Find Kaseya VSA Components
Kaseya reported that on July 2 there was a potential attack against its VSA module, and immediately followed the notice with the recommendation that customers shut down their VSA servers. "It's critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA," said their CEO.
At the same time, Kaseya also shut down all of its cloud servers. According to the FBI, the attack is a "supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers." It is estimated that over 1000 companies have been hit by the REvil ransomware, which was distributed via an automated, fake, and malicious software update pushed through Kaseya VSA and dubbed "Kaseya VSA Agent Hot-fix". The attackers used a 0-day vulnerability, disclosed to Kaseya earlier by the Dutch Institute for Vulnerability Disclosure (DIVD), to launch their attack. Reportedly, Kaseya was in the midst of validating a patch that would have fixed the vulnerability when the attack was launched.
In addition to shutting down Kaseya VSA servers, Kaseya has provided a Kaseya VSA Detection script to check whether machines running either the server or the agent component have been compromised. Meanwhile, the group behind the attack has posted a blog where they claim to have compromised more than a million systems and are willing to negotiate a universal decryptor for $70 million.
To help you get an overview of all Kaseya-connected devices, we've created a special report that lists all assets meeting at least one of the following criteria:
- Has a service with "Kaseya" in the name (either server components or the endpoint client).
- Has a database with the name "ksubscribers", the common Kaseya database name.
Kaseya VSA REvil Ransomware Attack Query
Select Top 1000000
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  Service.[Service Name],
  Service.[Service Path],
  Service.[Service Start Mode],
  Service.[Service State],
  DB.displayVersion As [SQL Version],
  DB.skuName As [SQL Edition],
  DB.name As [DB name],
  DB.dataFilesSizeKb As [DB Size],
  Case
    When tblErrors.ErrorText Is Not Null And tblErrors.ErrorText != ''
      Then 'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  tblAssets.Lastseen,
  tblAssets.Lasttried
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  -- Most recent scanning error per asset
  Left Join (Select Top 1000000 tblErrors.AssetID As ID, Max(tblErrors.Teller) As ErrorID
             From tblErrors
             Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID = ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype = tblErrors.ErrorType
  -- Criterion 1: any service whose caption contains "Kaseya" (server or agent)
  Left Join (Select tblServices.AssetID,
                    tblServicesUni.Caption As [Service Name],
                    tblServicesUni.Pathname As [Service Path],
                    tblServiceStartMode.StartMode As [Service Start Mode],
                    tblServiceState.State As [Service State]
             From tblServices
               Inner Join tblServicesUni On tblServicesUni.ServiceuniqueID = tblServices.ServiceuniqueID
               Inner Join tblServiceStartMode On tblServiceStartMode.StartID = tblServices.StartID
               Inner Join tblServiceState On tblServiceState.StateID = tblServices.StateID
             Where tblServicesUni.Caption Like '%Kaseya%') As Service On Service.AssetID = tblAssets.AssetID
  -- Criterion 2: the ksubscribers database on a scanned SQL Server instance
  Left Join (Select tblSqlServers.AssetID,
                    tblSqlServers.displayVersion,
                    tblSqlServers.skuName,
                    tblSqlDatabases.name,
                    tblSqlDatabases.dataFilesSizeKb
             From tblSqlServers
               Inner Join tblSqlDatabases On tblSqlDatabases.sqlServerId = tblSqlServers.sqlServerId
             Where tblSqlDatabases.name = 'ksubscribers') As DB On DB.AssetID = tblAssets.AssetID
Where (Service.[Service Name] Is Not Null Or DB.name Is Not Null)
  And tblState.Statename = 'Active'
Order By tblAssets.Domain, tblAssets.AssetName
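As an added example (not part of the report above), the same two criteria can be expressed as a compact union that also flags assets with an installed-software entry naming Kaseya, which catches agents whose service caption happens not to contain the string; the tblSoftware/tblSoftwareUni table and column names are assumed from Lansweeper's standard schema and should be checked against your database.

```sql
-- Added example: one row per (asset, indicator) for every active asset that
-- matches any Kaseya indicator. tblSoftware/tblSoftwareUni names are assumed.
Select Top 1000000
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.IPAddress,
  tblAssets.Lastseen,
  Hits.Indicator,
  Hits.Detail
From tblAssets
  Inner Join tblAssetCustom On tblAssetCustom.AssetID = tblAssets.AssetID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Inner Join (
    -- Indicator 1: a Windows service with "Kaseya" in its caption
    Select tblServices.AssetID, 'Service' As Indicator, tblServicesUni.Caption As Detail
    From tblServices
      Inner Join tblServicesUni On tblServicesUni.ServiceuniqueID = tblServices.ServiceuniqueID
    Where tblServicesUni.Caption Like '%Kaseya%'
    Union
    -- Indicator 2: the ksubscribers database on a scanned SQL Server instance
    Select tblSqlServers.AssetID, 'Database', tblSqlDatabases.name
    From tblSqlServers
      Inner Join tblSqlDatabases On tblSqlDatabases.sqlServerId = tblSqlServers.sqlServerId
    Where tblSqlDatabases.name = 'ksubscribers'
    Union
    -- Indicator 3 (assumed schema): an installed-software entry naming Kaseya
    Select tblSoftware.AssetID, 'Software', tblSoftwareUni.softwareName
    From tblSoftware
      Inner Join tblSoftwareUni On tblSoftwareUni.SoftID = tblSoftware.SoftID
    Where tblSoftwareUni.softwareName Like '%Kaseya%'
  ) As Hits On Hits.AssetID = tblAssets.AssetID
Where tblState.Statename = 'Active'
Order By tblAssets.Domain, tblAssets.AssetName, Hits.Indicator
```

An asset that matches more than one indicator appears once per indicator, so sorting by AssetName groups its hits together for review.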