In a Kaseya supply-chain ransomware attack, multiple services providers and their clients have been affected by what seems to be a VSA-supply chain attack done through the Kaseya VSP MSP platform.
In an advisory issued at 4 PM, ETD on Friday, Kaseya updated its customers that they experienced a potential attack against the VSA, which according to them, has been “limited to a small number of on-premise customers”.
The company also instructed all customers to immediately shut down their VSA servers as the first thing an attacker would do is shut off administrator access to the server.
“CISA is taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software. CISA encourages organizations to review the Kaseya advisory and immediately follow their guidance to shut down VSA servers,” Cybersecurity and Infrastructure Security Agency, USA, said in a statement.
The extent of damage
As reported by BleepingComputer, Huntress Labs’ John Hammond said that at least three Huntress partners were impacted with around 200 businesses encrypted. Kaseya also told BleepingComputer that they’ve shut down their SaaS servers and are investigating the issue.
However, in the notice issued on their helpdesk site, Kaseya reports fewer than 40 customers were affected worldwide.
The attack happened midday on Friday (ET), which could mean that the attackers likely timed the attack to coincide with the July 4 weekend in USA, when staff would have a shorter weekday before the holidays began.
The attack is expected to have spread through an auto-update mechanism. According to Hammond, the Kaseya VSA drops and agent.crt file to the C:/kworking folder, distributed as an update called ‘Kasyea VSA Agent hot-fix’.
This hot=fiix triggers a PowerShell command to decode the agent.crt file using Windows’ certutl.exe command and extracts and agent.exe file in the same folder. This file, signed by a ‘PBO3 Transport LTD’ certificate, had included an embedded ‘MsMpEng.exe’ file and an ‘mpsvc.dll’, the DLL file being the REvil encryptor.
Kaseya said they’ve found the exploited vulnerability and are working on a patch to be released as soon as possible. Until then, the company has instructed customers to keep their networks shut down until further instructions, and the subsequent patch is released.