Beginning on Friday, July 2nd, 2021, reports started to come in of a large-scale attack on the software used by thousands of Managed Service Providers and IT Teams.
Kaseya is used by these teams to provide remote assistance to desktops, laptops, servers, and other endpoints. Kaseya VSA on-premise appears to be the sole product affected by the attack. At this time it is believed that Kaseya has contacted all of its clients and has had no further reports of infected customers since Saturday, 3rd July. Their current estimate is that 60 clients were affected, and that approximately 1500 “downstream” clients of those Service Providers were compromised as well.
The restoration process is still ongoing. As a first step, Kaseya released a tool designed to test an environment for compromise. It was released on Saturday, July 3rd and updated on Monday, July 5th with further detection capabilities. Kaseya strongly recommends re-running the updated version of this tool if Kaseya VSA was in use within your environment.
A patch to correct the zero-day vulnerability that was exploited in this attack has now been developed and is undergoing testing. Kaseya has tentatively scheduled its cloud service to be restored on July 6th, 2021. A set of best-practice instructions is likely to be released to on-premise clients soon after, followed by the corresponding patch.
NOTE – This appears to be a single-vector ransomware attack. The attackers, REvil, have stated that the only attack is the encryption of systems and the demand for a ransom. They claim not to have taken a copy of the data for further attacks (either further ransom threats to prevent leaking the data, or the sale of that data). At this time Kaseya has no comment on the $70 million ransom demand to provide decryption to all Kaseya clients and their clients respectively.
How to Protect Yourself:
At this time, your IT Team and Managed Service Provider should have been informed by Kaseya if they were at risk. Regardless of whether that message was received, if any Kaseya products are in use within the environment we recommend running the detection tool to ensure no ‘Indicators of Compromise’ are found on the servers and endpoints.
IT Teams should proactively follow the Kaseya website here to understand when the next updates will take place:
They should carefully follow any instructions regarding the hardening steps to be released by Kaseya, the FBI, and CISA in the next 24 hours (to be published at the same link as above).
Kaseya systems should not be restored before the Kaseya timeline.
Further technical information about the attack can be found here:
Further third-party news can be followed here: