Author: Shashank Jain
TLP: WHITE
1. Executive Summary
On 2 July, the REvil ransomware group launched a supply chain attack that compromised Kaseya’s VSA, a remote monitoring and management software platform, to hit a large number of managed service providers (MSPs). REvil used a fake update that exploited a zero-day vulnerability to deliver the ransomware and encrypt many machines.
On 8 July, Infoblox released a Cyber Threat Advisory report that discussed the background of REvil, also known as Sodinokibi, and the Kaseya ransomware attack.¹
On 11 July, Kaseya released a patch for its on-premises version of VSA, deployed the patch to its VSA SaaS offering, and started assisting its customers with deploying the patch.
On 12 July, Kaseya confirmed that it had restored its VSA SaaS offerings.²
2. Important updates
As of 03:30 PM U.S. EDT on 12 July, Kaseya had published the following guidance for both its VSA on-premises and VSA SaaS offerings:
VSA On-Premises:
- On-premises VSA Startup Readiness Guide: https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993incident-response
- VSA On-Premises Hardening and Practice Guide: https://helpdesk.kaseya.com/hc/en-gb/articles/4403760102417
VSA SaaS:
- VSA SaaS Startup Guide: https://helpdesk.kaseya.com/hc/en-gb/articles/4403709476369
- VSA SaaS Best Practices: https://helpdesk.kaseya.com/hc/en-gb/articles/4403622421009-VSA-SaaS-Best-Practices
¹ https://blogs.infoblox.com/cyber-threat-intelligence/kaseya-revil-ransomware-attack/
² https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689