Threat Advisories:
Click, Paste, Compromise: Inside the New FileFix Campaign Hive0154 Evolves with SnakeDisk and EnhancedToneshell Backdoor HybridPetya: A Bootkit-Enabled Ransomware Threat EvilAI Malware Exploits the Trust in Artificial Intelligence kkRAT Malware Campaign Targeting Chinese-Speaking Users ZynorRAT: Go-Based Malware Taking Shape on Telegram Microsoft September 2025 Patch Tuesday Roundup The Gentlemen Ransomware: A Rising Global Cyber Threat MostereRAT: A Deep Dive into an EPL-Backed Phishing Operation Stealerium Changing the Rules of Cyber Espionage s1ngularity Nx Supply Chain Attack: AI-Driven Credential Theft & Mass Exposure GPUGate: Weaponizing Ads and GitHub to Outsmart Sandboxes Cephalus Ransomware a Wake-Up Call for Stronger Endpoint Defense Sitecore Zero-Day Powers Reconnaissance Malware TP-Link Router End-of-Service Models Exploited in Botnet Operation GhostRedirector Targets Windows Servers Globally for SEO Fraud CVE-2025-55177: WhatsApp Zero-Click Flaw Used in Targeted Campaigns Experimental AI Ransomware PromptLock Sparks Security Concerns NightSpire Ransomware Expands Reach with Aggressive Extortion Deadlines Operation HanKook Phantom: APT37’s Stealthy Espionage Campaign
🎧 Hive Force Labs: Critical Threats Affecting You This Week - 5 Minute Audio Intelligence Report
👥 Play Count: Loading...
Partner Program
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them. Powered by:
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s ComparisonSave Cost , Reduce Complexity and Increase Security by Augmenting and Replacing your existing Vulnerability Management platform
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Case Studies
Whitepapers
Press Releases
connect
Webinars & Videos
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe
Platform
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure Platform
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s Comparison
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Case Studies
Whitepapers
Press Releases
connect
Webinars & Videos
Company
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe

REvil Ransomware gang behind the Kaseya VSA Supply-Chain attack

Threat Level – Red | Vulnerability Report
Download PDF

For a detailed advisory, download the pdf file here.

The REvil ransomware group was successful in carrying out a supply chain attack by exploiting the zero-day vulnerability (CVE-2021-30116) in the Kaseya VSA server and delivering a malicious script to all the computer devices managed by servers. The script delivered the REvil ransomware and encrypted the files of the clients managed by the server affecting almost 1 million computer devices.

Hive Pro researchers have identified that there are three more zero-day vulnerabilities that were possibly used to target the clients:

Authentication Bypass VulnerabilityArbitrary File Upload VulnerabilityCode Injection Vulnerability

The Techniques used by the REvil ransomware includes:

TA0001: Initial AccessT1189: Drive-by CompromiseT1566: PhishingT1566.001: Spear phishing AttachmentTA0002: ExecutionT1059: Command and Scripting InterpreterT1106: Native APIT1059.001: PowerShellT1059.005: Visual BasicT1059.003: Windows Command ShellTA0003: PersistenceT1204: User ExecutionT1047: Windows Management InstrumentationT1204.002: Malicious FileTA0004: Privilege EscalationT1134: Access Token ManipulationT1134.002: Create Process with TokenT1134.001: Token Impersonation/TheftT1574:Hijack Execution FlowT1574.002:Hijack Execution Flow: DLL Side-LoadingTA0005: Defense EvasionT1134: Access Token ManipulationT1134.002: Create Process with TokenT1134.001: Token Impersonation/TheftT1140: DE obfuscate/Decode Files or InformationT1055: Process InjectionTA0006: Credential AccessT1562: Impair DefensesT1562.001: Disable or Modify ToolsT1070: Indicator Removal on HostT1070.004: File DeletionT1036: MasqueradingT1036.005: Match Legitimate Name or LocationT1112: Modify RegistryT1027: Obfuscated Files or InformationT1055: Process InjectionTA0007: DiscoveryT1083: File and Directory DiscoveryTA0008: Lateral MovementT1069: Permission Groups DiscoveryT1069.002: Domain GroupsT1012: Query RegistryT1082: System Information DiscoveryTA0011: Command and ControlT1071: Application Layer ProtocolT1071.001: Web Protocols  T1573: Encrypted Channel T1573.002: Asymmetric CryptographyT1105: Ingress Tool TransferTA0010: ExfiltrationT1041: Exfiltration Over C2 ChannelTA0040: ImpactT1485: Data DestructionT1486: Data Encrypted for ImpactT1490: Inhibit System Recovery   T1489: Service Stop

Threat Actor

Vulnerability Details

Indicators of Compromise

TypeValue
IPv4161[.]35.239.148
Hash(SHA1)d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
45AEBD60E3C4ED8D3285907F5BF6C71B3B60A9BCB7C34E246C20410CF678FC0C

References

https://www.bleepingcomputer.com/news/security/kaseya-was-fixing-zero-day-just-as-revil-ransomware-sprung-their-attack/

https://otx.alienvault.com/pulse/60e40b4535299fb6755143cf

https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack

https://www.tenable.com/blog/cve-2021-30116-multiple-zero-day-vulnerabilities-in-kaseya-vsa-exploited-to-distribute-ransomware

https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/

https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/

What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox

Cybersecurity Leaders Dinner at Houston

CTEM for CISOs in 2025, brought to life by Al Lindseth.

Tuesday, October 7th, 2025
6.00 pm to 9.00 pm
Del FRISCOS Double Eagle Steakhouse, Houston TX
Click here to Register!