Kaseya is continuing to investigate an attack against their VSA remote monitoring and management platform by a group called “REvil.”
Kaseya has advised that all “on-premises VSA Servers should continue to remain offline until further instructions… [and that a] patch will be required to be installed prior to restarting the VSA.” We encourage everyone impacted to continue following Kaseya’s guidance.
Liongard’s Response
In response to this incident, we quickly identified a handful of Partners with Kaseya VSA servers that appeared to still be active. We notified them of our findings and recommended that any VSA servers be taken offline. We also reached out to all of our partners with a link to this FAQs page as a helpful resource.
Use Liongard to Check for Indicators of Compromise (IOC)
Liongard can help you check for Indicators of Compromise (IOC). Our VSA Inspector can identify any admin accounts that have been disabled (which is a key Indicator of Compromise in security events) via the Metric: Users[?IsDisabled == `true`].Email`
- Do Now: Run the Metric to check if there was an IoC when your Kaseya VSA Inspector last ran.
- Do Later: After Kaseya gives the go-ahead to turn your on-premises server back online, run the Metric again.
Per Kaseya’s instructions, VSA SaaS servers likely won’t be affected since Kaseya took them offline; however, performing an admin user audit is always a good idea, no matter where your servers are hosted.
You can also closely monitor Liongard’s timeline and change detections across all systems in potentially impacted networks to stay on top of changes.
In this short video, Sales Engineer Scott Davis walks you through how Liongard can help you review the data you have when a security incident occurs.
Please continue to follow Kaseya’s guidance.
How to Contact Us
For technical assistance, please contact our Partner Support team via the chat feature within Liongard or at any time from our Docs site. For any other business continuity assistance, please contact your Account Manager.
Message From Joe Alapat – Liongard’s CEO
When our MSP community faces a security challenge, we band together and face it as a team. We are stronger when we combine knowledge and align our strengths to adapt to challenges as one, unified ecosystem.
Liongard stands with Kaseya and the MSP community and will continue monitoring the situation and doing what we can to help impacted MSPs. We’re all in this together.
Joe Alapat
CEO, Liongard