Kaseya, an IT systems management solution provider, has disclosed that it suffered a sophisticated cyberattack affecting multiple managed service providers (MSPs) and their clients. The attack was attributed to the REvil gang, an infamous cybercriminal group known to operate on a Ransomware-as-a-Service model; the group compromised both the providers and their clients' systems with its ransomware.
A. Nature of Attack
Description of the attack:
The group targeted Kaseya's VSA product, which allows providers to perform patch management and client monitoring for their customers. Once they gained access to customers' on-premises VSA servers, they pushed a malicious update through VSA's own update mechanism to deploy ransomware on the enterprise networks those servers manage. Because the VSA agent runs with administrative privileges on every managed endpoint, this gave the group administrator-level control at the affected managed service providers and, through them, on their clients' systems.
B. Actions to be Taken
CERT-PH recommends the following actions be taken:
- All on-premises VSA servers should remain offline until Kaseya issues further instructions.
- Use the Compromise Detection Tool published by the company to analyze a system (either a VSA server or a managed endpoint) and determine whether any indicators of compromise (IoCs) are present. (https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40)
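As an added illustration of what an IoC sweep of this kind does on a managed endpoint, the following Python script searches process-creation log lines for the malicious update's command chain and checks for the files it dropped. It is example code written for this page; it is neither Kaseya's Compromise Detection Tool nor part of the CERT-PH advisory. The command-line patterns and file paths are assumptions drawn from public incident reports on the July 2021 campaign (the `C:\kworking\agent.crt` / `agent.exe` drop, the `certutil` copy-and-decode step, the `Set-MpPreference` call that disables Defender, and the `MsMpEng.exe` / `mpsvc.dll` side-loading pair), not from the advisory itself, and the log lines are constructed.

```python
"""Added example: a minimal IoC sweep for a managed endpoint.

Not Kaseya's Compromise Detection Tool and not part of the CERT-PH advisory.
The indicator strings below are assumptions taken from public incident reports
about the July 2021 VSA campaign; confirm them against current vendor guidance
before relying on them.
"""
import re
import sys
from pathlib import Path

# Command-line indicators of the malicious "hot-fix" procedure
# (assumption: drawn from public reporting, not from the advisory).
COMMAND_INDICATORS = {
    "defender_disabled_via_set_mppreference": re.compile(
        r"Set-MpPreference\s+.*-DisableRealtimeMonitoring\s+\$true", re.IGNORECASE),
    "certutil_copied_and_renamed": re.compile(
        r"copy\s+/Y\s+\S*certutil\.exe\s+\S*cert\.exe", re.IGNORECASE),
    "agent_crt_decoded_to_agent_exe": re.compile(
        r"-decode\s+\S*kworking\\agent\.crt\s+\S*kworking\\agent\.exe", re.IGNORECASE),
    "agent_exe_launched_from_kworking": re.compile(
        r"kworking\\agent\.exe(\s|$)", re.IGNORECASE),
}

# Dropped-file indicators, relative to the system drive
# (assumption: drawn from public reporting, not from the advisory).
FILE_INDICATORS = [
    Path("kworking") / "agent.crt",   # base64-encoded dropper written by the procedure
    Path("kworking") / "agent.exe",   # decoded dropper
    Path("Windows") / "cert.exe",     # renamed copy of certutil.exe
    Path("Windows") / "MsMpEng.exe",  # legitimately signed Defender binary abused for side-loading
    Path("Windows") / "mpsvc.dll",    # side-loaded ransomware payload
]


def scan_process_log(lines):
    """Return (line_number, indicator_name) for every indicator matched in each line."""
    hits = []
    for number, line in enumerate(lines, 1):
        for name, pattern in COMMAND_INDICATORS.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits


def scan_filesystem(system_drive):
    """Return the relative paths of indicator files that exist under system_drive."""
    root = Path(system_drive)
    return [str(relative) for relative in FILE_INDICATORS if (root / relative).exists()]


# Constructed sample log lines (not real telemetry): a benign agent task and one
# line modelled on the publicly reported malicious command chain.
SAMPLE_LOG = [
    "2021-07-02T16:40:01 ProcessCreate parent=AgentMon.exe "
    "cmd=\"C:\\Windows\\system32\\cmd.exe\" /c ping 127.0.0.1 -n 2 > nul",
    "2021-07-02T16:41:12 ProcessCreate parent=AgentMon.exe "
    "cmd=\"C:\\WINDOWS\\system32\\cmd.exe\" /c ping 127.0.0.1 -n 4979 > nul & "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference "
    "-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true "
    "-DisableIOAVProtection $true -DisableScriptScanning $true "
    "-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force "
    "-MAPSReporting Disabled -SubmitSamplesConsent NeverSend & "
    "copy /Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe & "
    "echo %RANDOM% >> C:\\Windows\\cert.exe & "
    "C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe & "
    "del /q /f c:\\kworking\\agent.crt C:\\Windows\\cert.exe & c:\\kworking\\agent.exe",
]


if __name__ == "__main__":
    # Usage: python ioc_sweep.py [process_log.txt] [system_drive]
    lines = Path(sys.argv[1]).read_text(errors="replace").splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    drive = sys.argv[2] if len(sys.argv) > 2 else "C:/"
    for number, name in scan_process_log(lines):
        print(f"line {number}: {name}")
    for path in scan_filesystem(drive):
        print(f"file present: {path}")
```

Run against the built-in sample, the benign first line produces no hits and the second line matches all four command-line indicators; the filesystem check only reports files that are actually present, so on a clean host it prints nothing. Note that the malicious procedure deletes `agent.crt` and `cert.exe` after use, which is why the process log is a more reliable source than the filesystem alone.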
In conclusion, organizations and businesses, both private and public, that use Kaseya's solutions should coordinate closely with Kaseya on the situation for a coordinated response and mitigation. They should also comply with and adhere to the steps and procedures stated in the official security advisory published by the company until the situation has been resolved. Kindly see the published Security Advisory for more information: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021