Kaseya VSA app may be under active attack, as company tells customers to shut down

  • It’s unclear at this time which specific managed service providers (and which of their server rooms) have been affected by what appears to be an attack on Kaseya’s VSA unified remote monitoring & management software. (server room as photographed by Acirmandello/CC BY-SA 4.0)

    The remote IT management and monitoring application VSA may be under active attack by a ransomware group that has hit multiple managed service providers today. Vendor Kaseya recommends customers “IMMEDIATELY shutdown” VSA servers until further notice.

    “We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today,” the company wrote on its webpage. “We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us.”

    “It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA,” said Kaseya, which declined to provide further comment at this time.

    Huntress Labs’ official account has been live-blogging its experience with the attacks in a Reddit thread. By around 3:15 PM, Huntress said in its posts that it was aware of 200 businesses encrypted across eight MSPs.

    Huntress says it has seen a ransom demand of $5 million in one case, though the company cautions that the figure may not be consistent across victims. Huntress and Sophos have both reported that the attackers are a REvil affiliate group.

    “It has been an all-hands-on-deck evolution to respond and make the community aware,” Huntress researcher John Hammond said in an emailed statement to SC Media.

    He added that, while it is not definite that Kaseya VSA is the initial attack vector, it is a commonality between the affected MSPs. Hammond said he is currently aware of four MSPs where all customers have been encrypted.

    Huntress was first made aware of the ransomware at 12:35 PM and has been working with Kaseya, which Hammond says has been responsive.

    Hammond described the path of the attack as follows: “agent.crt is dropped by the Kaseya VSA. It is then decoded with certutil to carve out agent.exe, and inside agent.exe it has embedded MsMpEng.exe and mpsvc.dll. The legitimate Windows Defender executable was used to side-load a malicious DLL.”

    “It is the same exact binary for all victims,” he added.
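    The chain Hammond describes (certutil decoding a .crt into an executable, then the real Defender engine MsMpEng.exe launched from a staging directory so that it side-loads a malicious mpsvc.dll) leaves process-creation and image-load telemetry that defenders can hunt for. The script below is an added example, not code from Huntress, Sophos or Kaseya: it runs three detections over constructed Sysmon-style events. The staging path C:\Users\Public, the Defender platform version string and the event layout are assumptions for illustration, not indicators from the incident; the two Windows Defender install directories it whitelists are the real locations MsMpEng.exe ships in.

```python
import re
from pathlib import PureWindowsPath

# Directories Windows Defender's own engine legitimately runs from. MsMpEng.exe
# or mpsvc.dll anywhere else is the side-loading staging signal described above.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# File types that certutil -decode should never be producing in normal use.
EXEC_EXT = {".exe", ".dll", ".scr", ".com"}

# Constructed sample telemetry, flattened to one Sysmon-like key=value line per
# event (EventId 1 = process creation, EventId 7 = image load). Paths under
# C:\Users\Public and the platform version are assumptions, not real IOCs.
SAMPLE_EVENTS = [
    r"EventId=1|Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -decode C:\Users\Public\agent.crt C:\Users\Public\agent.exe",
    r"EventId=1|Image=C:\Users\Public\agent.exe|CommandLine=C:\Users\Public\agent.exe",
    r"EventId=1|Image=C:\Users\Public\MsMpEng.exe|CommandLine=MsMpEng.exe",
    r"EventId=7|Image=C:\Users\Public\MsMpEng.exe|ImageLoaded=C:\Users\Public\mpsvc.dll",
    # Benign baseline: the real engine and its DLL from the Defender platform directory.
    r'EventId=1|Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe|CommandLine="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe"',
    r"EventId=7|Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe|ImageLoaded=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\mpsvc.dll",
    # Benign certutil use: decoding a base64 blob into a certificate, not an executable.
    r"EventId=1|Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -decode C:\Temp\cert.b64 C:\Temp\cert.cer",
]


def parse_event(line):
    """Split one flattened key=value|key=value line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def in_defender_dir(path):
    """True if the path sits under one of the legitimate Defender directories."""
    lowered = path.lower()
    return any(lowered.startswith(d + "\\") for d in DEFENDER_DIRS)


def certutil_decode_target(cmdline):
    """If this is certutil -decode <in> <out> with an executable output, return <out>."""
    # Keep quoted paths with spaces together, then strip the quotes.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    switches = {t.lower() for t in tokens}
    if not switches & {"-decode", "/decode"} or len(tokens) < 3:
        return None
    out = tokens[-1]  # certutil -decode takes InFile then OutFile
    return out if PureWindowsPath(out).suffix.lower() in EXEC_EXT else None


def analyse(events):
    """Return (rule, detail) findings for the three stages of the described chain."""
    findings = []
    for line in events:
        ev = parse_event(line)
        image = ev.get("Image", "")
        name = PureWindowsPath(image).name.lower()
        if ev.get("EventId") == "1":
            if name == "certutil.exe":
                target = certutil_decode_target(ev.get("CommandLine", ""))
                if target:
                    findings.append(("certutil_decode_to_executable", target))
            if name == "msmpeng.exe" and not in_defender_dir(image):
                findings.append(("defender_engine_outside_install_dir", image))
        elif ev.get("EventId") == "7":
            loaded = ev.get("ImageLoaded", "")
            if PureWindowsPath(loaded).name.lower() == "mpsvc.dll" and not in_defender_dir(loaded):
                findings.append(("mpsvc_dll_sideload", loaded))
    return findings


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Run against the constructed events, the three malicious stages fire once each and the benign Defender and certutil events stay silent. The image-load rule is the most durable of the three: an attacker can rename the staged engine binary or drop the .crt step, but a Defender DLL loading from outside the Defender directories is exactly what the side-load requires.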

    Sophos has posted indicators of compromise on its blog.

    This is a developing story. Check back for updates.