06 July 21, 16:47
Quote: The worldwide July 2 attacks on the Kaseya Virtual System/Server Administrator (VSA) platform by the REvil ransomware gang turn out to be the result of exploits for at least one zero-day security vulnerability, and the company is swinging into full mitigation mode, with patches for the on-premise version coming soon, likely Wednesday or Thursday, it said.
The VSA software is used by Kaseya customers to remotely monitor and manage software and network infrastructure. It’s supplied either as a hosted cloud service by Kaseya, or via on-premises VSA servers.
The attacks on the VSA (details on the multiple zero-day bugs believed used are below) are now estimated to have led to the encryption of files for around 60 Kaseya customers using the on-premises version of the platform – many of which are managed service providers (MSPs) who use VSA to manage the networks of other businesses.
That MSP connection allowed REvil access to those customers-of-customers, and there are around 1,500 downstream businesses now affected, Kaseya said in an updated rolling advisory. It’s estimated that more than a million individual systems are locked up, and Kaspersky on Monday said that it had seen more than 5,000 attack attempts in 22 countries at that point.
“The VSA server is used to manage large fleets of computers, and is normally used by MSPs to manage all their clients,” explained researchers at TruSec, in a post on Sunday. “Without separation between client environments, this creates a dependency: If the VSA server is compromised, all client environments managed from this server can be compromised too.”
It added, “Additionally, if the VSA server is exposed to the internet, any potential vulnerability could be leveraged over the internet to breach the server. This is what happened in this case. The threat actor, an affiliate of the REvil ransomware-as-a-service, identified and exploited a zero-day vulnerability in the VSA server. The vulnerability was exploited to introduce a malicious script to be sent to all computers managed by the server, therefore reaching all the end clients. The script delivered the REvil ransomware and encrypted the systems.”
Read more: Kaseya Patches Imminent After Zero-Day Exploits | Threatpost