Sticky

Kaseya VSA Zero-Day Supply Chain Ransomware Attack

  • 7 July 2021
  • 2 replies
  • 568 views
Kaseya VSA Zero-Day Supply Chain Ransomware Attack
Userlevel 6
Badge +14
  • Sr. Security Analyst & Community Manager
  • 142 replies

Attackers carried out a supply chain ransomware attack by leveraging a zero-day vulnerability in Kaseya's VSA software on Friday July 2, 2021. A compromised Kaseya update reached VSA on-premises servers from where, using the system’s internal scripting engine, the ransomware was deployed to all connected client systems.

For official ongoing updates and instructions from Kaseya, visit https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689.

Webroot has been closely monitoring this situation since first encountering the associated malicious payloads at 16:46 GMT. After quickly determining these payloads to be malicious, all endpoints began detecting and blocking the supply chain attack in real time for our customers.

 

For Webroot Customers Running Kaseya  

 

Any Webroot customers running Kaseya would have been notified of a block of the following threats: 

“W32.Ransom.Sodinokibi” 

C:\Windows\mpsvc.dll  

MD5: A47CF00AEDF769D60D58BFE00C0B5421 

“W32.Ransom.Sodinokibi” 

C:\kworking\agent.exe 

MD5: 561CFFBABA71A6E8CC1CDCEDA990EAD4 

 

The following IP addresses were seen associated with the attack and are blocked by our BrightCloud®️  Threat Intelligence database: 

35.226.94.113 

161.35.239.148 

162.253.124.162 

18.223.199.234  

193.204.114.232 

131.107.255.255 

Please note that these IPs will likely be secured or reassigned in the near future and will be re-evaluated then

If you use Kaseya in your environment please shut down the VSA server immediately and follow the updates directly from Kaseya as they are providing instructions on when servers will be back online.  

Official Kaseya Update 

https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689 

Other Links 

https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa 

https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack 

https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/ 


2 replies

Userlevel 7
Badge +63

Thanks Tyler!

Thank you so much

Reply