Kaseya VSA Attack

Updated: Aug 16, 2021

Exploited by REvil Ransomware


https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689

CVEs: CVE-2021-30116

Kaseya's international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries. Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform.

The firm's software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain.

This report focuses on the Kaseya vulnerability itself; a separate (dedicated) report is available for the REvil ransomware that exploits this vulnerability. The Kaseya VSA product was the victim of a sophisticated cyberattack that caused many of its customers to be infected with ransomware. On July 2, the SaaS version was temporarily shut down, and Kaseya warned all of its customers to immediately stop using the on-premises version until a patch became available. Nearly 40 of its MSP customers were reported hacked, and those MSPs themselves manage hundreds or thousands of businesses underneath them.

https://www.nbcnews.com/tech/security/ransomware-attack-software-manager-hits-200-companies-rcna1338


What is ransomware?


Ransomware is a type of malware that specializes in the encryption of files and drives.

In what has become one of the most severe and serious security problems modern businesses now face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations.

Once a victim's system or network has been encrypted, cyber criminals will place a ransom note on the system, demanding payment in return for a decryption key (which may, or may not, work).


Today's ransomware operators may be part of a Ransomware-as-a-Service (RaaS) scheme, in which they 'subscribe' to access and use a particular type of ransomware. Another emerging trend is double extortion, in which a victim also has their information stolen during a ransomware raid.

If they refuse to pay up, they may then face the prospect of their data being sold or published online.


Common and well-known ransomware families include REvil, Locky, WannaCry, GandCrab, Cerber, NotPetya, Maze, and DarkSide.


Background

The US-CERT (CISA/FBI) guidance for MSPs and their customers is published at:

https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa


Latest Development

Kaseya has released patches for their VSA server. Kaseya has also released a Compromise Detection Tool, which can be downloaded at the following link:

https://kaseya.app.box.com/s/p9b712dcwfsnhuq2jmx31ibsuef6xict

Kaseya publishes a detailed timeline of the incident at:

https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689

More incident details have been provided at:

https://helpdesk.kaseya.com/hc/en-gb/articles/4403584098961

The VSA on-premises runbook is provided at:

https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993

The VSA SaaS runbook is provided at:

https://helpdesk.kaseya.com/hc/en-gb/articles/4403709476369


July 11: Kaseya released the final patch for VSA on-premises deployments and started upgrading SaaS instances.


For this or any other cybersecurity concerns, please feel free to reach out to us at Get Started!
