{"id":41602,"date":"2021-07-02T22:33:00","date_gmt":"2021-07-02T22:33:00","guid":{"rendered":"http:\/\/a0e544d1-d815-4c9d-a892-001f96ca8c71"},"modified":"2021-07-02T22:33:00","modified_gmt":"2021-07-02T22:33:00","slug":"kaseya-urges-customers-to-immediately-shut-down-vsa-servers-after-ransomware-attack","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/kaseya-urges-customers-to-immediately-shut-down-vsa-servers-after-ransomware-attack\/","title":{"rendered":"Kaseya urges customers to immediately shut down VSA servers after ransomware attack"},"content":{"rendered":"

UPDATE: In a statement late Friday evening, Kaseya CEO Fred Voccola confirmed that the company’s Incident Response team caught wind of the attack mid-day and immediately shut down their SaaS servers\u202fas a precautionary measure,\u202fdespite not having received any reports\u202fof compromise from any SaaS or hosted customers.<\/p>\n

“[We] immediately notified our\u202fon-premises\u202fcustomers via email, in-product notices, and phone to shut down their VSA servers to prevent them from being compromised. We then followed our established incident response process to determine the scope of the incident and the extent that our customers were affected,” Voccola said. <\/p>\n

“We engaged our internal incident response team and leading industry experts in forensic investigations to help us determine the root cause of the issue. We notified\u202flaw enforcement and government cybersecurity agencies, including the FBI and CISA. While our early indicators suggested that\u202fonly\u202fa very small number of\u202fon-premises\u202fcustomers were affected, we\u202ftook\u202fa conservative approach\u202fin shutting down the SaaS servers\u202fto ensure we protected our more than 36,000 customers to the best of our ability.”\u202f\u202f <\/p>\n

So far, the company said they believe their SaaS customers “were never at-risk” and expects to\u202frestore\u202fservice\u202fto them in the next 24 hours once it is confirmed to be safe.<\/p>\n

According to Voccola, about 40 customers worldwide were affected and the company is preparing a patch to mitigate the vulnerability for any on-premises victims. <\/p>\n

“We’ve heard from\u202fthe vast majority\u202fof our customers that they experienced no issues at all, and I am grateful to our internal teams, outside experts, and industry partners who worked alongside of us to quickly bring this to a successful outcome,” Voccola added. <\/p>\n

Comment sections on Reddit<\/a> are now inundated with responses from customers trying to respond to the attack and restore systems. <\/p>\n

<\/section>\n

PREVIOUSLY: Kaseya has announced<\/a> that it is dealing with a massive ransomware attack that now may be affecting at least eight MSPs and hundreds of organizations.<\/p>\n

In a message posted to its website, the remote management solutions provider said it is “experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today.” <\/p>\n

“We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us,” the company said. <\/p>\n

“It’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.”<\/p>\n

Kaseya has taken down all SaaS instances of its VSA remote monitoring and management tool in light of the attack. <\/p>\n

John Hammond, senior security researcher at Huntress, told ZDNet<\/em> that they were first notified of the attack at 12:35 ET and said it “has been an all-hands-on-deck evolution to respond and make the community aware.” <\/p>\n

Hammond attributed the attack to the prolific REvil\/Sodinikibi ransomware group and Bleeping Computer<\/a>, The Record<\/a> and NBC News<\/a> all also reported that REvil or an affiliate was the culprit. Through an update to VSA software, REvil is allegedly spreading the ransomware widely. <\/p>\n

“We cannot emphasize enough that we do not know how this is infiltrated in Kaseya’s VSA. At the moment, no one does. We are aware of four MSPs where all of the clients are affected — 3 in the US and one abroad. MSPs with over thousands of endpoints are being hit,” Hammond said before Huntress updated its total to 8. <\/p>\n

“We have seen that when an MSP is compromised, we’ve seen proof that it has spread through the VSA into all the MSP’s customers. Kaseya’s VSA could be either on prem or cloud hosted. They currently have all of their cloud servers offline for emergency maintenance.” <\/p>\n

Hammond added that three of Huntress’ partners have been impacted, with “roughly 200 businesses encrypted.” <\/p>\n

He explained that agent.crt is dropped by the Kaseya VSA and is then decoded with certutil to carve out agent.exe, and inside agent.exe it has embedded `MsMpEng.exe` and `mpsvc.dll`. <\/p>\n

\"analysis.png\"<\/span>