Attackers carried out a supply chain ransomware attack by leveraging a zero-day vulnerability in Kaseya's VSA software on Friday July 2, 2021. A compromised Kaseya update reached VSA on-premises servers from where, using the system’s internal scripting engine, the ransomware was deployed to all connected client systems.
For official ongoing updates and instructions from Kaseya, visit https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689.
Webroot has been closely monitoring this situation since first encountering the associated malicious payloads at 16:46 GMT. After quickly determining these payloads to be malicious, all endpoints began detecting and blocking the supply chain attack in real time for our customers.
For Webroot Customers Running Kaseya
Any Webroot customers running Kaseya would have been notified of a block of the following threats:
“W32.Ransom.Sodinokibi”
C:\Windows\mpsvc.dll
MD5: A47CF00AEDF769D60D58BFE00C0B5421
“W32.Ransom.Sodinokibi”
C:\kworking\agent.exe
MD5: 561CFFBABA71A6E8CC1CDCEDA990EAD4
The following IP addresses were seen associated with the attack and are blocked by our BrightCloud
Threat Intelligence database:
35.226.94.113
161.35.239.148
162.253.124.162
18.223.199.234
193.204.114.232
131.107.255.255
Please note that these IPs will likely be secured or reassigned in the near future and will be re-evaluated then
If you use Kaseya in your environment please shut down the VSA server immediately and follow the updates directly from Kaseya as they are providing instructions on when servers will be back online.
Official Kaseya Update
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
Other Links
https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack
