Kaseya Security Incident

Number: AL21-013 UPDATE 1 Date: 5 July 2021 Updated: 12 July 2021 AUDIENCE This Alert is intended for IT professionals and managers of notified organizations. PURPOSE An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") seeks information to assess the impact in Canada, and to help Canadian organizations respond to this malicious activity. Should activity matching the content of this Alert be discovered, recipients are encouraged to report this to the Cyber Centre via the My Cyber Portal , contact the Cyber Centre by email contact@cyber.gc.ca , or by telephone ( 1-833-CYBER-88 or 1-833-292-3788 ). The Cyber Centre also strongly recommends that organizations report malicious activity related to this alert to their local police of jurisdiction. OVERVIEW The Cyber Centre is aware of open-source reporting [ 1 ][ 2 ] of large scale REvil (also known as Sodinokibi) ransomware activity affecting multiple managed service providers (MSPs) that use Kaseya VSA, a remote monitoring and management platform [ 3 ]. DETAILS On 2 July 2021 researchers reported ransomware dropped to a working directory of multiple on-premises servers running Kaseya VSA, a remote monitoring and management platform commonly used by MSPs. By injecting malicious code into the products and then leveraging its native functions, actors have been able to deploy ransomware at scale across MSPs to their hosted organizations. VSA is available in both an on-premises and a software-as-a-service (SaaS) model. The vendor has disabled the SaaS and will reenable it pending remediation. The company has indicated that the release of patches for on-premises VSA servers will follow restoral of the SaaS offering. The activity has affected approximately 30 MSPs [ 2 ], encrypting files of more than one-thousand businesses. Impact...

... (truncated for display)