New Zealand ICT services giant Datacom has shut down its Kaseya servers after a global breach of the vendor's Kaseya VSA product by cyber criminals.
Datacom said it used Kaseya software but had been decommissioning it before the current attack.
"As soon as we were notified of the risk, we shut down our Kaseya servers immediately," the company said in a statement. "We are also actively monitoring customer environments and have not seen, nor been made aware of any qualified infections."
Kaseya VSA is used by managed service providers and others to deliver IT management services to customers, so the impact of the global breach is likely to be large.
"When an MSP is compromised, we‘ve seen proof that it has spread through the VSA into all the MSP’s customers," said senior security researcher John Hammond of cyber security firm Huntress. "MSPs with over thousands of endpoints are being hit."
The local fallout from the attack was building on Sunday with systems at multiple schools affected. St Peter's School in Cambridge was the only one initially named, but at least ten more were breached.
The identity of the managed service provider to the schools was also not known.
Cyber security agency CERT NZ is recommending any users of the software shut it down until a fix is available. The REvil ransomware gang, believed to be linked to Russia, has been named in relation to the outbreak.
In 2019, Kaseya CEO Fred Voccola said the company had a sizeable office in Auckland and would be substantially investing in R&D, sales, support, marketing and business development.
On Friday (US time) Voccola said he believed that Kaseya had identified the source of the vulnerability and was preparing a patch to mitigate it for on-premises customers.
"We will release that patch as quickly as possible to get our customers back up and running," he said.
Datacom said its cyber security defence operations centre was made aware of a major REvil campaign against several companies using a malicious update for Kaseya VSA software early on Saturday morning NZ time.
Kaseya VSA is a cloud-based platform that allows providers to perform patch management and client monitoring for their customers. The attack allowed the group to take over administrator rights at managed service providers and then move on to client systems.
Reports suggested over 200 geographically distributed businesses had been successfully attacked and their files encrypted, Datacom said.
Datacom said it had deployed known indicators of the breach to its managed security products and had been monitoring REvil's previous campaigns for some time.