Wednesday, May 28, 2025
HomeZero-DayKaseya Says Hackers Directly Hit Its Customers by Exploiting VSA 0-Day

Kaseya Says Hackers Directly Hit Its Customers by Exploiting VSA 0-Day

Published on

SIEM as a Service

Follow Us on Google News

The hacker group behind REvil ransomware gang has Last week launched a cyber attack against Kaseya, it’s a company based in Miami, Florida, USA and it provides software.

Kaseya has confirmed that the attack spread through its cloud VSA solution, and that’s why they decided to shut down their VSA SaaS infrastructure. Since then, those affected have been succeeding, and the first amounts demanded were made public, which have been growing since the attack.

Hackers Exploited VSA 0-Day

In this incident, the operators of REvil affected thousands of customers around the world by exploiting the VSA 0-day vulnerability. 

- Advertisement - Google News

“To date, we are aware of fewer than 60 Kaseya customers, all of which were using the VSA on-premises product, who was directly compromised by this attack.  While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses.  We have not found any evidence that any of our SaaS customers were compromised.” Kaseya Said.

And not only that even they also demanded a total of 70 million dollars in bitcoins in exchange for a universal decryptor capable of deciphering all the affected systems.

In the previous month, the meat-processing company JBS admitted to having paid a total of $11 million of ransom to get rid of an attack that is accused to REvil.

In more than 17 countries this attack has been reported and affected the users; as a result stopped the operation of the company in several sectors like:-

  • Financial services
  • Travel companies
  • Leisure companies
  • Even public entities
  • Political organizations

Even there are hundreds of supermarkets along with Swedish supermarket chain Coop had to close due to this attack since their cash registers were stopped working.

Moreover, the FBI has also confirmed that they are investigating the case together with the Infrastructure and Cybersecurity Agency; even they also asserted that due to the magnitude of this attack they might be not able to treat customers or the users of the company individually.

However, here all the clues indicate that the hackers launched a ‘zero-day’ attack, and in these cases, the hackers infiltrate a computer system and plant ‘malware’ that presents it as useless, that’s why as a result the victims have to pay the extortion to obtain a decryption key.

Apart from this, the cybersecurity researchers have claimed that this cyberattack was carried out voluntarily at the start of the holiday week associated to July 4, and at this time the offices in the United States were understaffed due to the celebration of independence day.

While Kaseya claimed that they have developed a patch for the VSA simply to get back all its services online as soon as possible. And they also pronounced that they are closely working with the FBI to improve their security measures after the attack.

Indication of Comrpomise

Network IOCs

The following IP addresses were seen accessing VSA Servers remotely.

35.226.94[.]113
161.35.239[.]148
162.253.124[.]162

Endpoint IOCs

The following files were used as part of the deployment of the encryptor:

FilenameMD5 HashFunction
cert.exeN/A – Legitimate File with random string appendedLegit certutil.exe Utility
agent.crt939aae3cc456de8964cb182c75a5f8ccEncoded malicious content
agent.exe561cffbaba71a6e8cc1cdceda990ead4Decoded contents of agent.crt
mpsvc.dlla47cf00aedf769d60d58bfe00c0b5421Ransomware Payload

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Robinhood Ransomware Operator Arrested for Attacks on Government and Private Networks

On May 27, 2025, Iranian national Sina Gholinejad, 37, pleaded guilty in a North...

CISA Releases Executive Guide on SIEM and SOAR Platforms for Rapid Threat Detection

In today’s rapidly evolving threat landscape, Security Information and Event Management (SIEM) and Security...

MATLAB, Serving Over 5 Million Users, Hit by Ransomware Attack

MathWorks, the renowned developer of MATLAB and Simulink, has been grappling with the aftermath...

CISA Publishes ICS Advisories Highlighting New Vulnerabilities and Exploits

On May 27, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a new...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Cityworks Zero-Day Vulnerability Used by UAT-638 Hackers to Infect IIS Servers with Shell Malware

Cisco Talos has uncovered active exploitation of a zero-day remote-code-execution vulnerability, identified as CVE-2025-0994,...

Linux Kernel Zero-Day SMB Vulnerability Discovered via ChatGPT

Security researcher has discovered a zero-day vulnerability (CVE-2025-37899) in the Linux kernel's SMB server...

Versa Concerto 0-Day Flaw Enables Remote Code Execution by Bypassing Authentication

Security researchers have uncovered multiple critical vulnerabilities in Versa Concerto, a widely deployed network...