Please note that agent.exe is a malicious version of the actual Kaseya VSA Agent and is installed in the default update path c:\kworking\. It installs at least the following two files on each managed system (file hashes included): Next, a job is installed in VSA that deploys and subsequently installs a malicious VSA Agent to all hosts managed by the VSA server. Exploiting the vulnerability results in a compromise of the VSA management servers. The initial compromise of the VSA management servers seems to have taken place from the IP address 18.223.199.234 with an HTTP request to /userFilterTableRpt.asp, which is allegedly vulnerable to SQL injection. SaaS) version of the software.

At the time of writing this report, it cannot be ruled out that systems that are not exposed to the internet are not affected by this attack.
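As an added example (not code from the original report or from Kaseya), the following sketch checks a VSA server's web log for the two indicators named above, the request path /userFilterTableRpt.asp and the source address 18.223.199.234. It assumes the log is in IIS W3C extended format; the sample log lines, the other addresses and the function name are constructed for illustration.

```python
TARGET_PATH = "/userfiltertablerpt.asp"  # path named in the report, lower-cased
SOURCE_IP = "18.223.199.234"             # source address named in the report

# Constructed sample in IIS W3C extended format (not real log data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-07-02 14:01:11 10.0.0.5 GET /index.asp - 443 - 203.0.113.7 Mozilla/5.0 200
2021-07-02 14:20:45 10.0.0.5 POST /userFilterTableRpt.asp - 443 - 18.223.199.234 - 200
2021-07-02 14:22:03 10.0.0.5 POST /UserFilterTableRpt.asp - 443 - 198.51.100.23 Mozilla/5.0 200
2021-07-02 14:30:00 10.0.0.5 GET /favicon.ico - 443 - 18.223.199.234 - 404
"""

def scan_iis_log(text):
    """Return (reason, record) pairs for rows matching either indicator."""
    fields, hits = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue                    # skip directives and rows with no header
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # malformed or truncated row
        rec = dict(zip(fields, values))
        # IIS paths are case-insensitive, so compare lower-cased; endswith also
        # catches the page being served under a sub-directory (an assumption).
        path_hit = rec.get("cs-uri-stem", "").lower().endswith(TARGET_PATH)
        ip_hit = rec.get("c-ip") == SOURCE_IP
        if path_hit and ip_hit:
            hits.append(("path+ip", rec))
        elif path_hit:
            hits.append(("path", rec))  # same page, different source: still review
        elif ip_hit:
            hits.append(("ip", rec))    # same source, other request: context
    return hits

if __name__ == "__main__":
    for reason, rec in scan_iis_log(SAMPLE_LOG):
        print(reason, rec["date"], rec["time"], rec["c-ip"],
              rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"])
```

Rows that match only the path are reported as well, because a single source address is a weak indicator on its own.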
In those cases where the management interface is exposed to the internet, a remote attacker can obtain full administrative control over VSA. The vulnerability allows attackers to gain full administrative access to a VSA management server. VSA consists of one or more central management servers and agent software installed on the systems that are managed.

Around July 2nd 2021, 20:00 CEST Kaseya noticed that an SQL injection vulnerability in its VSA software was being actively exploited on the internet. It is a popular software product with Managed Service Providers (MSPs). One of its software products is Kaseya VSA which allows remotely managing customer systems.
Kaseya is a software company providing IT management software.