IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Kaseya patches VSA flaws exploited in REvil ransomware attack

Three now-patched vulnerabilities centred on credential leakage, cross-site scripting and 2FA bypass

Software firm Kaseya has issued patches for three vulnerabilities that hackers used to execute a devastating ransomware attack earlier this month.

The company’s emergency update for VSA version 9.5.7a (9.5.7.2994) address three flaws tracked as CVE-2021-30116, CVE-2021-30119 and CVE-2021-30120. These concern credentials leakage and a business logic flaw, a cross-site scripting (XSS) vulnerability, and a two-factor authentication (2FA) bypass, respectively.

These have been patched now alongside four other vulnerabilities, which received patches in previous versions of the VSA software. All seven were identified by the security firm DIVD in April this year, with the two companies working to address them only for REvil ransomware operators to beat them to the punch.

The other four flaws are tracked as CVE-2021-30117, an SQL injection flaw, CVE-2021-30118, a remote code execution bug, CVE-202130121, a local file inclusion vulnerability, and CVE-2021-30201, an XML external entity vulnerability. 

The hackers abused the flaws to target the cloud-based IT management and remote monitoring platform VSA, but Kaseya initially stated the attack had only affected roughly 40 on-premise customers. Because the software is used by many Managed Service Providers (MSPs), however, compromising internet-facing VSA servers served as an entry point to target their own customers, with roughly 1,500 businesses now thought to have been affected by the attack.

Other groups were also recently discovered to be launching opportunistic phishing attacks, with messages that claimed to be delivering important security updates for the VSA product. The emails warned victims they should “install the update from Microsoft to protect against ransomware as soon as possible”, according to Malwarebytes.

Related Resource

Aberdeen Report: How a platform approach to security monitoring initiatives adds value

Integration, orchestration, analytics, automation, and the need for speed

White text against a pink-red background - whitepaper from IBMFree download

DIVD researcher Victor Gevers wrote in the immediate aftermath of the attack that a patch for these vulnerabilities had been in development, but that the two companies were beaten to the punch at the final hurdle. 

“Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” he wrote. “During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. 

“They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Former Kaseya staff, speaking with Bloomberg, however, have claimed that they warned executives of critical flaws in the firm’s products several times between 2017 and 2020, but that the company didn’t take these warnings seriously enough. 

Workers complained that the firm was using old code, implementing poor encryption and failed to routinely patch the software. Reportedly, VSA was ridden with so many issues that employees wanted it replaced.

The publication claims that one employee said he was fired two weeks after sending senior leadership a 40-page briefing on security issues, while other works left after being frustrated that the focus seemed on adding new features rather than fixing basic problems.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Ransomware now strikes one in 40 organisations per week, Check Point finds
ransomware

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022
Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
US government warns of increased risk of ransomware over holiday season
ransomware

US government warns of increased risk of ransomware over holiday season

24 Nov 2021

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Microsoft successfully tests emission-free hydrogen fuel cell system for data centres
data centres

Microsoft successfully tests emission-free hydrogen fuel cell system for data centres

29 Jul 2022