CVE-2021-30116
published 2021-07-09
Priority P1 · 96 · critical · 9.8 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerabilitydue 2021-11-17
Exploited in the wild
EPSS
85.62%
99.7th percentile
Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021.

By default, an on-premise Kaseya VSA server offers a download page from which the agent installers can be downloaded; its default URL is https://x.x.x.x/dl.asp. When an attacker downloads the Windows agent and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini), containing an Agent_Guid and an AgentPassword. These two values can be used to log in on dl.asp:

https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9

This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication.

Security issues discovered
- Unauthenticated download page leaks credentials
- Credentials of the agent software can be used to obtain a sessionId (cookie) that is accepted by services not intended for use by agents
- dl.asp accepts credentials via a GET request
- Access to KaseyaD.ini gives an attacker sufficient information to penetrate the Kaseya installation and its clients

Impact
Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kaseya | vsa | < 9.5.6 | 9.5.6 |
| kaseya | vsa_agent | < 9.5.0.24 | 9.5.0.24 |
| kaseya | vsa_server | < 9.5.7a | 9.5.7a |
Detection & IOCs (extracted from sources)
- URL: /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29
- Detect boolean-based blind SQL injection attempts against /InstallTab/exportFldr.asp via the fldrId parameter. A 500 response to a trailing single quote and a 200 response to a CASE/WHEN payload is the distinguishing pattern.
- Alert on the creation of cert.exe in C:\Windows\. This is certutil.exe copied and renamed to evade detection before decoding the ransomware payload.
- Detect PowerShell invocations that set Set-MpPreference with -DisableRealtimeMonitoring $true alongside multiple other Defender-disabling flags in a single command line.
- Monitor for IIS log deletion and application database log deletion as an early-stage indicator of the REvil VSA attack chain.
- Note: the SQL injection exploit requires a semi-authenticated session. The sessionId cookie value must first be obtained via CVE-2021-30116 (credential leak), so detections relying solely on unauthenticated traffic may miss this attack chain.
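A detection pass over IIS W3C logs for two of the patterns on this page: the dl.asp GET login with leaked agent credentials described in the summary above, and the boolean-based blind SQL injection against /InstallTab/exportFldr.asp from the list. This is an added example, not code from the page's sources or from Kaseya. The log lines are constructed; the `#Fields` order is assumed to be the IIS W3C layout shown in them, and the `un`/`pw` values are the placeholders quoted in the description.

```python
"""Detection logic for the CVE-2021-30116 / exportFldr.asp SQLi chain over IIS W3C logs.

Added example, not part of the original page or Kaseya's code. It assumes the
IIS W3C field order given in the #Fields line; the log lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote

# Constructed sample: an IIS W3C extended log as a VSA front end would write it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-07-02 14:02:11 10.0.0.5 GET /dl.asp - 443 203.0.113.7 200
2021-07-02 14:02:13 10.0.0.5 GET /dl.asp un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9 443 203.0.113.7 200
2021-07-02 14:02:20 10.0.0.5 GET /InstallTab/exportFldr.asp fldrId=1%27 443 203.0.113.7 500
2021-07-02 14:02:21 10.0.0.5 GET /InstallTab/exportFldr.asp fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 443 203.0.113.7 200
2021-07-02 14:05:00 10.0.0.5 GET /InstallTab/exportFldr.asp fldrId=42 443 10.0.0.9 200
"""

# Tokens that should never appear in a numeric folder id.
SQLI_TOKENS = re.compile(r"\b(select|union|case\s+when|waitfor|sleep)\b|'", re.IGNORECASE)


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):  # malformed or truncated line
            continue
        yield dict(zip(fields, parts))


def detect(text):
    """Return (client_ip, rule_name, detail) findings for the two VSA patterns."""
    findings = []
    probes = {}  # client ip -> set of exportFldr.asp signals seen from that client
    for rec in parse_iis_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        query = "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"]
        params = parse_qs(query, keep_blank_values=True)
        ip, status = rec["c-ip"], rec["sc-status"]

        # Rule 1: agent credentials passed to dl.asp in a GET query string.
        if stem == "/dl.asp" and rec["cs-method"] == "GET" and "un" in params and "pw" in params:
            findings.append((ip, "vsa_dl_asp_get_credentials",
                             f"un={params['un'][0]} pw_len={len(params['pw'][0])} status={status}"))

        # Rule 2: SQL syntax in fldrId, plus the 500-on-quote / 200-on-CASE pairing.
        if stem == "/installtab/exportfldr.asp" and "fldrId" in params:
            value = unquote(params["fldrId"][0])
            if SQLI_TOKENS.search(value):
                sig = probes.setdefault(ip, set())
                if "'" in value and status == "500":
                    sig.add("quote_500")
                if re.search(r"case\s+when", value, re.IGNORECASE) and status == "200":
                    sig.add("casewhen_200")
                findings.append((ip, "vsa_exportfldr_sqli_payload", value[:60]))

    for ip, sig in probes.items():
        if {"quote_500", "casewhen_200"} <= sig:
            findings.append((ip, "vsa_exportfldr_blind_sqli_pattern",
                             "500 on trailing quote followed by 200 on CASE/WHEN"))
    return findings


if __name__ == "__main__":
    for ip, rule, detail in detect(SAMPLE_LOG):
        print(f"{ip:<14} {rule:<36} {detail}")
```

The blind-SQLi rule keys on the pairing the source describes (a 500 on the trailing single quote and a 200 on the CASE/WHEN payload from the same client), but each payload is also reported on its own so a scanner that sends only one of the two is not missed. As the note above says, the exportFldr.asp requests are semi-authenticated, so the logic deliberately ignores whether a session cookie was present.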
CVSS provenance
- nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- vulncheck: 10.0 CRITICAL
- cisa: 9.8 CRITICAL
CISA
Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2021-30116 [CRITICAL] CWE-522 Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability
Vulnerability: Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability
Affected: Kaseya Virtual System/Server Administrator (VSA)
Kaseya Virtual System/Server Administrator (VSA) contains an information disclosure vulnerability allowing an attacker to obtain the sessionId that can be used to execute further attacks against the system.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-30116
Remediation Due Date: 2021-11-17
GHSA
GHSA-qm28-hjhx-pwqg: Kaseya VSA before 9
ghsa_unreviewed·2022-05-24
CVE-2021-30116 [CRITICAL] CWE-522 GHSA-qm28-hjhx-pwqg: Kaseya VSA before 9
Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021.
VulnCheck
Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability
vulncheck·2021·CVSS 10.0
CVE-2021-30116 [CRITICAL] CWE-522 Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability
Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability
Kaseya Virtual System/Server Administrator (VSA) contains an information disclosure vulnerability allowing an attacker to obtain the sessionId that can be used to execute further attacks against the system.
Affected: Kaseya Virtual System/Server Administrator (VSA)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://blog.talosintelligence.com/2021/07/revil-ransomware-actors-attack-kaseya.html; https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/; https://unit42.paloaltonetworks.com/revil-th
VulnCheck
Kaseya vsa Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2021·CVSS 5.4
CVE-2021-30119 [MEDIUM] Kaseya vsa Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Kaseya vsa Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Authenticated reflected XSS in HelpDeskTab/rcResults.asp. The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a cross-site scripting attack. Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=alert(document.cookie)` The same is true for the parameter FileName of /done.asp. Example request: `https://x.x.x.x/done.asp?FileName=";alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078`
Affected: Kaseya vsa
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Ca
VulnCheck
Kaseya vsa Incorrect Resource Transfer Between Spheres
vulncheck·2021·CVSS 9.9
CVE-2021-30120 [CRITICAL] Kaseya vsa Incorrect Resource Transfer Between Spheres
Kaseya vsa Incorrect Resource Transfer Between Spheres
Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The requirement to use 2FA for authentication is enforced client-side instead of server-side and can be bypassed using a local proxy, rendering the 2FA useless. Detailed description: during the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If an attacker has obtained a user's password and uses an intercepting proxy (e.g. Burp Suite) to change the value of MFARequired from True to False, there is no prompt for the second factor, but the user is still logged in.
Affected: Kaseya vsa
Required Action: Apply remediations or mitigations per vendor instruct
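The client-side check the entry above describes, modelled in code next to the server-side version that removes the bypass. This is an added example and not Kaseya's code: the user store, the TOTP secret, the session table and the function names are hypothetical stand-ins, and only the MFARequired field name is taken from the description.

```python
"""Client-side vs server-side 2FA enforcement, modelled on the CVE-2021-30120 entry.

Added example, not Kaseya's code. USERS, SESSIONS and the helpers are hypothetical
stand-ins; what matters is where the "is the second factor done?" decision lives.
"""
import hashlib
import hmac
import secrets
import struct
import time

# Constructed user store. Passwords are passed as bytes; a real system would use a
# password KDF (e.g. Argon2) rather than a bare SHA-256.
USERS = {
    "admin": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
              "mfa_required": True, "totp_secret": b"example-secret"},
}
SESSIONS = {}  # session id -> {"user": ..., "state": "full" | "pending_mfa"}


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, parameterised by time so tests are deterministic."""
    counter = int((for_time if for_time is not None else time.time()) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def _check_password(user, password):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(
        rec["pw_hash"], hashlib.sha256(password).hexdigest())


def is_authorized(sid):
    """What every protected endpoint checks: only a fully established session passes."""
    return SESSIONS.get(sid, {}).get("state") == "full"


# Vulnerable shape: the server hands out a full session as soon as the password is
# right and merely *tells* the client that MFA is required. The prompt is a client
# decision, so rewriting MFARequired to False in a proxy skips it entirely.
def login_vulnerable(user, password):
    if not _check_password(user, password):
        return {"ok": False}
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "state": "full"}
    return {"ok": True, "sessionId": sid, "MFARequired": USERS[user]["mfa_required"]}


# Hardened shape: the password step yields a session that is only pending; the
# upgrade to "full" happens server-side once the TOTP verifies. Nothing the client
# sends, and nothing a proxy rewrites in the response, can change that state.
def login_hardened(user, password):
    if not _check_password(user, password):
        return {"ok": False}
    sid = secrets.token_hex(16)
    state = "pending_mfa" if USERS[user]["mfa_required"] else "full"
    SESSIONS[sid] = {"user": user, "state": state}
    # MFARequired is returned purely so the UI knows to show the prompt.
    return {"ok": True, "sessionId": sid, "MFARequired": state == "pending_mfa"}


def verify_mfa_hardened(sid, code, now=None):
    sess = SESSIONS.get(sid)
    if not sess or sess["state"] != "pending_mfa":
        return False
    expected = totp(USERS[sess["user"]]["totp_secret"], now)
    if hmac.compare_digest(expected, code):
        sess["state"] = "full"
        return True
    return False


def simulate_proxy_bypass(login_fn):
    """Attacker with a stolen password flips MFARequired in the response, then hits an endpoint."""
    resp = login_fn("admin", b"correct horse")
    resp["MFARequired"] = False  # the intercepting-proxy tamper from the description
    return is_authorized(resp["sessionId"])


if __name__ == "__main__":
    print("vulnerable server, flag tampered -> authorized:", simulate_proxy_bypass(login_vulnerable))
    print("hardened server,   flag tampered -> authorized:", simulate_proxy_bypass(login_hardened))
```

The hardened path never consults the MFARequired boolean it returns; that flag only drives the client's UI. Authorization for each protected endpoint reads the server-held session state, so the rewrite in `simulate_proxy_bypass` changes nothing until a valid code has been presented to `verify_mfa_hardened`.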
No detection rules found.
Nuclei
Kaseya VSA < 9.5.7 - Credential Disclosure via Windows Agent
nuclei·CVSS 9.8
CVE-2021-30116 [CRITICAL] Kaseya VSA < 9.5.7 - Credential Disclosure via Windows Agent
```yaml
Kaseya VSA Download Agent', 'mkDefault.asp?id=')"
          - "status_code == 200"
        condition: and
        internal: true

    extractors:
      - type: regex
        name: mkdefault_id
        group: 1
        internal: true
        regex:
          - 'mkDefault\.asp\?id=([0-9-]+)'

  - method: GET
    path:
      - "{{BaseURL}}/mkDefault.asp?id={{mkdefault_id}}"
    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - "Location: /install/VSA-default-([0-9-]+)/KcsSetup\\.exe"
      - type: status
        status:
          - 302
# digest: 4a0a00473045022045b36f7a8088adca1f47895008696ddb9742d9fff36db6bfccb1735bdccfe8e2022100804b8d5f454766e4a8c95ef857de49fdd444fd7314fc9cdb844029bbf02080e3:922c64590222798bb761d5b6d8e72950
```
Trendmicro
Leveraging Data Science to Minimize the Blast Radius of Ransomware Attacks
blogs_trendmicro·2023-03-02
Leveraging Data Science to Minimize the Blast Radius of Ransomware Attacks
Ransomware
# Leveraging Data Science to Minimize the Blast Radius of Ransomware Attacks
In this blog entry, we present a case study that illustrates how data-science techniques can be used to gain valuable insights about ransomware groups' targeting patterns as detailed in our research paper, “What Decision-Makers Need to Know About Ransomware Risk.”
By: Vladimir Kropotov, Robert McArdle, Fyodor Yarochkin, Shingo Matsugaya
2023/03/02
In partnership with: Erin Burns, Eireann Leverett of Waratah Analytics
As ransomware groups continue to build on their arsenal of tactics, techniques, and procedures (TTPs), it's essential for cybersecurity professionals to assess the levels of risk to their organizations using multiple sources of information for a comp
Sentinelone
REvil
blogs_sentinelone·2022-11-30
REvil
Trendmicro
ICS Vulnerabilities: The Last Ten Years
blogs_trendmicro·2022-04-13
ICS Vulnerabilities: The Last Ten Years
Exploitation of Vulnerabilities
## ICS Vulnerabilities: The Last Ten Years
We examined ICS vulnerabilities in depth using MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). In this first post we trace the development of ICS vulnerabilities over the last ten years.
By: Trend Micro, Apr 13, 2022
Original article by Trend Micro
Every year MITRE discovers new vulnerabilities and registers them under a CVE ID (Common Vulnerabilities and Exposures). The details are recorded, and specialists also state under the respective CVE ID how the vulnerabilities can be remediated. The public learns of vulnerabilities affecting industrial control system (ICS) environments through advis
Trendmicro
An In-Depth Look at ICS Vulnerabilities Part 1
blogs_trendmicro·2022-03-30
An In-Depth Look at ICS Vulnerabilities Part 1
Exploits & Vulnerabilities
# An In-Depth Look at ICS Vulnerabilities Part 1
In this blog series our team examined various ICS vulnerabilities using the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) for ICS.
By: Trend Micro
2022/03/30
Every year, vulnerabilities are discovered and registered to a Common Vulnerabilities and Exposures (CVE) ID by the MITRE Corporation. Each vulnerability’s details are recorded, and specialists also include how to mitigate them under their CVE ID. Vulnerabilities that can affect industrial control system (ICS) environments are identified to the public through advisories by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
In this blog series, our team conducted an in-depth l
Tenable
Behind the Scenes: How We Picked 2021’s Top Vulnerabilities – and What We Left Out
blogs_tenable·2022-03-11
Behind the Scenes: How We Picked 2021’s Top Vulnerabilities – and What We Left Out
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Securelist
Cyberthreats to financial organizations in 2022
blogs_securelist·2021-11-23
Cyberthreats to financial organizations in 2022
Table of Contents
Analysis of forecasts for 2021
Key events in 2021
Forecasts for 2022
Authors
Dmitry Bestuzhev
Santiago Pontiroli
Fabio Assolini
Seongsu Park
## A look back on the year 2021 and what to expect in 2022
First of all, we are going to analyze the forecasts we made at the end of 2020 and see how accurate they were. Then we will go through the key events of 2021 relating to attacks on financial organizations. Finally, we will make some forecasts about financial attacks in 2022.
## Analysis of forecasts for 2021
The COVID-19 pandemic is likely to cause a massive wave of poverty, and that invariably translates into more people resorting to crime, including cybercrime. We might see certain economies crashing and local currencies plummeting, which would make Bitcoin thef
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01
## Table of Contents
Overview
Directive Scope
CISA Catalog of Known Exploited Vulnerabilities
Detect CISAs Vulnerabilities Using Qualys VMDR
Remediation
Federal Enterprises and Agencies Can Act Now
Summary
Getting Started
Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01 , “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Talos
Quarterly Report: Incident Response trends from Q3 2021
blogs_talos·2021-10-28·CVSS 10.0
CVE-2021-30116 [CRITICAL] Quarterly Report: Incident Response trends from Q3 2021
### Ransomware again dominated the threat landscape, while BEC grew
By David Liebenberg and Caitlin Huey.
Once again, ransomware was the most dominant threat observed in Cisco Talos Incident Response (CTIR) engagements this quarter.
CTIR helped resolve several significant ransomware events this quarter, including ones that involved the REvil ransomware leveraging a vulnerability in the Kaseya VSA software (CVE-2021-30116) against managed service providers (MSPs) and their downstream customers. REvil, along with Vice Society, were the only ransomware groups observed more than once this quarter. This highlights the greater democratization of emerging ransomware variants. This is the first quarter in which we had no observations of the Ryuk ransomware, a variant that was often the most oft
Tenable
Focus on the Fundamentals: 6 Steps to Defend Against Ransomware
blogs_tenable·2021-07-21
Focus on the Fundamentals: 6 Steps to Defend Against Ransomware
Huntress
The Hunt to Find Origins of Kaseya's VSA Mass Ransomware Incident | Huntress
blogs_huntress·2021-07-20
The Hunt to Find Origins of Kaseya's VSA Mass Ransomware Incident | Huntress
Kaseya has a customer base of roughly 35,000 businesses and organizations. These consist of approximately 17,000 managed service providers, 18,000 direct/VAR customers and a significant number of end users at the organizations they support. There is certainly a large attack surface offered to threat actors who might compromise the Kaseya VSA software.
In the recent ransomware incident that occurred in July 2021, the industry learned that 50-60 MSPs and their managed customers were encrypted by the REvil ransomware gang through the Kaseya VSA remote monitoring and management software.
With just 50-60 MSPs affected out of a potential 17,000 or 35,000, that leaves us with a large lingering question: “Why weren’t there more victims?”
That is to say, in a more pointed manner, “Shouldn’t the
Qualys
Kaseya REvil Ransomware Attack (CVE-2021-30116) – Automatically Discover and Prioritize Using Qualys VMDR® | Qualys
blogs_qualys·2021-07-08·CVSS 10.0
CVE-2021-30116 [CRITICAL] Kaseya REvil Ransomware Attack (CVE-2021-30116) – Automatically Discover and Prioritize Using Qualys VMDR® | Qualys
#### Table of Contents
- Identification of Assets using Qualys VMDR
- Discover Kaseya VSA Vulnerability
- Workarounds
- Get Started Now
On July 2, 2021, Kaseya announced its software had been compromised and was being used to attack the IT infrastructure of its customers. The REvil ransomware attack leveraged multiple zero-day vulnerabilities in Kaseya’s VSA (Virtual System/Server Administrator) product that helps Kaseya customers to monitor and manage their infrastructure. To deploy ransomware payloads on the systems of Kaseya customers and their clients, the REvil operators exploited zero-day vulnerability CVE-2021-30116.
REvil ransomware (also known as Sodinokibi) is ransomware-as-a-service (RaaS), meaning an attacker distributes the licensed copy of this ransomware over the internet
Krebs
Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software
blogs_krebs·2021-07-08·CVSS 4.0
[MEDIUM] Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software
Last week cybercriminals deployed ransomware to 1,500 organizations, including many that provide IT security and technical support to other companies. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya’s customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago.
On July 3, the REvil ransomware affiliate program began using a zero-day security hole (CVE-2021-30116) to deploy ransomware to hundreds of IT management companies running Kaseya’s remote management software — known as the Kaseya Virtual System Administrator (VSA).
According to this entry for CVE-2021-30116
Qualys
REvil Ransomware Attack Analysis | REvil Group Insights | Qualys
blogs_qualys·2021-07-07
REvil Ransomware Attack Analysis | REvil Group Insights | Qualys
#### Table of Contents
- Technical Details
- Ransomware Execution
- Dashboard
- Artifact
- REvil TTP Map
- Mitigation or Additional Important Safety Measures
- Indicators of Compromise (IOCs)
- References
Over the past year, there has been a rise in extortion malware, e.g. Nefilim and Darkside, which steal and threaten to publish sensitive data or encrypt it until a ransom is paid. Nowadays, cybercriminals use various techniques to gain their initial foothold within a network in the organization. One of the techniques is a supply chain attack.
In a software supply chain attack, hackers compromise an organization by manipulating the code in third-party software components used by the organization, such as what was seen with SolarWinds in December of 2020. On July 2, 2021, Kaseya announce
Tenable
CVE-2021-30116: Multiple Zero-Day Vulnerabilities in Kaseya VSA Exploited to Distribute REvil Ransomware
blogs_tenable·2021-07-06·CVSS 10.0
[CRITICAL] CVE-2021-30116: Multiple Zero-Day Vulnerabilities in Kaseya VSA Exploited to Distribute REvil Ransomware
Trendmicro
IT Management Platform Kaseya Hit With Sodinokibi REvil Ransomware Attack
blogs_trendmicro·2021-07-04·CVSS 10.0
[CRITICAL] IT Management Platform Kaseya Hit With Sodinokibi REvil Ransomware Attack
Ransomware
## IT Management Platform Kaseya Hit With Sodinokibi/REvil Ransomware Attack
Kaseya has been hit with a REvil (aka Sodinokibi) ransomware attack at the dawn of the Fourth of July weekend. The attack was geared toward their on-premises VSA product.
By: Trend Micro Research, Jul 04, 2021
Update as of 23 July, 1:48 a.m. EDT: Kaseya, with the help of a third party, has obtained a decryptor tool for the victims of the ransomware attack.
Update as of 13 July, 1:34 a.m. EDT: Kaseya released its patch on 11 July, 4:30 p.m. EDT. As of 12 July, 7:30 a.m. EDT, its SaaS is now 100% online.
Update as of 6 July, 10:37 p.m. EDT: Trend Micro released a free assessment service that checks environments for the presence of Kaseya vulnerabilities that are rel
Talos
REvil ransomware actors attack Kaseya in supply chain attack
blogs_talos·2021-07-03·CVSS 10.0
[CRITICAL] REvil ransomware actors attack Kaseya in supply chain attack
## REvil ransomware actors attack Kaseya in supply chain attack
Updated on July 6, 2021:
As analysis of the ransomware attack affecting organizations using Kaseya VSA has continued, we are sharing an update containing additional information. As new details are identified, this information may be updated as needed.
- This event consisted of two separate, but related incidents. The initial compromise was the result of a zero-day attack against MSSPs that enabled adversaries to conduct a service supply chain attack on additional victims.
- The initial compromise of Kaseya VSA servers appears to have been the result of the successful exploitation of an unpatched software vulnerability (CVE-2021-30116) which allowed attackers to obtain privileged access to vulnerable Kaseya VSA servers for the purposes of ransomware deployment.
- Ransom demands varied acr
Sentinelone
REvil
blogs_sentinelone
REvil
# REvil Ransomware: In-Depth Analysis, Detection, and Mitigation
As if ransomware itself wasn’t dangerous enough, a new type of attack involving ransomware is making waves in the cybersecurity community. Ransomware-as-a-Service (RaaS) operations are becoming more common and more profitable for threat actors looking to launch a variety of attacks. One such operation is known as REvil, and involved a core team of threat actors offering the malware to other attackers for a price.
Although the Russian Federal Security Service claims to have dismantled REvil and charged several of the ransomware group’s members, a deeper look at this type of ransomware and RaaS can help organizations protect themselves against these types of attacks in the future.
## What Is REvil Ransomware?
REvil ransomwa
Huntress
The Hunt to Find Origins of Kaseya's VSA Mass Ransomware Incident | Huntress
blogs_huntress
The Hunt to Find Origins of Kaseya's VSA Mass Ransomware Incident | Huntress
Kaseya has a customer base of roughly 35,000 businesses and organizations. These consist of approximately 17,000 managed service providers, 18,000 direct/VAR customers and a significant number of end users at the organizations they support. There is certainly a large attack surface offered to threat actors who might compromise the Kaseya VSA software.
In the recent ransomware incident that occurred in July 2021, the industry learned that 50-60 MSPs and their managed customers were encrypted by the REvil ransomware gang through the Kaseya VSA remote monitoring and management software.
With just 50-60 MSPs affected out of a potential 17,000 or 35,000, that leaves us with a large lingering question… “Why weren’t there more victims?”
That is to say, in a more pointed manner, “Shouldn’t ther
Huntress
Huntress 24/7 Security Operations Center | Huntress
blogs_huntress·CVSS 8.4
[HIGH] Huntress 24/7 Security Operations Center | Huntress
24/7 Managed SOC Services & Monitoring
Whether an incident goes down at 3:00 p.m. or 3:00 a.m., the Huntress elite AI-assisted SOC team has your back with always-on SOC monitoring and rapid response.
People-Powered Threat Hunting
Automation alone won’t cut it against today’s hackers, and this is where our human security experts come in. The Huntress Security Operations Center (SOC) fills a critical gap in your security with a team of always-on, global badasses on your side. They investigate threats, analyze tradecraft, and shut down attackers 24/7—all so you don’t have to.
- 8 min: industry-leading mean time to respond (MTTR)*
- Threat experts across the globe
- 98.8%: customer support satisfaction score
- False positive rate across 4M endpoints
- Confirmed high/critical incident reports sen
Crowdstrike
How CrowdStrike Stops Ransomware Used in the Kaseya Attack
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] How CrowdStrike Stops Ransomware Used in the Kaseya Attack
https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/
https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021
https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-30116
Published: 2021-07-09
Added to CISA KEV: 2021-11-03
Exploited in the wild