Initial reports suggested that the REvil hackers might have gained access to Kaseya's backend infrastructure and abused it to push a malicious update to VSA servers running on client premises, but it later emerged that the attackers had instead exploited a previously unknown vulnerability in the VSA software itself (CVE-2021-30116) to deploy ransomware on the networks of Kaseya's customers.
“The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya’s VSA codebase has been maliciously modified,” the company said.
Kaseya estimates that nearly 1,500 businesses have been affected by the recent ransomware attack.
“To date, we are aware of fewer than 60 Kaseya customers, all of which were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found any evidence that any of our SaaS customers were compromised,” the company said.
The software vendor has released a Compromise Detection Tool that helps owners of on-premises VSA servers determine whether their server was compromised during the ransomware attacks, and has also shared indicators of compromise (IoCs) related to the campaign.
CISA and the Federal Bureau of Investigation (FBI) published guidance for managed service providers (MSPs) and their customers impacted by the REvil supply chain ransomware attack.