Alert Logic is actively monitoring a large-scale ransomware attack against Kaseya's VSA software. On July 2, 2021, Kaseya confirmed it had suffered a ransomware attack on its VSA software – a set of tools used to manage and monitor computers remotely. The immediate guidance is for customers using Kaseya’s VSA software to disconnect all Kaseya VSA servers until further notice. Numerous Kaseya clients have already reported being affected.
Alert Logic has detected this ransomware in our customer base, and all identified customers are being alerted by our security experts. Alert Logic does not use Kaseya VSA software; our products and infrastructure are not affected.
Kaseya VSA is a Unified Remote Monitoring & Management product used by many Managed Service Providers (MSPs) to remotely manage customer accounts. Malware was found in the official Kaseya VSA update, which set off a chain reaction that affected the VSA servers of at least 20 MSPs and spread from there to customer machines.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic is researching this threat to develop appropriate scan coverage.
Network IDS: Alert Logic is actively researching this threat to determine whether signatures can be developed to detect attacks.
Log Management: Alert Logic has released telemetry signatures to help our Security Operations Center monitor customer environments for exploitation of this vulnerability.
Web Application Firewall: Due to the nature of this vulnerability, web application coverage is not expected to be appropriate for this threat.
Recommendations for Mitigation
The guidance from Kaseya at this time is as follows:
- All on-premise VSA servers should be taken offline until further notice. SaaS servers are also offline until further notice.
- Customers who experience ransomware and receive communication from the attackers should not click on any links.
Additional guidance and details on how Kaseya is investigating are available in Kaseya’s incident update.
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available.