Maryland cyber company Huntress is aiding in the Kaseya ransomware attack response. Here’s what the team learned

As many companies were beginning to shut down for the Fourth of July weekend, cyber attackers appear to have turned up efforts to find vulnerabilities.

The result was the latest major ransomware attack in the U.S. This time, it exploited vulnerabilities in software made by Kaseya. The Miami-based company makes software for IT management and cybersecurity, so the attack spread to small and medium-sized firms it serves, and even a pair of Maryland towns by the Chesapeake Bay.

Supplying details on the perpetrator (Russia-linked gang REvil) and scope of the attack (now up to more than 1,500 businesses) in a number of news reports was Huntress Labs, a cybersecurity firm out of Ellicott City. Seeing a familiar local name on national news, Technical.ly sent a few questions over to Huntress’ senior security researcher, John Hammond, to learn more about the company’s role in the response.

The connection comes by way of what’s known in the IT world as “the channel.” Small and medium-sized businesses often bring on other firms to run their IT and cyber operations. They’re known as managed service providers, or MSPs. These managed service providers, in turn, work with others to bring in tools that can help. The market for these vendors is known as the MSP channel, and it’s a place where both Huntress and Kaseya work.

As it happens, some of Huntress’s partners also use the exploited Kaseya software, known as Kaseya VSA, as a remote monitoring and management solution.

“As fellow security professionals in the industry, Huntress has been working closely with Kaseya in incident response, end-user awareness, and disaster recovery,” Hammond said.

As we reported following the closing of its $40 million Series B in March, Huntress also provides its tools primarily for small and medium-sized businesses.

The Huntress team. (Courtesy photo)

“We’re doing everything we can to support businesses that need help right now,” he said. “The MSP community is an incredibly supportive network and we’re actively engaged with many members and organizations. We’ve taken steps within our platform to help partners reduce some of the risk of being affected by this attack. This is not the first time hackers have made MSPs supply chain targets, and it won’t be the last.”

As response grew over the last week, Huntress is now tracking about 30 MSPs in the U.S., Australia, the EU, and Latin America where Kaseya VSA was used to encrypt well over 1,500 businesses. Hammond adds that the company is working in collaboration with many of them. Here’s the latest update:

“All of these VSA servers are on-premises and Huntress has confirmed that cybercriminals have exploited an arbitrary file upload and code injection vulnerability and have high confidence an authentication bypass was used to gain access into these servers,” Hammond said. “On Sunday, 11 July, Kaseya released a patch and remediation steps for affected organizations. We have validated the patch on our own testing VSA server and cannot replicate the attack chain with our previous proof-of-concept exploit.”

In other words: “So far, the patch seems to be effective.”

This isn’t the only ransomware attack we’ve heard about recently. The attacks, in which the culprits encrypt data and demand a payment, aka ransom, in return, are of growing concern in the cyber community. Just in the last couple of months, there were the attacks against a major oil pipeline and meat supplier, respectively. And local governments, including Baltimore city, have faced a spate of attacks in recent years. So how does this one measure up?

“This is a devastating supply chain attack as it trickles down from VSA, to MSP, to [small and medium-sized businesses] and other businesses,” Hammond said. “Unfortunately, this is not surprising to us as we continue to see cyber crime groups target MSPs for a ‘one to many’ opportunity.”

But for the general public, there’s at least one bit of news to ease worries.

“Interestingly enough, though, we have not yet seen any indicators of data being exfiltrated or shared publicly,” Hammond said.