On July 2, 2021 at 2:00 PM EDT, Kaseya made an important announcement about a potential attack against Kaseya VSA. Immediately shutting down the VSA server is recommended until further notice.
From Kaseya's advisory:
We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today.
We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us.
It's critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.
Trend Micro encourages you to review Kaseya's advisory and immediately follow its guidance to shut down VSA servers.
For Worry-Free Business Security Services (WFBS-SVC) customers, please follow the Worry-Free Security Services Checklist to protect the network from REvil Ransomware. Please contact Trend Micro support for any assistance needed in configuring your protections from this threat.
Trend Micro customers who run specialized systems such as POS terminals, often on a legacy OS such as Windows Embedded XP, very often cannot run real-time AV/AM scanners equipped with the latest detection techniques. For such customers, the TXOne StellarEnforce and StellarProtect software agents can be installed on legacy OS systems and provide adequate protection against the different types of ransomware attacks, including REvil.
Please contact Trend Micro Technical Support for any assistance needed in configuring your protections from this threat.
PROACTIVE IOC ASSESSMENT
For Worry-Free XDR or Worry-Free EDR customers, please use the Indicators of Compromise listed below to initiate a proactive IOC Assessment across your network and take the necessary mitigation actions.
For MSP partners, you can perform the IOC Assessment across Worry-Free XDR and Worry-Free EDR customers from your Remote Manager console (see Instructions).
For TxOne Stellar customers, please use the following indicators (User-Defined Suspicious Objects).
| User-Defined Suspicious Objects (UDSO) | TYPE |
|---|---|
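As an added illustration of what an IOC assessment does under the hood (example code written for this page, not Trend Micro's Worry-Free XDR/EDR or TXOne tooling), the Python below parses a UDSO-style two-column table (value, TYPE), accepting both `|a|b|` and the `|a||b|` form seen above, and sweeps a directory tree, matching file names and MD5/SHA-1/SHA-256 digests against the list. The indicator values and the files the demo creates are constructed placeholders, not REvil IOCs; real indicators would be pasted into the table text.

```python
"""Offline IOC sweep over a directory tree using a UDSO-style indicator table.

Added example for this page; not Trend Micro or TXOne code. All indicator
values and sample files below are constructed placeholders, not real IOCs.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str      # lower-cased hash hex or file name
    ioc_type: str   # "md5", "sha1", "sha256" or "filename"


def parse_udso_table(text):
    """Parse pipe-separated rows of the form |value|TYPE| (or |value||TYPE|).

    Header rows (TYPE column literally 'TYPE') and markdown separator rows
    (cells made only of '-', ':' and spaces) are skipped.
    """
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|") if c.strip()]
        if len(cells) != 2:
            continue
        value, ioc_type = cells
        if set(value) <= set("-: ") or ioc_type.upper() == "TYPE":
            continue
        indicators.append(Indicator(value.lower(), ioc_type.lower().replace("-", "")))
    return indicators


def file_hashes(path):
    """Compute MD5, SHA-1 and SHA-256 of a file in one pass, 1 MiB at a time."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def sweep(root, indicators):
    """Walk `root` and return (path, ioc_type, matched_value) for every hit."""
    by_type = {}
    for ind in indicators:
        by_type.setdefault(ind.ioc_type, set()).add(ind.value)
    hash_types = [t for t in ("md5", "sha1", "sha256") if t in by_type]
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() in by_type.get("filename", set()):
                hits.append((path, "filename", name.lower()))
            if not hash_types:
                continue
            try:
                digests = file_hashes(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for t in hash_types:
                if digests[t] in by_type[t]:
                    hits.append((path, t, digests[t]))
    return hits


def demo():
    """Build a constructed sample tree and UDSO table, return sorted hits as
    (path relative to the tree, ioc_type, matched_value)."""
    payload = b"constructed sample payload, not real malware\n"
    # Constructed indicator table in the page's own pipe layout (hypothetical values).
    table = (
        "|User-Defined Suspicious Objects (UDSO)||TYPE|\n"
        f"|{hashlib.sha256(payload).hexdigest()}||SHA256|\n"
        "|suspicious_tool.exe||FILENAME|\n"
    )
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "sample_dropper.bin"), "wb") as fh:
            fh.write(payload)                      # hash hit
        with open(os.path.join(root, "suspicious_tool.exe"), "wb") as fh:
            fh.write(b"benign bytes")              # file-name hit only
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"nothing to see")            # no hit
        hits = sweep(root, parse_udso_table(table))
        return sorted(
            (os.path.relpath(p, root).replace(os.sep, "/"), t, v) for p, t, v in hits
        )
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, ioc_type, value in demo():
        print(f"HIT {ioc_type:8} {path}  ({value})")
```

The demo reports two hits: the constructed payload by SHA-256 and `suspicious_tool.exe` by name. A file-name match alone is a weak signal (the file in the demo has benign contents), which is why a hash indicator is the one to act on first and why the sweep keeps going past unreadable files instead of stopping at the first error.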