
Kaseya VSA Attack — Supply Chain Ransomware Goes Nuclear

Author: Osmond van Hemert
Supply Chain Security - This article is part of a series.

Last Friday — the Friday before the Fourth of July weekend, because attackers have impeccable timing — the REvil ransomware group launched what may be the most impactful supply chain attack we’ve seen yet. By exploiting vulnerabilities in Kaseya’s VSA remote monitoring and management platform, they managed to push ransomware to an estimated 1,500 businesses across at least 17 countries. The ransom demand? $70 million in Bitcoin for a universal decryptor.

If the SolarWinds attack was a precision strike aimed at high-value espionage targets, Kaseya is a carpet bombing — hitting as many victims as possible through a single point of leverage. And the leverage point they chose reveals a deeply uncomfortable truth about how managed service providers operate.

The Attack Vector

Kaseya VSA is a remote monitoring and management (RMM) tool used primarily by managed service providers (MSPs) — companies that handle IT infrastructure for small and medium businesses that don’t have their own IT departments. An MSP might manage hundreds of client organizations through a single VSA instance.

The attackers exploited zero-day vulnerabilities in the VSA server software — specifically, an authentication bypass and subsequent code execution chain. Because VSA is designed to push software updates and patches to managed endpoints, the ransomware was delivered through the exact mechanism that’s supposed to keep those endpoints secure. The irony is painful.

The attack chain was elegant in its simplicity: compromise the VSA server, use its legitimate update distribution mechanism to push the REvil ransomware payload to all managed endpoints, and watch as hundreds of businesses per MSP instance go dark simultaneously. Kaseya estimates that around 60 of their MSP customers were directly compromised, but each of those MSPs manages dozens to hundreds of downstream organizations.

Why MSPs Are the Perfect Target

I’ve been warning about the MSP supply chain risk for years, and this attack validates those concerns in the worst possible way.

MSPs occupy a uniquely privileged position in the security landscape. They have administrative access to their clients’ networks, the ability to deploy software across all managed endpoints, and — critically — they’re often trusted implicitly by their clients’ security tools. Antivirus exclusions for the RMM agent are standard practice. Firewall rules allowing RMM traffic are standard practice. The MSP’s toolchain operates with the kind of deep, persistent access that would be a red flag in any other context.

This isn’t a flaw in the MSP model per se — it’s inherent to how remote management works. But it means that compromising an MSP gives an attacker the same access that the MSP has: administrative control over every client environment. The force multiplication is staggering.

What makes this attack especially concerning is that many of the affected businesses are small operations — dental offices, accounting firms, small retailers — that don’t have the technical sophistication to even understand what happened, let alone recover from it. They hired an MSP precisely because they couldn’t manage IT themselves. Now their trust in that outsourcing model has been weaponized against them.

The Patch That Almost Was

Here’s a detail that makes this story even more frustrating: Kaseya was in the process of patching these vulnerabilities when the attack occurred. The Dutch Institute for Vulnerability Disclosure (DIVD) had discovered the flaws and was working with Kaseya on a responsible disclosure and remediation timeline. REvil apparently discovered the same vulnerabilities independently — or through other means — and exploited them before the patches could be deployed.

This highlights a tension in vulnerability disclosure that the security community has debated for decades. Responsible disclosure gives vendors time to fix issues, but that window is also a window of exposure. If multiple parties can find the same vulnerability, the assumption that attackers don’t know about it until the CVE is published is dangerously naive.

For VSA on-premises customers, Kaseya’s immediate guidance was to shut down VSA servers entirely until a patch was available. As I write this, those servers have been offline for nearly a week, meaning the MSPs that depend on them have been managing client infrastructure manually — or not at all — for days. The operational impact extends well beyond the ransomware itself.

What This Means for Software Supply Chains

The Kaseya attack, combined with SolarWinds, the Codecov breach, and the various npm supply chain attacks we’ve seen, establishes a clear pattern: attackers are systematically targeting the tools and platforms that have privileged access to many downstream environments.

This has concrete implications for how we evaluate and deploy management tools:

Assume your management plane is a target: Any tool with administrative access across multiple environments needs to be treated as critical infrastructure. That means aggressive patching, network segmentation, monitoring for anomalous behavior, and — where possible — zero-trust principles applied to the management plane itself.

Evaluate MSP security posture: If you’re using an MSP, you need to understand their security practices in detail. What tools do they use? How are those tools patched? What’s their incident response plan? The uncomfortable truth is that most MSP contracts don’t include meaningful security guarantees or audit rights.

Defense in depth for managed endpoints: Endpoints shouldn’t rely solely on the management tool chain for security. Independent endpoint detection and response (EDR), network-level monitoring that’s not controlled by the MSP, and offline backup strategies that can’t be reached through the management plane are all essential.

Software bill of materials: Understanding what software is running in your environment — and what access it has — is no longer optional. The push for SBOM standards and supply chain transparency that accelerated after SolarWinds just got another powerful argument in its favor.
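As an added example (not code from the original article or from any vendor), here is the shape of the independent monitoring the list above calls for: a small Python check over constructed RMM deployment audit lines that flags an artifact fanned out to many endpoints within a short window, which is exactly the pattern of a legitimate update channel being used for a mass push. The log line format, the field names and the approved-artifact allowlist are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: "<ISO time> deploy user=<who> endpoint=<id> artifact=<name>".
# This line format is an assumption for the example, not any vendor's real log schema.
SAMPLE_LOG = """\
2021-07-02T13:10:00Z deploy user=ops1 endpoint=ep-001 artifact=browser-91.0
2021-07-02T13:40:00Z deploy user=ops1 endpoint=ep-002 artifact=browser-91.0
2021-07-02T14:00:00Z deploy user=svc-admin endpoint=ep-001 artifact=agent-hotfix
2021-07-02T14:00:01Z deploy user=svc-admin endpoint=ep-002 artifact=agent-hotfix
2021-07-02T14:00:01Z deploy user=svc-admin endpoint=ep-003 artifact=agent-hotfix
2021-07-02T14:00:02Z deploy user=svc-admin endpoint=ep-004 artifact=agent-hotfix
2021-07-02T14:00:02Z deploy user=svc-admin endpoint=ep-005 artifact=agent-hotfix
2021-07-02T14:00:03Z deploy user=svc-admin endpoint=ep-006 artifact=agent-hotfix
"""

# Artifacts that went through change approval (assumed allowlist, kept outside the RMM).
APPROVED_ARTIFACTS = {"browser-91.0"}


def parse_events(text):
    """Turn audit lines into (time, user, endpoint, artifact) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, action, *fields = line.split()
        if action != "deploy":
            continue
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, kv["user"], kv["endpoint"], kv["artifact"]))
    return sorted(events)


def find_fanout_bursts(events, window=timedelta(minutes=5), min_endpoints=5,
                       approved=APPROVED_ARTIFACTS):
    """Flag any artifact pushed to >= min_endpoints distinct endpoints inside one window."""
    by_artifact = defaultdict(list)
    for when, user, endpoint, artifact in events:
        by_artifact[artifact].append((when, user, endpoint))
    findings = []
    for artifact, rows in by_artifact.items():  # rows stay time-ordered
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            endpoints = {r[2] for r in in_window}
            if len(endpoints) >= min_endpoints:
                # An unapproved artifact fanned out in bulk is the high-severity case,
                # regardless of whether the pushing account looks legitimate.
                findings.append({"artifact": artifact, "endpoints": len(endpoints),
                                 "users": sorted({r[1] for r in in_window}),
                                 "severity": "medium" if artifact in approved else "high"})
                break  # one finding per artifact is enough
    return findings
```

Because the allowlist and the log feed live outside the management plane, a compromised RMM server cannot silence this check the way it can disable an agent it manages.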

My Take

Every few months, we get another supply chain attack that’s described as a “wake-up call.” SolarWinds was a wake-up call. The Codecov breach was a wake-up call. At some point, we have to acknowledge that we’ve been hitting snooze.

The fundamental problem isn’t that Kaseya had vulnerabilities — all software has vulnerabilities. The problem is that our industry has built architectures where a single vulnerability in a single management tool can cascade to 1,500 businesses simultaneously. We’ve optimized for efficiency and convenience in ways that create catastrophic blast radiuses.

I don’t have a clean answer for the small dental office in Sweden that just lost access to all their patient records. The technical solutions — better segmentation, independent monitoring, tested backups — are things they hired an MSP specifically to handle. The MSP model needs to evolve to address these risks, but that evolution costs money, and the MSP market is brutally competitive on price.

What I do know is that every organization, regardless of size, needs to ask a simple question: “If the tool we use to manage our infrastructure is compromised, what happens?” If the answer is “everything is destroyed,” your architecture has a problem that no single vendor’s patch can fix.

The Fourth of July weekend is over. The cleanup is just beginning. And somewhere, the next supply chain target is running unpatched.
