NZ principal adviser Michael Shearer on Sunday refused to say whether any New Zealand companies had reported being compromised as a result of the vulnerability.

But Cert NZ advised all Kaseya VSA users “to shut down their VSA instances until further notice”.

U.S. President Joe Biden, left, and Russian President Vladimir Putin pose for media during their meeting at the 'Villa la Grange' in Geneva, Switzerland, Wednesday, June 16, 2021. (Pool Photo via AP)

There are reports of victims being extorted with ransomware demands of tens of thousands of dollars.

The Washington Post predicted the development could ratchet up tensions between the United States and Russia, coming shortly after President Joe Biden warned Russian president Vladimir Putin that the United States would hold Moscow accountable for cyberattacks emanating from Russia.

The REvil ransomware gang is believed to have operated out of Russia, though that does not prove it is state-backed.

The BBC, quoting Huntress Labs, described the Kaseya incident as “colossal”.

The nature of ransomware attacks means companies’ computers can be infiltrated days or weeks before they become aware they have been attacked.

Kaseya has had an office in Auckland since 2010 and is currently advertising several job vacancies here.  

Datacom, one of New Zealand's largest IT services firms, agreed in 2014 to use Kaseya to replace many of the tools it used to support customers.

But Datacom spokesman Paul Brislen said that while it did still use the software, it had been decommissioning it prior to the attack in favour of other tools.

“As soon as we were notified of the risk, we shut down our Kaseya servers immediately,” Brislen said.

“We are also actively monitoring customer environments and have not seen, nor been made aware of any qualified infections.”

CodeBlue is another IT services firm that has partnered with Kaseya to support customers.

CodeBlue NZ general manager Daniel McIvor said it was also in the clear.

“We are completing a thorough investigation of our network and all of our customers, and we haven’t been affected by this.

“Our initial investigations are showing that advanced detection response tools that we have in place have stopped this affecting either CodeBlue or our customers,” he said.

Security company Sophos has listed some ways organisations can check if they have been impacted by the Kaseya incident, with Cert NZ linking to that in its advisory.

The New Zealand government last week came under pressure from National to step up spending on cybersecurity in the wake of a crippling ransomware attack on the DHB in May.

National’s associate health spokesman Simon Watts said he had been advised it could take up to two years for the DHB to get all its information back on to computers.