Researchers Reproduce Exploit Used in Kaseya Hack

Kaseya CEO Downplays Impact of Cyberattack

Researchers have successfully reproduced the exploit used in the recent cyberattack targeting IT management software maker Kaseya and its customers.

Kaseya on July 2 urged customers to immediately shut down on-premises servers running its VSA endpoint management and network monitoring tool due to a cyberattack. SaaS deployments do not appear to be impacted, but the service has been shut down by the vendor as a precaution.

Cybercriminals associated with the REvil ransomware compromised Kaseya’s VSA product and used it to deliver the ransomware to many organizations. While the attack apparently only impacted tens of Kaseya’s direct customers, many of them are managed service providers (MSPs) and the ransomware was delivered to hundreds and possibly thousands of their own customers.

Managed detection and response company Huntress has been working with many of the impacted MSPs, and the data collected from these firms has allowed its researchers to determine that the attack involved the exploitation of several zero-day vulnerabilities.

The company’s researchers have managed to reproduce the attack and on Tuesday they demonstrated the exploit chain likely used by the cybercriminals. The exploit involves authentication bypass, arbitrary file upload, and command injection flaws.

Huntress pointed out that the exploit could have allowed the attackers to deliver an implant, but they apparently did not deliver one during the attack.

The Dutch Institute for Vulnerability Disclosure (DIVD) said Kaseya had been aware of at least some of the vulnerabilities exploited in the attack and was in the process of patching them when the breach was detected.

Ransom demands

REvil operators typically also steal information from victims to increase their chances of getting paid, but in this case it seems that they only managed to encrypt files on compromised systems. Some victims have been told to pay tens of thousands of dollars to restore files, while others have been instructed to pay millions.

The hackers have also offered a universal decryptor that could be used to decrypt the files of all victims, allegedly in less than an hour. They initially asked for $70 million for this universal decryptor, but they have reportedly reduced the price to $50 million and have also offered decryptors that work only for certain file extensions.

According to reports, some victims are privately negotiating with the cybercriminals in hopes of recovering their files.

Kaseya and U.S. government comment on impact

Kaseya CEO Fred Voccola downplayed the impact of the incident in a video released on Tuesday, saying that impact “is very minimal” and that it has been made “larger than what it is.”

Voccola explained that the breach impacted only one of the 27 modules of IT Complete, a suite of products designed to help midsize businesses manage all of their IT operations. The affected module, VSA, is designed for remote monitoring and management (RMM).

The company claims to have roughly 37,000 customers and the attack allegedly only impacted roughly 50 users of the RMM module.

Voccola said the MSPs that use Kaseya products manage between approximately 800,000 and one million small businesses around the world. Of these, the company estimates that only between 800 and 1,500 were affected by the incident.

However, German news agency dpa reported that an IT services company in Germany claimed that several thousand of its customers were compromised.

Kaseya’s CEO said the VSA product was shut down within an hour after the company learned of a potential issue, and claimed that they had procedures in place for dealing with such an incident.

President Joe Biden also claimed on Tuesday that the damage to U.S. businesses appeared minimal, but said information is still being gathered.

Some cybersecurity professionals, however, questioned Kaseya’s claims regarding the relatively low number of impacted downstream businesses.

“Given the relationship between Kaseya and MSPs, it’s not clear how Kaseya would know the number of victims impacted. There is no way the numbers are as low as Kaseya is claiming though,” said Jake Williams, CTO of cybersecurity firm BreachQuest.

Both Kaseya and the U.S. government said critical infrastructure did not appear to be affected, but some experts pointed out that the IT sector is a critical infrastructure sector.

Kaseya fails to restore services

Kaseya was planning on restoring VSA SaaS servers on July 6, but it failed to complete the process.

The company has been working on patching the vulnerabilities exploited in the attack and promised to release fixes for on-premises systems within 24 hours after SaaS services have been restored.

“During the VSA SaaS deployment, an issue was discovered that has blocked the release. Unfortunately, the VSA SaaS rollout will not be completed in the previously communicated timeline,” the company said.

Related: Swedish Supermarket Closed by Kaseya Cyberattack

Related: Hackers Demand $70 Million as Kaseya Ransomware Victim Toll Nears 1,500 Firms

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
