- August 18, 2021: Removed Kaseya from the Latest News Portfolio Dashboard card.
- July 20, 2021: Added link to the blog post mentioned in the Latest News Portfolio Dashboard card.
- July 8, 2021: Published.
On July 2, 2021, a ransomware attack was launched against the Kaseya Virtual System Administrator (VSA) software.
On July 11, 2021, Kaseya released patch 9.5.7a to address the vulnerabilities exploited in the attack. At the time of reading, version 9.5.7a might already be outdated or the advisory may have changed. Refer to official guidance from Kaseya to make sure Kaseya VSA is up to date. If you use Kaseya VSA directly (you are an MSP) or indirectly (you contract with an MSP that manages your IT systems) and have not patched your instance of the software, then you are at risk of ransomware and/or a data leak.
Frequently Asked Questions
Who discovered the vulnerabilities?
The Dutch Institute for Vulnerability Disclosure (DIVD) is a non-profit volunteer organization of security researchers. They claim to have reported the vulnerabilities to Kaseya weeks before the attacks. See the Kaseya Case Update.
It is unclear whether REvil found the same vulnerabilities independently or through some sort of leak/attack on another organization or on Kaseya themselves.
Is the vulnerability resolved?
Yes. On July 11, 2021, Kaseya released patch 9.5.7a to address the vulnerabilities exploited in the attack. At the time of reading, version 9.5.7a might already be outdated or the advisory may have changed. Refer to Kaseya’s website to find out which version you should install.
What does Bitsight see?
- By request, historical data that shows the number of Kaseya VSA deployments that were exposed before July 2, 2021.
- The IP addresses of deployments that were exposed.
- Kaseya VSA deployments that are still exposed to the Internet as of July 5, 2021.
- Installed version information and when new versions (that fix the current vulnerabilities) are rolled out.
- Security Incidents associated with the Kaseya VSA attack.