UPDATE ON RECENT KASEYA VSA BREACH
July 2, 2021: Information on the Kaseya VSA Ransomware Attack & What ConnectWise is Doing to Help Our Partners
As you may be aware, Kaseya VSA is experiencing a REvil ransomware attack impacting MSP customers and end customers.
If your organization utilizes Kaseya VSA, Kaseya has advised that you IMMEDIATELY shut down your VSA server until you receive further notice from them.
Actions ConnectWise is Taking to Protect Our Partners:
The security of our partners and systems is our top priority. ConnectWise’s Security Operations Center, Network Operations Center, Product, and Engineering teams are actively reviewing and monitoring our environment and have so far found no evidence that any of our systems are involved or impacted.
We are taking the following actions to ensure the security of our products and systems:
We see no indication of similar attacks, compromises, or suspicious activity associated with ConnectWise products and services.
We have temporarily disabled all on-prem and cloud Kaseya and IT Glue integrations into Manage as a precautionary step until more information is available. Our team will share information about re-connecting the access once the all-clear message has been released.
Our Security Operations Center (SOC) team has been, and will continue, carefully monitoring the situation. We have reviewed the available threat data in our SOC-monitored systems (Fortify Endpoint, Fortify Network, Perch and StratoZen) for signs of potentially compromised environments. In addition, we have temporarily removed any exclusions related to the Kaseya agent and blacklisted the IOCs related to what is currently known of the attack, based on our work within the MSP cyber community.
The ConnectWise Cyber Research Unit (CRU) is monitoring threat activity from obtained malware samples. We have used these samples to generate and monitor for IoCs (Indicators of Compromise) around this threat. These IoCs are being used to hunt for true positive correlations.
CRU is actively searching for the following IoCs for partners that utilize StratoZen and Perch. Please note that there are additional IoCs that we are currently unable to share.
1. Multiple C2 domains from the JSON malware configuration file, which are not being shared at this time.
2. Hashes for the attack structure:
   1. agent.exe: 561cffbaba71a6e8cc1cdceda990ead4 (MD5)
   2. agent.exe (encrypt payload): 5162f14d75e96edb914d1756349d6e11583db0b0 (SHA1)
   3. mpsvc.dll (sideloaded encryption payload): 656c4d285ea518d90c1b669b79af475db31e30b1 (SHA1)
3. Certificate signer identity:
   1. PB03 TRANSPORT LTD
4. Additional CRU malware sandbox IoCs which cannot yet be publicly shared.
ConnectWise CRU Event Notifications
The CRU has deployed a new event notification in Perch and StratoZen to alert for any activity around known IoCs from this attack. The ConnectWise SOC is actively monitoring for this alert.
[Windows][CRU] Kaseya Buffalo Jump File Create in “kworking” Directory
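The following Python is an added example, not ConnectWise or CRU tooling, showing how a SOC can hunt locally for the hashes listed above and how the file-create notification above can be expressed as detection logic. It assumes Sysmon-style key=value log lines with EventID 11 meaning FileCreate; the log lines, the temporary directory, the planted file and its label are constructed for the demonstration and are not real malware.

```python
"""Hunt for the Kaseya VSA attack IoCs from the advisory: hash matching over a
directory tree, and a file-create-in-kworking check over log lines.
Added example; not ConnectWise/CRU code."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Hash IoCs copied from the advisory (lower-case hex digests).
KNOWN_HASHES = {
    "md5": {"561cffbaba71a6e8cc1cdceda990ead4": "agent.exe"},
    "sha1": {
        "5162f14d75e96edb914d1756349d6e11583db0b0": "agent.exe (encrypt payload)",
        "656c4d285ea518d90c1b669b79af475db31e30b1": "mpsvc.dll (sideloaded encryption payload)",
    },
}


def file_digests(path):
    """Return MD5 and SHA1 hex digests of a file, hashing in 1 MiB chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def match_digests(digests, known=KNOWN_HASHES):
    """Return (algorithm, label) for every digest that is in the IoC table."""
    return [(algo, table[digests[algo]])
            for algo, table in known.items()
            if digests.get(algo) in table]


def scan_tree(root, known=KNOWN_HASHES):
    """Walk `root` and return (path, algorithm, label) for every hash hit."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            for algo, label in match_digests(file_digests(p), known):
                hits.append((str(p), algo, label))
    return hits


# Detection analogue of the "File Create in kworking Directory" notification.
# Assumption: Sysmon-style lines where EventID 11 is FileCreate.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Match a path component named exactly "kworking" (not e.g. "kworkingbackup").
KWORKING_RE = re.compile(r"(?:^|[\\/])kworking(?:[\\/]|$)", re.IGNORECASE)


def parse_event(line):
    """Turn `key=value key="quoted value"` into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def kworking_file_creates(lines):
    """Return TargetFilename of FileCreate events landing in a kworking directory."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "11":
            continue  # only file-create events are in scope for this rule
        target = ev.get("TargetFilename", "")
        if KWORKING_RE.search(target):
            alerts.append(target)
    return alerts


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    r'EventID=11 Image="C:\Windows\System32\cmd.exe" TargetFilename="C:\kworking\agent.exe"',
    r'EventID=11 Image="C:\Program Files\App\app.exe" TargetFilename="C:\Users\bob\Documents\notes.txt"',
    r'EventID=1 Image="C:\Program Files\App\app.exe" CommandLine="app.exe --sync"',
    r'EventID=11 Image="C:\Windows\explorer.exe" TargetFilename="C:\kworkingbackup\file.txt"',
]


def demo_scan():
    """Build a constructed directory with a benign file and a planted file whose
    SHA1 is added to a copy of the IoC table, scan it, and return the hits."""
    root = Path(tempfile.mkdtemp(prefix="ioc-demo-"))
    (root / "benign.txt").write_bytes(b"nothing to see here")
    planted = b"constructed sample, not real malware"
    (root / "planted.bin").write_bytes(planted)
    known = {algo: dict(table) for algo, table in KNOWN_HASHES.items()}
    known["sha1"][hashlib.sha1(planted).hexdigest()] = "constructed test sample"
    try:
        return scan_tree(root, known)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("hash hits:", demo_scan())
    print("kworking file creates:", kworking_file_creates(SAMPLE_LOG))
```

Hash matching is only as good as the sample set it was built from; the advisory itself notes further IoCs that are not yet shared, so the kworking file-create rule is the more durable of the two checks because it keys on behaviour rather than on a specific binary.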
Actions deployed in SentinelOne:
All Kaseya exclusions removed from all production SentinelOne consoles.
IOCs of agent.exe and mpsvc.dll blacklisted across all SentinelOne consoles.
IOCs searched across the historical data of all SentinelOne consoles.
We are working and partnering with other vendors to further assist the IT Nation community.
ConnectWise Control will offer free temporary STANDARD support licensing to partners affected by this incident who do not have a current Control account. Navigate here to sign up for the free license. This will enable impacted partners to maintain connectivity with their client machines during these turbulent times.