MSPs on alert after Kaseya VSA supply chain ransomware attack


Monday, 05 July, 2021

Following the Colonial Pipeline and JBS Meatworks ransomware attacks, a new attack is exploiting a vulnerability in Kaseya VSA software to deploy ransomware globally.

Security software solutions provider Huntress Labs said it is tracking ~30 MSPs across Australia, the US, Europe and Latin America “where Kaseya VSA was used to encrypt well over 1,000 businesses and are working in collaboration with many of them”. All of these VSA servers are on-premises, and Huntress “has confirmed that cybercriminals have exploited a SQLi vulnerability and have high confidence an authentication bypass was used to gain access into these servers”.

The Australian Cyber Security Centre on Saturday said, “At this time, the ACSC has not received any reporting of this incident impacting Australian organisations. The ACSC will update this alert as the situation changes, if required.”

In its last update, Kaseya said it believes that this has been localised to a very small number of on-premises customers only, and that the company’s efforts have shifted from “root cause analysis and mitigating the vulnerability to beginning the execution of our service recovery plan”.

The company advised that all on-premises VSA servers remain offline until further instructions are issued about when it is safe to restore operations. Kaseya earlier released a new Compromise Detection Tool that analyses a system (either a VSA server or a managed endpoint) and determines whether any indicators of compromise (IoCs) are present. The tool can be downloaded via the following link: VSA Detection Tools.zip (hosted on Box).

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have been working with Kaseya and coordinating to conduct outreach to impacted victims, said the US Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger.

CISA and the FBI recommended that affected MSP customers take the following actions: ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organisational network; revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available; and implement multi-factor authentication and the principle of least privilege on admin accounts for key network resources.

Image credit: ©stock.adobe.com/au/tippapatt
