It has long been speculated that the recent increase in network hashrate was due to botnets and the increase in GPU sales, with the focus on botnet activity. It was recently discovered that there may be some bad actors at work taking advantage of a vulnerability in the popular workstation management application, Kaseya.
Here is the January 2018 VSA Security Update posted on their Announcements Page:
In the course of our continuous security monitoring of our products, we have uncovered a security vulnerability in our VSA product.
Consistent with our commitment to providing secure solutions for our partners, we have issued a set of patches that removes this vulnerability. We strongly recommend that every on-premises VSA customer download and install this patch immediately. The patch to address this vulnerability has already been deployed to our SaaS and hosted servers.
We have seen no evidence to suggest that this vulnerability was used to harvest personal, financial, or other sensitive information. However, we are aware of a small subset of our partners where Monero cryptocurrency mining software was deployed to endpoints. Our initial estimates indicate that less than 0.1% of our customers have been affected by this issue.
Kaseya Support is available to assist customers and can be reached by submitting a request at https://helpdesk.kaseya.com/hc/en-gb/requests/new and selecting “VSA Security” under Module to ensure your question is properly routed.
On-Premise VSA Customers – Kaseya strongly recommends that on-premises customers immediately apply a patch by running the Kinstall (Kinstall.exe) that is included on the VSA server: (that matches the version of VSA that you are running):
Version R9.5: Patch 126.96.36.199
Version R9.4: Patch 188.8.131.52
Version R9.3: Patch 184.108.40.206
For customers running Version R9.2 or earlier, it is recommended to upgrade to 9.3 or higher. If needed, Kaseya support can assist you with this. Please reach out to Kaseya Support by submitting a request at https://helpdesk.kaseya.com/hc/en-gb/requests/new and selecting “VSA Security” under Module to ensure your question is properly routed.
SaaS or Hosted Customers – The updates have been applied by Kaseya, no action is required.
Assessment & Remediation
To provide further assurances, Kaseya has created Agent Procedures which customers can run across their environment to determine if they were affected by this vulnerability and remediate endpoints in the event they were impacted. The procedure and detailed technical instructions are located at the following link: https://helpdesk.kaseya.com/hc/en-gb/articles/360000346651
Kaseya is committed to quality and security in our products and maintaining transparency in our communications with our customer base.