Kaseya MSP software hit by a zero-day ransomware attack

Ransomware Attack

Kaseya VSA Exploit proof of concept

Huntress Labs have released a video that shows a proof of concept exploiting the Kaseya VSA zero-day with Authentication Bypass, Arbitrary File Upload, and Command Injection.

Kaseya VSA attack was coordinated to occur Jul 2 2021 16:30 across all victims

The Kaseya VSA hackers carefully coordinated the attack by calculating the time difference for each victim so that the attack deployed at exactly Jul 2 2021 16:30 UTC. This move made it difficult to contain the damage once the attack was executed, with all systems being exploited simultaneously.

REvil gang demands $70 million

The ransomware gang, REvil, is claiming to have infected over a million systems with their malware. They are now asking for $70 million in BTC to publicly publish the decryptor so that everyone will be able to recover from the attack in less than an hour.

Darkweb REvil leak site
Demand notice posted to REvil's darkweb leak page

Cyberattack confirmed to be zero-day

The Kaseya VSA cyber attack has now been confirmed to be a zero-day vulnerability attack. Cybersecurity researcher John Hammond confirmed this from Huntress Labs, who posted a breakdown of the suspected attack vectors to Reddit. This information corrects previous theories that the cyberattack may have been due to a supply chain attack.

Hammond goes on to say that he has “high confidence that the threat actor used an authentication bypass in the web interface of Kaseya VSA to gain an authenticated session, upload the original payload, and then execute commands via SQL injection.”

Huntress Labs have also zeroed in on a specific IP address originating from an Amazon AWS host as the attack source. This information has been passed on to law enforcement agencies for the ongoing investigation. However, it is more likely that this host is a compromised web server.

FBI statement on Kaseya Ransomware Attack

The FBI is investigating the Kaseya ransomware incident and working closely with CISA and other interagency partners to understand the scope of the threat. If you believe your systems have been compromised, we encourage you to employ all recommended mitigations, follow Kaseya’s guidance to shut down your VSA servers immediately and report to the FBI at ic3.gov.

Although the scale of this incident may make it so that we are unable to respond to each victim individually, all information we receive will be useful in countering this threat. As always, we are committed to working with impacted victims and our partners toward an impactful resolution.

Several schools in New Zealand hit by cyberattack

Up to 11 schools in New Zealand have been affected by the Kaseya cyberattack. St Peter’s College in Cambridge posted on Facebook that its network had been hit by the cyberattack. The school has advised that their IT systems will be down for at least 48 hours while support staff work to restore their data.

It is also possible that some businesses will not know that they have been affected until arriving at work first thing Monday morning.

ESET Research telemetry

ESET Research telemetry shows where the majority of compromised servers are located. UK and Canada seem to be the hardest hit, but there are many reports coming in from around the world.

Update from Kaseya

Feedback from IT service providers and comments shared in online forums indicate that the cyberattack may be impacting thousands of small businesses.

Kaseya have provided a new update and they continue to recommend all on-premise customers keep their VSA servers offline until further notice. SAAS and Hosted VSA servers will become operational once Kaseya has determined that they can safely restore operations.

Kaseya are also making available a tool that customers will be able to use to determine if their server has been compromised.

Live webinar to help businesses affected by the cyberattack

Cybersecurity researcher, John Hammond will be providing a live webinar to discuss the attack and offer advice to anyone who is dealing with ongoing issues related to the attack.

A Managed Services Provider (MSP) software product, Kaseya, has been infiltrated with ransomware ahead of the July holiday weekend. Late on Friday, Kaseya sent out an urgent warning to customers of a potential attack on its VSA tools, which tens of thousands of IT support companies around the world use.

Kaseya has advised companies to shut down their services running the VSA software. “Its critical that you do this immediately, because one of the first things the attacker does is shutoff administrative access to the VSA,” the company posted in their warning message.

It is unclear how many organizations will be affected by this ransomware attack. Still, given the number of IT support companies using Kaseya’s VSA tools, the worst-case scenario presents a bleak picture.

Some companies have already begun receiving ransom demands, ranging anywhere from $50,000 to $5 million, depending on the company’s size.

Cybersecurity researcher John Hammond of Huntress Labs is aware of at least 200 companies that have already had their data encrypted by cybercriminal gang REvil. However, Hammond believes this number will increase quickly as more MSPs become aware of the cyberattack.

“Based on everything we are seeing right now, we strongly believe this REvil/Sodinikbi,” Hammond says. The cybercriminal gang, REvil was also behind the SolarWinds attack in 2020.

The timing of the attack raises questions about whether cybercriminals are deliberately scheduling their attacks around long weekends and public holidays when there is less likely to be IT support staff around to assist with mitigating the attack. 

At this stage, it is unclear how the cybercriminals have been able to gain a foothold into the supply chain of the Kaseya software. As a result, Kaseya has opted to shut down its VSA servers to prevent ransomware from spreading to any more of its clients.

Scroll to Top