Agent.crt, an encoded REvil ransomware payload that would be distributed to MSP clients.Once authentication was circumvented, the intruders used built-in VSA functionality to upload at least two files:
On the latter point, Kaseya repeatedly stated during response to this incident that only the on-premises version of VSA was impacted by the vulnerabilities under discussion, while the software as a service (SaaS) platform showed no evidence of exploitation.īased on analysis from Huntress, enabled through data sharing from victim MSPs, initial intrusion at MSP entities started by accessing an externally exposed VSA-related resource - dl.asp - and abusing a flaw in that application’s authentication process. At this time, it is not clear whether the MSPs targeted in this incident were deliberate selections (for example, based on the number or type of clients managed) or opportunistic identification of entities running vulnerable and exposed VSA instances.
Previous examples of service-focused supply chain activity include the CloudHopper campaign and the Palmetto Fusion activity described by the U.S. In this scenario, the adversary abuses trust relationships between ultimate victims and MSPs in order to deploy a malicious capability. Rather than a software supply chain compromise, the incident instead reflects a services supply chain incident. Instead, while the company’s software was certainly impacted through the event, Kaseya itself appears to have avoided a breach of its own network. While initial reporting suggested a potential breach at Kaseya leading to the distribution of malicious VSA updates, subsequent analysis revealed this to not be the case.
Initial delivery and execution mechanisms for this incident relied on identification and subsequent exploitation of vulnerabilities within the VSA platform. While the impact of this incident will only become clear with more time, sufficient information now exists to analyze precisely how this event took place, and how network defenders can prepare for future, similar incidents should they occur. Please Note: This application includes a client intended for the installed versions of Kaseya running the Mobile Device Management module.Continuous updates from security firm Huntress as well as Kaseya itself indicated dozens of VSA customers (MSPs) were impacted, leading to follow-on impacts at more than one thousand entities linked to the impacted MSPs.Īffected entities ranged from a Swedish grocery chain that shuttered hundreds of locations due to the incident, to several school systems in New Zealand. An on-premises or cloud implementation of Kaseya K2 Works with iPhone & iPad with iOS 4.2 and above Lock, wipe and reset lost or stolen devices Force Alarm sound to help track lost device
Track location of mobile devices based on location history or in real time Collect detailed inventory information in a central repository that can be easily accessed by administrators and technicians for fast resolution while providing a complete network view Automate email configuration and settings to one or many devices Kaseya Agent allows your IT organization to: Kaseya solutions empower everyone - from individual consumers to large corporations and IT service providers - to proactively manage and control IT assets remotely, easily and efficiently from one integrated Web-based platform. Kaseya is the leading global provider of enterprise class IT Systems Management software. Kaseya Agent extends the reach of the Kaseya IT systems management platform to mobile phone and tablet devices and provides IT professionals with remote management and security visibility to ensure IT policies and best practices are followed.