Kaseya, which specializes in remote management software for managed services providers (MSPs), revealed Monday that approximately 60 of its MSP customers and as many as 1,500 of those MSPs' downstream clients were affected by a wide-ranging ransomware attack from the notorious REvil gang. As the MSP software specialist continues to address and investigate the ransomware attacks, security researchers are unearthing new details about the breach that enabled them.

According to the team at the Dutch Institute for Vulnerability Disclosure (DIVD), which discovered the zero-day, the specific vulnerability targeted in the attack was CVE-2021-30116. The authentication bypass flaw allowed an attacker to remotely send arbitrary commands through Kaseya's VSA product; in this case, REvil threat actors issued commands that pushed a dropper for the REvil ransomware to VSA-managed systems.

UPDATE 7/8: An earlier version of this story identified CVE-2021-30116 as an SQL injection vulnerability. Researchers at the Dutch Institute for Vulnerability Disclosure identified the flaw as an authentication bypass vulnerability in two disclosure posts Wednesday.

This backs up Kaseya's earlier assertion that none of its product source code was accessed or modified, as occurred in the SolarWinds attack. Instead, REvil actors crafted malicious updates that appeared to be legitimate software from Kaseya.

"The Kaseya attack consisted of 2 incidents - first an attack against dozens of managed service providers using Kaseya VSA '0-day' and then the use of the VSA software to deploy the REvil ransomware throughout businesses who were customers of that managed service provider," Cisco Talos director of outreach Craig Williams said in a statement to SearchSecurity. "This is another concerning development on the ransomware landscape; the fact that it occurred before the July 4th holiday cannot be ignored."

One thing that was clear, however, was that the threat actors who distributed the malware had a working knowledge of the on-premises VSA tool and of the quirks that would allow installations without tipping off antimalware software.

Due to compatibility problems with some antivirus tools, Kaseya had advised customers to exclude several of the folders used by VSA from normal scans and from protections against automatic downloads. This allowed automated updates to run, but it also left a direct tunnel into customer systems once the VSA server was compromised.

"This gave REvil cover in several ways: it allowed initial compromise through a trusted channel, and leveraged trust in the VSA agent code - reflected in anti-malware software exclusions that Kaseya requires for set-up for its application and agent 'working' folders," Sophos researchers said in a report published Sunday. "Anything executed by the Kaseya Agent Monitor is therefore ignored because of those exclusions - which allowed REvil to deploy its dropper without scrutiny."

Sophos also said that, based on the incidents it observed, the REvil actors did not exfiltrate any data from victims, and there were no signs they attempted to delete volume shadow copies, a step which researchers said could have alerted threat detection and antimalware products.

It is worth noting that no single individual or hacking crew is likely responsible for launching the REvil attacks. The ransomware outfit operates under a sort of "crimeware-as-a-service" model in which developers sell access to the tool to other criminals, sometimes in exchange for a share of the ransom proceeds.

Even getting a full picture of the companies associated with the attack is going to be difficult in the short term, according to Sophos Vice President and CISO Ross McKerchar. "We expect the full scope of victim organizations to be higher than what's being reported by any individual security company. Pinpointing the identity of those involved may prove difficult thanks to a growing network of re-investment and spin-off operations among the various ranks of those who create ransomware and malware, as well as the criminal hacking groups that use them."
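The antimalware exclusions for the VSA agent folders that the article describes are a configuration a defender can audit directly. The script below is an added example, not code from the article, from Kaseya or from Sophos: it reads the Microsoft Defender path, process and extension exclusions on a Windows endpoint and reports any that cover the Kaseya agent folders, so that the blind spot REvil used shows up in an inventory instead of staying silent. The folder paths C:\kworking and C:\Program Files (x86)\Kaseya and the process name AgentMon.exe are assumptions about a typical deployment, not details taken from the article; Get-MpPreference and its ExclusionPath, ExclusionProcess and ExclusionExtension properties are the standard Defender module interface.

```powershell
# Added example; not from the article, Kaseya or Sophos. Lists Microsoft
# Defender exclusions on a VSA-managed Windows endpoint and reports any that
# cover the Kaseya agent folders. Needs an elevated session and the built-in
# Defender module (Windows 10/11, Server 2016+).
#
# Assumption: the agent working folder is C:\kworking, the agent is installed
# under C:\Program Files (x86)\Kaseya, and the agent process is AgentMon.exe.
# None of these come from the article; override -WatchPaths for your fleet.

function Get-KaseyaExclusionExposure {
    [CmdletBinding()]
    param(
        [string[]] $WatchPaths = @('C:\kworking', 'C:\Program Files (x86)\Kaseya')
    )

    $pref     = Get-MpPreference
    $findings = [System.Collections.Generic.List[object]]::new()

    # Path exclusions: flag any that is the watched folder, one of its parents,
    # or a wildcard pattern over it. Defender accepts environment variables and
    # a trailing "\*" in exclusions, so normalise before comparing.
    foreach ($excl in (@($pref.ExclusionPath) | Where-Object { $_ })) {
        $base = [Environment]::ExpandEnvironmentVariables($excl) -replace '[\\/]\*?$', ''
        foreach ($watch in $WatchPaths) {
            if ($watch -like "$base*") {
                $findings.Add([pscustomobject]@{
                    Kind      = 'Path'
                    Exclusion = $excl
                    Covers    = $watch
                    Note      = 'Files written and executed here are never scanned'
                })
            }
        }
    }

    # Process exclusions are broader than folder exclusions: every file the
    # excluded process opens is ignored, wherever on disk it lives.
    foreach ($excl in (@($pref.ExclusionProcess) | Where-Object { $_ })) {
        if ($excl -match 'kaseya|agentmon|kworking') {
            $findings.Add([pscustomobject]@{
                Kind      = 'Process'
                Exclusion = $excl
                Covers    = 'every file opened by this process'
                Note      = 'A payload dropped by the agent is ignored regardless of location'
            })
        }
    }

    # Extension exclusions for executable types hide a dropper host-wide.
    foreach ($excl in (@($pref.ExclusionExtension) | Where-Object { $_ })) {
        if ($excl -match '^\.?(exe|dll|ps1|bat|cmd)$') {
            $findings.Add([pscustomobject]@{
                Kind      = 'Extension'
                Exclusion = $excl
                Covers    = 'every file with this extension'
                Note      = 'Executable content bypasses scanning on the whole host'
            })
        }
    }

    return $findings
}

# Usage: run elevated on a managed endpoint; an empty table means no exclusion
# covers the watched folders, processes or executable extensions.
Get-KaseyaExclusionExposure | Format-Table -AutoSize
```

Where the table is not empty and the vendor still requires an exclusion, the practical compensation is to narrow it to the specific files the agent needs rather than the whole working folder, and to make sure the endpoint detection layer still records process creation under the agent even though the antimalware engine does not scan the folder, since an excluded directory is exactly where a dropper delivered through the management channel will land.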