Skip to the content.

DIVD-2021-00002 - Kaseya VSA

Our reference DIVD-2021-00002
Case lead Frank Breedijk
Author Victor GeversLennaert Oudshoorn
Researcher(s)
Product Kaseya VSA
Versions All on-premise Kaseya VSA versions.
Recommendation Disable the on-premise Kaseya VSA servers immediately.
Status Closed
Last modified 25 Jan 2022 16:04

Summary

On 2 July 2021, Kaseya published a notification advising to disable your on-premise Kaseya VSA servers immediately.

What you can do

Follow the official advisory from Kaseya:

We recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us.

Its critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.

What we are doing

The Dutch Institute for Vulnerability Disclosure (DIVD) performs a daily scan to detect vulnerable Kaseya VSA servers and notify the owners directly or via the known abuse channels, Gov-CERTs, and other trusted channels.

We have identified this server by downloading the paths ‘/’, ‘/api/v1.5/cw/environment’ and ‘/install/kaseyalatestversion.xml’ and matching patterns in these files.

Timeline

Date Description
02 Jul 2021 Kaseya publishes their advisory
02 Jul 2021 DIVD start scanning to identify exposed Kaseya VSA servers
03 Jul 2021 DIVD has sent out notifications to the listed abuse addresses of all exposed Kaseya VSA servers found online
09 Jul 2021 With (almost) all vulnerable servers offline the work for DIVD CSIRT is done, case closed.
gantt title DIVD-2021-00002 - Kaseya VSA dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2021-00002 - Kaseya VSA (99 days) :2021-04-01, 2021-07-09 section Events Kaseya publishes their advisory : milestone, 2021-07-02, 0d DIVD start scanning to identify exposed Kaseya VSA servers : milestone, 2021-07-02, 0d DIVD has sent out notifications to the listed abuse addresses of all exposed Kaseya VSA servers found online : milestone, 2021-07-03, 0d With (almost) all vulnerable servers offline the work for DIVD CSIRT is done, case closed. : milestone, 2021-07-09, 0d

More information