We are aware that some MSSP’s customers (Managed Security Services Providers) have been hit by a ransomware. It seems that four(4) MSSP’s have been affected until now. The ransomware was spread through the remote management solution “VSA” provided by Kaseya[1]. This looks to be a brand new type of supply chain attack.
What we know so far? Kaseya requested all customers to shutdown their on-premises servers (the cloud version is already down) because, once compromised, prevent access to the device.
The ransomware is dropped to c:kworkingagent.exe[2].
If you’re a Kaseya’s VSA user, please check as soon as possible with your representative to mitigate this attack. We will update this diary with more information when available.
[1] https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
[2] https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/detection
Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
