Potential exposure to Kaseya VSA Agent ransomware attack

critical Nessus Plugin ID 151424

Synopsis

Detects potential IoCs for the Kaseya VSA Agent ransomware attack.

Description

This plugin detects the potential presence of the agent.exe or agent.crt IoCs on remote host machines. Their presence can indicate that the host might have been targeted in the Kaseya VSA ransomware attack. It is strongly recommended that the results be manually verified and, if the compromise is confirmed, that appropriate remediation actions be taken.

Note that Nessus has not tested for this issue but has instead looked for specific files that could potentially indicate compromise.

Solution

Please refer to the vendor advisory.

See Also

http://www.nessus.org/u?1a256267

https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689

https://www.kaseya.com/potential-attack-on-kaseya-vsa/

Plugin Details

Severity: Critical

ID: 151424

File Name: kaseya_ioc_july_2021.nbin

Version: 1.33

Type: local

Agent: windows

Family: Windows

Published: 7/6/2021

Updated: 6/21/2022

Supported Sensors: Nessus Agent

Risk Information

CVSS Score Rationale: Score from a more in-depth analysis done by Tenable

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: manual

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:kaseya:vsa_agent

Required KB Items: installed_sw/Kaseya Agent, SMB/ARCH