Customer Advisory Kaseya VSA Ransomware Incident

Mitiga Research Team
Jul 7, 2021

Customer Advisory – Kaseya VSA Ransomware Incident Overview

Background

On Friday July 2, 2021, Kaseya, an IT management software provider, notified its customers of a possible security breach in the Kaseya Virtual System Administrator Product. This has been covered extensively (BleepingComputer, CNET, IT World Canada).  

Kaseya has indicated that the number of victims is in the low 1000’s, even though the number may increase, at least 36,000 Kaseya customers took their servers offline. The attack appears to have the biggest impact in the UK, South Africa, and Canada, but organizations from countries around the world have been compromised.  

Following are details we understand (as of the publish date of this article) and recommendations actions to take.

Impacted Organizations

Group 1: MSPs managing client endpoints using VSA

Group 2: Customers of those MSPs & Group 3: Organizations using VSA to manage their own endpoints

Timeline

  1. Kaseya VSA management servers, hosted on premise by MSPs, were attacked (using a code injection vulnerability)
  1. Attackers retrieved a list of endpoint agents managed by the compromise server (those agents were scattered among numerous independent businesses served by the MSP)
  1. A malicious binary was distributed to endpoints in an encrypted file named agent.crt. The file was added to TempPath (which resolves to c:\kworking by default). The file was then distributed to client systems as an update called “Kaseya VSA Agent Hot-fix”
  1. The malicious binary was decrypted and executed disabling Key system security features and services
  1. The Encryption begins

Actions to Take

Group 1 & Group 3:

  1. Follow Kaseya instructions regarding shutting down VSA on-premises servers
  1. Inventory clients’ endpoints that have ever run VSA agent on them including time of deployment and agent version
  1. Notify potential victims and recommend they backup critical data

Group 2 & Group 3:  

  1. Activate preventative measure to prevent security software from being disabled on endpoints. For Windows Defender, the following Microsoft-issued documentation can be consulted Protect security settings with tamper protection | Microsoft Docs
  1. Initiate Incident Response driven by the following 3 vectors
  1. Actively block the IOCs and TTP enablers related to the attack; Disable VSA agents
  1. Ensure backup of sensitive data and rotate credentials (Including resetting the password of krbtgt user account in Windows Domain Environments)
  1. Initiate a compromise assessment activity to determine whether a covert breach has happened and validate no lateral movement was conducted to other environments and/or cloud environments

Known IOCs (from Huntress on Reddit ):

Endpoint Indicators of Compromise

Server Indicators of Compromise (Those are relevant for Group 1 & 3 victims)

Copyright ©️ Mitiga, Ltd. All rights reserved | Terms of Use | Privacy Policy