{"id":20525,"date":"2021-07-03T02:16:42","date_gmt":"2021-07-03T00:16:42","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=20525"},"modified":"2021-07-03T02:29:02","modified_gmt":"2021-07-03T00:29:02","slug":"revil-ransomware-befall-bei-200-firmen-ber-kaseya-vsa-und-management-service-provider-msp","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/07\/03\/revil-ransomware-befall-bei-200-firmen-ber-kaseya-vsa-und-management-service-provider-msp\/","title":{"rendered":"REvil Ransomware attack at 200 Companies via Kaseya VSA and Management Service Provider (MSP)"},"content":{"rendered":"

\"Sicherheit[German<\/a>]It is once again a nightmare come true for the IT landscape. The REvil ransomware group has succeeded in an attack via management service providers (MSPs). As a result, the servers of 200 companies were encrypted by the ransomware. It looks like the Kaseya IT management platform has been compromised. The whole thing is something like the SolarWinds supply chain attack, only this time it was ransomware.<\/p>\n

<\/p>\n

What is Kaseya VSA?<\/h2>\n

\"\"Kaseya VSA is a cloud-based MSP platform that allows vendors to perform patch management and client monitoring for their customers.\u00a0 The vendor describes<\/a> VSA as remote access and endpoint management applications. The software, Kaseya VSA, is popular with so-called managed service providers (MSPs), which provide IT infrastructure to companies that prefer to outsource these things rather than run them themselves. Hacking the MSP via compromised software like Kaseya VSA means having access to its customers.<\/p>\n

Kaseya VSA likely compromised<\/h2>\n

Brett Callow<\/a>, security analyst at Emsisoft, pointed on Twitter<\/a> to the message from the Kaseya help desk indicating a hack and recommends customers using Kaseya VSA directly shut down their servers. This is because there is a risk of losing administrative access in the event of an attack.<\/p>\n

\"Kaseya<\/a><\/p>\n

An attack is confirmed on the helpdesk pages of the provider Kaseya, where it says July 2, 2021:<\/p>\n

\n

Important Notice July 2nd, 2021<\/h4>\n

We are experiencing a potential attack against the VSA that has been limited to a small
\nnumber of on-premise customers only as of 2:00 PM EDT today.<\/p>\n

We are in the process of investigating the root cause of the incident with an abundance
\nof caution but we recommend that you IMMEDIATELY shutdown your VSA server until
\nyou receive further notice from us<\/u><\/strong>.<\/p>\n

Its critical that you do this immediately, because one of the first things the attacker does
\nis shutoff administrative access to the VSA.<\/u><\/strong><\/p><\/blockquote>\n

\"Kaseya<\/p>\n

The vendor confirms an attack on its VSA product that affected a small number of on-premises customers. It all sounds very harmless up to this point.<\/p>\n

REvil infects at least 200 companies<\/h2>\n

On reddit.com, there has been this thread<\/a> for a few hours now, informing about a major ransomware attack. It says here:<\/p>\n

Update 1 – 07\/02\/2021 – 1417 ET<\/p>\n

We are tracking four MSPs where this has happened and working in close collaboration with two of them. Although all four are running Kaseya VSA, we have not validated that VSA is being exploited (not fair at this time to say \"Kaseya has been hacked\" without evidence). Here's validated indicators of compromise:<\/p>\n