Supply-Chain-Attack against Kaseya and MSP Updates

Short summary by kev the hermit + Kaseya VSA on Prem has a vuln. (RCE?) + REvil Affiliate Using this to exploit MSPs + With access to the VSA appliance Attackers push a rogue update to connected clients + Update runs Sodinikobi ransomware.

A massive REvil ransomware attack affects multiple managed service providers and their clients through a reported Kaseya supply-chain attack.

Starting this afternoon, the REvil ransomware gang, aka Sodinokibi, targeted MSPs with thousands of customers, through what appears to be a Kaseya VSA supply-chain attack.

Beside OnPrem, it is not clear if the Cloud/SaaS – solution is affected as well. According to a thread on reddit (Kaseya has been hacked with randomware that spread to all MSP clients), their cloudservices went into maintainance-mode.

OnPrem-Installation are confirmed to have been hit for at least 20 MSP

The situation is unclear as of now (2021-07-03 10am UTC), but Kaseya’s official note is currently: „IMMEDIATELY shutdown your VSA server until you receive further notice from us. Its critical that you do this immediately, because one of the first things the attacker does is shutoff administrative access to the VSA.“ [1]

More here.

Supermarket chain Coop closes 800 stores following Kaseya ransomware attack