Infect machine with Kaseya agent
![infect machine with kaseya agent infect machine with kaseya agent](https://boltonshield.com/wp-content/uploads/2021/07/main-image-1024x630.png)
It appears that the threat actors knew they were racing against the development of a patch. Unlike previous REvil attacks, where the dwell time was very long and data was carefully exfiltrated before the ransomware was detonated, this attack appears to have unfolded very quickly. A CVE was assigned for the vulnerability used: CVE-2021-30116. Early reporting described the flaw as a SQL injection that allowed the threat actors to remotely exploit internet-facing Kaseya VSA servers; Kaseya's own advisory later characterized CVE-2021-30116 as a credentials leak and business logic flaw that allowed authentication to be bypassed. Either way, no exploit against the endpoints themselves was needed: the attackers compromised the management server and used its legitimate agent update mechanism to reach everything it managed.

REvil claims more than a million infected systems. As of July 6th, according to reporting by Bleeping Computer, roughly 60 of Kaseya's direct customers appear to have been impacted, resulting in about 800 to 1,500 compromised businesses downstream. REvil, one of the world's most active ransomware gangs, has updated its blog to claim responsibility; its payment portal is live and it is actively negotiating with victims. Multiple organizations throughout Europe and APAC have been forced to shut down their business entirely while they remediate.

The blast radius of a single compromised user or endpoint is usually already huge, as the average user typically has access to millions of files they don't need. The blast radius of administrators or administrative servers is far larger. The attackers exploited vulnerable, internet-facing VSA servers sitting upstream of many victims in the networks of MSPs, and used them as backdoors, making it difficult or impossible for the victims to detect or prevent infection as the ransomware flowed "downstream." Also, because such updates are distributed to many nodes at once, recovery for infected organizations may be arduous.
Unlike the SolarWinds supply chain attack, in which SolarWinds' own build and update infrastructure was compromised, there is no indication that Kaseya's infrastructure was compromised: the exploited systems were VSA servers operated by Kaseya's customers, and the malicious update was pushed from those servers rather than from Kaseya.
On July 2nd, 2021, a malicious "hotfix" was pushed from compromised Kaseya VSA servers to the endpoints running the VSA agent, resulting in the compromise and encryption of thousands of nodes at hundreds of different businesses. The hotfix carried a ransomware payload called Sodinokibi, known to be released by the notorious REvil group, which encrypted the affected servers and their shared folders. Kaseya VSA is a popular remote monitoring and management (RMM) product used by many managed service providers (MSPs), companies that provide IT services to other companies. Network management software is a perfect place to hide a backdoor because these systems usually have broad access and perform a lot of tasks, making them difficult to monitor.
![infect machine with kaseya agent infect machine with kaseya agent](https://miro.medium.com/max/1400/1*EXOIDja5uaJR8VCc7ntpOA.png)
![infect machine with kaseya agent infect machine with kaseya agent](https://support.itglue.com/hc/article_attachments/360008380377/Executing_VSA_automation_in_IT_Glue_-_DRAFT_-_Google_Docs.png)