DIVD-2021-00002 - Kaseya VSA
| Case lead | Frank Breedijk |
| Author | Victor Gevers, Lennaert Oudshoorn |
| Versions | All on-premise Kaseya VSA versions. |
| Recommendation | Disable the on-premise Kaseya VSA servers immediately. |
On 2 July 2021, Kaseya published a notification advising customers to disable their on-premise Kaseya VSA servers immediately.
What you can do
Follow the official advisory from Kaseya:
We recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us.
It's critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.
What we are doing
The Dutch Institute for Vulnerability Disclosure (DIVD) performs a daily scan to detect vulnerable Kaseya VSA servers and notify the owners directly or via the known abuse channels, Gov-CERTs, and other trusted channels.
We have identified these servers by downloading the paths ‘/’, ‘/api/v1.5/cw/environment’ and ‘/install/kaseyalatestversion.xml’ and matching patterns in these files.
| 02-07-2021 | Kaseya publishes their advisory |
| 02-07-2021 | DIVD starts scanning to identify exposed Kaseya VSA servers |
| 03-07-2021 | DIVD has sent out notifications to the listed abuse addresses of all exposed Kaseya VSA servers found online |