Kaseya Patches VSA Vulnerability, Protects Against Monero Cryptocurrency Mining Malware
Kaseya has discovered and patched a security vulnerability in VSA, the company’s remote monitoring and management (RMM) platform for MSPs. Without the patch in place, Monero cryptocurrency mining software potentially could be deployed to endpoints. Kaseya estimates that fewer than 0.1 percent (less than one tenth of one percent) of its customers were affected by this issue.
According to a statement from Kaseya Chief Product Officer Mike Puglia to ChannelE2E:
“In the course of our continuous security monitoring, we uncovered a vulnerability in VSA and immediately released a set of patches that mitigates the vulnerability. The patch has already been deployed to all of Kaseya’s SaaS and hosted server environments, and we are communicating with all on-premise VSA customers to download and install the patch immediately.
While software vulnerabilities are not uncommon, we take security seriously at Kaseya. As a result, we caught this vulnerability early and have been able to work quickly with our customers to resolve this issue and safeguard their environments. A very small fraction of our customers (initial est. 0.1%) were affected by this issue and we have seen no evidence to suggest that this vulnerability was used to harvest personal, financial, or other sensitive information. Our commitment to our customers is unwavering and we will continue to be vigilant and transparent to ensure their safety.”
Why Hackers Target MSPs
Hackers have increasingly targeted MSPs in recent years, because the MSPs and their various third-party RMM tools have aggregated access to thousands — perhaps millions — of business endpoints and associated customer data worldwide.
In one of the higher-profile attacks, a hacker group called APT10, likely backed by China, has compromised and infiltrated MSP networks to access end-customer systems since at least 2016, according to a 25-page PwC UK and BAE Systems report that surfaced in 2017. Those hacks, collectively dubbed Operation Cloud Hopper, may date back to 2014 or so, the report suggests.