Kaseya REvil configuration dump () Digital signatures for signing Its critical that you do this immediately, because one of the first things the attacker does is shutoff administrative access to the VSA. We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us. It deliberately targets backup systems, to hinder restoration.
The deployment also attempted to tamper with products for other vendors, such as Sophos. Powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend Tampering with other security products
#Kaseya agent update#
This management agent update is actually REvil ransomware. This fake update is then deployed across the estate - including on MSP client customers’ systems - as it a fake management agent update. The attacker immediately stops administrator access to the VSA, and then adds a task called “Kaseya VSA Agent Hot-fix”.
#Kaseya agent software#
Kaseya are preparing an software update to fix the vulnerability, which will be available in the coming days - until then, they advise all customers to leave their VSA switched off.ĭelivery of ransomware is via an automated, fake, software update using Kaseya VSA. It is not a great sign that a ransomware gang has a zero day in product used widely by Managed Service Providers, and shows the continued escalation of ransomware gangs - which I’ve written about before.
#Kaseya agent how to#
Technical details of how to exploit the vulnerability are not being provided until the patch is available. So even if the latest version is used, at time of attack, attackers could remotely execute commands on the VSA appliance.
This was CVE-2021–30116 (details have not been entered into CVE database, however it has been allocated for this). Initial entry was using a zero day vulnerability in Kaseya VSA.