REvil ransomware pushers exploit zero-day flaw in Kaseya VSA to infect MSPs and their customers.
Over 1,000 businesses around the world have reportedly been hit in a supply-chain attack in which attackers exploited a vulnerability in Kaseya VSA, a remote monitoring and management tool, to deploy REvil ransomware. Kaseya shut down its cloud-hosted service and urged all users of on-premises deployments, which include many managed service providers (MSPs), to shut down their VSA servers immediately until a patch is released.
This is not the first time cybercriminals and ransomware gangs have targeted MSPs as a shortcut into corporate networks. Defending against this attack vector is hard for many organizations: outsourcing IT administration means granting the MSP, and by extension the MSP's management tooling, highly privileged access to their networks and systems. Whoever controls that tooling inherits the same access, so a compromise of one MSP's management server becomes a compromise of every customer it manages.
The Kaseya VSA attack impact
The attack on Kaseya VSA servers started around midday US time on Friday, July 2, 2021, the start of the Independence Day holiday weekend. It is possible this was timed deliberately: ahead of a long weekend, security teams are thinly staffed and slower to notice and respond to an intrusion.
“Only a very small percentage of our customers were affected—currently estimated at fewer than 40 worldwide,” Kaseya said in an advisory. “We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly. We will release that patch as quickly as possible to get our customers back up and running.”
The company also took down the SaaS version of VSA, but said customers of its cloud-hosted service were never at risk. Kaseya VSA is a remote monitoring and management (RMM) product used by IT and network administrators to automate patching of endpoints and servers, manage backup and antivirus deployments, automate other IT processes, and remotely troubleshoot and resolve issues. To do all of this, the VSA agent runs with administrator-level privileges on every managed machine, and the VSA server can push scripts and executables to those agents. That makes the VSA server a high-value target: anyone who can issue commands from it can run code as an administrator across an entire managed fleet.
Kaseya says its RMM product has more than 36,000 customers, so fewer than 40 impacted customers may sound like a small fraction. However, according to third-party reports, many of the affected customers were MSPs, each of which uses Kaseya VSA to manage the systems and networks of hundreds of downstream businesses. The blast radius is therefore measured not in compromised VSA servers but in the customers those servers manage.
“We are tracking ~30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was used to encrypt well over 1,000 businesses and are working in collaboration with many of them,” John Hammond, a senior security researcher at managed threat detection and response vendor Huntress, said in a blog post. “All of these VSA servers are on-premises and Huntress has confirmed that cybercriminals have exploited a SQLi vulnerability and have high confidence an authentication bypass was used to gain access into these servers.”