Use Case:

Kaseya VSA Attack

The REvil group exploited Kaseya's VSA SaaS platform with zero-day vulnerabilities, allowing them to access and spread malicious software to customers and systems.

Zero-Day Vulnerability and Kaseya's VSA SaaS Platform

The ransomware gang known as REvil attacked Kaseya’s VSA SaaS platform using zero-day exploits to gain access and distribute malicious software to Kaseya's customers and their systems. They used an authentication bypass vulnerability to compromise the VSA and distribute a malicious payload to hosts running the remote monitoring and management software, amplifying the reach of the initial foothold.

The Kaseya VSA agent (C:\PROGRAM FILES (X86)\KASEYA\<ID>\AGENTMON.EXE) was deployed to Kaseya’s customers and then, in turn, to the MSP customers’ systems. This agent is responsible for pulling updates from Kaseya servers, which are hosted in the cloud. Since the malware was already wrapped in the platform, it was signed by Kaseya’s platform. As a result, the platform passed the malware straight through to these clients’ systems. To normal users, it looked like legitimate Kaseya traffic when in fact it was a malware installer.

This Kaseya VSA attack impacted between 800 and 1500 companies. Each customer was asked to pay a ransom of between $50,000 and $5 million. A $70 million master key was also offered as a bundled deal, payable in Bitcoin.

How ThreatLocker® Mitigated This Exploit

During this incident, ThreatLocker® noticed a file c:\kworking\agent.exe being blocked on multiple devices. EDRs and other threat detection tools weren’t able to effectively detect the Kaseya breach because the malicious code was signed and appeared to come from a reputable company. ThreatLocker Allowlisting was able to mitigate the attack because an executable file within the program folder had changed and therefore no longer matched what was explicitly allowed. Whether or not an application is reputable or signed with a certificate, ThreatLocker can deny all applications from running except those that are explicitly allowed by hash. This means untrusted software, including ransomware and other malware, is denied by default.
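The decision rule this paragraph describes, default deny with execution permitted only by file hash, is sketched below as an added illustration. This is example code written for this page, not ThreatLocker's product code and not a description of how its agent is implemented internally. The file names, signer labels and byte contents are constructed for the demo; the point it shows is that a file carrying a trusted signer but different content gets a different hash and is therefore denied.

```python
"""Illustrative default-deny, hash-based application allowlist (example code, not ThreatLocker's)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def sha256_file(path: str) -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class Allowlist:
    """Default-deny policy: only hashes explicitly recorded here may execute."""
    approved: Dict[str, str] = field(default_factory=dict)  # sha256 hex digest -> label

    def approve_file(self, path: str, label: str) -> str:
        """Record the current hash of a known-good file as explicitly allowed."""
        digest = sha256_file(path)
        self.approved[digest] = label
        return digest

    def decide(self, path: str, signed_by: Optional[str] = None) -> Tuple[str, str]:
        """Return ("ALLOW" | "DENY", reason).

        The signer is recorded in the reason for the audit log, but it never
        influences the decision: a valid signature on unapproved content is
        still a deny, which is the behaviour the Kaseya case calls for.
        """
        digest = sha256_file(path)
        label = self.approved.get(digest)
        if label is not None:
            return "ALLOW", f"hash {digest[:12]}... matches approved '{label}'"
        signer = signed_by or "unsigned"
        return "DENY", f"hash {digest[:12]}... not on allowlist (signer={signer}); default deny"


def run_demo() -> Dict[str, Tuple[str, str]]:
    """Build a throwaway directory with two constructed 'executables' and evaluate both.

    The bytes below are placeholders standing in for PE files; they are not real binaries.
    """
    approved_bytes = b"MZ\x90\x00 constructed sample: approved agent build"
    changed_bytes = b"MZ\x90\x00 constructed sample: same signer label, different payload"
    with tempfile.TemporaryDirectory() as root:
        agent = os.path.join(root, "agentmon.exe")              # the build we approved
        dropped = os.path.join(root, "kworking", "agent.exe")   # a file that appeared later
        os.makedirs(os.path.dirname(dropped))
        with open(agent, "wb") as f:
            f.write(approved_bytes)
        with open(dropped, "wb") as f:
            f.write(changed_bytes)

        policy = Allowlist()
        policy.approve_file(agent, "agent (approved build)")
        signer = "Vendor Certificate (assumed label)"
        return {
            # Same bytes as approved: allowed regardless of signer.
            "approved_agent": policy.decide(agent, signed_by=signer),
            # Same signer label, different bytes: hash differs, so denied by default.
            "dropped_file": policy.decide(dropped, signed_by=signer),
            # Unsigned and unknown: also denied.
            "unsigned_unknown": policy.decide(dropped, signed_by=None),
        }


if __name__ == "__main__":
    for name, (verdict, reason) in run_demo().items():
        print(f"{name:18s} {verdict:5s} {reason}")
```

Running the block prints one ALLOW line for the approved agent and DENY lines for both the changed and the unsigned copies; the signer text only ever appears in the reason string, never in the branch that decides.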

ThreatLocker® Key Uses

Proactive Approach to Cybersecurity

Unlike antivirus or traditional EDR, the ThreatLocker Allowlisting solution puts you in control of what software, scripts, executables, and libraries can run on your endpoints and servers. This approach not only stops malicious software in its tracks but also stops other unpermitted applications from running. This greatly reduces the chance of cyber threats and other rogue applications running on your network.

Preventing the Weaponization of Legitimate Tools

Normally, applications have access to all the same data as the end user. If an application is absolutely necessary, ThreatLocker® Ringfencing™ can implement Zero Trust controls comparable to, but more granular than, traditional application containment tools. ThreatLocker Ringfencing™ controls what applications are able to do once they are running: these controls can prevent applications from interacting with another application, your files, data, or the internet. By limiting how software can interact on your devices, ThreatLocker® can reduce the likelihood of an exploit being successful or an attacker weaponizing legitimate tools such as PowerShell.

Limiting Application Hopping for Administrators

Elevation Control puts IT administrators in the driver’s seat, enabling them to control which specific applications can run as a local admin without giving users local admin rights. For applications such as QuickBooks that need to run with local admin access, Elevation Control can limit that access without impacting operational workflow, which can prevent the further spread of an attack, such as application hopping, if an endpoint is breached.

Control Over Storage Devices and Data Access

ThreatLocker Storage Control provides policy-driven control over storage devices, whether the storage device is a local folder, a network share, or external storage such as a USB drive. Storage Control allows you to set granular policies, such as blocking USB drives or blocking access to your backup share except when your backup application is accessed.

ThreatLocker Benefits

Increased Security

Increase endpoint security coverage and reduce the risk of potential security breaches.

24/7 Cyber Hero Support

Resolve any questions or issues with our ThreatLocker Cyber Heroes, who are available within 30 seconds via the admin portal chat or telephone, 24/7/365.

Save Time & Money

Reduce time dedicated to endpoint security by 25% and reevaluate annual spending on multiple licensing for antivirus and EDR solutions.

Seamless Onboarding & Deployment

ThreatLocker Learning Mode and Unified Audit simplify setting up your Zero Trust environment during initial onboarding and deployment.