{
	"id": "0813c840-f324-41bd-bee2-f46a33ad8a18",
	"created_at": "2026-04-06T00:11:44.981697Z",
	"updated_at": "2026-04-10T03:21:49.643607Z",
	"deleted_at": null,
	"sha1_hash": "e6b12996f3102c4cdda5ec193a72227ec8c7848a",
	"title": "Kaseya Supply-Chain Attack Targeting MSPs to Deliver REvil Ransomware - Truesec",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85484,
	"plain_text": "Kaseya Supply-Chain Attack Targeting MSPs to Deliver REvil\r\nRansomware - Truesec\r\nBy siteadmin\r\nPublished: 2021-10-07 · Archived: 2026-04-05 14:01:50 UTC\r\nA Truesec investigation\r\nKaseya VSA, a product commonly used by MSPs to manage their clients’ IT environments, was used as part of\r\na supply chain attack delivering REvil ransomware to thousands of organizations.\r\nEDIT 2021-07-04 17:40 CET: Added redacted screenshots of exploit traffic\r\nEDIT 2021-07-04 23.10 CET: Added additional details and attack overview\r\nEDIT 2021-07-05 19.40 CET: Added methods to identify compromised systems\r\nEDIT 2021-07-06 17.14 CET: Added link to script to identify infected systems\r\nEDIT 2021-07-08 14.45 CET: Further clarified the identified steps of the exploit\r\nWe have been investigating this issue and our CSIRT team has been working around the clock to help affected\r\norganizations.\r\nWe are thankful for all information that other security researchers and response teams have been sharing, such as\r\nHuntress and Kevin Beaumont. So far, we don’t see any substantial discrepancy between the results of our\r\ninvestigation and the publicly available IOCs that have been shared.\r\nAttack Overview\r\nKaseya customers using the on-prem VSA server were affected by this attack. The VSA server is used to manage\r\nlarge fleets of computers and is normally used by MSPs to manage all their clients. Without separation between\r\nclient environments, this creates a dependency: if the VSA server is compromised, all client environments\r\nmanaged from this server can be compromised too.\r\nAdditionally, if the VSA server is exposed to the internet, any potential vulnerability could be leveraged over the\r\nInternet to breach the server. This is what happened in this case. 
The threat actor, an affiliate of the REvil\r\nransomware-as-a-service, identified and exploited a zero-day vulnerability in the VSA server.\r\nThe vulnerability was exploited to introduce a malicious script to be sent to all computers managed by the server,\r\ntherefore reaching all the end clients. The script delivered the REvil ransomware and encrypted the systems.\r\nOverview of the attack\r\nVSA Server Zero-Day\r\nhttps://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/\r\nPage 1 of 4\n\nWe have identified the exploit code used by the threat actor to compromise the Internet-facing VSA servers. A\r\npatch has been available since July 11; after we validated the patch and verified that the attack vector is\r\nno longer present, we published the details of the exploit in a follow-up technical post.\r\nThank you Visma for extracting traffic data from your DarkTrace appliances and providing it to us for\r\ninvestigation.\r\nTruesec has confirmed the complete exploit chain and produced a working proof-of-concept exploit. 
The\r\nfollowing vulnerabilities were chained in the exploit:\r\nAuthentication Bypass\r\nArbitrary File Upload\r\nRequest Forgery Token Bypass\r\nLocal File Code Injection\r\nAttack Kill Chain\r\nWe want to share an IP address that we have identified, used to launch the exploit:\r\n161[.]35.239.148\r\nUser-Agent: curl/7.69.1\r\nOrganizations and response teams can use this to identify if exploitation was launched against the VSA servers.\r\nNote that as part of the exploitation, the IIS logs are cleared; therefore, a lack of indications in the IIS logs does not\r\nnecessarily mean that the system was not exploited.\r\nAt this time, we do not know if the threat actor changed the source IP address for each exploited VSA server;\r\nhowever, we expect a large overlap.\r\nPart of Exploit Against VSA Server\r\nMalicious Procedure to Clients\r\nThe code executed on the VSA server as part of the exploit triggered execution of a malicious procedure on\r\ncomputers managed by the server. This effectively reaches all managed clients.\r\nAs the first stage deletes logs in multiple locations (IIS logs as well as logs stored in the application database), not\r\nall the steps have been reconstructed yet. However, the procedure pushed to the clients was recovered and is\r\nreported below.\r\nexecFile(): Path=\"C:\\windows\\system32\\cmd.exe\", arg=\"/c ping 127.0.0.1 -n 7615 \u003e nul \u0026 C:\\Windows\\System32\\WindowsPow\r\nThis disables some features of Windows Defender, uses certutil to decode the previously uploaded agent.crt to\r\nagent.exe, and executes it.\r\nWhen executed, agent.exe will drop two additional files: MsMpEng.exe (a legitimate version of the Windows\r\nDefender binary) and mpsvc.dll (REvil ransomware). 
The execution of MsMpEng.exe triggers the loading of\r\nmpsvc.dll (side-loading execution) and therefore executes the REvil ransomware in the context of MsMpEng.exe.\r\nMethods to Identify Compromised Systems – Kaseya VSA\r\nTruesec has identified several methods to detect if systems are affected. This is possible both on a device with a\r\nKaseya agent installed and on a central Kaseya VSA server.\r\nSeveral logs such as the web server and database logs are cleared or deleted on the Kaseya VSA servers we have\r\ninvestigated. However, we were able to discover at least one log file that contained valuable data.\r\nIn our case, this log file was located at “D:\\Kaseya\\Kserver\\Kserver.log”. When inspecting the content of the file, we\r\nwere able to find traces of the “agent.crt” file being sent out to systems.\r\nThe log for a specific system looks as follows:\r\n[I 2021-07-02T13:59:59.544250Z +02:00 ] [ProcessCmd] Systemname-and-Kaseya-agent-details (REDACTED) l\r\n [I 2021-07-02T14:00:01.512990Z +02:00 1840 16cc] [EVENT_SERVER] Fri Jul 2 16:00:01 2021: [5836] WARN\r\n [I 2021-07-02T14:00:01.559863Z +02:00 1840 12b4] [EVENT_SERVER] Fri Jul 2 16:00:01 2021: [4788] Writ\r\nThese log entries indicate that an attempt was made to send out the file “agent.crt” to the working directory\r\n(default C:\\kworking) of the target machine. As such, it is possible from the central Kaseya VSA servers to identify\r\nwhich systems were targeted.\r\nWe have also confirmed that it is possible that systems are part of the list, and that an attempt at encrypting them\r\nwas made, but was unsuccessful.\r\nMethods to Identify Compromised Systems – Systems With Agent\r\nOn a device that has a Kaseya agent installed, many different indicators exist. 
This list contains several methods\r\nwhich have been relevant in the cases we investigated so far.\r\nENCRYPTION\r\nThe registry key HKLM:\\SOFTWARE\\Wow6432Node\\BlackLivesMatter, which contains information related\r\nto the ransomware\r\nThe ransomware “readme” file and files with the same file ending as the “-readme.txt” noted prefix\r\nATTEMPTS TO EXECUTE MALICIOUS CODE\r\nIt is possible that there was an attempt at executing the malicious code, but where the execution was unsuccessful.\r\nIn such cases the following identification methods are valuable:\r\nC:\\Windows\\System32\\winevt\\Logs\\Windows Powershell.evtx – Check for the malicious powershell\r\nexecution “Set-MpPreference -Set-MpPreference -DisableRealtimeMonitoring ….”\r\nAny of the files noted in the IoC list. The “C:\\kworking” directory is based on the working directory for the\r\nKaseya agent, which is defined in the registry key HKLM:\\SOFTWARE\\Wow6432Node\\Kaseya\\Agent.\r\nMultiple agents can be installed, and therefore multiple versions of the files.\r\nSigns of the malicious execution in the Kaseya AgentMon log located at: “C:\\Program Files (x86)\\Kaseya\\AgentMon.log”\r\nRunning process agent.exe\r\nRunning process MsMpEng.exe with loaded mpsvc.dll\r\nWe have also released a script to help victims and responders of the Kaseya ransomware attack to identify\r\nand mitigate affected systems. 
This is for the end systems, not the VSA servers.\r\nIOCs\r\n161[.]35.239.148\r\nmpsvc.dll 8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD\r\nagent.exe D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E\r\nagent.crt 45AEBD60E3C4ED8D3285907F5BF6C71B3B60A9BCB7C34E246C20410CF678FC0C\r\nYouTube Video\r\nWe held a live webinar for approximately 35 minutes to answer many of the questions we have received.\r\nDue to the nature of the exploit, and the fact that it is zero-day, we are not disclosing any specific details of the\r\nexploit. We have shared the details directly with Kaseya.\r\nEDIT: a patch has been available since July 11; after we validated the patch and verified that the\r\nattack vector is no longer present, we published the details of the exploit in a follow-up technical post.\r\nSource: https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/"
	],
	"report_names": [
		"kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434304,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6b12996f3102c4cdda5ec193a72227ec8c7848a.pdf",
		"text": "https://archive.orkl.eu/e6b12996f3102c4cdda5ec193a72227ec8c7848a.txt",
		"img": "https://archive.orkl.eu/e6b12996f3102c4cdda5ec193a72227ec8c7848a.jpg"
	}
}