Kaseya VSA Supply Chain Attack
By Jeff Wehrman, Vigilant CISO
A Vigilant Threat Alerts Series
Vigilant wants to ensure that you are aware of an ongoing attack against Kaseya, specifically their VSA platform. Kaseya is a software vendor primarily providing remote monitoring and management software. A threat actor group is using Kaseya's platform to attack Kaseya customers and spread ransomware.
What Happened?
On Friday, July 2nd at 2pm EDT, Kaseya sent an announcement to customers stating that they were under attack, but that the impact was limited to a small number of on-premises customers (particularly MSPs, managed service providers).
Kaseya is investigating the root cause of the incident and, out of an abundance of caution, has shut down its servers and is actively working on remediation. However, the situation appears to have evolved into a supply chain attack stemming from a tainted update file that delivers a malicious payload through VSA.
The threat actors are using the compromised Kaseya agents/servers to deploy ransomware that encrypts endpoints and attempts to spread to other systems.
Based on early forensic patterns and the ransom notes (including the TOR URL), the ransomware appears to be a REvil/Sodinokibi variant, deployed by a Ransomware-as-a-Service (RaaS) affiliate.
What Immediate Action(s) Are We Recommending?
- If you are running Kaseya VSA, shut down your VSA server IMMEDIATELY and keep it offline until further notice from Kaseya. Speed matters here, because one of the first things the attacker does is shut off administrative access to VSA.
- https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
- https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
- If you suspect that an endpoint has been affected by the REvil ransomware, isolate or disconnect it from the network, and power down the system(s) if needed, keeping in mind that powering down discards volatile memory that may be useful for forensic analysis.
- If you see something, please let us know by opening a ticket or reaching out to our team.
- Submit a ticket to us via the Customer Portal: https://vigilant.support
- Or call Toll Free: 1-855-238-4445, Option 4
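Before you can shut VSA down, you need to know where it is running. The following PowerShell inventory script is an added example, not code from Vigilant or Kaseya. It assumes that Kaseya components register Windows services and processes whose display name or executable path contains the string "Kaseya" (adjust the pattern for your environment), and it only stops and disables matching services when the -StopServices switch is supplied. Run it from a host that is not itself managed by the VSA server, and re-enable services only after Kaseya gives the all-clear.

```powershell
# Added example (not Vigilant's or Kaseya's own code): find Kaseya services
# and processes on one or more Windows hosts, and optionally stop them.
# Assumption: Kaseya components are identifiable by "Kaseya" in the service
# display name, service binary path, or process executable path.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [switch]$StopServices
)

$pattern = 'Kaseya'   # assumed match pattern; tune for your deployment

foreach ($computer in $ComputerName) {
    # Services whose display name or binary path mention Kaseya
    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $computer |
        Where-Object { $_.DisplayName -match $pattern -or $_.PathName -match $pattern }

    # Running processes launched from a Kaseya path
    $processes = Get-CimInstance -ClassName Win32_Process -ComputerName $computer |
        Where-Object { $_.ExecutablePath -match $pattern }

    # Emit one record per finding so the output can be exported or filtered
    foreach ($svc in $services) {
        [pscustomobject]@{
            Computer = $computer; Type = 'Service'
            Name = $svc.Name; State = $svc.State; Path = $svc.PathName
        }
    }
    foreach ($proc in $processes) {
        [pscustomobject]@{
            Computer = $computer; Type = 'Process'
            Name = $proc.Name; State = 'Running'; Path = $proc.ExecutablePath
        }
    }

    if ($StopServices) {
        foreach ($svc in $services) {
            # Stop the service and set it to Disabled so it cannot restart on reboot
            Invoke-CimMethod -InputObject $svc -MethodName StopService | Out-Null
            Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode `
                -Arguments @{ StartMode = 'Disabled' } | Out-Null
        }
    }
}
```

Usage: `.\Find-Kaseya.ps1 -ComputerName (Get-Content .\hosts.txt) | Export-Csv kaseya-inventory.csv` to inventory, then re-run with `-StopServices` against the hosts you have confirmed are VSA servers. Keep the CSV; it documents what was running and when, which you will want for the incident record.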
We are in the “trenches” and fighting together with you!
What is Vigilant Doing to Keep Your Organization Secure?
At this time, the situation is still developing and Vigilant will continue to monitor new developments and provide updates as more information becomes available and/or other impacts become known. Vigilant does not use the Kaseya VSA platform.
If we identified Kaseya running in your environment using CyberDNA or MEP, we have also called your team and opened a ticket with this information and instructions.
- If you subscribe to our Managed Endpoint Protection (MEP) service, Vigilant recommends the following actions:
  - Follow the remediation recommendations above.
  - Make sure that the MEP agent is deployed to your endpoints running these services (e.g., Virtual Machine appliances).
  - Ensure that no other security agents or solutions are installed on these endpoints, as they interfere with the operation and performance of our MEP service.
  - If you only have MEP Level I: MEP Level I does not include file system inventory, so while it can detect and block follow-on threat actor activity, without MEP Level II we cannot proactively tell you whether other attacker artifacts or issues are present on these systems. If you would like us to scan and hunt on these systems with full visibility, reach out to your Vigilant CRS agent and request a quote to upgrade these systems to MEP Level II. We can upgrade MEP Level I systems within minutes.
- If you subscribe to our CyberDNA service, Vigilant recommends the following actions:
  - Follow the remediation recommendations above.
  - If you do not subscribe to our MEP Level II service, our Hunt Team does not have deep visibility into your endpoints (only the network traffic around them), so contact your Vigilant CRS agent if you would like a quote to add MEP Level II to these systems.