The Kaseya VMA ransomware incident

The Kaseya VMA ransomware incident

Kaseya announced on 7/2/21 that customers utilizing the Kaseya VSA solution on premise were targeted by this attack. It impacts consumers utilizing the VSA solution on premise. None of the SaaS consumers using the VSA solution are impacted. Kaseya VSA is a unified remote monitoring and management solution primarily used by MSSP and companies with larger infrastructures.

The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints.

• Indicators of compromise have been published from Kaseya and can be seen here.
• A tool to identify indicators of compromise is located here.

1. Turn off your Kaseya instance. Stay tuned to the Kaseya incident page for updates on what steps to take next. All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture.

1. Kaseya is currently working on a software patch that must be installed prior to the restoration of the impacted Kaseya solution.

If you would like to speak with HALOCK concerning this zero-day vulnerability, need assistance with analysis, or learn more about how to prepare for cyber threats through an Incident Response Readiness program, please reach out to your HALOCK account manager or chat with us online at HALOCK to schedule a call with one of our security experts. 

Consult with HALOCK concerning this zero-day vulnerability. 

Contact Us