Tuesday, July 16, 2024

Kaseya Says Hackers Directly Hit Its Customers by Exploiting VSA 0-Day

The hacker group behind REvil ransomware gang has Last week launched a cyber attack against Kaseya, it’s a company based in Miami, Florida, USA and it provides software.

Kaseya has confirmed that the attack spread through its cloud VSA solution, and that’s why they decided to shut down their VSA SaaS infrastructure. Since then, those affected have been succeeding, and the first amounts demanded were made public, which have been growing since the attack.

Hackers Exploited VSA 0-Day

In this incident, the operators of REvil affected thousands of customers around the world by exploiting the VSA 0-day vulnerability. 

“To date, we are aware of fewer than 60 Kaseya customers, all of which were using the VSA on-premises product, who was directly compromised by this attack.  While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses.  We have not found any evidence that any of our SaaS customers were compromised.” Kaseya Said.

And not only that even they also demanded a total of 70 million dollars in bitcoins in exchange for a universal decryptor capable of deciphering all the affected systems.

In the previous month, the meat-processing company JBS admitted to having paid a total of $11 million of ransom to get rid of an attack that is accused to REvil.

In more than 17 countries this attack has been reported and affected the users; as a result stopped the operation of the company in several sectors like:-

  • Financial services
  • Travel companies
  • Leisure companies
  • Even public entities
  • Political organizations

Even there are hundreds of supermarkets along with Swedish supermarket chain Coop had to close due to this attack since their cash registers were stopped working.

Moreover, the FBI has also confirmed that they are investigating the case together with the Infrastructure and Cybersecurity Agency; even they also asserted that due to the magnitude of this attack they might be not able to treat customers or the users of the company individually.

However, here all the clues indicate that the hackers launched a ‘zero-day’ attack, and in these cases, the hackers infiltrate a computer system and plant ‘malware’ that presents it as useless, that’s why as a result the victims have to pay the extortion to obtain a decryption key.

Apart from this, the cybersecurity researchers have claimed that this cyberattack was carried out voluntarily at the start of the holiday week associated to July 4, and at this time the offices in the United States were understaffed due to the celebration of independence day.

While Kaseya claimed that they have developed a patch for the VSA simply to get back all its services online as soon as possible. And they also pronounced that they are closely working with the FBI to improve their security measures after the attack.

Indication of Comrpomise

Network IOCs

The following IP addresses were seen accessing VSA Servers remotely.


Endpoint IOCs

The following files were used as part of the deployment of the encryptor:

FilenameMD5 HashFunction
cert.exeN/A – Legitimate File with random string appendedLegit certutil.exe Utility
agent.crt939aae3cc456de8964cb182c75a5f8ccEncoded malicious content
agent.exe561cffbaba71a6e8cc1cdceda990ead4Decoded contents of agent.crt
mpsvc.dlla47cf00aedf769d60d58bfe00c0b5421Ransomware Payload

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles