
Kaseya VSA supply-chain attacked by REvil ransomware gang

Multiple managed service providers and their clients have been hit by ransomware in what appears to be a supply-chain attack delivered through Kaseya VSA, the remote monitoring and management platform MSPs use to administer customer endpoints.

In an advisory issued at 4 PM EDT on Friday, Kaseya told its customers that it had experienced a potential attack against VSA, which according to the company has been “limited to a small number of on-premise customers”.

The company also instructed all customers to shut down their VSA servers immediately, reasoning that the first thing an attacker would do is cut off administrator access to the server.

“CISA is taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software. CISA encourages organizations to review the Kaseya advisory and immediately follow their guidance to shut down VSA servers,” the US Cybersecurity and Infrastructure Security Agency (CISA) said in a statement.



The extent of damage

As reported by BleepingComputer, Huntress Labs’ John Hammond said that at least three Huntress partners were impacted with around 200 businesses encrypted. Kaseya also told BleepingComputer that they’ve shut down their SaaS servers and are investigating the issue.

However, in the notice issued on their helpdesk site, Kaseya reports fewer than 40 customers were affected worldwide. 

The attack happened midday on Friday (ET), which suggests the attackers timed it to coincide with the July 4 weekend in the US, when staff would be working a shortened day before the holiday and fewer defenders would be on hand to respond.

The attack appears to have spread through VSA's own update mechanism. According to Hammond, the Kaseya VSA agent drops an agent.crt file into the C:\kworking folder, pushed out as an update called ‘Kaseya VSA Agent Hot-fix’.

This hot-fix then runs a PowerShell command that decodes agent.crt with Windows' built-in certutil.exe (abused here as a base64 decoder, a well-known living-off-the-land technique) and writes an agent.exe into the same folder. That file, signed with a ‘PB03 TRANSPORT LTD’ certificate, carried an embedded MsMpEng.exe (the legitimate Microsoft Defender executable) alongside an mpsvc.dll; the DLL is the REvil encryptor, loaded by the genuine Defender binary via DLL side-loading so that the malicious code executes under a trusted, signed process.
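The chain above (certutil decoding a .crt in C:\kworking, agent.exe executing from that folder, and MsMpEng.exe loading mpsvc.dll from a directory Defender is not installed in) is exactly the kind of behaviour endpoint telemetry can catch. The following is an added example, written for this page and not code from the article, Kaseya or Huntress: a small Python detector run over constructed Sysmon-style records (Event ID 1 process creation and Event ID 7 image load, flattened to key=value pairs). The log lines, the Defender install-directory list and the drop location of the side-load pair are all assumptions made for the example.

```python
"""Detect the three stages of the Kaseya VSA 'hot-fix' chain in process telemetry.

Added example for this page, not original article or vendor code. The sample
records below are constructed, simplified Sysmon output, not real captures.
"""
import re
from dataclasses import dataclass

# Working folder named in the article; all comparisons are lower-cased.
KWORKING = r"c:\kworking"
# Directories where a genuine MsMpEng.exe/mpsvc.dll pair lives (assumed list);
# mpsvc.dll loaded from anywhere else is a side-load candidate.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Constructed telemetry: the Defender version directory, the C:\Windows drop
# location and all parent processes are made up for the example.
SAMPLE_LOG = r"""
EventID=1 Image="C:\Windows\System32\svchost.exe" CommandLine="svchost.exe -k netsvcs" ParentImage="C:\Windows\System32\services.exe"
EventID=1 Image="C:\Windows\System32\certutil.exe" CommandLine="certutil.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe" ParentImage="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EventID=1 Image="C:\kworking\agent.exe" CommandLine="c:\kworking\agent.exe" ParentImage="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EventID=7 Image="C:\Windows\MsMpEng.exe" ImageLoaded="C:\Windows\mpsvc.dll" Signed=false
EventID=7 Image="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2105.5-0\MsMpEng.exe" ImageLoaded="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2105.5-0\mpsvc.dll" Signed=true
EventID=1 Image="C:\Windows\System32\certutil.exe" CommandLine="certutil.exe -verify c:\certs\corp.crt" ParentImage="C:\Windows\explorer.exe"
"""


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Turn 'Key=value Key2="quoted value"' into a dict with quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def _under(path: str, prefix: str) -> bool:
    return _norm(path).startswith(prefix.rstrip("\\") + "\\")


def check_event(ev: dict) -> list:
    """Return the findings a single parsed record triggers (possibly none)."""
    findings = []
    try:
        eid = int(ev.get("EventID", "0"))
    except ValueError:
        return findings
    image = _norm(ev.get("Image", ""))
    if eid == 1:
        cmd = _norm(ev.get("CommandLine", ""))
        # Stage 1: certutil abused as a base64 decoder on a .crt in C:\kworking.
        if image.endswith(r"\certutil.exe") and "-decode" in cmd \
                and KWORKING in cmd and ".crt" in cmd:
            findings.append(Finding("certutil-decode-kworking", eid, ev.get("CommandLine", "")))
        # Stage 2: the decoded agent.exe executes from the working folder.
        if image == KWORKING + r"\agent.exe":
            findings.append(Finding("agent-exe-from-kworking", eid, ev.get("Image", "")))
    elif eid == 7:
        loaded = _norm(ev.get("ImageLoaded", ""))
        # Stage 3: Defender's MsMpEng.exe loads mpsvc.dll from a non-Defender path.
        if image.endswith(r"\msmpeng.exe") and loaded.endswith(r"\mpsvc.dll") \
                and not any(_under(loaded, d) for d in DEFENDER_DIRS):
            findings.append(Finding("mpsvc-dll-sideload", eid,
                                    f"{ev.get('Image')} loaded {ev.get('ImageLoaded')}"))
    return findings


def scan(lines) -> list:
    """Run every rule over an iterable of raw key=value records."""
    out = []
    for line in lines:
        line = line.strip()
        if line:
            out.extend(check_event(parse_line(line)))
    return out


def rule_names(lines) -> list:
    return [f.rule for f in scan(lines)]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Run against the constructed sample, the detector fires once per stage and stays quiet on the benign records (a genuine Defender load from its platform directory and a legitimate `certutil -verify`). The side-load rule deliberately keys on where mpsvc.dll is loaded from rather than on C:\kworking, since the article does not state where agent.exe writes the Defender pair; pinning a rule to the folder in a single incident is exactly how the next variant slips past it.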

Kaseya said it has identified the exploited vulnerability and is working on a patch to be released as soon as possible. Until then, the company has instructed customers to keep their VSA servers offline until further instructions and the patch are released.
