Compromise one MSP's RMM, ransom a thousand businesses: the Kaseya pattern
Kaseya VSA is remote-monitoring software MSPs use to manage thousands of client machines. That reach is why it keeps getting attacked, and why in 2021 REvil used it to push ransomware to roughly 1,500 downstream businesses in a single weekend.
The reason Kaseya VSA keeps showing up in the exploited-vulnerabilities catalog is the same reason it was worth attacking in the first place: it’s remote monitoring and management software that managed service providers use to administer thousands of client endpoints from one console. Owning a VSA server doesn’t compromise one company; it compromises the MSP and, through it, every business the MSP manages. The Kaseya entries, CVE-2017-18362, CVE-2018-20753, and CVE-2021-30116, trace an escalating exploitation of that leverage, culminating in one of the most consequential supply-chain ransomware attacks on record.
The pattern, in three CVEs
- CVE-2017-18362 is a SQL injection in the Kaseya VSA ManagedITSync integration. In early 2019, GandCrab ransomware affiliates exploited it to push ransomware through MSP VSA servers to their clients, an early demonstration of the MSP-as-multiplier model.
- CVE-2018-20753 is a remote code execution flaw in VSA, more attack surface on the same high-value platform.
- CVE-2021-30116 is the big one. In July 2021, the REvil ransomware operation chained a set of VSA vulnerabilities, including this credential-leak/authentication-bypass flaw, against internet-facing VSA servers, then used VSA’s legitimate software-deployment mechanism to push their ransomware to managed endpoints. Because each compromised VSA server fanned out to many client networks, the attack reached an estimated 1,500 businesses worldwide over a single weekend, hitting supermarkets, schools, and small businesses far removed from Kaseya itself.
The throughline is the MSP supply chain. An RMM platform exists to control many machines efficiently, and that control is exactly what an attacker inherits.
Why RMM is the highest-leverage target there is
Remote monitoring and management tools, Kaseya VSA, ConnectWise, and others, have a property that makes them uniquely dangerous when breached: they’re trusted, privileged, and one-to-many by design. The agent runs with high privileges on every managed endpoint, the platform can deploy software and run scripts across the whole fleet, and all of that activity looks legitimate because it is the normal mechanism. Ransomware delivered through RMM doesn’t have to evade much, because it’s arriving through the trusted channel the customer installed on purpose.
This is the supply-chain risk the MOVEit and SolarWinds incidents made famous, applied to the IT-management layer. For the MSP, a VSA compromise is an existential event that propagates to every client. For the client, it’s the uncomfortable realization that their security depends on a vendor they may never have heard of, the MSP’s tooling provider, being patched and hardened.
What to do
For MSPs and anyone running RMM:
- Patch RMM platforms immediately and treat them as tier-zero. A vulnerability in VSA or any RMM is a top-priority emergency, because the blast radius is your entire client base. Don’t wait for a maintenance window.
- Never expose the RMM management interface to the open internet. The REvil attack hit internet-facing VSA servers. Put the console behind VPN/IP allowlisting; for SaaS RMM, lock down admin access tightly.
- Enforce MFA and least privilege on the RMM, and segment it. The platform that can run code everywhere needs the strongest authentication and the tightest access controls you have.
- Monitor the RMM’s own activity. Software deployments and script executions you didn’t initiate are the signature of an RMM-borne attack. Alert on unexpected mass-deployment jobs and unusual agent commands.
- Have an out-of-band kill switch and IR plan. When CISA and Kaseya responded in 2021, the guidance was to shut VSA servers down. Know how to rapidly disable your RMM and isolate clients if it’s compromised.
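The monitoring point above (alert on mass-deployment jobs you did not initiate) can be turned into a concrete detection rule. The following is an added example, not code from Kaseya or from this site: it parses constructed RMM audit lines in a hypothetical format (not VSA's real log schema) and flags deployment or script jobs that fan out to many endpoints without an approved change ticket. The threshold and ticket allowlist are assumptions to be tuned to the fleet.

```python
"""Added example: detect unexpected mass-deployment jobs in RMM audit logs.

Assumptions (not from the original page): the log format below is constructed
for illustration and is NOT Kaseya VSA's real audit format; the threshold and
approved-ticket set are placeholders an MSP would tune to its change process.
"""
import re
from dataclasses import dataclass

# Constructed sample audit lines: ts user action job=<id> targets=<count> ticket=<id|->
SAMPLE_LOG = """\
2021-07-02T13:58:04Z alice     deploy_software job=4471 targets=12   ticket=CHG-2031
2021-07-02T14:02:11Z alice     run_script      job=4472 targets=3    ticket=CHG-2031
2021-07-02T14:20:39Z vsa_admin deploy_software job=4480 targets=1532 ticket=-
2021-07-02T14:21:02Z vsa_admin run_script      job=4481 targets=1532 ticket=-
2021-07-02T15:00:00Z bob       deploy_software job=4490 targets=250  ticket=CHG-2040
"""

MAX_UNPLANNED_TARGETS = 50  # assumed threshold: wider fan-out needs an approved ticket
MASS_ACTIONS = {"deploy_software", "run_script"}  # the one-to-many RMM primitives
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+job=(\d+)\s+targets=(\d+)\s+ticket=(\S+)$"
)


@dataclass
class Job:
    ts: str
    user: str
    action: str
    job_id: int
    targets: int
    ticket: str


def parse_log(text: str) -> list[Job]:
    """Parse the constructed audit format; lines that don't match are skipped."""
    jobs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, action, job_id, targets, ticket = m.groups()
            jobs.append(Job(ts, user, action, int(job_id), int(targets), ticket))
    return jobs


def find_unplanned_mass_jobs(jobs, approved_tickets, threshold=MAX_UNPLANNED_TARGETS):
    """Return fleet-wide deploy/script jobs not tied to an approved change ticket."""
    return [j for j in jobs
            if j.action in MASS_ACTIONS
            and j.targets > threshold
            and j.ticket not in approved_tickets]


if __name__ == "__main__":
    for j in find_unplanned_mass_jobs(parse_log(SAMPLE_LOG), {"CHG-2031", "CHG-2040"}):
        print(f"ALERT job {j.job_id}: {j.user} {j.action} -> {j.targets} endpoints, ticket={j.ticket}")
```

In the sample, bob's 250-endpoint rollout passes because it carries an approved ticket, while the two unticketed fleet-wide jobs from vsa_admin are raised; a real deployment would also alert on unknown operator accounts and on jobs outside approved change windows.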
For organizations that rely on an MSP:
- Ask your MSP about their RMM security. Patch cadence, internet exposure, MFA, and segmentation of their management platform are now your supply-chain risk. You inherited it the moment you signed.
- Don’t assume the MSP is the strong link. Keep your own backups (offline/immutable), so an RMM-delivered ransomware event doesn’t take your recovery with it.
The reframe is to recognize RMM platforms as among the most powerful systems in any IT estate, and therefore among the most targeted. Kaseya VSA’s history, from GandCrab in 2019 to REvil’s 1,500-victim weekend in 2021, is the clearest illustration that compromising the tool that manages everything means compromising everything it manages. Patch it like the crown jewel it is, keep it off the open internet, and if you’re a customer, understand that your MSP’s RMM is part of your attack surface. We track the RMM and MSP-platform entries with particular weight, because one of these bugs doesn’t produce one victim; it produces a thousand.
Sources
- CISA Known Exploited Vulnerabilities Catalog
- CISA: Kaseya ransomware attack guidance — 2021-07
- NVD CVE-2021-30116 — 2021
- NVD CVE-2017-18362 — 2019
- NVD CVE-2018-20753 — 2019