Enterprises running Kaseya VSA remote monitoring and management tools should shut down servers running the service immediately, Fred Voccola, CEO of IT company Kaseya, said in a warning posted on Friday. The attackers behind the ransomware attack are disabling administrative access to VSA once they have access to the victim network, complicating efforts to contain and remove the ransomware.
We are tracking ~30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was used to encrypt well over 1,000 businesses and are working in collaboration with many of them. All of these VSA servers are on-premises and Huntress has confirmed that cybercriminals have exploited an arbitrary file upload and code injection vulnerability and have high confidence an authentication bypass was used to gain access into these servers.
R&D has replicated the attack vector and is working on mitigating it. We have begun the process of remediating the code and will include regular status updates on our progress starting tomorrow morning.
Our team has been in contact with the Kaseya security team since July 2 at approximately 2:00pm ET. They immediately started taking response actions and feedback from our team as we both learned about the unfolding situation.
Many partners are asking “What do you do if your RMM is compromised?”. This is not the first time hackers have made MSPs supply chain targets, and we previously recorded a video guide to Surviving a Coordinated Ransomware Attack after 100+ MSPs were compromised in 2019. This is a good resource to start with, and you can also watch our most recent webinar about recovering from a mass ransomware attack here.
As reports began to surface of the Kaseya attack, there was initial speculation that the ransomware gang might have gained access to the company’s backend software development pipeline, including its build infrastructure. With such access, the attackers could have injected malicious code into the VSA software running on-premises in support of Kaseya business and MSP clients. In other words, the speculation was that the bad actors might have exploited Kaseya in the same way SolarWinds was exploited.
The team at Huntress will be doing a Tradecraft Tuesday to review the massive MSP ransomware incident.