On Friday, July 2nd, 2021 a well-orchestrated, mass-scale ransomware campaign was discovered targeting customers of Kaseya’s managed services software and delivering REvil ransomware.

Kaseya’s initial advisory underscored the severity of the situation, as the company instructed customers to shut down VSA servers until further notice. It was initially considered a supply chain attack, a safe assumption at that scale, but with time it became apparent that the attackers were instead leveraging a zero-day exploit against internet-facing Kaseya VSA servers. Since then, Kaseya has engaged the security community and triaged the root cause of this incident. This post seeks to unravel the infection chain, highlight relevant indicators, and clarify protections for our customers.

Kaseya VSA Exploit and Infection Chain

Current findings show that logic flaws in one of the VSA components (dl.asp) may have led to an authentication bypass. The attackers could then use KUpload.dll to drop multiple files, including ‘agent.crt’, a fake certificate that contains the malware dropper. Another dropped artifact, Screenshot.jpg, appears to be a JavaScript file and has only been partially recovered at this time.

Figure: Malware execution chain
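Both dropped artifacts described above share one trait a defender can check for: the file extension promises one kind of content (a certificate, an image) and the bytes deliver another. The sniffer below is an added example written for this post, not code from the original write-up or from Kaseya; the byte signatures come from the public PEM, DER, JPEG and PE format specs, the JavaScript hints are an assumed heuristic, and the sample files are constructed with the artifact names from the text and invented payload bytes.

```python
import re

# Leading-byte signatures from the public format specs (constructed here, not from the page).
PE_MAGIC = b"MZ"
PEM_CERT_HEADER = b"-----BEGIN CERTIFICATE-----"
JPEG_MAGIC = b"\xff\xd8\xff"
JS_HINT = re.compile(rb"^(var |let |function |\(function|new ActiveXObject|WScript\.)")

# Content kinds a file with this extension is allowed to have.
EXPECTED_BY_EXT = {".crt": {"pem-certificate", "der-asn1"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}}


def classify_content(data: bytes) -> str:
    """Best-effort content kind from the leading bytes (a sniff, not a full parser)."""
    head = data.lstrip()[:64]
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(PEM_CERT_HEADER):
        return "pem-certificate"
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    if JS_HINT.match(head):
        return "javascript"
    # A DER certificate is an ASN.1 SEQUENCE (tag byte 0x30); checked last because
    # plain text starting with '0' would match too.
    if head[:1] == b"\x30":
        return "der-asn1"
    return "unknown"


def is_masquerading(name: str, data: bytes) -> bool:
    """True when the extension promises one content kind and the bytes deliver another."""
    dot = name.rfind(".")
    expected = EXPECTED_BY_EXT.get(name[dot:].lower() if dot != -1 else "")
    if expected is None:
        return False  # extension not covered by this check
    return classify_content(data) not in expected


def find_masquerading(files: dict) -> list:
    """Names of the files whose content does not match their extension, sorted."""
    return sorted(n for n, d in files.items() if is_masquerading(n, d))


# Constructed samples reusing the artifact names from the text; the bytes are invented.
SAMPLES = {
    "agent.crt": b"MZ\x90\x00" + b"\x00" * 28,             # PE header, not a certificate
    "Screenshot.jpg": b"(function () { var x = 1; })();",  # script text, not a JPEG
    "legit.crt": PEM_CERT_HEADER + b"\nMIIB...\n-----END CERTIFICATE-----\n",
    "photo.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF",
}
```

Run `find_masquerading(SAMPLES)` over a directory listing read from disk to triage dropped files; a hit is a reason to pull the file for analysis, not proof of malice on its own.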