===========================================================================
                  AUSCERT Security Bulletin ASB-2021.0124
               Kaseya VSA Supply-Chain Ransomware Attack
                               5 July 2021
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Kaseya VSA
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Unknown/Unspecified
                   Unauthorised Access             -- Unknown/Unspecified
Resolution:        Mitigation

OVERVIEW

        Kaseya have advised that their VSA product has been the victim of a
        sophisticated cyberattack. [1]

        Kaseya VSA is used by multiple MSPs; the affected organisations are
        being contacted by Kaseya directly. [1]

        Multiple sources have reported that this is a supply chain attack
        culminating in the deployment of REvil ransomware. Multiple
        organisations worldwide appear to have been affected. [1] [4] [6]
        [7] [8]

IMPACT

        Kaseya report: "Kaseya's VSA product has unfortunately been the
        victim of a sophisticated cyberattack. Due to our team's fast
        response, we believe that this has been localized to a very small
        number of on-premises customers only." [1]

        ACSC have advised: "At this time, the ACSC has not received any
        reporting of this incident impacting Australian organisations. The
        ACSC will update this alert as the situation changes, if
        required." [2]

        Huntress Labs report: "We are tracking ~30 MSPs across the US, AUS,
        EU, and LATAM where Kaseya VSA was used to encrypt well over 1,000
        businesses and are working in collaboration with many of them." [4]

        CISA have advised that they are also investigating the attack. [3]

MITIGATION

        Kaseya have advised customers to shut down VSA servers immediately.
        [1]

        Kaseya have released a new compromise detection tool; it can be
        downloaded and run to analyse systems for IoCs. [1] [5]

        Kaseya have been providing regular updates on this issue; please
        refer to their advisory for the most up to date information. [1]

REFERENCES

        [1] KASEYA VSA UPDATE
            https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689

        [2] Kaseya VSA Supply-Chain Ransomware Attack
            https://www.cyber.gov.au/acsc/view-all-content/alerts/kaseya-vsa-supply-chain-ransomware-attack

        [3] Kaseya VSA Supply-Chain Ransomware Attack
            https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack

        [4] Rapid Response: Mass MSP Ransomware Incident
            https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident

        [5] VSA Detection Tools.zip
            https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40

        [6] Kaseya Supply-Chain Attack Hits Nearly 40 Service Providers With
            REvil Ransomware
            https://thehackernews.com/2021/07/kaseya-revil-ransomware-attack.html

        [7] Shutdown Kaseya VSA servers now amidst cascading REvil attack
            against MSPs, clients
            https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/

        [8] Kaseya Ransomware Supply Chain Attack: What You Need To Know
            https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================