On July 2, 2021, Kaseya, a Florida-based software vendor that provides remote monitoring and management software to Managed Service Providers (MSPs), warned that its Virtual System Administrator (VSA) product was being abused to deploy ransomware on end users’ systems.[1][2]
The attack, tracked as CVE-2021-30116, has been attributed to the REvil ransomware group, which claims to have encrypted over one million systems. The group appears to have taken advantage of a vulnerability chain[3] in Kaseya VSA, consisting of an authentication bypass, an arbitrary file upload, and remote code execution, which allowed it to push a malicious agent to every endpoint managed by a compromised VSA deployment.[4] The attackers appear to have scanned the Internet for vulnerable Kaseya VSA deployments and exploited the vulnerability on a large number of systems (the exact number has not yet been determined).
This is not the first time that the REvil group has targeted Kaseya VSA. They successfully exploited flaws in Kaseya VSA at least twice before (in 2019) in order to plant ransomware on the systems of its users.[5][6]
References
1. The Record by Recorded Future, “Kaseya zero-day involved in ransomware attack, patches coming”
2. The Record by Recorded Future, “Kaseya: More than 1,500 downstream businesses impacted by ransomware attack”
3. Huntress, “Rapid Response: Mass MSP Ransomware Incident”
4. The Record by Recorded Future, “REvil gang asks for $70 million to decrypt systems locked in Kaseya attack”
5. ZDNet, “GandCrab ransomware gang infects customers of remote IT support firms”
6. ZDNet, “Ransomware gang hacks MSPs to deploy ransomware on customer systems”