- Configure health on kaseya agent update#
- Configure health on kaseya agent full#
- Configure health on kaseya agent software#
- Configure health on kaseya agent code#
Configure health on kaseya agent update#
crt payload as a fake update to Windows endpoints managed by the VSA servers.
Configure health on kaseya agent software#
Kaseya VSA is a software used to manage software updates and IT automations, and, as such, it is commonly used by MSPs. In the same interview, the operators stated that REvil generates around $100M USD/year in revenue.
Configure health on kaseya agent code#
According to a recent interview with the REvil operators, the developers of the REvil ransomware obtained the source code of an existing ransomware (likely GandCrab) and modified it to create the REvil RaaS. – Tom Kellermann, Head of Cyber security Strategy at VMwareĪ report from Secureworks research indicates that there are strong technical links between the REvil and the GandCrab RaaS families. “This is a dramatic escalation in punitive cyber-attacks.” They are very open and for a more interesting take check out this video from the group itself. They run a business and business for them is good. REvil are innovators in the nefarious world of cyber-crime. This group was also responsible for the TravelEx ransom. This group is responsible for a spree of cyber crime as well as being the first cyber crime group to offer $1 million dollars in BTC for recruiting new members. Since it first surfaced in April 2019, this threat has successfully targeted multiple MSPs affecting several different customers from government organizations to dental health offices.
REvil (also known as Sodinokibi or Sodin) operates as a ransomware-as-a-service (RaaS). In summary, even if the software provider (Kaseya) was not compromised (as it happened in the SolarWinds incident), the managers of the software were, leading to similar disastrous results.
Configure health on kaseya agent full#
The MSPs’ Internet-facing servers were compromised using a zero-day vulnerability that allowed the attackers to access the functionality of the Kaseya application. It’s a case of remote-to-local exploitation, which was leveraged to perform additional malicious actions.įrom the point of view of the compromised clients of the MSPs, on the other hand, this incident does appear like a supply-chain attack: A vendor with full access to the client’s infrastructure was compromised, resulting in the deployment of ransomware on the client’s systems. In this case, the weakness occurred at a managed security provider.įrom the point of view of the compromised MSPs this is not a supply-chain attack. This attack shows that our supply chain and the security of it is only as strong as the weakest link in it. The press has described this attack as a supply-chain attack, drawing comparisons with the devastating SolarWinds attack of December 2020. Figure 1: REvil operator’s “Happy Blog” on the attack about the infection scale and demanded ransom.