Our team continues to investigate the Kaseya VSA supply chain attack that's currently affecting a growing number of MSPs, resellers and their customers. Our initial findings and analysis are captured in this Reddit thread. We're continuing to update that thread and this post with new information. On Tuesday, July 13, we continued our coverage of the attack during July's episode of Tradecraft Tuesday. We also hosted a webinar on Tuesday, July 6 at 1pm ET to provide additional information; access the recording here.

We're working around the clock to support MSPs who have been impacted by this attack. If you need assistance, even if you're not a current Huntress partner, please contact our support team at

We are tracking ~30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was used to encrypt well over 1,000 businesses, and we are working in collaboration with many of them. All of these VSA servers are on-premises. Huntress has confirmed that cybercriminals exploited an arbitrary file upload and code injection vulnerability, and we have high confidence that an authentication bypass was used to gain access to these servers. R&D has replicated the attack vector and is working on mitigating it. We have begun the process of remediating the code and will include regular status updates on our progress starting tomorrow morning.

Our team has been in contact with the Kaseya security team since July 2 at approximately 2:00pm ET. They immediately started taking response actions and feedback from our team as we both learned about the unfolding situation.

Many partners are asking "What do you do if your RMM is compromised?" This is not the first time hackers have made MSPs supply chain targets, and we previously recorded a video guide to Surviving a Coordinated Ransomware Attack after 100+ MSPs were compromised in 2019. This is a good resource to start with, and you can also watch our most recent webinar about recovering from a mass ransomware attack here.

Current Status

At 4:30pm ET on July 11, Kaseya released their patch to remediate on-premises VSA servers. The Huntress team has since validated this patch, which was dubbed 9.5.7a (9.) Feature Release. In Update 5 of our Reddit post thread (2110 ET), we mentioned: "For our Huntress partners using VSA, we took proactive steps to help protect your systems. We will send out a follow-up with details." Read all the details about the "proactive steps" we took in this blog post.

The Huntress team has validated the released Kaseya patch, dubbed 9.5.7a (9.) Feature Release. You can install the patch with the "KInstall.exe" update utility, found online here if you do not find a local copy. From our testing, installing the patch took approximately 10 minutes. Installing the patch does suggest a Windows Update if you have not recently installed the latest updates from Microsoft. After logging back into the VSA service, you are prompted to change your password to meet the new policy requirements. We observe that, with this patch installed, /dl.asp, /userFilterTableRpt.asp and /done.asp are no longer present. The "Deploy Agent" menu item in the GUI /mkDefault.asp. KUpload.dll has been modified (we have yet to dig into the changes on this file). With this patch installed, our previous proof-of-concept exploit now fails, and we believe the attack vector is no longer present.

Kaseya has released their patch to remediate on-premises VSA servers and brought VSA SaaS infrastructure back online at 1630 ET on July 11, 2021. Our team is working to validate the patch and will have more updates soon.