Huge thanks to those who sent unencrypted Kaseya VSA and Windows Event logs from compromised VSA servers! Our team combed through them until 0430 ET on 3 July.
We also hosted a webinar on Tuesday, July 6 at 1pm ET to provide additional information; the recording is available here. This is not the first time hackers have made MSPs into supply chain targets, and we recorded a video guide to Surviving a Coordinated Ransomware Attack after 100+ MSPs were compromised in 2019. Many partners are asking, "What do you do if your RMM is compromised?" We appreciated that team's effort and continue to ask everyone to please consider what it's like at Kaseya when you're calling their customer support team. They immediately started taking response actions and feedback from our team as we both learned about the unfolding situation. Our team has been in contact with the Kaseya security team since July 2 at ~1400 ET.
We have begun the process of remediating the code and will include regular status updates on our progress starting tomorrow morning. R&D has replicated the attack vector and is working on mitigating it. Huntress Security Researcher Caleb Stewart has successfully reproduced the attack and released a POC video demonstrating the chain of exploits. All of these VSA servers are on-premises, and we have confirmed that cybercriminals exploited authentication bypass, arbitrary file upload, and code injection vulnerabilities to gain access to them. We are tracking over 30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was used to encrypt well over 1,000 businesses, and we are working in collaboration with many of them.