- CREATED 1 HOUR AGO by AlienVault
- Public
- TLP: White
The attack leveraged the on-premises servers deployed by IT management software vendor Kaseya. It was initially thought that Kaseya might have been compromised themselves as the root cause, similar to the compromises associated with SolarWinds software in December of 2020. Instead, the attackers found and leveraged an unpatched zero-day vulnerability in Kaseya's VSA software. At the time of this blog, 1,500 downstream customers of these MSPs have been infected with ransomware.
REFERENCES: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/ , https://twitter.com/MBThreatIntel/status/1412518446013812737
TAGS: kaseya, cobalt strike, revil, cobaltstrike, ransomware
ADVERSARY: Kaseya VSA
MALWARE FAMILIES: Kaseya, REvil, CobaltStrike
ATT&CK IDS: T1566 – Phishing, T1574 – Hijack Execution Flow, T1190 – Exploit Public-Facing Application, T1027 – Obfuscated Files or Information