Kaseya VSA
Kaseya VSA distributed REvil ransomware
Attackers (a REvil RaaS affiliate) exploited a chain of zero-day vulnerabilities (authentication bypass, arbitrary file upload, and code injection) in Kaseya VSA to distribute REvil ransomware through the VSA agent update mechanism. The attack delivered a malicious agent.crt file that was decoded into agent.exe. This executable dropped a legitimate Windows Defender binary and used it to sideload the malicious mpsvc.dll, the REvil encryptor, affecting approximately 30 MSPs and over 1,500 downstream businesses.
- Date
- 2021-07-02 to 2021-07-11
- Category
- Commercial
- Target Surface
- Build/CI
- Insertion Phase
- CI/CD
- Impact
- Ransomware
- Cause
- Exploit
What Was Affected
Package
Kaseya VSA
Language
C#
Component
Application
Artifact type
binary archive
Domain type
project download host
Domain
kaseya.com
Compromised Versions
- 9.5.7.2994
Incident Context
- Motive
- Financial gain
- Attribution
- Cybercriminal Gang
- Transitive
- No
- User Impact
- 1500
- Observed Duration
- 9 days
Evidence
Compromised Artifacts
- update.kaseya.net/vsa/agent/hotfix
- vsaupdate.kaseya.net/vsa/agent.crt
- vsaupdate.kaseya.net/vsa/agent.exe
Current Artifacts and Analysis
- community.sophos.com/sophos-labs/b/blog/posts/inside-a-revil-ransomware-attack
- thehackernews.com/2021/07/how-kaseya-vsas-1-day-exploit-was.html
- virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
- github.com/curated-intel/Kaseya-Breach-Repository
- mandiant.com/resources/blog/kaseya-supply-chain-attack-what-we-know
- huntress.com/blog/kaseya-vsa-supply-chain-attack-what-we-know-so-far
- huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
Indicators and Changes
Hashes
- sha256:d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
- sha256:e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
- sha256:8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
- sha256:0496ca57e387b10dbc85000f66a0bc8d47b710f9be26d11cd69051219fb4c070
External References
Source Data
Source record: proprietary/kaseya/meta.yaml