Disable Kaseya VSA: possible ransomware attack via supply chain underway
Kaseya, a supplier of IT management software, has announced that it is currently investigating a potential ransomware incident. Cybersecurity firm Huntress Labs posits that Kaseya has been the victim of a supply-chain attack, as a result of which customers using the VSA product are potentially being targeted with the REvil ransomware. VSA is a remote management tool that is widely used by IT management providers and managed service providers. Customers have a so-called 'VSA agent' installed on their systems.
Huntress Labs has identified eight Managed Service Providers (MSPs) dealing with ransomware incidents. [3] These parties all use the VSA product, though it has not yet been confirmed that VSA is the source of this attack. Nonetheless, Kaseya strongly recommends disabling all VSA server instances as a precaution. [4] Kaseya has itself followed this recommendation for all instances of VSA on its SaaS platform [5].
Perspective for action
NCSC-NL advises administrators of Kaseya VSA servers to follow the advice given by Kaseya [4] and disable all instances of the Kaseya VSA server, at least until more information becomes available.
NCSC-NL advises customers using VSA agents to contact their IT management organization for further instructions.
Sources
- [1] https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
- [2] https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/
- [3] https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/
- [4] https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
- [5] https://status.kaseya.net/pages/maintenance/5a317d8a2e604604d65c1c76/60df588ba49d1e05371e9d8b