10 Big Things To Know About The Kaseya Cyberattack
From the largest ransom demand of all time to a potentially linked attack on Microsoft cloud customer apps via Synnex to how this hack was nearly avoided altogether, here are 10 things to know about the Kaseya cyberattack.
8. REvil Seized Upon Kaseya’s Anti-Malware Software Exclusions
REvil exploited a zero-day vulnerability, possibly via SQL injection, to remotely access internet-facing VSA servers, which gave the attackers privileged access to the MSPs’ customers, Sophos said. VSA is highly trusted on customer devices because it is normally used to deploy software and automate tasks, so a managed device will carry out whatever tasks the VSA server requests without question.
The zero-day exploit of Kaseya’s platform allowed a malicious update payload to be sent to VSA servers, and from there to the VSA agent applications running on managed Windows devices, Sophos said Sunday. This let REvil compromise businesses through a trusted channel and take advantage of the anti-malware exclusions that Kaseya requires customers to configure for its application folders during setup.
These exclusions mean that anything executed by the Kaseya Agent Monitor is ignored by anti-malware software, so REvil could deploy its dropper without scrutiny, according to Sophos. REvil also encoded the malicious payload carried by its malware so that, when the malware was first deployed, defenses could not run static file analysis on it with pattern scanning or machine learning.
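The practical lesson of this section is that an anti-malware exclusion for an RMM agent's working folder turns that folder into an unscanned execution path. The following PowerShell script is an added example, not code from the CRN article, from Sophos or from Kaseya: it enumerates the Microsoft Defender exclusions on a managed Windows host, flags excluded paths that low-privileged accounts can write to, lists process exclusions (files opened by those processes are not scanned), and pulls recent Defender configuration-change events so that a newly added exclusion stands out. It assumes the Defender PowerShell module (Windows 10 / Server 2016 and later) and an elevated prompt; the set of "low-privileged" principals is an assumption you may need to widen for your environment.

```powershell
# Added example: audit Microsoft Defender exclusions on a managed Windows host.
# Not from the article or any vendor. Assumes the Defender module and an elevated shell.

$prefs = Get-MpPreference

# Principals treated as low-privileged for this check (assumption; extend as needed).
$lowPrivWriters = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Test-WritableByLowPriv {
    # Returns $true when any low-privileged principal holds a write-class right on $Path.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivWriters -notcontains $ace.IdentityReference.Value) { continue }
        $rights = $ace.FileSystemRights.ToString()
        if ($rights -match 'Write|Modify|FullControl|CreateFiles|AppendData') { return $true }
    }
    return $false
}

Write-Host '== Path exclusions (anything here runs unscanned) =='
foreach ($p in @($prefs.ExclusionPath)) {
    if (-not $p) { continue }
    $verdict = if (Test-WritableByLowPriv -Path $p) { 'RISK: writable by low-privileged users' } else { 'present' }
    '{0,-60} {1}' -f $p, $verdict
}

Write-Host '== Process exclusions (files these processes open are not scanned) =='
foreach ($proc in @($prefs.ExclusionProcess)) {
    if ($proc) { '{0}' -f $proc }
}

Write-Host '== Extension exclusions =='
foreach ($ext in @($prefs.ExclusionExtension)) {
    if ($ext) { '{0}' -f $ext }
}

# Event 5007 in the Defender operational log records configuration changes; filtering on
# "Exclusions" in the message text surfaces additions or removals of exclusion entries.
Write-Host '== Recent Defender configuration changes touching exclusions =='
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message |
    Format-List
```

Run it on a representative endpoint and on the VSA server itself. Any excluded directory that ordinary users or a service account can write to deserves the same scrutiny the article gives the Kaseya agent folder: tightening the ACL on that directory, or narrowing the exclusion to specific signed executables, removes the unscanned drop location without breaking the agent.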