-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2021.0124
                 Kaseya VSA Supply-Chain Ransomware Attack
                                5 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Kaseya VSA
Operating System: Windows
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Execute Arbitrary Code/Commands -- Unknown/Unspecified
                  Unauthorised Access             -- Unknown/Unspecified
Resolution:       Mitigation

OVERVIEW

        Kaseya have advised that their VSA product has been the victim of a
        sophisticated cyberattack. [1]
        
        Kaseya VSA is used by multiple MSPs; the affected organisations are
        being contacted by Kaseya directly. [1]
        
        Multiple sources have reported that this is a supply chain attack 
        culminating in the deployment of REvil ransomware. Multiple 
        organisations worldwide appear to have been affected. [1] [4] [6] 
        [7] [8]


IMPACT

        Kaseya report "Kaseya's VSA product has unfortunately been the
        victim of a sophisticated cyberattack. Due to our team's fast
        response, we believe that this has been localized to a very small
        number of on-premises customers only." [1]
        
        ACSC have advised "At this time, the ACSC has not received any
        reporting of this incident impacting Australian organisations. The
        ACSC will update this alert as the situation changes, if
        required." [2]
        
        Huntress Labs report "We are tracking ~30 MSPs across the US, AUS, 
        EU, and LATAM where Kaseya VSA was used to encrypt well over 1,000 
        businesses and are working in collaboration with many of them." [4]
        
        CISA have advised that they are also investigating the attack. [3]


MITIGATION

        Kaseya have advised customers to shut down on-premises VSA servers immediately. [1]
        
        Kaseya have released a compromise detection tool, which can be
        downloaded and run to check systems for indicators of compromise
        (IoCs). [1][5]
        
        Kaseya have been providing regular updates on this issue; please
        refer to their advisory for the most up-to-date information. [1]


REFERENCES

        [1] KASEYA VSA UPDATE
            https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689

        [2] Kaseya VSA Supply-Chain Ransomware Attack
            https://www.cyber.gov.au/acsc/view-all-content/alerts/kaseya-vsa-supply-chain-ransomware-attack

        [3] Kaseya VSA Supply-Chain Ransomware Attack
            https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack

        [4] Rapid Response: Mass MSP Ransomware Incident
            https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident

        [5] VSA Detection Tools.zip
            https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40

        [6] Kaseya Supply-Chain Attack Hits Nearly 40 Service Providers With
            REvil Ransomware
            https://thehackernews.com/2021/07/kaseya-revil-ransomware-attack.html

        [7] Shutdown Kaseya VSA servers now amidst cascading REvil attack
            against MSPs, clients
            https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/

        [8] Kaseya Ransomware Supply Chain Attack: What You Need To Know
            https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----