Kaseya has reported that the attackers in the 2 July ransomware incident used unpatched vulnerabilities in its VSA platform. The product codebase does not appear to have been maliciously modified. An update for on-premises deployments will be available on 11 July 2021 at 4 PM EDT.
- On 5 July 2021, Kaseya confirmed that attackers used unpatched vulnerabilities in its VSA product. Kaseya identified fewer than 60 of its customers as impacted, all of whom were using the VSA on-premises product. SaaS customers do not appear to be compromised. Some of Kaseya’s customers are MSPs whose downstream clients were also affected by the incident. The number of downstream businesses affected is estimated to be close to 1,500.
- Kaseya announced that it will fix the flaw(s) with an update to be released on 11 July 2021. It also provided recommendations for resuming VSA operations and hardening customers’ on-premises environments.
- On 8 July, Kaseya warned customers of a current phishing campaign that takes advantage of the news about the Kaseya incident. Threat actors are sending malicious attachments and embedded links posing as legitimate VSA security updates.
- Separately, researchers investigating the attacks against their clients involving Kaseya VSA identified three potential vulnerabilities in the product, including an authentication bypass, an arbitrary file upload, and a code injection.
- Review the VSA On-Premises Hardening and Best Practice Guide to prepare your environment for the upcoming updates.
- Apply the updates as soon as they come out to reduce the risk of exploitation.
- Avoid clicking on any suspicious links in emails appearing to be from Kaseya, and refer to the Kaseya website for the most up-to-date information.