Kaseya supply chain attack delivers mass ransomware event to US companies
Kaseya VSA is a solution commonly used by MSPs (Managed Service Providers) in the United States and United Kingdom to manage their clients' systems. Kaseya's website claims they have over 40,000 customers.
Four hours ago, what appeared to be an automatic update of the product delivered REvil ransomware.
By design, VSA has administrator rights down to the client systems it manages, which means that Managed Service Providers who are infected then infect their clients' systems.
Infected systems look like this (screenshot in the original post):

How this first unfolded
Initial entry was via a zero-day vulnerability in Kaseya VSA. This has been allocated CVE-2021-30116 (the identifier is reserved, but details have not yet been entered into the CVE database). More CVEs may be issued.
So even on the latest version available at the time of the attack, attackers could remotely execute commands on the VSA appliance. Technical details of how to exploit the vulnerability are not being provided until a patch is available.
It is not a great sign that a ransomware gang has a zero day in a product used widely by Managed Service Providers, and it shows the continued escalation of ransomware gangs, which I've written about before.
Kaseya are preparing a software update to fix the vulnerability, which will be available in the coming days; until then, they advise all customers to leave their VSA servers switched off.
Delivery of the ransomware is via an automated, fake software update pushed through Kaseya VSA. The attacker first cuts off administrator access to the VSA, then adds a task called "Kaseya VSA Agent Hot-fix". This fake update is then deployed across the whole estate the VSA manages, including MSP clients' systems, as though it were a routine management agent update. The "agent update" is actually REvil ransomware. To be clear, this means organisations that are not themselves Kaseya customers were still encrypted.
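The one concrete indicator the write-up gives is the name of the rogue task, so a first hunting step is to search whatever procedure or task history you can export from VSA (or have forwarded to a SIEM) for that name and map where and when it ran. The script below is an added example, not code from the original post or from Kaseya: the CSV column layout (timestamp, procedure, machine_id, org_id) and the sample rows are constructed assumptions for illustration, so rename the fields to match your real export. It normalises case, spacing and hyphens so trivial variants of the name still match, and reports the earliest sighting per machine, grouped by client organisation, which shows the MSP-to-client fan-out the text describes.

```python
"""Hunt an exported Kaseya VSA procedure/task history for the fake
"Kaseya VSA Agent Hot-fix" task.

Constructed example: the CSV layout below is an assumption, not Kaseya's
real export format, and the sample rows are invented. Adapt the field
names to whatever your VSA or SIEM actually emits.
"""
import csv
import io
import re
from collections import defaultdict
from typing import Dict, Optional

# The one identifier the report gives us: the name of the malicious task.
MALICIOUS_PROCEDURE = "Kaseya VSA Agent Hot-fix"

# Constructed sample export (assumed columns: timestamp, procedure, machine_id, org_id).
SAMPLE_EXPORT = """\
timestamp,procedure,machine_id,org_id
2021-07-02T14:02:11Z,Patch Scan,ws01.corp.local,acme
2021-07-02T14:03:47Z,Kaseya VSA Agent Hot-fix,ws01.corp.local,acme
2021-07-02T14:03:48Z,kaseya vsa agent hot-fix,fs01.corp.local,acme
2021-07-02T14:03:49Z,Kaseya VSA Agent Hotfix,dc01.client-b.local,clientb
2021-07-02T14:10:00Z,Reboot Server,fs01.corp.local,acme
"""


def normalise(name: str) -> str:
    """Collapse case, whitespace, hyphens and underscores so trivial variants match."""
    return re.sub(r"[\s\-_]+", "", name).casefold()


def find_fake_hotfix(export_text: str, needle: str = MALICIOUS_PROCEDURE) -> Dict[str, Dict[str, str]]:
    """Return {org_id: {machine_id: first_seen_timestamp}} for every run of the fake task.

    Timestamps are compared as strings, which is safe because the assumed
    export uses a fixed-width ISO 8601 UTC format.
    """
    target = normalise(needle)
    hits: Dict[str, Dict[str, str]] = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(export_text)):
        if normalise(row["procedure"]) != target:
            continue
        org, machine, ts = row["org_id"], row["machine_id"], row["timestamp"]
        # Keep the earliest sighting per machine so the timeline starts at initial deployment.
        if machine not in hits[org] or ts < hits[org][machine]:
            hits[org][machine] = ts
    return dict(hits)


def first_seen(hits: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Earliest timestamp across all hits: when the rogue task started rolling out."""
    stamps = [ts for machines in hits.values() for ts in machines.values()]
    return min(stamps) if stamps else None


def report(export_text: str) -> None:
    """Print a per-organisation timeline of where the fake task ran."""
    hits = find_fake_hotfix(export_text)
    if not hits:
        print("no trace of the fake hot-fix task")
        return
    print(f"fake hot-fix first deployed at {first_seen(hits)}")
    for org, machines in sorted(hits.items()):
        print(f"  org {org}: {len(machines)} machine(s)")
        for machine, ts in sorted(machines.items(), key=lambda kv: kv[1]):
            print(f"    {ts}  {machine}")


if __name__ == "__main__":
    report(SAMPLE_EXPORT)
```

A task name is a weak indicator on its own, since the attacker can rename it; the stronger signal in this incident is the pattern the text describes, a single procedure hitting many endpoints across several client organisations within seconds, so treat any procedure that fans out that fast as suspect even if its name looks benign.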
These files are dropped on client systems: