This Threat Advisory acts as a follow-up to our previously released Advisories “0048-21” and “0049-21”. Kaseya has scheduled an urgent patch for July 6, 2021, between 4:00PM EDT – 7:00PM EDT. The Kaseya VSA vulnerabilities are still un-remediated at the time of publication and is it advised that any on-prem instances of the VSA software should remain powered down until further notice from Kaseya.
Technical Detail & Additional Information
WHAT IS THE THREAT?
On Friday July 2, 2021, the Kaseya VSA platform was exploited by a sophisticated supply chain attack targeting zero-day vulnerabilities which would distribute malicious code via the auto-update feature. The compromised version of the software would then allow the Cybercriminal group “REVil” to distribute ransomware against the infected network. After learning about the attack, Kaseya took their cloud VSA SaaS resources offline and distributed notifications to customers to shut down their on-premises VSA servers to prevent infection. Kaseya has since been working with the United States Federal Government and Mandiant to assess the severity and impact of the attack.
The latest update from Kaseya is that the company is working around the clock to develop and distribute a fix for their cloud VSA and on-premises VSA software. A patch is expected to be released July 6, 2021, between 4:00PM EDT and 7:00PM EDT. Kaseya has stated that they plan to apply the patches to their cloud SaaS servers initially to ensure the patch effectively remediates the issue. After the cloud servers have been brought back online and Kaseya has determined that the vulnerability is successfully patched, the update will be pushed to the on-prem customers roughly 24 hours after. These patch timelines are subject to change and are dependent on Kaseya’s R&D process.
Lastly, Kaseya is bringing enhanced security features online this afternoon such as a “24/7 independent SOC for every VSA with the ability to quarantine and isolate files and entire VSA servers”, “a complementary CDN with WAF for every VSA”, and “a new KB article on the SOC, CDN, and Whitelisting details”.
WHY IS IT NOTEWORTHY?
The Kaseya VSA platform is a widely used software across Managed Service Providers (MSPs), thus creating a large attack surface. Kaseya has reported that less than 60 of their customers and roughly 1,500 downstream businesses were directly compromised by this attack resulting. According to Kaseya, all compromised customers were utilizing on-prem software. The attack against the VAS software has effectively taken the VSA services offline for 4 days and counting and has infected roughly 1,500 businesses with ransomware. The REVil group has reportedly set a ransom of $70 Million in bitcoin in exchange for decryption keys.
WHAT IS THE EXPOSURE OR RISK?
Any MSP or customer of Kaseya utilizing an on-premises VSA application is potentially vulnerable to this attack. Customers utilizing the cloud SaaS VSA software should not be affected since Kaseya has taken their VSA cloud service offline Friday afternoon.
SKOUT Cybersecurity does not utilize Kaseya products and was not affected by this attack.
WHAT ARE THE RECOMMENDATIONS?
Kaseya has released a detection tool which effectively detects indicators of compromise on both VSA servers and managed endpoints. Customers should take the following remediation actions.
- All on-premises instances of Kaseya VSA software should remain powered down until a patch is released by Kaseya.
- Utilize the Kaseya VSA detection tool to ensure that systems have not exhibited signs of compromise
- Implement blocking actions against IOCs released by Kaseya
For more in-depth information about the recommendations, please visit the following links:
- Kaseya VSA Detection Tool: https://kaseya.app.box.com/s/p9b712dcwfsnhuq2jmx31ibsuef6xict
If you have any questions, please contact our Security Operations Center.