DIVD-2021-00002 - Kaseya VSA
| Our reference | DIVD-2021-00002 |
| Case lead | Frank Breedijk |
| Author | |
| Researcher(s) | |
| Product | Kaseya VSA |
| Versions | All on-premise Kaseya VSA versions. |
| Recommendation | Disable the on-premise Kaseya VSA servers immediately. |
| Status | Closed |
| Last modified | 12 Aug 2022 11:21 CEST |
Summary
On 2 July 2021, Kaseya published a notification advising to disable your on-premise Kaseya VSA servers immediately.
What you can do
Follow the official advisory from Kaseya:
We recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us.
Its critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.
What we are doing
The Dutch Institute for Vulnerability Disclosure (DIVD) performs a daily scan to detect vulnerable Kaseya VSA servers and notify the owners directly or via the known abuse channels, Gov-CERTs, and other trusted channels.
We have identified this server by downloading the paths ‘/’, ‘/api/v1.5/cw/environment’ and ‘/install/kaseyalatestversion.xml’ and matching patterns in these files.
Timeline
| Date | Description |
|---|---|
| 02 Jul 2021 | Kaseya publishes their advisory |
| 02 Jul 2021 | DIVD start scanning to identify exposed Kaseya VSA servers |
| 03 Jul 2021 | DIVD has sent out notifications to the listed abuse addresses of all exposed Kaseya VSA servers found online |
| 09 Jul 2021 | With (almost) all vulnerable servers offline the work for DIVD CSIRT is done, case closed. |
More information
- official advisory from Kaseya
- DoublePulsar blog post
- Sophos blog post