Kaseya, a cloud-based MSP software provider, says the REvil attack breached the systems of about 60 of its direct customers, which used its VSA on-premises product. This resulted in over 1,500 downstream victims whose systems were encrypted during the attack, according to the company’s estimate.
“The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution,” Kaseya said. “This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints.”
However, Kaseya added there is no evidence that Kaseya’s VSA codebase has been modified by the REvil gang, hackers who conducted the attacks.
Kaseya offered its impacted customers network and endpoint indicators of compromise (IOCs), as well as Compromise Detection Tool that can detect system breaches.
According to Kaseya, it’s currently working on a fix that will allow affected users to avoid experiencing the zero-day privilege issue that was exploited by REvil attackers. The company said all on-premises versions of the VSA server should remain offline until the issue has been resolved:
“A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture.”
REvil has exploited a zero-day vulnerability in the Kaseya VSA software to install ransomware on the systems of their clients. At the time, Kaseya was working on patching a zero-day vulnerability that was reported by researchers from the Dutch Institute for Security and Vulnerability Disclosure. But the REvil affiliate was first to exploit the zero-day vulnerability and launch a ransomware attack against Kaseya customers.
The gang claims to have encrypted over 1,000,000 systems. It is now asking for $50 million to issue a universal decryptor.
This is not the first time that ransomware groups have attacked the cloud-based platform of Kaseya.
REvil, GandCrab, and Ragnar Locker attacked Kaseya’s Remote Management tools in the past.