Tuesday, April 29, 2025

Kaseya Says Hackers Directly Hit Its Customers by Exploiting VSA 0-Day

Last week, the operators of the REvil ransomware gang launched a cyberattack against Kaseya, a software company based in Miami, Florida, USA.

Kaseya has confirmed that the attack spread through its VSA solution, which is why it decided to shut down its VSA SaaS infrastructure. Since then, the number of affected organisations has kept rising, and the first ransom demands have been made public; the amounts demanded have grown since the attack.

Hackers Exploited VSA 0-Day

In this incident, the REvil operators affected thousands of customers around the world by exploiting a VSA 0-day vulnerability.


“To date, we are aware of fewer than 60 Kaseya customers, all of which were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found any evidence that any of our SaaS customers were compromised,” Kaseya said.

The attackers also demanded a total of $70 million in Bitcoin in exchange for a universal decryptor capable of decrypting all of the affected systems.

In the previous month, the meat-processing company JBS admitted to having paid a total of $11 million in ransom to recover from an attack attributed to REvil.

The attack has been reported in more than 17 countries and has halted the operations of affected companies in several sectors, including:

  • Financial services
  • Travel companies
  • Leisure companies
  • Even public entities
  • Political organizations

Hundreds of supermarkets, including stores of the Swedish supermarket chain Coop, had to close because of this attack, since their cash registers stopped working.

The FBI has confirmed that it is investigating the case together with the Cybersecurity and Infrastructure Security Agency (CISA), and has stated that, given the magnitude of the attack, it may not be able to respond to each affected customer or user of the company individually.

All the evidence indicates that the hackers launched a ‘zero-day’ attack: in such cases the attackers exploit a previously unknown vulnerability to infiltrate a computer system and plant malware that renders it unusable, so the victims are pressured to pay the ransom to obtain a decryption key.

Cybersecurity researchers have also noted that the attack was deliberately timed for the start of the July 4 holiday week, when offices in the United States were understaffed because of the Independence Day celebrations.

Kaseya says it has developed a patch for VSA in order to bring all of its services back online as soon as possible, and that it is working closely with the FBI to improve its security measures after the attack.

Indicators of Compromise

Network IOCs

The following IP addresses were seen accessing VSA Servers remotely.

35.226.94[.]113
161.35.239[.]148
162.253.124[.]162

Endpoint IOCs

The following files were used as part of the deployment of the encryptor:

Filename    MD5 Hash                                            Function
cert.exe    N/A (legitimate file with a random string appended)  Legitimate certutil.exe utility
agent.crt   939aae3cc456de8964cb182c75a5f8ccf                   Encoded malicious content
agent.exe   561cffbaba71a6e8cc1cdceda990ead4                    Decoded contents of agent.crt
mpsvc.dll   a47cf00aedf769d60d58bfe00c0b5421                    Ransomware payload
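The indicators above are only useful if they are actually checked against logs and endpoints. The following is an added example, not code from the article or from Kaseya: it refangs the defanged IP addresses, scans a set of constructed VSA access-log lines for remote connections from the listed addresses, and walks a directory comparing file MD5 digests against the endpoint table (cert.exe is omitted from the hash list because it is a renamed copy of the legitimate certutil.exe and has no fixed hash). The log format and the file paths in the demo are assumptions made for illustration.

```python
"""IoC matcher for the Kaseya VSA indicators published above.

Added example, not part of the original article. Network IoCs are matched as
whole IPv4 tokens in log lines; endpoint IoCs are matched by file MD5.
"""
import hashlib
import os
import re
import tempfile

# Network IoCs exactly as published (defanged with [.] so they are not clickable).
NETWORK_IOCS_DEFANGED = [
    "35.226.94[.]113",
    "161.35.239[.]148",
    "162.253.124[.]162",
]

# Endpoint IoCs from the table: MD5 -> (filename, function).
ENDPOINT_IOCS = {
    "939aae3cc456de8964cb182c75a5f8cc": ("agent.crt", "Encoded malicious content"),
    "561cffbaba71a6e8cc1cdceda990ead4": ("agent.exe", "Decoded contents of agent.crt"),
    "a47cf00aedf769d60d58bfe00c0b5421": ("mpsvc.dll", "Ransomware payload"),
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable 1.2.3.4."""
    return ioc.replace("[.]", ".")


NETWORK_IOCS = {refang(ip) for ip in NETWORK_IOCS_DEFANGED}

# Whole-token IPv4 match: 35.226.94.113 must not fire on 135.226.94.113.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample log lines (assumed format: date time method path client_ip status).
SAMPLE_VSA_LOG = [
    "2021-07-02 14:01:22 GET /login 10.0.0.5 200",
    "2021-07-02 14:03:09 POST /api/status 35.226.94.113 200",
    "2021-07-02 14:05:41 GET /login 135.226.94.113 404",
    "2021-07-02 14:07:13 POST /api/status 161.35.239.148 200",
]


def find_network_hits(log_lines):
    """Return (line_number, ip) for every log line that contains a listed IP."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in NETWORK_IOCS:
                hits.append((lineno, ip))
    return hits


def md5_of_file(path: str) -> str:
    """Hash a file in chunks so large payloads need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: str):
    """Return (path, table_filename, function) for files whose MD5 is a listed IoC."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            info = ENDPOINT_IOCS.get(md5_of_file(path))
            if info:
                findings.append((path, info[0], info[1]))
    return findings


def demo_scan():
    """Constructed demo: a scratch directory with one benign file must yield no findings."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "readme.txt")
        with open(benign, "wb") as fh:
            fh.write(b"abc")
        return md5_of_file(benign), scan_directory(tmp)


if __name__ == "__main__":
    for lineno, ip in find_network_hits(SAMPLE_VSA_LOG):
        print(f"network IoC hit: line {lineno} -> {ip}")
    benign_md5, findings = demo_scan()
    print(f"benign file md5 {benign_md5}, endpoint findings: {findings}")
```

Matching on whole IPv4 tokens matters: a naive substring search for 35.226.94.113 would also flag the unrelated 135.226.94.113 on line 3. On a real host, point scan_directory at the VSA agent working directory rather than a scratch folder, and treat any hit on mpsvc.dll as an active-encryption indicator that warrants isolating the machine.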


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
