Liongard Response to Kaseya VSA incident

On July 2, 2021 at 3PM EDT, Kaseya announced that they were investigating an attack against their VSA remote monitoring and management platform. At this time, Liongard has conducted initial research. The following are our most up-to-date responses to frequently asked questions. We will continue to update this page as the situation evolves and more information becomes available.

Is Liongard’s software affected by this compromise?

No. Liongard is monitoring the incident closely and no indicators of compromise to the Liongard Agent or platform have been identified.

Is Liongard’s VSA inspector affected?

If you were inspecting a VSA instance hosted in Kaseya’s SaaS cloud, your Inspector will return a “Failed” status. Kaseya has reported that they proactively shut down all SaaS instances of VSA until it is safe to resume operations.

Is the Liongard Agent I had installed on the VSA server affected?

Our Agent was not compromised. If our Agent was installed or hosted on a system also hosting Kaseya VSA and if that system was taken offline per Kaseya’s current recommendation, then all Inspectors served by that Agent will also return “Failed” because the Agent machine is offline.

Can Liongard help me identify any indicators of compromise (IOC)?

Yes. If for any reason you have not shut down your on-premises VSA instance, then our VSA Inspector can identify any admin accounts that have been disabled (which is a key Indicator of Compromise in security events) via the Metric: Users[?IsDisabled == `true`].Email

We do, however, encourage all Partners to follow Kaseya’s guidance regarding the shutdown of all Kaseya VSA servers until further direction is provided by Kaseya. We also encourage our Partners to follow the guidance given by their other security software vendors regarding this vulnerability.
We also recommend closely monitoring Liongard’s timeline and change detections across all systems in potentially impacted networks.
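
The following is an added example, not Liongard's own code: it applies the same selection as the Metric above to two constructed inspection snapshots and reports which accounts became disabled between them. The snapshot shape, the function names and the 50% threshold are assumptions made for illustration.

```python
import json

# Constructed sample data: two inspections of the same VSA instance.
# The shape (a "Users" list with "Email" and "IsDisabled") is assumed from
# the fields the Metric references; real Inspector output may differ.
BEFORE = json.loads("""{"Users": [
  {"Email": "alice@example.com", "IsDisabled": false},
  {"Email": "bob@example.com", "IsDisabled": false},
  {"Email": "retired@example.com", "IsDisabled": true}
]}""")
AFTER = json.loads("""{"Users": [
  {"Email": "alice@example.com", "IsDisabled": true},
  {"Email": "bob@example.com", "IsDisabled": true},
  {"Email": "retired@example.com", "IsDisabled": true},
  {"Email": "carol@example.com", "IsDisabled": "true"}
]}""")


def disabled_emails(snapshot):
    """Same selection as the Metric: users whose IsDisabled is boolean true.

    A string "true" (carol above) is not a match, as in the Metric's filter.
    """
    return sorted(
        u["Email"]
        for u in snapshot.get("Users", [])
        if u.get("IsDisabled") is True and u.get("Email") is not None
    )


def newly_disabled(before, after):
    """Accounts disabled in `after` that were not disabled in `before`."""
    return sorted(set(disabled_emails(after)) - set(disabled_emails(before)))


def mass_disable(before, after, threshold=0.5):
    """True when at least `threshold` (assumed value) of the previously
    enabled accounts are disabled in the later snapshot."""
    enabled_before = {
        u["Email"] for u in before.get("Users", []) if u.get("IsDisabled") is False
    }
    flipped = enabled_before & set(newly_disabled(before, after))
    return bool(enabled_before) and len(flipped) / len(enabled_before) >= threshold


if __name__ == "__main__":
    print("disabled now:  ", disabled_emails(AFTER))
    print("newly disabled:", newly_disabled(BEFORE, AFTER))
    print("mass disable:  ", mass_disable(BEFORE, AFTER))
```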

How can Liongard help me recover?

When Kaseya VSA systems are brought back online, our Partners can benefit from an immediate inspection of VSA systems to identify if any administrative account has been disabled. In this short video, Sales Engineer Scott Davis walks you through how Liongard can help you review the data you have when a security incident occurs.

If systems that were directly hit by ransomware must be restored from backups that are potentially days old, Liongard’s visibility and timeline feature can be used to assist in restoring more recent valid configuration changes.

My MSP was impacted by this event. Is there any assistance I can request?

For technical assistance, please contact our Partner Support team via the chat feature (icon at the bottom of this page) or at any time from our docs site. For any other business continuity assistance, please contact your Account Manager.