*A Special Briefing webinar will be held on 7.7.21. Visit to register via the Global Resilience Federation.

Kaseya provides software tools to Managed Services Providers (MSPs) that typically handle IT and back-office work for companies too small or modestly resourced to have their own departments. One of Kaseya’s tools, the Virtual System Administrator (VSA), was subverted on Friday July 2nd, allowing ransomware actors to paralyze hundreds of businesses on five continents. VSA is RMM (Remote Monitoring and Management) software commonly used by MSPs to manage clients’ networks. The attackers were able to exploit a zero-day vulnerability (CVE-2021-30116) in the VSA product to bypass authentication and run arbitrary commands. This allowed the attackers to leverage standard VSA product functionality to deploy ransomware to endpoints.

Kaseya was in the process of patching the zero-day vulnerability, which had been reported privately by researchers. However, the ransomware affiliate behind the attack obtained the zero-day's details and exploited it to deploy the ransomware before Kaseya could start rolling out a fix to VSA customers. According to Huntress, ransomware encryptors were dropped to Kaseya's TempPath with the file name agent.exe (c:\kworking\agent.exe by default). This path is configurable within HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kaseya\Agent\. The VSA procedure used to deploy the encryptor was named "Kaseya VSA Agent Hot-fix". There is no evidence that Kaseya’s VSA codebase has been maliciously modified. Mandiant was engaged to investigate the incident and assess the manner and impact of the attack.
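As an added defensive check (not code from Kaseya, Huntress or Mandiant), the following PowerShell hunt reads the agent working directory from the registry key named above and reports any agent.exe found there with its hash, timestamps and signature status for triage. It assumes the per-agent value is named TempPath and lives on that key or one of its subkeys (an assumption; adjust to your installation), and it always checks the default C:\kworking as well.

```powershell
# Added hunting check for the drop location described in the text.
# Assumptions (labelled): the agent's working directory is stored in a value
# named "TempPath" on HKLM\SOFTWARE\WOW6432Node\Kaseya\Agent or one of its
# subkeys; C:\kworking is the default when nothing is configured.
$AgentKey    = 'HKLM:\SOFTWARE\WOW6432Node\Kaseya\Agent'
$DefaultTemp = 'C:\kworking'

function Get-KaseyaTempPaths {
    # Collect every configured TempPath plus the documented default.
    $paths = @($DefaultTemp)
    if (Test-Path $AgentKey) {
        $keys = @(Get-Item -Path $AgentKey) +
                @(Get-ChildItem -Path $AgentKey -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            $v = Get-ItemProperty -Path $k.PSPath -Name 'TempPath' -ErrorAction SilentlyContinue
            if ($v -and $v.TempPath) { $paths += $v.TempPath }
        }
    }
    return $paths | Sort-Object -Unique
}

function Find-SuspectAgentDrops {
    # Report any agent.exe sitting in a Kaseya working directory so responders
    # can compare its hash and signature against the vendor's legitimate binaries.
    foreach ($dir in Get-KaseyaTempPaths) {
        $candidate = Join-Path -Path $dir -ChildPath 'agent.exe'
        if (Test-Path -Path $candidate) {
            $f = Get-Item -Path $candidate
            [pscustomobject]@{
                Path      = $f.FullName
                Sha256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
                Created   = $f.CreationTimeUtc
                Modified  = $f.LastWriteTimeUtc
                Signature = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
            }
        }
    }
}

Find-SuspectAgentDrops | Format-List
```

Run it from an elevated PowerShell session on a managed endpoint; an empty result means no agent.exe is present in any configured working directory, not that the host is clean.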