Updated: July 13, 2021
Note: Kaseya has released a patch for this critical vulnerability (described here). If you use the Kaseya VSA product, follow Kaseya's directions before bringing the server back online.
Netsurion's EventTracker SOC recommends that you validate that the mitigation steps below have been followed if Kaseya VSA components are deployed in your organization.
Ransomware Attack Through Kaseya VSA
A.N. Ananth, president and chief strategy officer, breaks down what exactly happened with the Kaseya VSA ransomware attack, how it compares to the SolarWinds supply chain attack, what the ramifications are for you and future attacks, and lessons learned for managed service providers (MSPs) and in-house cybersecurity teams.
Kaseya issued a notification about an attack against VSA, its Remote Monitoring and Management (RMM) tool, affecting on-premises customers:
- The attacker disables administrative access to the VSA
- Ransomware threat actors are actively exploiting Kaseya VSA
- Kaseya is investigating the root cause of the incident
- Kaseya recommends that you IMMEDIATELY shut down your on-premises VSA server until you receive further notice from Kaseya
- To check for known malicious files, on-premises VSA customers can extract and run Kaseya's self-assessment PowerShell scripts on both the VSA server and the endpoints it manages:
  - KaseyaVSADetectionTool.ps1 checks the Kaseya VSA server for potentially malicious files
  - KaseyaEndpointDetectionTool.ps1 checks managed endpoint workstations and servers for potentially malicious files
As the screenshots below indicate, this malicious behavior was blocked for EventTracker Endpoint Security customers, so those customers can shut down their VSA servers when ready. If you do not have EventTracker Endpoint Security coverage, you are not protected and must shut down your VSA servers now.
As an additional point of validation, Netsurion strongly recommends reviewing and removing any anti-virus (AV) exclusions put in place for Kaseya directories, including the agent working directory C:\kworking, which Kaseya's documentation recommends excluding from AV scanning. The IOCs below show the attacker decoding and launching its payload (agent.exe) from exactly that directory, so an exclusion there lets the payload drop and execute without being scanned.
We are continuing to monitor attack patterns related to the Kaseya VSA supply chain attack and will post IOC updates in the EventTracker Threat Center.
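The following PowerShell triage script is an added example, not Netsurion's or Kaseya's code and not the Kaseya detection tools referenced above. It checks a host for the on-disk artifacts named in the IOC command lines further down (C:\kworking\agent.crt, C:\kworking\agent.exe, C:\Windows\cert.exe), reads back the Microsoft Defender settings the attacker's Set-MpPreference command changes, and lists (optionally removes) Defender exclusions covering C:\kworking. It assumes Microsoft Defender is the AV in use; for another AV product the exclusion review is done in that product's console. Run it elevated.

```powershell
# Added example (not Netsurion's or Kaseya's code). Checks a Windows host for the
# artifacts named in the IOC command lines, for the Defender settings the attack
# disables, and for AV exclusions covering C:\kworking. Requires Microsoft
# Defender (Get-/Remove-MpPreference) and an elevated session.

function Get-KaseyaIocArtifacts {
    # Paths taken from the IOC command lines. cert.exe is a dropped copy that is
    # run with "-decode" (certutil.exe syntax) to turn agent.crt into agent.exe.
    $paths = 'C:\kworking\agent.crt', 'C:\kworking\agent.exe', 'C:\Windows\cert.exe'
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p
            [pscustomobject]@{
                Path             = $p
                SizeBytes        = $item.Length
                Created          = $item.CreationTime
                # The PE version resource usually still names the original binary
                # even after a rename, which exposes what cert.exe really is.
                OriginalFilename = $item.VersionInfo.OriginalFilename
                SHA256           = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            }
        }
    }
}

function Get-DefenderTamperState {
    # Every setting below is one the IOC Set-MpPreference command line changes.
    # Get-MpPreference reports the enum settings as numbers (see comments).
    $pref = Get-MpPreference
    [pscustomobject]@{
        RealtimeMonitoringDisabled  = $pref.DisableRealtimeMonitoring
        IntrusionPreventionDisabled = $pref.DisableIntrusionPreventionSystem
        IOAVProtectionDisabled      = $pref.DisableIOAVProtection
        ScriptScanningDisabled      = $pref.DisableScriptScanning
        ControlledFolderAccess      = $pref.EnableControlledFolderAccess  # 0 = Disabled
        NetworkProtection           = $pref.EnableNetworkProtection       # 2 = AuditMode
        MAPSReporting               = $pref.MAPSReporting                 # 0 = Disabled
        SubmitSamplesConsent        = $pref.SubmitSamplesConsent          # 2 = NeverSend
    }
}

function Get-KworkingExclusions {
    param([switch]$Remove)
    # Kaseya's documentation recommends excluding C:\kworking from AV scanning;
    # Netsurion recommends removing that exclusion. Matches path and process
    # exclusions anywhere under a kworking directory.
    $pref  = Get-MpPreference
    $paths = @($pref.ExclusionPath)    | Where-Object { $_ -like '*\kworking*' }
    $procs = @($pref.ExclusionProcess) | Where-Object { $_ -like '*\kworking*' }
    if ($Remove) {
        if ($paths) { Remove-MpPreference -ExclusionPath    $paths }
        if ($procs) { Remove-MpPreference -ExclusionProcess $procs }
    }
    [pscustomobject]@{
        ExclusionPath    = @($paths)
        ExclusionProcess = @($procs)
        Removed          = [bool]$Remove
    }
}

# Run the three checks. Add -Remove to Get-KworkingExclusions once you have
# confirmed that nothing else in your environment depends on the exclusion.
Get-KaseyaIocArtifacts | Format-Table -AutoSize
Get-DefenderTamperState
Get-KworkingExclusions
```

Any hit from Get-KaseyaIocArtifacts, or a Get-DefenderTamperState result showing real-time monitoring disabled together with MAPS reporting and sample submission turned off, is a reason to isolate the host rather than just remove the exclusion; the files themselves should be preserved for forensics before cleanup.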
Indicators of Compromise (IOCs)
The command lines below are fragments of one chained cmd.exe command (note the & separators at the row boundaries): a long local ping used as a delay, Microsoft Defender disabled through Set-MpPreference, a binary copied to C:\Windows\cert.exe with echo %RANDOM% appended to change its hash, agent.crt decoded (certutil syntax) into agent.exe under C:\kworking, cleanup with del, and the decoded payload launched.
| Indicator type | Value |
| --- | --- |
| Process command line | "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul |
| Process command line | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y |
| Process command line | C:\Windows\cert.exe & echo %RANDOM% |
| Process command line | C:\Windows\cert.exe & C:\Windows\cert.exe -decode C:\kworking\agent.crt |
| Process command line | C:\kworking\agent.exe & del /q /f |
| Process command line | C:\Windows\cert.exe & c:\kworking\agent.exe |
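As an added example (not Netsurion's or Kaseya's code), the PowerShell below turns the IOC table into a command-line hunting check: each pattern matches one row of the table, and Get-KaseyaIocHits reports which indicators fire per process-creation event. The sample events are constructed for illustration; the suspicious ones reuse the table rows verbatim, the benign ones show a short ping and a harmless Get-MpPreference that must not match.

```powershell
# Added example (not Netsurion's or Kaseya's code): match process command lines
# against the indicators in the IOC table. Sample events below are constructed.

$IocPatterns = [ordered]@{
    # Long local ping loop used as a sleep before the rest of the chain runs
    PingSleep          = 'ping\s+127\.0\.0\.1\s+-n\s+\d{3,}\s*>\s*nul'
    # Defender switched off in one shot via Set-MpPreference
    DefenderTamper     = 'Set-MpPreference\s.*-DisableRealtimeMonitoring\s+\$true'
    # A binary staged as C:\Windows\cert.exe and padded with echo %RANDOM%
    CertExeStaged      = 'C:\\Windows\\cert\.exe\s*&\s*echo\s+%RANDOM%'
    # cert.exe -decode (certutil.exe syntax) turning agent.crt into a PE
    CertDecodeAgent    = 'cert\.exe\s+-decode\s+C:\\kworking\\agent\.crt'
    # The decoded payload referenced or launched from the excluded directory
    AgentExeReferenced = 'C:\\kworking\\agent\.exe(\s|$)'
}

function Test-KaseyaIocCommandLine {
    # Returns the names of the IOC patterns that match one command line
    # (an empty array when none match). -match is case-insensitive by default.
    param([Parameter(Mandatory)][string]$CommandLine)
    $matched = @(foreach ($name in $IocPatterns.Keys) {
        if ($CommandLine -match $IocPatterns[$name]) { $name }
    })
    return $matched
}

function Get-KaseyaIocHits {
    # Emits one record per event that triggers at least one indicator.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $hits = @(Test-KaseyaIocCommandLine -CommandLine $e.CommandLine)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Computer    = $e.Computer
                Indicators  = ($hits -join ', ')
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample events (Computer + CommandLine, as from Sysmon Event ID 1).
# WS01 rows are benign controls; WS02 rows are the IOC table rows verbatim.
$SampleEvents = @(
    [pscustomobject]@{ Computer = 'WS01'; CommandLine = '"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul' }
    [pscustomobject]@{ Computer = 'WS01'; CommandLine = 'powershell.exe Get-MpPreference' }
    [pscustomobject]@{ Computer = 'WS02'; CommandLine = '"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul' }
    [pscustomobject]@{ Computer = 'WS02'; CommandLine = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y' }
    [pscustomobject]@{ Computer = 'WS02'; CommandLine = 'C:\Windows\cert.exe & echo %RANDOM%' }
    [pscustomobject]@{ Computer = 'WS02'; CommandLine = 'C:\Windows\cert.exe & C:\Windows\cert.exe -decode C:\kworking\agent.crt' }
    [pscustomobject]@{ Computer = 'WS02'; CommandLine = 'C:\kworking\agent.exe & del /q /f' }
    [pscustomobject]@{ Computer = 'WS02'; CommandLine = 'C:\Windows\cert.exe & c:\kworking\agent.exe' }
)

# Only the WS02 rows should be reported; each WS01 row yields no indicator.
Get-KaseyaIocHits -Events $SampleEvents | Format-Table -AutoSize -Wrap
```

To run this against live data, build the event list from Sysmon Event ID 1 records (Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}, taking the CommandLine field from each event's XML) or from Security event 4688 where command-line auditing is enabled. AgentExeReferenced alone can be noisy on hosts that legitimately run the Kaseya agent from C:\kworking; DefenderTamper, CertExeStaged or CertDecodeAgent firing on the same host in the same few seconds is the high-confidence combination.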
- What is VSA?
Virtual System Administrator (VSA) is Kaseya's Remote Monitoring and Management (RMM) tool, used by MSPs and IT teams to automate software patch management and vulnerability management across the endpoints it manages.
- How do I know if I have it?
Refer to your organization's asset inventory and validate whether the on-premises Kaseya VSA server or its agents are deployed for Remote Monitoring and Management.
- How do I identify malicious files?
If you run the on-premises Kaseya VSA component, extract and run Kaseya's self-assessment PowerShell scripts on both the VSA server and its managed endpoints.
- How do I run the self-assessment tool?
Watch Kaseya's installation walkthrough and follow the accompanying Instructions.pdf.
- How to shut down Kaseya?
Follow the steps listed on https://helpdesk.kaseya.com.
- Kaseya Install Guide