Saturday, April 13, 2024

Kaseya Says Hackers Directly Hit Its Customers by Exploiting VSA 0-Day

The hacker group behind REvil ransomware gang has Last week launched a cyber attack against Kaseya, it’s a company based in Miami, Florida, USA and it provides software.

Kaseya has confirmed that the attack spread through its cloud VSA solution, and that’s why they decided to shut down their VSA SaaS infrastructure. Since then, those affected have been succeeding, and the first amounts demanded were made public, which have been growing since the attack.

Hackers Exploited VSA 0-Day

In this incident, the operators of REvil affected thousands of customers around the world by exploiting the VSA 0-day vulnerability. 

“To date, we are aware of fewer than 60 Kaseya customers, all of which were using the VSA on-premises product, who was directly compromised by this attack.  While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses.  We have not found any evidence that any of our SaaS customers were compromised.” Kaseya Said.

And not only that even they also demanded a total of 70 million dollars in bitcoins in exchange for a universal decryptor capable of deciphering all the affected systems.

In the previous month, the meat-processing company JBS admitted to having paid a total of $11 million of ransom to get rid of an attack that is accused to REvil.

In more than 17 countries this attack has been reported and affected the users; as a result stopped the operation of the company in several sectors like:-

  • Financial services
  • Travel companies
  • Leisure companies
  • Even public entities
  • Political organizations

Even there are hundreds of supermarkets along with Swedish supermarket chain Coop had to close due to this attack since their cash registers were stopped working.

Moreover, the FBI has also confirmed that they are investigating the case together with the Infrastructure and Cybersecurity Agency; even they also asserted that due to the magnitude of this attack they might be not able to treat customers or the users of the company individually.

However, here all the clues indicate that the hackers launched a ‘zero-day’ attack, and in these cases, the hackers infiltrate a computer system and plant ‘malware’ that presents it as useless, that’s why as a result the victims have to pay the extortion to obtain a decryption key.

Apart from this, the cybersecurity researchers have claimed that this cyberattack was carried out voluntarily at the start of the holiday week associated to July 4, and at this time the offices in the United States were understaffed due to the celebration of independence day.

While Kaseya claimed that they have developed a patch for the VSA simply to get back all its services online as soon as possible. And they also pronounced that they are closely working with the FBI to improve their security measures after the attack.

Indication of Comrpomise

Network IOCs

The following IP addresses were seen accessing VSA Servers remotely.

35.226.94[.]113
161.35.239[.]148
162.253.124[.]162

Endpoint IOCs

The following files were used as part of the deployment of the encryptor:

FilenameMD5 HashFunction
cert.exeN/A – Legitimate File with random string appendedLegit certutil.exe Utility
agent.crt939aae3cc456de8964cb182c75a5f8ccEncoded malicious content
agent.exe561cffbaba71a6e8cc1cdceda990ead4Decoded contents of agent.crt
mpsvc.dlla47cf00aedf769d60d58bfe00c0b5421Ransomware Payload

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles