Kaseya offers patch for security flaw that led to ransomware

The patch mitigates the ongoing risk of organisations being compromised through this activity.

The Australian Cyber Security Centre (ACSC) has issued a “high alert” urging organisations to apply the newly released patch for their Kaseya VSA platform.

In early July 2021, the United States Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) stated that both agencies were responding to the supply-chain ransomware attack that leveraged a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers. The statement followed Kaseya's announcement that its VSA product had been the victim of a sophisticated cyberattack.

According to Kaseya, the attackers exploited zero-day vulnerabilities in the VSA product to bypass authentication and achieve arbitrary command execution.

This allowed the attackers to use standard VSA product functionality to deploy ransomware to the endpoints it manages. There is no evidence that Kaseya's VSA codebase has been maliciously modified.

In its incident update, Kaseya wrote: “Mandiant was quickly engaged to investigate the incident. We have been actively engaged with Mandiant to assess the manner and impact of the attack. We are also cooperating with federal law enforcement to ensure that they have the information they need to investigate this attack. Below, we provide some of the technical details that we have been able to confirm in the course of the investigation.”

About 60 of Kaseya's direct customers were affected at the time, many of which provide IT services to multiple other companies. Kaseya reported that the total impact was, at the time, fewer than 1,500 downstream businesses.

On 21 July, Kaseya announced that it had obtained a decryptor for victims of the REvil ransomware attack and was working to remediate customers impacted by the incident.

“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” stated the vendor. “Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.”

Kaseya has confirmed, “in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor”.

Once users install the patch, they need to download and run the validation tool located here. The tool checks whether the latest patch was properly applied and reports the results; the report should indicate that the patch was successfully applied.

Users who had already installed the patch and subsequently performed a re-installation should also run the validation tool located here.

If the tool does not report a successful patch, be sure to follow the steps below and immediately perform an additional patch installation.

Note that once the 9.5.7a patch has been installed, if a re-installation is needed for any reason, it is important to pay attention to the following five steps when running the installer.

