#Kaseya agent update
We will update this location with more information as it becomes available. This is likely one of the reasons why Kaseya was targeted. For a detailed analysis of the attack, the malware used, and lessons learned, please see the SophosLabs Uncut article "Independence Day: REvil uses supply chain exploit to attack hundreds of businesses". Once the VSA Server is infiltrated, any attached client will perform whatever task the VSA Server requests without question. As such, it has a high level of trust on customer devices.
#Kaseya agent software
The functionality of a VSA Server includes the deployment of software and the automation of IT tasks. As Kaseya is primarily used by Managed Service Providers (MSPs), this approach gave the attackers privileged access to the devices of the MSP's customers. It appears that the attackers used a zero-day vulnerability to remotely access internet-facing VSA Servers. Vulnerabilities in common internet-facing devices allow attackers to compromise large numbers of systems at once with very little effort. There's been a noticeable shift towards attacks on perimeter devices in recent years. Kaseya has stated that the attack started around 14:00 EDT/18:00 UTC on Friday, Jand they are investigating the incident. Organizations running Kaseya VSA are potentially impacted. Sophos is aware of a supply chain attack that uses Kaseya to deploy a variant of the REvil ransomware into a victim's environment. The attack is geographically dispersed.