Affected entities ranged from a Swedish grocery chain that shuttered hundreds of locations due to the incident, to several school systems in New Zealand. Continuous updates from security firm Huntress as well as Kaseya itself indicated dozens of VSA customers (MSPs) were impacted, leading to follow-on impacts at more than one thousand entities linked to the impacted MSPs. While the impact of this incident will only become clear with more time, sufficient information now exists to analyze precisely how this event took place, and how network defenders can prepare for future, similar incidents should they occur. Initial delivery and execution mechanisms for this incident relied on identification and subsequent exploitation of vulnerabilities within the VSA platform.
While initial reporting suggested a potential breach at Kaseya leading to the distribution of malicious VSA updates, subsequent analysis revealed this not to be the case. Instead, while the company’s software was certainly impacted through the event, Kaseya itself appears to have avoided a breach of its own network. Rather than a software supply chain compromise, the incident instead reflects a services supply chain incident. In this scenario, the adversary abuses trust relationships between ultimate victims and MSPs in order to deploy a malicious capability. Previous examples of service-focused supply chain activity include the CloudHopper campaign and the Palmetto Fusion activity described by the U.S. At this time, it is not clear whether the MSPs targeted in this incident were deliberate selections (for example, based on the number or type of clients managed) or opportunistic identification of entities running vulnerable and exposed VSA instances.
Based on analysis from Huntress, enabled through data sharing from victim MSPs, initial intrusion at MSP entities started by accessing an externally exposed VSA-related resource - dl.asp - and abusing a flaw in that application’s authentication process. On the latter point, Kaseya repeatedly stated during response to this incident that only the on-premises version of VSA was impacted by the vulnerabilities under discussion, while the software as a service (SaaS) platform showed no evidence of exploitation.
While upload of these items appears to have abused legitimate VSA functionality following the authentication bypass noted above, actual process execution appears to rely on another vulnerability, potentially SQL injection, via another exposed application, userFilterTableRpt.asp.
As noted by Kaseya, the following HTTP GET and POST requests relate to the previously-described activity: POST: /dl.asp, /cgi-bin/KUpload.dll, /userFilterTableRpt.asp. Through exploitation, the REvil affiliate would be able to achieve command execution of the deployed payloads in the victim environment, leading to follow-on infection stages described below. The above items in this specific incident were accessed by an entity potentially using the command line tool cURL, based on the User Agent “curl/7.69.1” observed in network logs and traffic.
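As an added example (not code from the original post, Kaseya or Huntress), the following Python walks IIS W3C-format web logs from a VSA host and flags the request pattern discussed on this page: a client that POSTs to /dl.asp, then /cgi-bin/KUpload.dll, then /userFilterTableRpt.asp, plus every request carrying the curl/7.69.1 User-Agent. The log lines, server and client addresses are constructed samples, and the field layout assumes the IIS W3C extended format.

```python
# Added example, not part of the original analysis: detector for the
# dl.asp -> KUpload.dll -> userFilterTableRpt.asp POST sequence and the
# curl/7.69.1 User-Agent in IIS W3C web logs from a VSA server.
from collections import defaultdict

WATCHED_PATHS = ("/dl.asp", "/cgi-bin/KUpload.dll", "/userFilterTableRpt.asp")
SUSPICIOUS_UA = "curl/7.69.1"

# Constructed sample log (IIS W3C extended format; addresses are fictitious).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-07-02 14:01:05 10.0.0.5 GET /dl.asp - 443 - 198.51.100.23 curl/7.69.1 200
2021-07-02 14:01:09 10.0.0.5 POST /dl.asp - 443 - 198.51.100.23 curl/7.69.1 200
2021-07-02 14:01:31 10.0.0.5 POST /cgi-bin/KUpload.dll - 443 - 198.51.100.23 curl/7.69.1 200
2021-07-02 14:02:02 10.0.0.5 POST /userFilterTableRpt.asp - 443 - 198.51.100.23 curl/7.69.1 200
2021-07-02 14:03:10 10.0.0.5 GET /dl.asp - 443 - 192.0.2.7 Mozilla/5.0 200
2021-07-02 14:05:44 10.0.0.5 POST /userFilterTableRpt.asp - 443 admin 192.0.2.7 Mozilla/5.0 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def analyze(text):
    """Return (chains, curl_hits): client IPs that completed the full
    three-step POST sequence in order, and every (client, method, path)
    that carried the curl/7.69.1 User-Agent."""
    progress = defaultdict(int)  # client IP -> index of the next expected path
    chains, curl_hits = [], []
    for r in parse_w3c(text):
        client, path = r["c-ip"], r["cs-uri-stem"].lower()
        if r["cs(User-Agent)"] == SUSPICIOUS_UA:
            curl_hits.append((client, r["cs-method"], path))
        # Per-client state machine: advance only on the next expected POST,
        # so an isolated hit on userFilterTableRpt.asp alone does not fire.
        if r["cs-method"] == "POST" and path == WATCHED_PATHS[progress[client]].lower():
            progress[client] += 1
            if progress[client] == len(WATCHED_PATHS):
                chains.append(client)
                progress[client] = 0
    return chains, curl_hits
```

Legitimate administrative traffic can touch these endpoints individually, so the ordered chain from one client is the higher-confidence signal; the curl hits are context to pivot on.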