Kaseya VSA and REvil: When the Management Tool Is the Attack
Threat Intelligence
Over the July 4 weekend in 2021, REvil used a zero-day in Kaseya VSA to push ransomware through managed service providers into roughly 1,500 downstream businesses. A practitioner walk-through of the MSP supply-chain risk model.
By Arjun Raghavan, Security & Systems Lead, BIPI · April 3, 2024 · 9 min read
The Kaseya VSA incident is the cleanest case study in MSP supply-chain risk we have. One product, one weekend, one ransomware crew, and roughly 1,500 small and mid-sized businesses across 17 countries waking up to encrypted files. The math of MSP leverage finally caught up to defenders on July 2, 2021.
Timeline
- April 2021: DIVD researchers privately disclose seven vulnerabilities in Kaseya VSA, including what would later be tracked as CVE-2021-30116. Kaseya begins remediation but does not finish before the attack.
- July 2, 2021, around 1430 UTC: REvil affiliates trigger the exploit chain against internet-facing VSA on-prem servers operated by MSPs. The chain authenticates to the VSA API and uses the agent procedure mechanism to push a payload to every managed endpoint.
- July 2, evening: VSA SaaS is taken offline as a precaution. On-prem customers are told to shut their VSA servers down immediately. Some do not see the advisory until the next morning.
- July 3-4: ransomware notes appear across MSP customers in North America, Europe, and Australia. Sweden's Coop closes 800 stores because the point-of-sale system is down.
- July 5: REvil demands a 70 million dollar universal decryptor.
- July 21: Kaseya obtains a universal decryptor through a third party. How it was obtained was never publicly confirmed.
Root cause
CVE-2021-30116 was an authentication bypass in the VSA web interface. Combined with a path traversal and an arbitrary file upload, the chain let an unauthenticated attacker drop a payload and execute it through the VSA agent procedure. From there the management tool did what it was built to do: ship code to every endpoint that the MSP managed, fast and unattended.
REvil did not need to scale. The MSP already scaled for them.
Attacker actions
The payload disabled Microsoft Defender real-time protection through a registry write, then dropped a legitimately signed but vulnerable copy of MsMpEng.exe alongside a malicious mpsvc.dll. DLL search-order hijacking gave the loader trusted execution. The ransomware encrypted with REvil's standard Salsa20 plus RSA scheme and left the familiar ReadMe note. Notably, the attackers did not exfiltrate data at scale in this campaign. The leverage was the spread, not the leak.
Detection signals
- VSA agent procedure executions originating from a new or unknown procedure ID, especially one that drops files to C:\kworking\.
- Defender tamper events: Set-MpPreference disable, followed by execution of unfamiliar binaries from C:\kworking\.
- Outbound HTTP from VSA servers to non-Kaseya infrastructure in the hours before payload deployment.
- Mass file rename events across endpoints in a tight time window. Every well-tuned EDR baseline picked this up, but in MSP-managed shops nobody owned that alert pipeline.
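As an added example (not code from the original post), here is a small Python detector that applies the three endpoint-side signals above to constructed sample telemetry. The hostnames, file names, ".7h3k2" suffix and the 60-second / 3-host burst thresholds are assumptions for the demo; the outbound-HTTP signal is network-side and not covered here.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample endpoint telemetry: (UTC timestamp, host, event kind, detail).
# Hostnames, paths and the ".7h3k2" suffix are made up for the demo.
EVENTS = [
    ("2021-07-02T12:00:00Z", "ws-09", "rename", r"C:\Users\a\report.docx -> report.docx.bak"),
    ("2021-07-02T14:31:02Z", "ws-01", "process", r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2021-07-02T14:31:05Z", "ws-01", "process", r"C:\kworking\agent.exe"),
    ("2021-07-02T14:31:06Z", "ws-02", "process", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("2021-07-02T14:32:10Z", "ws-01", "rename", r"C:\Users\a\q3.xlsx -> q3.xlsx.7h3k2"),
    ("2021-07-02T14:32:11Z", "ws-02", "rename", r"C:\Users\b\notes.txt -> notes.txt.7h3k2"),
    ("2021-07-02T14:32:13Z", "ws-03", "rename", r"C:\Data\inv.pdf -> inv.pdf.7h3k2"),
]

KWORKING = "c:\\kworking\\"  # staging directory named in the detection signals above

def detect(events, min_hosts=3, window=timedelta(seconds=60)):
    """Return (signal, host(s), timestamp) tuples for the three endpoint signals."""
    findings = []
    recent = deque()  # rename events inside the sliding window, oldest first
    for ts_s, host, kind, detail in events:
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        low = detail.lower()
        if kind == "process" and "set-mppreference" in low and "disable" in low:
            findings.append(("defender_tamper", host, ts_s))
        elif kind == "process" and low.startswith(KWORKING):
            findings.append(("kworking_exec", host, ts_s))
        elif kind == "rename":
            recent.append((ts, host))
            while ts - recent[0][0] > window:   # drop renames older than the window
                recent.popleft()
            hosts = sorted({h for _, h in recent})
            if len(hosts) >= min_hosts:         # burst spanning several endpoints
                findings.append(("mass_rename", ",".join(hosts), ts_s))
                recent.clear()                  # one alert per burst
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The lone rename on ws-09 two hours earlier falls outside the window and never contributes to the burst, which is the point of keying the alert on many hosts in a short span rather than on rename volume alone.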
Lessons
- Treat MSP management agents as the highest-privilege workload class. They get the same scrutiny as domain controllers.
- If you run VSA on-prem, do not put it on the internet. Organizations that fronted VSA with VPN-only access in 2021 were not in the blast pattern.
- Demand evidence from MSPs: their patch SLA, their MFA enforcement, their internal segmentation between MSP staff workstations and customer environments.
- Practice the MSP-down scenario. If your MSP goes silent for 72 hours during an incident, can you still operate?
Three years on, MSP attacks are still the highest-leverage move in the ransomware playbook. CVE-2023-3519 against Citrix and the ConnectWise ScreenConnect chain in February 2024 are the same idea wearing different uniforms. The lesson from Kaseya is to assume the next one is already being chained.