Dear Valued Kaseya Customer,
We are writing to let you know that several Kaseya customers have been targeted in attacks in which attempts have been made to deploy ‘Litecoin’ mining malware, in some cases successfully. We have investigated these reports and discovered that an application vulnerability was exploited to compromise the ‘kaseyasupport’, ‘KTest’ or ‘SupportTest’ account(s). Using those accounts the attacker deployed the malware to end-user machines using an agent procedure.
While the malware may have allowed the unknown attacker to access end point systems that may contain sensitive data elements, we have seen nothing to suggest that this malware was harvesting personal, financial, or any other kind of sensitive information, or that any individual’s information has been misused as a result of this attack. The actions taken by the attacker appear to be a Litecoin mining operation only, aimed at generating this digital currency.
We have developed and published a patch for both the 6.3 (Patch 6.3.6, Hotfix #8813) and 6.5 (patch 220.127.116.11) releases of Kaseya Virtual System Administrator (VSA) to address this vulnerability, and our SaaS systems have already been patched.
Below is a link to the patch release notes and installation instructions for 6.5 and 6.3 Patch Releases: http://help.kaseya.com/WebHelp/EN/RN/index.asp#PatchReleaseNotes.htm
For 6.3 users, Kaseya Support also has a manually installable individual patch available for those who need it.
If you are a Kaseya VSA on-premise customer, please install these patches as soon as possible to protect your environment. If you are unable to deploy these patches immediately, or are running a VSA release prior to 6.3, please delete the “kaseyasupport” account and do not enable it until you’ve upgraded to the latest release and applied the latest patches. Also, please delete any other currently unused accounts that exist on your server that may have been created historically.
We also recommend that all Kaseya VSA customers, on-premise and SaaS, determine whether the malware has been installed on your system. The signature of this malware is a process running ‘SoftwareUpdate.exe’, version 18.104.22.168, with the file description ‘Apple Software Update’. Please run an audit across all of your endpoints for this executable name and version number to determine whether the malware is present. Instructions to assist you in running this audit are provided in the following Knowledge Base article: https://helpdesk.kaseya.com/entries/46371906
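The following PowerShell script is an added illustration of the per-endpoint audit described above; it is not Kaseya's Knowledge Base procedure or an agent procedure shipped by Kaseya. It checks a single Windows host for the three indicators the notice gives (image name, file description, and version string, the last copied exactly as printed in this notice) by inspecting running processes and then searching common drop locations on disk. The root folders searched and the output file name are assumptions chosen for this example.

```powershell
# Added example, not Kaseya's own audit script.
# Indicators copied from the notice above; the version string is taken verbatim.
$IndicatorName    = 'SoftwareUpdate.exe'
$IndicatorDesc    = 'Apple Software Update'
$IndicatorVersion = '18.104.22.168'

# Build one result row from a path on disk, reading the PE version resource.
function New-IndicatorRecord {
    param([string]$Source, [string]$Path, [int]$ProcessId = 0)
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Source      = $Source
        PID         = $ProcessId
        Path        = $Path
        FileVersion = $vi.FileVersion
        Description = $vi.FileDescription
        # Name alone is not conclusive (a legitimate updater uses the same name and
        # description); the notice asks for name AND version, so flag that combination.
        Match       = ($vi.FileVersion -eq $IndicatorVersion) -and
                      ($vi.FileDescription -eq $IndicatorDesc)
    }
}

function Find-MinerIndicator {
    [CmdletBinding()]
    param(
        # Assumed search roots for the on-disk sweep; adjust for your environment.
        [string[]]$Roots = @($env:ProgramData, $env:SystemRoot, "$env:SystemDrive\Users")
    )
    $hits = @()

    # 1. Running processes whose image name matches the indicator.
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        if (-not $p.Path) { continue }                     # protected/system process, no path
        if ([IO.Path]::GetFileName($p.Path) -ine $IndicatorName) { continue }
        try { $hits += New-IndicatorRecord -Source 'Process' -Path $p.Path -ProcessId $p.Id }
        catch { Write-Warning "Could not read version info for PID $($p.Id): $_" }
    }

    # 2. Copies on disk, in case the miner is installed but not running at audit time.
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter $IndicatorName -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                try { $hits += New-IndicatorRecord -Source 'Disk' -Path $_.FullName }
                catch { Write-Warning "Could not read version info for $($_.FullName): $_" }
            }
    }
    return $hits
}

$results = Find-MinerIndicator
if ($results) {
    $results | Format-Table -AutoSize
    # Assumed output location; keep the CSV for the ticket with Support.
    $results | Export-Csv -LiteralPath "$env:TEMP\miner-audit-$env:COMPUTERNAME.csv" -NoTypeInformation
} else {
    Write-Output "No '$IndicatorName' found on $env:COMPUTERNAME"
}
```

Run it with administrative rights so that process paths of other users' sessions are readable; rows with `Match` set to `False` show a file of that name whose version or description differs from the indicator and should be reviewed rather than treated as confirmed. Removal is still best done through the Support script referenced below rather than by deleting files from this listing.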
If you determine from the audit that the malware is present in your environment and you need help in removing it, please open a ticket with Kaseya Support using the keyword LCCLEAN in the description. A script is available from Support that can be customized to your environment to assist you in removing the malware efficiently.
As a reminder, you should always ensure that every administrator account password is changed regularly, and that strong passwords are always required.
If you no longer have a current maintenance agreement or subscription, please contact your account manager or send an email to firstname.lastname@example.org.
Kaseya is committed to quality and security in our products as well as to maintaining transparency in our communications with our customer base. Proactive investigation and remediation of this issue is a top priority for us. Thank you for working with us to ensure this is completed quickly.
If you have questions or require further assistance, please contact your account representative or open a ticket with Kaseya Support using the keyword LCCLEAN in the description.