Attackers carried out a supply chain ransomware attack by leveraging a zero-day vulnerability in Kaseya's VSA software on Friday, July 2, 2021. A compromised Kaseya update reached on-premises VSA servers, and from there the ransomware was deployed to all connected client systems using the system’s internal scripting engine.
For official ongoing updates and instructions from Kaseya, visit https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689.
Webroot has been closely monitoring this situation since first encountering the associated malicious payloads at 16:46 GMT. After we quickly determined these payloads to be malicious, all endpoints began detecting and blocking the supply chain attack in real time for our customers.
For Webroot Customers Running Kaseya
Any Webroot customers running Kaseya would have been notified of a block of the following threats:
The following IP addresses were seen associated with the attack and are blocked by our BrightCloud Threat Intelligence database:
Please note that these IPs will likely be secured or reassigned in the near future and will be re-evaluated then.
If you use Kaseya in your environment, please shut down the VSA server immediately and follow the updates directly from Kaseya, as they are providing instructions on when servers will be back online.