Kaseya was informed about the vulnerabilities back in April 2021 but it failed to address the issue in time.
The remote management and monitoring solutions provider, Kaseya VSA, has released patches for three critical vulnerabilities exploited by the REvil ransomware gang to launch a devastating ransomware attack earlier in July 2021.
In April 2021, the Dutch Institute for Vulnerability Disclosure/DIVD identified seven vulnerabilities in Kaseya software and informed the company. However, Kaseya failed to address the issue allowing the Revil ransomware to exploit and target its servers.
SEE: Email offering Kaseya patch drops Cobalt Strike malware
So far, Kaseya has patched most of its VSA SaaS service vulnerabilities but hasn’t yet released a patch for the VSA’s on-premise version. Three of the seven issues have been assigned a CVE identifier.
It isn’t yet clear which of the seven vulnerabilities were exploited. According to DIVD, the ransomware attack involved two flaws, one of which was reported by its researchers.
About the Flaws and the Patches
Kaseya’s emergency update for VSA version 9.5.7a/9.5.7.2994 has addressed three flaws, classified as CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120. The three patched flaws were linked with credential leakage, a cross-site scripting flaw, a business logic flaw, and a 2FA bypass.
The other four vulnerabilities were previously patched in different versions of the VSA software. one of the four flaws is an SQL injection flaw tracked as CVE-2021-30117, the other is a remote code execution bug classified as CVE-2021-30118, the next one is a local file inclusion vulnerability, CVE-2021-30121, and an XML external entity vulnerability tracked as CVE-2021-30201.
As per Huntress, a managed detection and response company that monitored the attack and created a proof-of-concept exploit for the flaws used in the attack, the patch can prevent exploitation. Their PoC is designed to exploit arbitrary file upload, authentication, bypass, and command injection vulnerabilities. However, the attackers didn’t deliver an implant with their exploit.
Apart from the actual patches, Kaseya also released a tool for on-premises clients. They can use this tool to clear any accumulated procedures before restarting their VSA. Moreover, the company has released runbooks to help customers prepare for services restoration and patches roll out.
Ransomware Attack Targeted Kaseya’s VSA Platform
As reported by Hackread.com, the hackers used REvil ransomware to target Kaseya’s cloud-based IT management and remote monitoring VSA, which the company asserts. Still, the company claims that the attack affected around 40 on-premise customers.
Furthermore, the software is mainly used by roughly 1,500 Managed Service Providers. Therefore, compromising internet-facing VSA servers provided hackers an entry point to target their customers and expose them to the attack.
SEE: Spanish telecom giant MasMovil hit by Revil ransomware gang
On July 2, Kaseya shut down its VSA product after detecting a ransomware attack. The hackers exploited 0-day vulnerabilities in on-premise VSA to infect the MSPs and their customers using the VSA. Kaseya also shut down SaaS services as a precautionary measure. By Monday morning, SaaS services from Kaseya were restored for around 95% of its customers.
