A CVE was assigned for the vulnerability used: CVE-2021-30116. It seems that Kaseya VSA servers were vulnerable to a SQL injection attack, allowing the threat actors to exploit them remotely. REvil says they have more than a million infected systems, but as of July 6th, roughly 60 of Kaseya’s direct customers appear to have been impacted according to reporting by Bleeping Computer, resulting in about 800 to 1,500 compromised businesses downstream. Their payment portal is live and they are actively negotiating with victims. REvil, one of the world’s most active ransomware gangs, has updated its blog claiming responsibility.
Multiple organizations throughout Europe and APAC have been forced to shut down their business entirely while they remediate. The blast radius of administrators or administrative servers is enormous. Even the blast radius of a single compromised user or endpoint is usually huge, as the average user typically has access to millions of files they don’t need. The attackers exploited vulnerable, internet-facing VSA servers that commonly run upstream of many victims in the networks of MSPs, using them as backdoors; this made it difficult or impossible for the victims to detect or prevent infection as the ransomware flowed “downstream.” Also, because updates are typically distributed to many nodes, recovery for infected organizations may be arduous.
Unlike the SolarWinds supply chain attack, where the update servers of SolarWinds were compromised, there is no indication that Kaseya’s infrastructure was compromised.
On July 3rd, at 10:00 AM EST, a malicious hotfix was released and pushed by Kaseya VSA servers that propagated to servers managed by Kaseya, resulting in the compromise and encryption of thousands of nodes at hundreds of different businesses. This malicious hotfix contained a ransomware payload called Sodinokibi, known to be released by a notorious group called REvil, which resulted in the encryption of the server and shared folders.
Kaseya VSA is a popular piece of software for remote network management, used by many managed security providers, or MSPs, companies that provide IT services to other companies. Network management software is a perfect place to hide a back door because these systems usually have broad access and perform a lot of tasks, making them difficult to monitor.