Exploited by REvil Ransomware
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
CVEs: CVE-2021-30116
Kaseya's international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries. Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform.
The firm's software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain.
This report focuses on the Kaseya vulnerability itself; a separate, dedicated report is available for the REvil ransomware that exploits this vulnerability. The Kaseya VSA product was the victim of a sophisticated cyberattack that caused many of its customers to be infected with ransomware. On July 2, the SaaS version was temporarily shut down, and Kaseya warned all its customers to immediately stop using the on-premises version until a patch was available. Nearly 40 of its MSP customers were reported hacked, and those MSPs themselves manage hundreds or thousands of businesses underneath them.
https://www.nbcnews.com/tech/security/ransomware-attack-software-manager-hits-200-companies-rcna1338
What is ransomware?
Ransomware is a type of malware that specializes in the encryption of files and drives.
In what has become one of the most severe and serious security problems modern businesses now face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations.
Once a victim's system or network has been encrypted, cyber criminals will place a ransom note on the system, demanding payment in return for a decryption key (which may, or may not, work).
Today's ransomware operators may be part of a Ransomware-as-a-Service (RaaS) scheme, in which they 'subscribe' to access and use a particular type of ransomware. Another emerging trend is double extortion, in which a victim also has their information stolen during a ransomware raid.
If they refuse to pay up, they may then face the prospect of their data being sold or published online.
Common and well-known ransomware families include REvil, Locky, WannaCry, Gandcrab, Cerber, NotPetya, Maze, and Darkside.
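The two observable symptoms the section above describes, files replaced by encrypted (high-entropy) content and a ransom note dropped alongside them, are what a simple host-side heuristic can look for. The following is an added example from the editor, not code from the report or from Kaseya; the note-filename pattern, the entropy threshold and the sample directory are all constructed assumptions for illustration:

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: filename pattern typical of dropped ransom notes (constructed heuristic).
RANSOM_NOTE_PATTERN = re.compile(
    r"(readme|how[_-]?to|restore|decrypt|recover).*\.(txt|html|hta)$", re.IGNORECASE
)
# Assumption: bits per byte above which content looks encrypted/random (max is 8.0).
ENTROPY_THRESHOLD = 7.5
MIN_SIZE = 256  # tiny files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, ~8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root) -> dict:
    """Flag a directory tree if it contains ransom-note-like files or is dominated
    by high-entropy files. Returns a dict so callers can assert on the result."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]
    high_entropy, ransom_notes = [], []
    for path in files:
        rel = path.relative_to(root).as_posix()
        if RANSOM_NOTE_PATTERN.search(path.name):
            ransom_notes.append(rel)
            continue
        data = path.read_bytes()
        if len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            high_entropy.append(rel)
    ratio = len(high_entropy) / len(files) if files else 0.0
    return {
        "total_files": len(files),
        "high_entropy": sorted(high_entropy),
        "ransom_notes": sorted(ransom_notes),
        # A note is a strong signal on its own; entropy alone only counts when it
        # dominates, because archives and media files are also high-entropy.
        "suspicious": bool(ransom_notes) or ratio >= 0.5,
    }


def build_sample_tree() -> str:
    """Constructed sample: one 'encrypted' file, one normal document, one note."""
    base = Path(tempfile.mkdtemp(prefix="rw_demo_"))
    docs = base / "docs"
    docs.mkdir()
    (docs / "budget.xlsx.locked").write_bytes(os.urandom(4096))   # random = encrypted-looking
    (docs / "notes.txt").write_text("Quarterly planning notes.\n" * 40)  # low entropy
    (docs / "README_TO_RESTORE.txt").write_text("constructed placeholder note\n")
    return str(base)


if __name__ == "__main__":
    print(scan_directory(build_sample_tree()))
```

The entropy check is deliberately secondary: compressed archives, images and already-encrypted backups score just as high, so in practice the note pattern, a sudden spike in renamed files, or a known file-extension list carries more weight than entropy on its own.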
Background
The US-CERT advisory is published at:
Latest Development
Kaseya has released patches for their VSA server. Kaseya has also released a Compromise Detection Tool, which can be downloaded at the following link:
https://kaseya.app.box.com/s/p9b712dcwfsnhuq2jmx31ibsuef6xict
Kaseya has published a detailed timeline of the incident at:
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
More incident details have been provided at:
https://helpdesk.kaseya.com/hc/en-gb/articles/4403584098961
The VSA on-premises runbook is provided at:
https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993
The VSA SaaS runbook is provided at:
https://helpdesk.kaseya.com/hc/en-gb/articles/4403709476369
July 11: Kaseya released the final patch for VSA on-premises deployments and started upgrading SaaS instances.