Before the weekend, news came out that Kaseya (a known vendor in the RMM market and is commonly used by MSPs) was targeted as part of an attack by the ransomware group called REvil.
Kaseya’s public statement and info here –> Important Notice July 4th, 2021 – Kaseya
The main target of the attack was customers of Kaseya that were using their VSA product. The VSA product has a simple server/agent architecture, where you have agents installed on endpoints & servers (using port 5721) that you manage which then report back to the VSA appliance.
The VSA also has a web portal which is available in port 18018 (or 443) depending on the configuration. Which many unfortunately have had publicly available. (There were close to 2,200 publically available VSA’s) before the attack started)
The initial sign of the compromise was that the attackers first launched the attack from compromised web-servers (most hosted in AWS) which were then used to run a set of specific commands against the VSA. First of attackers buypassed an authentication flaw in the /dl.asp as part of the VSA which they then used to get an access token, which they then used to upload the malware files using the kupload.dll file.
Then using the malware extension, they created a deployment package containing the malware extension that deployed the ransomware to the different agents that were connected to the VSA.
In short the REvil binary C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process.
Source: Managed Service Providers (reddit.com)
Kaseya mentioned in their public statement that only a small percentage of their customers were hit, but if one large MSP were hit it could affect a large portion of the MSP’s customers again. So, there is currently no good indication of the number of endpoints that were compromised as part of this attack.
There are some numbers that are posted on social media, but currently not confirmed
It should be noted that Kaseya was aware of the vulnerability and was working on closing the vulnerability in their product but was a bit too late. They have asked customers to shut down the VSA appliance in the meantime.