Kaseya VSA Breach: Consequences of Security Failures

The world has witnessed another large-scale cyber-attack. On July 2, 2021, Kaseya, an IT systems management software firm, disclosed a security incident impacting the on-premises version of its Virtual System Administrator (VSA) software. The result was up to 1,500 companies being held hostage to a significant ransom demand.

Incidents such as these are becoming more commonplace. We are seeing a trend where attackers concentrate on finding and exploiting zero-day vulnerabilities in system administrator tools. For remote monitoring and management (RMM) software, most security vendors recommend allowlisting (formerly known as whitelisting) specific folders or executables to eliminate disruption of service due to false-positive detections; those folders and executables thereby become trusted. The situation is much more severe with RMM tools like Kaseya VSA and SolarWinds, because an attacker who controls the management platform reaches directly into customer networks and operates with that implicit trust, issuing commands or deploying malware. Unfortunately, allowlisting often provides the initial bypass of endpoint protection solutions that depend on detecting suspicious activity before a blocking action can occur: code dropped into a trusted folder, or launched by a trusted executable, inherits that trust and is not scrutinized.

Comodo Threat Research Labs (CTRL) has analyzed the VSA attack and provides the analysis below to show how Comodo Active Breach Protection can protect endpoints from sophisticated attacks, even when every attack vector has been trusted.

Our analysis first noted the exploitation of a zero-day vulnerability. Credit goes to Wietse Boonstra, a researcher with the Dutch Institute for Vulnerability Disclosure (DIVD), who identified and reported this vulnerability to Kaseya under responsible disclosure guidelines. We do not have sufficient detail about the exploit. Still, we know attackers used an authentication bypass in the web interface of Kaseya VSA to obtain an authenticated session, then uploaded the ransomware payload and executed commands through Kaseya agents by way of a SQL injection vulnerability in Kaseya VSA. The attack was purportedly limited to on-premises instances of Kaseya VSA; however, the SaaS service was also taken offline. After the incident, Kaseya recommended shutting down all VSA servers. As of this post, the SaaS service is still offline, and Kaseya is working on patches for both the SaaS and on-premises servers.

Kaseya released a Compromise Detection Tool to determine whether any indicators of compromise (IoCs) are present. CISA and the FBI released guidance for affected MSPs and their customers.

BLOCK KASEYA AGENT SOFTWARE
![block kaseya agent](https://www.speartip.com/wp-content/uploads/2021/07/Copy-of-Site-PhotoPP-36-1080x565.png)
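The allowlisting trade-off discussed above (a vendor-recommended folder exclusion that lets anything the agent drops or launches inherit the agent's trust) can be made concrete. The following is an added example and is not code from the original post, from Kaseya, or from Comodo: the RMM folder, binary names, hashes and process-creation events are all constructed, and the detection rule is a generic one rather than a description of how any product works. It contrasts the path-based rule with a hash-based inventory and runs a behavioural check over the same events.

```python
"""Path-based versus hash-based allowlisting for an RMM agent folder, checked
against constructed process-creation events. Added example; not code from the
original post or from Kaseya/Comodo. Folder, binary names and hashes below
are hypothetical."""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Hypothetical vendor exclusion: "trust everything under the agent folder".
RMM_DIR = r"C:\Program Files\RMMVendor\Agent"

# Hardened alternative: an inventory of the agent's binaries by SHA-256.
# Hashes are computed over placeholder bytes because no real binaries ship here.
KNOWN_GOOD = {
    "agent.exe": hashlib.sha256(b"placeholder agent binary").hexdigest(),
    "updater.exe": hashlib.sha256(b"placeholder updater binary").hexdigest(),
}


@dataclass(frozen=True)
class ProcessEvent:
    image: str         # full path of the executable that started
    parent_image: str  # full path of the process that started it
    sha256: str        # hash of the executable on disk at launch time


def _under(path: str, root: str) -> bool:
    """Case-insensitive 'is path inside root' for Windows paths."""
    return path.lower().startswith(root.lower().rstrip("\\") + "\\")


def path_allowlist_allows(ev: ProcessEvent) -> bool:
    """Vendor-style rule: anything launched from RMM_DIR is trusted."""
    return _under(ev.image, RMM_DIR)


def hash_allowlist_allows(ev: ProcessEvent) -> bool:
    """Hardened rule: the file must be an inventoried binary whose on-disk hash
    matches, regardless of the folder it runs from."""
    name = PureWindowsPath(ev.image).name.lower()
    return KNOWN_GOOD.get(name) == ev.sha256


def evaluate_policies(events):
    """Return (image name, path-rule verdict, hash-rule verdict) per event."""
    return [
        (PureWindowsPath(ev.image).name, path_allowlist_allows(ev), hash_allowlist_allows(ev))
        for ev in events
    ]


def detect(events):
    """Behavioural check that keeps working when the vector is trusted: flag any
    process that the RMM agent spawned, or that lives in the agent folder, whose
    hash is not in the known-good inventory. Returns the flagged image names."""
    flagged = []
    for ev in events:
        spawned_by_agent = PureWindowsPath(ev.parent_image).name.lower() == "agent.exe"
        if (spawned_by_agent or _under(ev.image, RMM_DIR)) and not hash_allowlist_allows(ev):
            flagged.append(PureWindowsPath(ev.image).name)
    return flagged


# Constructed events: the legitimate agent start, a payload the agent dropped
# into its own allowlisted folder, and a stager the agent launched elsewhere.
EVENTS = [
    ProcessEvent(
        image=RMM_DIR + r"\agent.exe",
        parent_image=r"C:\Windows\System32\services.exe",
        sha256=KNOWN_GOOD["agent.exe"],
    ),
    ProcessEvent(
        image=RMM_DIR + r"\payload.exe",
        parent_image=RMM_DIR + r"\agent.exe",
        sha256=hashlib.sha256(b"placeholder ransomware dropper").hexdigest(),
    ),
    ProcessEvent(
        image=r"C:\Windows\Temp\stage.exe",
        parent_image=RMM_DIR + r"\agent.exe",
        sha256=hashlib.sha256(b"placeholder stager").hexdigest(),
    ),
]

if __name__ == "__main__":
    for name, by_path, by_hash in evaluate_policies(EVENTS):
        print(f"{name:12} path-allowlist={by_path!s:5} hash-allowlist={by_hash}")
    print("flagged:", detect(EVENTS))
```

Running it shows the path rule waving through `payload.exe` simply because it sits in the excluded folder, while the hash rule rejects it. The point of `detect` is that it keys on the relationship (what the trusted agent spawned) rather than on the path, so a payload written into the trusted folder is still caught. A real deployment would key on code-signing identity or a vendor-supplied hash manifest instead of the placeholder hashes used here.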