Kaseya VSA supply-chain ransomware attack hit hundreds of companies

Pierluigi Paganini July 03, 2021

A supply-chain attack by REvil ransomware operators against Kaseya VSA impacted multiple managed service providers (MSPs) and their clients.

A new supply-chain attack made the headlines this afternoon: the REvil ransomware gang hit Kaseya's cloud-based MSP platform, impacting MSPs and their customers.

Kaseya has 40,000 customers, though not all of them use the VSA tool, which MSPs use to perform patch management and client monitoring for their customers.

The REvil ransomware operators initially compromised Kaseya VSA's infrastructure, then pushed out malicious updates for VSA on-premise servers to deploy ransomware on enterprise networks.

The investigation is still ongoing; according to security firm Huntress Labs, at least 200 organizations have been impacted, making this incident one of the largest ransomware attacks in history.

At the time of this writing, at least 20 MSPs have been compromised as part of this supply-chain attack, but experts believe that the attack might have impacted thousands of companies across the world.

The timing of the attack could make the investigation more complex: the threat actors launched it on Friday, ahead of the July 4th holiday.

The company shut down its SaaS infrastructure and is investigating the incident with the help of the FBI and other security firms.

“Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.” states a notice published by Kaseya.

“We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us. It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA.”

A specific Reddit page was set up to provide news about the attack and share updates on the investigation.

Researchers from Sophos published a security advisory for their customers running Kaseya, telling them what to look for.

Mark Loman, a Sophos malware analyst investigating the incident, explained that the REvil ransomware operators disable antivirus software to deploy a fake Windows Defender app that runs the ransomware binary.

We are monitoring a REvil 'supply chain' attack outbreak, which seems to stem from a malicious Kaseya update. REvil binary C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process.

— Mark Loman (@markloman) July 2, 2021

Attack chain contains code that attempts to disable Microsoft Defender Real-Time Monitoring, Script Scanning, Controlled Folder Access, etc. via PowerShell pic.twitter.com/xgLbt5pvG2

— Mark Loman (@markloman) July 2, 2021

Loman added that owners of endpoints infected in this campaign received an initial ransom demand of 44,999 USD.

If your endpoint is hit, the initial ransom demand is 44,999 USD. pic.twitter.com/gSWbxYJbeX

— Mark Loman (@markloman) July 2, 2021

John Hammond, a cybersecurity researcher at Huntress Labs, told BleepingComputer that Kaseya VSA drops an agent.crt file into the c:\kworking folder, distributed as an update called ‘Kaseya VSA Agent Hot-fix.’ A PowerShell command is then launched to decode the certificate file using the legitimate Windows certutil.exe command and extract an agent.exe file to the same folder.

Here's a partner provided screenshot from an impacted Kaseya VSA Server. Nothing worse for threat hunters than seeing an "Archive and Purge Logs" procedure 🙄 pic.twitter.com/uuWaFBXIxS

— Kyle Hanslovan (@KyleHanslovan) July 3, 2021

The agent.exe is digitally signed using a certificate issued for “PB03 TRANSPORT LTD” and includes the REvil encryptor. 
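The stages described above (certutil decoding agent.crt in c:\kworking, PowerShell switching off Defender protections, and MsMpEng.exe launched from C:\Windows instead of its install directory) translate directly into process-creation hunting rules. The following is an added example, not code from the article, Sophos, or Huntress: it runs three such rules over a constructed set of parent|image|command-line events. The Set-MpPreference parameters are the real Defender cmdlet switches for the protections Loman listed, but the command line itself is a constructed sample.

```python
import re

# Constructed process-creation events, "parent|image|command line", modelled on
# the attack chain described in the article. They are not real telemetry.
SAMPLE_EVENTS = [
    "cmd.exe|C:\\Windows\\System32\\certutil.exe|certutil -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe",
    "cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -c Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled",
    "cmd.exe|c:\\kworking\\agent.exe|c:\\kworking\\agent.exe",
    "agent.exe|C:\\Windows\\MsMpEng.exe|C:\\Windows\\MsMpEng.exe",
    # Benign activity that must not fire (VERSION is a placeholder for the platform folder).
    "services.exe|C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\VERSION\\MsMpEng.exe|MsMpEng.exe",
    "cmd.exe|C:\\Windows\\System32\\certutil.exe|certutil -dump C:\\temp\\server.cer",
]

# Directories from which the Defender engine legitimately runs.
LEGIT_DEFENDER_DIRS = (
    "\\program files\\windows defender\\",
    "\\programdata\\microsoft\\windows defender\\platform\\",
)

def check_event(parent, image, cmdline):
    """Return the names of the hunting rules this event matches."""
    hits = []
    img = image.lower()
    cmd = cmdline.lower()
    # Rule 1: certutil decoding a .crt dropped in c:\kworking (agent.crt -> agent.exe).
    if img.endswith("\\certutil.exe") and "-decode" in cmd and re.search(r"\\kworking\\\S+\.crt", cmd):
        hits.append("certutil_decode_kworking")
    # Rule 2: Defender engine binary running outside its install directories
    # (the side-loading trick: a copy of MsMpEng.exe placed in C:\Windows).
    if img.endswith("\\msmpeng.exe") and not any(d in img for d in LEGIT_DEFENDER_DIRS):
        hits.append("msmpeng_unexpected_path")
    # Rule 3: PowerShell turning off real-time monitoring, script scanning or
    # controlled folder access before the encryptor runs.
    if img.endswith("\\powershell.exe") and "set-mppreference" in cmd and re.search(
            r"-disablerealtimemonitoring|-disablescriptscanning|-enablecontrolledfolderaccess\s+disabled", cmd):
        hits.append("defender_tampering_powershell")
    return hits

def scan(events):
    """Map the index of each suspicious event to its matched rules; clean events are skipped."""
    findings = {}
    for i, line in enumerate(events):
        parent, image, cmdline = line.split("|", 2)
        hits = check_event(parent, image, cmdline)
        if hits:
            findings[i] = hits
    return findings

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(hits)}")
```

Event 2 (agent.exe launched from c:\kworking) is deliberately left to the analyst: the folder is Kaseya's own working directory, so executions from it need parent-process context rather than a path match alone.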

Kaseya claims to have identified the source of the vulnerability and is working to release security updates to secure on-premises installs.

“We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly. We will release that patch as quickly as possible to get our customers back up and running.” continues Kaseya’s notice.

US CISA also published a security advisory on the Kaseya supply-chain ransomware attack.

“CISA is taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software. CISA encourages organizations to review the Kaseya advisory and immediately follow their guidance to shut down VSA servers.” states CISA.

Pierluigi Paganini