[MART] - Daily Diary #297 - Sodinokibi Gang Targeting MSPs Through Supply-Chain Attack

CTAS-MAT ctas-mat at appgate.com
Fri Jul 2 21:14:47 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

07/02/2021 - Diary entry #297:

This week a new supply-chain attack by the Sodinokibi gang (a.k.a. REvil) was disclosed. The attackers managed to compromise the infrastructure of Kaseya, a company that provides IT management solutions. One of its products is Kaseya VSA, a cloud-based platform that lets managed service providers (MSPs) deploy software updates to customer networks and access remote systems to troubleshoot IT problems.

The first signs of the attack appeared today, July 2nd, on a Reddit forum, where system administrators noticed MSP instances being encrypted after an on-premises VSA product update. After receiving the malicious update, the VSA process disables local antivirus solutions and then deploys a copy of a Microsoft Windows Defender executable that loads a malicious REvil DLL through a technique known as DLL side-loading. So far at least 6 MSPs are known to be affected, but since non-MSP organizations also use VSA to manage large computer networks, the real extent of the attack is still unknown.
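A hunt for the side-loading pattern described above, as an added example that is not part of the diary entry and not code from Kaseya or Appgate. The diary names neither the Defender executable nor the DLL; the file names below (MsMpEng.exe, mpsvc.dll) and the two legitimate Defender install directories come from general Windows knowledge and are assumptions of this example, and the process inventory is constructed, not captured from a victim. The logic flags a Defender-named executable running outside its install directories and a Defender-named DLL loaded from anywhere else, in particular from the executable's own directory.

```python
"""Hunt for a relocated Windows Defender binary that side-loads a DLL.

Added example, not code from the diary entry or from Kaseya/Appgate. It runs the
detection logic over a constructed process inventory; on real hosts feed it
process + loaded-module records exported from an EDR, Sysmon (event IDs 1 and 7),
or a PowerShell Get-Process/.Modules listing.
"""
from pathlib import PureWindowsPath

# Directories where Windows Defender binaries legitimately live. Platform
# updates install into a versioned subdirectory under the second root.
DEFENDER_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)
# File names to watch for (assumption drawn from general Windows knowledge;
# the diary entry names neither): Defender's service executable and a DLL it
# loads from its own directory, which makes it a side-loading candidate.
DEFENDER_IMAGES = {"msmpeng.exe"}
DEFENDER_DLLS = {"mpsvc.dll"}


def _parts(path: str) -> tuple:
    """Case-folded path components, so prefix checks ignore Windows casing."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def under(path: str, roots) -> bool:
    """True if `path` is inside (or equal to) any directory in `roots`."""
    parts = _parts(path)
    return any(parts[: len(r)] == r for r in map(_parts, roots))


def assess(record: dict) -> list:
    """Return human-readable reasons a process record looks like Defender
    side-loading; an empty list means nothing suspicious was found."""
    image = PureWindowsPath(record["image"])
    reasons = []
    if image.name.lower() in DEFENDER_IMAGES and not under(str(image.parent), DEFENDER_DIRS):
        reasons.append(f"Defender executable {image.name} running from {image.parent}")
    for mod in record["modules"]:
        dll = PureWindowsPath(mod)
        if dll.name.lower() in DEFENDER_DLLS and not under(str(dll.parent), DEFENDER_DIRS):
            # PureWindowsPath compares case-insensitively, as Windows does.
            where = "the executable's own directory" if dll.parent == image.parent else str(dll.parent)
            reasons.append(f"Defender DLL {dll.name} loaded from {where}")
    return reasons


def hunt(records) -> dict:
    """Map PID -> reasons for every record that triggers at least one rule."""
    findings = {}
    for rec in records:
        reasons = assess(rec)
        if reasons:
            findings[rec["pid"]] = reasons
    return findings


# Constructed sample inventory (not captured from a real Kaseya victim).
SAMPLE_INVENTORY = [
    {   # genuine Defender service, everything under the platform directory
        "pid": 1234,
        "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe",
        "modules": [
            r"C:\Windows\System32\ntdll.dll",
            r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\mpsvc.dll",
        ],
    },
    {   # Defender executable copied elsewhere, next to a DLL of the same name
        "pid": 4321,
        "image": r"C:\Windows\MsMpEng.exe",
        "modules": [r"C:\Windows\System32\ntdll.dll", r"C:\Windows\mpsvc.dll"],
    },
    {   # unrelated process, should not be flagged
        "pid": 77,
        "image": r"C:\Windows\System32\svchost.exe",
        "modules": [r"C:\Windows\System32\ntdll.dll"],
    },
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_INVENTORY).items():
        print(f"PID {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

Only the second record is flagged, on both rules. The path-prefix check is the important part: a signed, legitimate Defender executable is not itself suspicious, its location and the origin of the DLL it loads are, which is why an image-load view (Sysmon event ID 7 or an EDR module listing) is needed rather than a process list alone.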

Kaseya has already posted a notice on its support page, stating that it is "experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers". The notice also instructs customers to shut down their VSA servers until further notice, and to do so immediately, because the attackers remove administrative access to the VSA right after infection. Kaseya also shut down its own cloud infrastructure to stop the malicious update from reaching more clients.

Kind Regards,



Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
