On Friday, 2 July, CTA members became aware of a ransomware campaign targeting Kaseya’s VSA product. VSA is used by Managed Service Providers (MSPs) to monitor and manage information technology for their clients, provide automation, and assist with software patch management. In this incident, an affiliate of REvil leveraged a zero-day vulnerability in VSA to bypass authentication and execute arbitrary commands, deploying ransomware to endpoints via a malicious update.

CTA members note that they are treating this as two separate events: 1) a zero-day attack against MSPs using Kaseya’s VSA product and 2) a service supply chain attack that leverages Kaseya’s VSA platform to gain access to the ransomware victims. So far, there is no evidence that Kaseya’s systems have been compromised or that the actors used Kaseya to send the malicious updates to the affected MSPs.

CTA members are supporting customers in their response to these ransomware incidents. CTA members are sharing information and analysis on this incident via our Early Sharing program and through analyst-to-analyst discussions, ensuring that response efforts are aligned with the most up-to-date understanding of this incident. CTA will be collating relevant threat reports, blog posts, and advice around protections and mitigations from our members in order to support other organizations in responding to this incident. As new materials and insights are released, we will add them to this blog post.

Alien Labs

Anomali

Avast

Check Point

Cisco Talos

Telefónica ElevenPaths

Fortinet

McAfee

Morphisec

Palo Alto Networks

Panda Security

Rapid7

SecurityScorecard

Sophos

Symantec Broadcom