Executive Summary

The Kaseya VSA attack was a sophisticated supply chain attack that leveraged multiple zero-day vulnerabilities to deploy REvil ransomware to thousands of organizations. The attack targeted Managed Service Providers (MSPs) to maximize impact.

Technical Analysis

The attack chain exploited:
1. CVE-2021-30116: SQL injection for authentication bypass
2. CVE-2021-30119: XSS for session hijacking
3. CVE-2021-30120: Two-factor authentication bypass

SQL Injection Vector

-- Authentication bypass payload
' OR '1'='1' --
username=admin' AND 1=1--&password=anything

Payload Deployment

Attack Chain Progression

Impact Assessment

  • 1,500+ Organizations: Directly impacted
  • Supply Chain Effect: Thousands more via MSPs
  • $70 Million Ransom: Initial demand by REvil
  • Critical Infrastructure: Multiple sectors affected

Detection Methods

# Check for Kaseya compromise indicators
# Look for suspicious agent procedures
Get-ChildItem -Path "C:\Kaseya\Scripts" -Filter "*.ps1" -Recurse |
    Select-String -Pattern "defender|update" |
    Where-Object {$_.Line -match "base64|encoded"}

# Monitor for ransomware artifacts
Get-ChildItem -Path C:\ -Include "*-readme.txt" -Recurse -ErrorAction SilentlyContinue
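The Select-String check above only matches literal terms, so an agent procedure that hides its Defender-tampering command inside a base64 -EncodedCommand argument would slip past it. The following Python scanner is an added example (not code from the original page or from Kaseya) that decodes PowerShell -EncodedCommand arguments before matching; the script names and contents are constructed samples.

```python
import base64
import binascii
import re

# PowerShell -EncodedCommand (also -e / -enc) carries a UTF-16LE string in base64.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Terms the page's own check looks for, plus the Defender preference cmdlet name.
SUSPICIOUS = re.compile(r"defender|MpPreference|update", re.IGNORECASE)


def decode_encoded_commands(script_text):
    """Return the plaintext of every -EncodedCommand argument found in a script."""
    decoded = []
    for match in ENCODED_ARG.finditer(script_text):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, nothing to decode
        decoded.append(raw.decode("utf-16-le", errors="ignore"))
    return decoded


def scan_script(name, script_text):
    """Return (name, how_found, evidence) tuples for one agent-procedure script."""
    findings = []
    for line in script_text.splitlines():
        if SUSPICIOUS.search(line):
            findings.append((name, "plaintext", line.strip()))
    for plaintext in decode_encoded_commands(script_text):
        if SUSPICIOUS.search(plaintext):
            findings.append((name, "decoded", plaintext.strip()))
    return findings


def scan_scripts(scripts):
    """Scan a {name: content} mapping (in practice, loaded from C:\\Kaseya\\Scripts)."""
    results = []
    for name, text in scripts.items():
        results.extend(scan_script(name, text))
    return results


def _encode(command):
    """Encode a command the way PowerShell expects for -EncodedCommand (test helper)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample scripts; these are not real Kaseya procedures.
SAMPLE_SCRIPTS = {
    "hotfix.ps1": "powershell.exe -ExecutionPolicy Bypass -EncodedCommand "
                  + _encode("Set-MpPreference -DisableRealtimeMonitoring $true"),
    "inventory.ps1": "Get-Service | Where-Object Status -eq Running",
    "plain.ps1": "Set-MpPreference -DisableIOAVProtection $true",
}

if __name__ == "__main__":
    for finding in scan_scripts(SAMPLE_SCRIPTS):
        print(finding)
```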

Mitigation Strategies

Immediate Response

  1. Shut down VSA Servers:
     # Stop all Kaseya services
     net stop "Kaseya Agent Service"
     net stop "Kaseya Server Service"
  2. Apply Patches:
     • VSA 9.5.7a (9.5.7.2994)
     • VSA 9.5.6 (9.5.6.2993)
  3. Reset Credentials:
     • All VSA accounts
     • API keys
     • Agent passwords

Long-term Measures

  • Implement network segmentation
  • Enhanced monitoring of MSP tools
  • Zero-trust architecture
  • Regular security assessments

References