Ransomware Groups Attack Barlow Respiratory Hospital And Missouri Delta Medical Center

Barlow Respiratory Hospital in Los Angeles, CA has reported that it suffered a ransomware attack on August 27, 2021. The Vice Society ransomware gang carried out the attack and gained access to its systems, including the electronic medical record system. Before deploying ransomware to encrypt records, the gang exfiltrated patient records, some of which were posted on the gang’s dark web data leak site.

Barlow Respiratory Hospital said that while the attack affected some IT systems, the hospital was able to continue operating under its emergency procedures and patient care was not interrupted.

Upon discovery of the breach, law enforcement was notified and a third-party cybersecurity firm was engaged to assist with the investigation and determine the scope of the breach. The investigation is ongoing.

Although several ransomware groups have stated they will not target healthcare organizations, Vice Society is not among them. The operation emerged in June 2021 and has already attacked several healthcare organizations, including Eskenazi Health in Indianapolis. The gang has been quick to exploit newly disclosed vulnerabilities, such as the Windows PrintNightmare flaws.

A Barlow Respiratory Hospital representative said the hospital will continue to work with law enforcement to support the investigation and is working, with the help of a cybersecurity firm, to determine which files may have been compromised in the incident. If necessary, individuals whose data may have been affected will be notified in accordance with applicable guidelines and regulations.

Missouri Delta Medical Center Experiences Hive Ransomware Attack

The protected health information (PHI) of patients of Missouri Delta Medical Center in Sikeston, MO was compromised in a ransomware attack carried out by the Hive ransomware gang. Earlier this month, a portion of the stolen data was uploaded to the gang’s data leak site to pressure the medical center into paying the ransom. The Hive group has attacked several healthcare organizations in the past few weeks, including Memorial Health System.

Missouri Delta Medical Center engaged a leading forensic security firm to investigate the attack and determine the nature and extent of the breach. The provider was subsequently notified by a third party that patient records had been stolen and posted online. According to the listing on the Hive gang’s data leak site, the names, telephone numbers, addresses, dates of birth, race/sex, Social Security numbers, next-of-kin information, diagnoses, and financial details of 95,000 individuals were stolen in the attack. The data was contained in 400 GB of files that were copied before the files were encrypted.

Missouri Delta Medical Center said the attack did not affect its ability to provide patient care. The investigation is ongoing, but at this stage it appears the attack did not affect its electronic medical record system.

Missouri Delta Medical Center apologized for any inconvenience the incident may have caused and is taking steps to improve security and reduce the risk of a similar incident in the future. The center said it remains focused on continuing to serve the community.

Higher Risk of BlackMatter Ransomware Attack on the Health and Public Health Sector

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has warned of an increased risk of ransomware attacks on the health and public health sector by affiliates of the BlackMatter ransomware-as-a-service (RaaS) operation.

BlackMatter emerged in July 2021, after the DarkSide ransomware group ceased operations and Sodinokibi/REvil took its infrastructure offline. The Russian threat group is believed to operate from Eastern Europe and has carried out numerous attacks in recent months in Chile, Brazil, India, the United States, and Thailand. It began leaking stolen data on its data leak site on August 11, 2021.

The group has mainly attacked organizations in the food and beverage, real estate, architecture, IT, education, and financial services sectors. Although it has publicly stated it will not attack hospitals, critical infrastructure, government, nonprofits, or defense contractors, there is concern that such attacks may still occur.

In its recruitment pitch to affiliates, the group claims its ransomware combines the best features of the DarkSide, Sodinokibi/REvil and LockBit 2.0 variants. A technical analysis of the ransomware found several similarities to Sodinokibi/REvil and DarkSide, suggesting the group is connected to those operations.

BlackMatter has said its affiliates are not permitted to attack hospitals, and that if a hospital or nonprofit is attacked, the victim can contact the group and request free decryption. The group also said it will not allow its ransomware to be used to encrypt critical infrastructure, since that would draw unwanted attention. There is, of course, no guarantee that an attack will not happen or that a free decryptor will be provided. As HC3 notes, these are BlackMatter’s own statements and may not be accurate. Moreover, both Sodinokibi/REvil and DarkSide were used in attacks on the health and public health sector.

The group is actively recruiting initial access brokers (IABs) who can provide access to corporate networks, as well as affiliates to carry out attacks. IABs typically sell compromised VPN credentials, RDP credentials, and web shells, which give ransomware gangs the access they need to conduct attacks.

According to HC3, there were around 65 instances last year of threat actors selling network access to healthcare organizations on hacking forums. An analysis of 1,000 forum posts offering network access last year found that the United States was the most affected country, and 4% of the breached organizations were in the healthcare sector.

BlackMatter is used in attacks on both Linux and Windows systems, encrypts files using Salsa20 and 1024-bit RSA, and attempts to mount and encrypt unmounted partitions. It encrypts files on removable media, local storage, and network shares, and deletes shadow copies to prevent recovery if the ransom is not paid. Files are also exfiltrated before encryption, and stolen data is posted on the gang’s leak site to pressure victims into paying.

Even where free decryptors are provided, the cost of remediating an attack is likely to be substantial. It is therefore essential for the health and public health sector to take steps to strengthen defenses against BlackMatter and other ransomware.

In its threat report, HC3 makes the following recommendations for mitigating the BlackMatter threat:

  • Maintain offline, encrypted backups
  • Routinely test backups to ensure files can be restored
  • Create, maintain, and exercise a basic cyber incident response plan and communications plan
  • Mitigate Internet-facing vulnerabilities and misconfigurations
  • Patch promptly
  • Provide regular security awareness training to employees
  • Implement defenses such as spam filters to counter phishing and other social engineering attacks

Cyber Actors Target Outpatient Facilities More Regularly Than Hospitals

A new analysis of breach reports filed with the Department of Health and Human Services’ Office for Civil Rights has found that outpatient facilities and specialty clinics were targeted by cyber threat actors more often than hospital systems in the first half of 2021.

Critical Insight researchers reported in their 2021 Healthcare Data Breach Report that threat actors have shifted their targets within the healthcare ecosystem and are now focusing on outpatient facilities and business associates more often than on hospitals and health insurers.

While large health systems are obviously attractive targets for cybercriminals, smaller healthcare organizations typically have weaker security and can be compromised with less effort, making them easy targets. The potential proceeds from such attacks may be smaller, but so is the effort required to gain access to their systems and sensitive records.

Attackers are increasingly interested in electronic protected health information (ePHI) because it is worth far more than a credit card number or Social Security number, and it can be monetized in many ways, from sale on the dark web to filing fraudulent insurance claims. It does not help that many healthcare organizations use devices running outdated operating systems, and that many devices were not designed with cybersecurity in mind.

The researchers found that healthcare data breaches are now occurring at nearly twice the rate of 2018, with breaches attributed to hacking and IT incidents occurring at almost three times the rate of the first half of 2018. In the first six months of 2021, 70% of all healthcare data breaches of 500 or more records reported to the HHS’ Office for Civil Rights were hacking/IT incidents.

There was a modest decrease in the number of breach reports compared with the second half of 2020, but that does not mean cyberattacks are declining: the reports filed with the HHS’ Office for Civil Rights in the second half of 2020 included many notifications from organizations affected by the breach at business associate Blackbaud. The number of breaches reported in the first half of 2021 exceeds that of the first half of 2020, and the trend of increasing numbers of reported breaches each year looks set to continue.

There has been a significant increase in cyberattacks on business associates of HIPAA-covered entities, which now account for 43% of all healthcare data breach reports. In the first half of 2021, business associates of HIPAA-covered entities reported 141 data breaches, compared with just 66 in the second half of 2019. As these and other third-party breaches are reported, it is clear that attackers are paying more attention to this ecosystem of companies as a weak link in the security chain.

Cybercriminals are unlikely to stop attacking healthcare organizations while the attacks remain profitable, so it falls to healthcare organizations and their business associates to strengthen their defenses. Critical Insight’s recommendations include assessing third-party risk more rigorously, regularly reviewing business associate agreements to ensure they clearly define roles and responsibilities, implementing more comprehensive protections against ransomware and phishing, strengthening access controls, and practicing basic security hygiene.

California DOJ Must Be Notified of Breaches of the Health Data of 500 or More California Residents

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to report data breaches to the HHS’ Office for Civil Rights (OCR), and healthcare organizations must also comply with state data breach notification laws.

Many states have enacted their own data privacy laws, which typically require notification of the state Attorney General when a breach exceeds a certain threshold. States can bring civil actions against healthcare organizations that fail to issue breach notifications as required by HIPAA and state law. In California, the reporting threshold matches HIPAA’s: when a breach affects 500 or more California residents, the California Department of Justice (DOJ) must be notified.

Recently there have been several cases in which the California DOJ was not notified of ransomware attacks on California healthcare organizations, even though the personal and protected health information (PHI) of California residents was most likely compromised in the attack.

California Attorney General Rob Bonta recently issued a bulletin reminding all entities that hold the private health-related records of California residents of their obligation to report data breaches under California law (Civil Code section 1798.82). Whenever the health information of 500 or more California residents is breached, a breach report must be submitted to the Office of the Attorney General. The California DOJ then posts the breach notification on its website so the public is aware of the breach and victims can take steps to protect themselves against identity theft and fraud. Individual notifications must also be sent to affected persons.

Timely breach notification helps affected individuals limit the losses that can result from fraudulent use of personal information obtained in a health data breach. Healthcare providers must therefore be proactive and vigilant in reducing their risk of ransomware attacks, and must meet their health data breach notification obligations to protect the public.

In the bulletin, Attorney General Bonta also urged healthcare organizations to take proactive steps to protect patient records against ransomware attacks.

State and federal health data privacy frameworks, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Confidentiality of Medical Information Act (CMIA), require healthcare entities and organizations that handle health data to adopt appropriate practices to protect the confidentiality of health information, including security measures that help prevent the introduction of malware such as ransomware, so that consumers’ health information is protected from unauthorized use and disclosure.

Healthcare organizations are urged to take the following proactive measures:

  • Keep operating systems and software that store health information up to date
  • Apply security patches promptly
  • Install antivirus software and keep it updated
  • Provide regular data security training to staff, including training on phishing attacks
  • Prevent users from downloading, installing, and running unapproved applications
  • Maintain and regularly test the data backup and recovery plan for all critical data

Heimdal Security Researchers Discover New ‘DeepBlueMagic’ Ransomware

Researchers at Heimdal Security have identified a new ransomware strain used by a threat group known as DeepBlueMagic. The ransomware differs significantly from all previously identified ransomware variants.

Heimdal Security researchers discovered the new ransomware on August 11, 2021. It had been used to attack a machine running Windows Server 2012 R2. Analysis of the attack showed that DeepBlueMagic operates very differently from earlier ransomware variants.

The researchers found that DeepBlueMagic disables the security tools installed on the device to evade detection and then encrypts entire hard drives, rather than individual files, using a third-party disk encryption tool. All of the targeted server’s drives are encrypted except the system drive (the “C:\” partition).

The ransomware uses Jetico’s BestCrypt Volume Encryption software. In the attack, the D:\ drive was converted from NTFS to a RAW partition, making it inaccessible. Any subsequent attempt to access the encrypted drive causes Windows to prompt the user to format the disk, because the drive is unreadable.

Further analysis showed that the ransomware stopped all third-party Windows services on the targeted device, thereby disabling all security tools. DeepBlueMagic then deleted the Windows Volume Shadow Copies to ensure the drive could not be restored. An attempt was also made to enable BitLocker on all of the Active Directory’s endpoints.
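As an added example (not from the article, Heimdal Security or HC3), the following Python script flags, in a constructed Windows event-log export, the host-level behaviours described here and in the BlackMatter section above: shadow copy deletion, mass stopping of services within a short window, and an attempt to turn on BitLocker. The flattened log line format, hostnames, service names and thresholds are assumptions made for the example.

```python
"""Detect the recovery-destroying and defense-evasion steps described for
BlackMatter and DeepBlueMagic in a flattened Windows event-log export.
Added example; not code from the article or the vendors it cites."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one event per line:
#   "<ISO timestamp> <host> <EventID> <message>"
# 4688 = process creation (Security log), 7036 = service state change (System log).
SAMPLE_LOG = """\
2021-08-27T02:14:03 FILESRV01 4688 New Process: C:\\Windows\\System32\\vssadmin.exe CommandLine: vssadmin.exe delete shadows /all /quiet
2021-08-27T02:14:09 FILESRV01 7036 The Sophos Endpoint Defense service entered the stopped state.
2021-08-27T02:14:10 FILESRV01 7036 The Veeam Backup Service service entered the stopped state.
2021-08-27T02:14:10 FILESRV01 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2021-08-27T02:14:11 FILESRV01 7036 The Print Spooler service entered the stopped state.
2021-08-27T02:14:12 FILESRV01 7036 The Windows Update service entered the stopped state.
2021-08-27T02:15:40 FILESRV01 4688 New Process: C:\\Windows\\System32\\manage-bde.exe CommandLine: manage-bde -on E: -RecoveryPassword
2021-08-27T09:00:00 WKSTN07 7036 The Print Spooler service entered the stopped state.
2021-08-27T09:00:01 WKSTN07 7036 The Print Spooler service entered the running state.
2021-08-27T10:30:00 WKSTN07 4688 New Process: C:\\Windows\\System32\\vssadmin.exe CommandLine: vssadmin.exe list shadows
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")
# Shadow copy deletion via the built-in tools (BlackMatter and DeepBlueMagic both do this).
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
# BitLocker being switched on from the command line (DeepBlueMagic attempted this on endpoints).
BITLOCKER_ON_RE = re.compile(r"manage-bde(\.exe)?\s+-on\b", re.I)
# Service Control Manager "stopped" message; the group captures the service display name.
SERVICE_STOPPED_RE = re.compile(r"^The (.+?) service entered the stopped state\.$")


def parse_line(line):
    """Split one export line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event_id, msg = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event_id": int(event_id), "msg": msg}


def detect(log_text, stop_threshold=4, window=timedelta(minutes=5)):
    """Return a list of findings {host, rule, evidence} for the log text.

    Single-event rules fire on shadow copy deletion and BitLocker enablement.
    The mass_service_stop rule fires once per host when at least stop_threshold
    services stop within `window` (a sliding window over the sorted stop events).
    """
    findings = []
    stops = defaultdict(list)  # host -> [(timestamp, service name), ...]
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["event_id"] == 4688:
            if SHADOW_DELETE_RE.search(ev["msg"]):
                findings.append({"host": ev["host"], "rule": "shadow_copy_deletion",
                                 "evidence": ev["msg"]})
            elif BITLOCKER_ON_RE.search(ev["msg"]):
                findings.append({"host": ev["host"], "rule": "unexpected_bitlocker_enable",
                                 "evidence": ev["msg"]})
        elif ev["event_id"] == 7036:
            m = SERVICE_STOPPED_RE.match(ev["msg"])
            if m:
                stops[ev["host"]].append((ev["ts"], m.group(1)))

    for host, events in stops.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= stop_threshold:
                names = [name for _, name in events[start:end + 1]]
                findings.append({"host": host, "rule": "mass_service_stop",
                                 "evidence": ", ".join(names)})
                break  # one finding per host is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['host']}: {f['rule']} -> {f['evidence']}")
```

A `vssadmin list shadows` and an isolated service restart, as on WKSTN07 in the sample, are deliberately not flagged, so the rules stay quiet during normal administration.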

In this attack, the disk encryption process was started but not completed; only the volume headers were encrypted. The encryption process can therefore be resumed, and Jetico’s BestCrypt Volume Encryption also generates a rescue file that can be used to recover the drive; however, the ransomware encrypted the rescue file as well, and a password is required to access it.

Heimdal Security explained that the ransomware deletes itself after the attack, so it could not be recovered and analyzed at this stage. The researchers could not determine how the attacker installed the ransomware on the server. There were no failed sign-in attempts, so it was not installed via a brute force attack. The server hosted only a Microsoft Dynamics AX installation with a Microsoft SQL Server.

A ransom note was left on the desktop instructing the victim to make contact by email to learn the ransom amount for the password needed to recover the encrypted drives.

According to the Heimdal Security researchers, because the encryption process was only partially completed, it is possible to recover the drives without paying the ransom. They replicated DeepBlueMagic’s process, tried several recovery tools, and successfully recovered the files on the encrypted partition using CGSecurity.org’s free TestDisk tool.

Ransomware is currently a pressing problem, with large numbers of organizations affected every day around the world. Financial losses run to millions of dollars and there are serious social consequences. This new variant further underlines cybercriminals’ willingness and ability to refine their business and keep increasing their profits. DeepBlueMagic and other new attackers will undoubtedly continue to target organizations worldwide, so it is important for business owners to focus on prevention rather than only mitigation. The battle between cybercriminals and the security industry will likely intensify.

Data Breaches at NCH Corporation, TGH Urgent Care and Southwest Nebraska Public Health Department

NCH Corporation in Irving, TX, an international marketer of maintenance products, has reported a suspected ransomware attack. The company noticed suspicious network activity on March 5, 2021 when certain systems became inaccessible.

NCH took steps to block unauthorized access and regain control of its systems. The investigation found that the attackers had access to parts of the network from March 2 to March 5, 2021, during which time certain files on its file servers were accessed by an unauthorized individual. NCH could not determine which files were accessed, so all individuals whose information was potentially compromised were notified. The review of the files was completed on June 29, 2021. The files contained the names of some current and former employees and their dependents, along with Social Security numbers and driver’s license numbers.

On July 29, 2021, the company sent notification letters to the affected individuals and offered complimentary credit monitoring and identity theft protection services.

The breach report submitted to the HHS’ Office for Civil Rights indicates that the attack affected approximately 11,427 individuals.

Insider Incident Impacts Patients of TGH Urgent Care Run by Fast Track

Synergic Healthcare Solutions has notified 558 individuals of the possible theft of their protected health information (PHI) by a former employee of Tampa General Urgent Care.

The breach occurred on September 9, 2020, when a former Tampa General Urgent Care employee allegedly photographed patient data at the TGH Urgent Care facility in Seminole, FL. The breach was discovered on November 6, 2020.

The former employee was accused of photographing patients’ credit card information and driver’s licenses. Although the former employee is believed to have photographed the data of only 3 individuals, it was decided that all 558 patients whose records the employee had accessed would be notified.

All potentially affected individuals were offered free credit monitoring services. Since the incident, TGH has retrained employees on privacy and security and on reporting potential privacy violations.

Southwest Nebraska Public Health Department Reports Exposure of COVID-19 Vaccination Data

Southwest Nebraska Public Health Department (SNPHD) has notified 13,500 individuals that COVID-19 vaccination data was exposed online.

On May 18, 2021, SNPHD learned that the information had been exposed on its website. The exposed data included names, dates of birth, addresses, county, vaccination date, vaccine type, gender, and race.

SNPHD contacted its web hosting provider, which confirmed that only one individual had accessed the data. SNPHD said that individual has worked with SNPHD, and it is confident there is no cause for concern about the access; nevertheless, affected individuals were notified as a precaution.

As a result of the incident, SNPHD has provided its employees with additional training on HIPAA, privacy, and confidentiality to ensure a similar incident does not happen again.

Accidental PHI Exposure at LA Fire Department and Standard Modern Company

The Los Angeles Fire Department has learned that the COVID-19 vaccination information of 4,900 employees was inadvertently exposed online.

A list containing employees’ full names, dates of birth, employee numbers, and COVID-19 vaccination data (vaccine doses, dates, or refusal of the vaccine) had been posted on a publicly accessible web page. While the site was live, anyone could view the page and search the database by name or employee number. The database was not password-protected and no credentials were required to authenticate users. A wildcard search produced a table listing the records of all 4,900 employees.

The website, covid.lacofdems.com, was privately registered and was linked to the Fire Department’s Emergency Medical Services department. The unauthorized web page was created on April 29, 2021 and taken offline on July 15, 2021. It was reportedly created to allow Department staff to retrieve lost vaccination records.

Before it was deactivated, an LA Times reporter obtained the information from the database. An investigation into the site’s ownership confirmed that it was hosted by a member of the unit’s staff and was not protected by any government software or system.

After learning of the exposure of their vaccination status, some firefighters took to social media to complain about the privacy breach. The firefighters’ union, Local 1014, has called for a full investigation of the breach.

Mailing Vendor Error Resulted in Delivering Letters to Wrong MassHealth Members

Standard Modern Company, Inc. of New Bedford, MA has notified 2,707 individuals of an accidental exposure of their personal data.

Standard Modern Company provides mailing services to the Massachusetts Executive Office of Health and Human Services. On May 24, 2021, Standard Modern Company was informed that some MassHealth members had received letters containing the details of other MassHealth members. All mailings were halted while the incident was investigated; the investigation confirmed that an internal software error had affected mailings sent between May 10, 2021 and May 18, 2021, causing incorrect labels to be printed on some mailed notices.

In each case, a letter containing a member’s name, ID number, date of birth, and the last four digits of their Social Security number was mailed to a different MassHealth member.

Standard Modern Company has stopped using the internal program that caused the error and has implemented additional safeguards to improve its mailing processes and prevent further mistakes.

Each of the 2,707 affected individuals had only limited data exposed, and to only one other person, and there have been no reports of misuse of the exposed information. A telephone line was set up for affected individuals to learn more about the breach and have their questions answered, and two years of free triple-bureau credit monitoring and cyber monitoring services were offered.

Beckage PLLC, a privacy and security law firm in Buffalo, NY, assisted Standard Modern Company with the investigation and response to the data breach.

PHI Compromised Due to UNC Health and Nebraska DHHS Phishing Attacks

The Nebraska Department of Health and Human Services has reported a security incident involving the protected health information (PHI) of clients of Aging Partners, a division of the City of Lincoln.

The Lincoln Information Services Department discovered the breach on May 25, 2021. Employees had clicked links in phishing emails and disclosed information that gave access to their email accounts, which contained over 46,000 email messages. A computer forensics firm confirmed that an unauthorized individual accessed the email account between May 18 and May 21.

A review of the messages in the account confirmed that some contained patient information such as names, dates of birth, addresses, telephone numbers, Social Security numbers, type/amount of service, dates of service, and some health information such as diagnoses, care assessments, and medication lists. Some emails also contained bank account numbers or other financial information. 6,600 of the emails contained the PHI of Aging Partners’ clients, although only 1,513 individuals were affected. For most affected individuals, only their names were present in the email accounts.

All affected individuals are being notified, and credit monitoring and identity theft protection services are being offered to those whose financial information was contained in the compromised email accounts.

UNC Health Phishing Attack

UNC Health has reported that an unauthorized individual accessed an email account containing the PHI of patients of the University of North Carolina at Chapel Hill School of Medicine (SOM) and the University of North Carolina Hospitals (UNC Hospitals).

On May 20, 2021, UNC Health discovered that the email account of a SOM faculty member, who provided medical services at UNC Hospitals, had been compromised. The account was promptly secured and an investigation was launched to determine the scope of the breach. With the assistance of a third-party cybersecurity firm, UNC Health determined that the account was compromised only on April 20, 2021 and that no other systems or email accounts were affected.

Analysis of the account showed that the following types of data may have been compromised: patients’ names, dates of birth, diagnosis and treatment information, and/or details of a research study patients may have participated in or been eligible for at UNC Hospitals/SOM. The account contained the health insurance information of fewer than 30 patients and the Social Security numbers of fewer than 10 patients. No misuse of patient information has been reported.

Additional email security measures are being implemented and employees are receiving further training to help them identify phishing emails.

REvil Ransomware Websites Go Offline, Raising Questions of a Law Enforcement Takedown

The notorious REvil ransomware gang’s clear web and dark web sites have suddenly disappeared, days after President Biden called on Vladimir Putin to take action against ransomware gangs and other cybercriminals attacking U.S. businesses from within Russia.

At around 1 a.m. on Tuesday, the sites the gang uses to leak victims’ data, its command and control infrastructure, and its ransom negotiation chat server went offline and have remained so since. For one of the group’s sites, the server’s IP address can no longer be resolved via DNS.

REvil has become one of the highest-profile ransomware-as-a-service operations. The gang has been linked to many ransomware attacks in the U.S. and around the world, including the recent attack on JBS Foods and the supply chain attack on Kaseya, in which ransomware was deployed on approximately 60 managed service providers (MSPs) and approximately 1,500 of their customers on July 2. A $70 million ransom was demanded for the keys to decrypt the victims’ files, with the demand later reduced to $50 million.

While it is not unusual for ransomware operations to go quiet, or for infrastructure to be taken down temporarily, the timing of the shutdown suggests that either the U.S. or the Russian government has taken action. The FBI has not commented on the REvil servers going offline, and the Russian president’s press secretary, Dmitry Peskov, told TASS reporters that he did not know what had happened to the servers. It is also possible that the outage is due to hardware failure, or simply to the gang deciding to lay low after such a high-profile attack.

Ransomware gangs have come under intense scrutiny since the DarkSide ransomware group’s attack on Colonial Pipeline. Shortly after that attack, the White House announced that efforts to target ransomware groups and their infrastructure would be stepped up. The DarkSide RaaS operation subsequently shut down, following a quiet law enforcement takedown of its infrastructure.

At the Geneva summit, President Biden spoke with Vladimir Putin about cyberattacks on U.S. businesses by cybercriminal groups operating within Russia and urged him to take action to break up the gangs, even if the attackers were not state-sponsored.

A few days ago, President Biden spoke with Putin again, demanding action against ransomware gangs operating out of Russia. After the call, Biden told reporters that the U.S. would take action to take down the ransomware gangs’ servers if Russia failed to do so.

Several news outlets, including the BBC, have reported that the shutdown was the result of U.S. action to take down the group’s infrastructure. A BBC reporter spoke with one individual, believed to be an REvil affiliate, who said the group had shut down its infrastructure after a partial takedown by federal authorities and growing pressure from the Kremlin.

Vitali Kremez of Advanced Intel said that, according to unconfirmed information, REvil’s server infrastructure received a [Russian] government legal request compelling REvil to completely dismantle its server infrastructure and disappear. However, this has not been confirmed.

It is too early to say what has happened and whether the shutdown will be temporary or permanent. As is often the case after a Ransomware-as-a-Service operation shuts down, the gang may simply re-emerge under another name, as REvil has done before.

Kaseya Security Update Fixes Vulnerabilities Exploited in VSA Ransomware Attack

Kaseya has announced a security update for its Kaseya VSA remote monitoring and management software that fixes the zero-day vulnerabilities recently exploited by the REvil ransomware gang in attacks on its customers and their clients.

The exploited vulnerabilities were among a set of seven reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) in April 2021. Kaseya had developed patches for four of the seven vulnerabilities in its Virtual System Administrator software and released them in its April and May security releases; however, before the patches for the remaining three vulnerabilities were released, an REvil ransomware affiliate exploited at least one of them.

The attack affected approximately 60 customers, including managed service providers (MSPs) running Kaseya VSA on-premises. The REvil ransomware group gained access to their servers, encrypted them, and pushed its ransomware to approximately 1,500 downstream business customers of those firms.

After the July 2, 2021 attack, Kaseya told customers to shut down their on-premises VSA servers until the exploited vulnerabilities were fixed, and took its SaaS servers offline because the SaaS software had the same vulnerabilities, although the cloud-based service was not affected by the attack. Those servers are now being brought back online in stages, and the final three patches have been released in the VSA 9.5.7a (9.5.7.2994) update.

The three vulnerabilities fixed in the latest security update are:

CVE-2021-30116 – a business logic and credential leak vulnerability
CVE-2021-30119 – a cross-site scripting vulnerability
CVE-2021-30120 – a 2FA bypass vulnerability.

Kaseya says a further three vulnerabilities in the software were also fixed in the new update: a failure to set the Secure flag on user portal session cookies, a vulnerability that allowed files to be uploaded to a VSA server, and an issue in which a password hash was exposed, leaving weak passwords susceptible to brute force attacks.

Kaseya has recommended a procedure for applying the update to reduce risk: ensure the VSA server is isolated and not connected to the Internet, check for Indicators of Compromise (IoCs) to determine whether servers or endpoints have been breached, and then apply the update.

The full procedure for updating and securing on-premises VSA servers is set out in the Kaseya On Premises Startup Readiness Manual.