Remove kaseya agent from my personal computer

EDIT 14.45 CET: Further clarified the identified steps of the exploit
EDIT 17.14 CET: Added link to script to identify infected systems
EDIT 19.40 CET: Added methods to identify compromised systems
EDIT 23.10 CET: Added additional details and attack overview
EDIT 17:40 CET: Added redacted screenshots of exploit traffic

We have been investigating this issue and our CSIRT team has been working around the clock to help affected organizations. We are thankful for all information that other security researchers and response teams have been sharing, such as Huntress and Kevin Beaumont. So far, we don’t see any substantial discrepancy between the results of our investigation and the publicly available IOCs that have been shared.

Overview of the attack

Kaseya customers using the on-prem VSA server were affected by this attack. The VSA server is used to manage large fleets of computers, and is normally used by MSPs to manage all their clients. Additionally, if the VSA server is exposed to the Internet, any potential vulnerability could be leveraged over the Internet to breach the server. Without separation between client environments, this creates a dependency: if the VSA server is compromised, all client environments managed from this server can be compromised too.

The threat actor, an affiliate of the REvil ransomware-as-a-service, identified and exploited a zero-day vulnerability in the VSA server. The vulnerability was exploited to introduce a malicious script to be sent to all computers managed by the server, therefore reaching all the end clients. The script delivered the REvil ransomware and encrypted the systems.

VSA Server Zero-Day

We have identified the exploit code used by the threat actor to compromise the Internet-facing VSA servers.