On Friday, 2 July, CTA members became aware of a ransomware campaign targeting Kaseya’s VSA product. VSA is used by Managed Service Providers (MSPs) to monitor and manage information technology for their clients, provide automation, and assist with software patch management. In this incident, an affiliate of REvil leveraged a zero-day vulnerability in VSA to bypass authentication and run arbitrary command execution, deploying ransomware to endpoints via a malicious update.
CTA members note that they are treating this as two separate events: 1) a zero-day attack against MSPs using Kaseya’s VSA product and 2) a service supply chain attack that leverages Kaseya’s VSA platform to get access to the ransomware victims. As of yet, there is no evidence that Kaseya’s systems have been compromised or that the actors used Kaseya to send the malicious updates to the affected MSPs.
CTA members are supporting customers in their response to these ransomware incidents. CTA members are sharing information and analysis on this incident via our Early Sharing program and through analyst-to-analyst discussions, ensuring that response efforts are aligned with the most up-to-date understanding of this incident. CTA will be collating relevant threat reports, blog posts, and advice around protections and mitigations from our members in order to support other organizations in responding to this incident. As new materials and insights are released, we will add them to this blog post.
Alien Labs
Anomali
Avast
Check Point
- “Kaseya Attack”: Over 1000 organizations globally attacked on Fourth of July weekend, biggest supply chain attack since Sunburst
- Kaseya, what this ransomware attack fallout means
- The case of Kaseya’s $70 million ransom – Get The Latest Info
- The global ransomware supply chain attack that you need to know about
- How One IT Firm Successfully Beat Kaseya Ransomware
Cisco Talos
- Everything you need to know abou the Kaseya situation – Talos Takes Ep #60
- REvil ransomware actors attack Kaseya in supply chain attack
Telefónica ElevenPaths
Fortinet
- DLL Side-Loading Technique used in the recent Kayseya Ransomware Attack
- New Supply Chain Ransomware Attack Targets Kaseya Platform
McAfee
Morphisec
- Real-time Prevention of the Kaseya VSA Supply Chain REVIL Ransomware Attack
- Security News In Review: REvil Launches Supply Chaing Ransomware Attack
Palo Alto Networks
- Diagnosing the Ransomware Deployment Protocol
- Understanding REvil: The Ransomware Gang Behind the Kaseya Attack
- Threat Brief: Kaseya VSA Ransomware Attacks
- When Should You Protect Against Ransomware? Now, Before it Hits You.
Panda Security
- The biggest ransomware attack ever paralyzed thousands of businesses
- A new wave of ransomware attack hits up to 1,500 businesses worldwide
Rapid7
SecurityScorecard
Sophos
- Kaseya breach, and more Podcast
- Independence Day: REvil uses supply chain exploit to attack hundreds of businesses
- Kaseya ransomware attackers say: “Pay $70 million and we’ll set everyone free”
- Kaseya VSA supply chain ransomware attack
- What to expect when you’ve been hit with REvil ransomware
Symantec Broadcom