At around 2 PM EST, Kaseya published on their website an important notice to immediately shut down VSA servers due to a malicious threat in its recent update. According to Kaseya, one of the first things that the attacker does is shut off Administrative access to the VSA.
ThreatLocker has identified this threat, and we can confirm that the malicious files are not part of our Built-In definition for Kaseya VSA.
ThreatLocker has created a separate application, titled "Kaseya Virus - DENY (Built-In)", that contains the hashes of these malicious files. A suggested policy has also been created that specifically denies those malicious hashes for organizations using a custom definition.
We highly suggest that you create this policy at the Organizational/Global level in order to fully deny the identified files.
ThreatLocker also suggests moving this policy strictly into a "Secured" state, meaning that it will override any devices currently in Learning or Monitor mode.
You will need to deploy policies for all Organizations in order for this to take effect.
If deploying at the Global level:
- Navigate to the "Organizations" page on the left side of the Portal
- Select all Organizations with the checkbox located at the top
- Click "Deploy Policies" to deploy the policies to all selected Organizations
All devices should receive their new policy changes within a few minutes.