Kaseya announced a breach detection tool for clients of its VSA remote monitoring and management product, amid a weekend-long ransomware scare.
The tool is not currently on the website, but can be obtained by emailing [email protected] with the subject “Compromise Detection Tool Request."
On Friday, a REvil ransomware affiliate began exploiting a zero-day vulnerability in Kaseya VSA at several managed service providers, ultimately encrypting thousands of downstream accounts. Kaseya immediately recommended that its customers turn off its product.
According to a company update Saturday night, Kaseya only received a single report of a new infection Saturday from a client who left their VSA server on.
"We are confident we understand the scope of the issue and are partnering with each client to do everything possible to remediate. We believe that there is zero related risk right now for any VSA client who is a SaaS customer or on-prem VSA customer who has their server off," the company wrote.
Kaseya previously announced Friday evening it believed it had identified the vulnerability and had been working on the patch. The update expressed even more confidence that a patch would soon be made available.
"We have begun the process of remediating the code and will include regular status updates on our progress starting [Sunday] morning. We will begin working with select customers to field test the changes once we have completed the work and tested it thoroughly in our environment," the company wrote.
That a REvil affiliate uses a zero-day to target a popular RMM program raised eyebrows in the security community. It is uncommon for ransomware operators to have access to something that would otherwise be a pricey tool sold on the grey market to nation states.
"That is unprecedented," said Jake Williams, chief technology officer of BreachQuest and Rendition Infosecurity. "This is the first time we've seen it but I don't think it's the last by any stretch of the imagination. It's kind of a self-fulfilling prophecy. The more people they get to pay here the more resources they have to go either buy or research the next zero day."