Kaseya patches VSA flaws exploited in REvil ransomware attack

Three now-patched vulnerabilities centred on credential leakage, cross-site scripting and 2FA bypass

Software firm Kaseya has issued patches for three vulnerabilities that hackers used to execute a devastating ransomware attack earlier this month.

The company’s emergency update for VSA version 9.5.7a (9.5.7.2994) address three flaws tracked as CVE-2021-30116, CVE-2021-30119 and CVE-2021-30120. These concern credentials leakage and a business logic flaw, a cross-site scripting (XSS) vulnerability, and a two-factor authentication (2FA) bypass, respectively.

These have been patched now alongside four other vulnerabilities, which received patches in previous versions of the VSA software. All seven were identified by the security firm DIVD in April this year, with the two companies working to address them only for REvil ransomware operators to beat them to the punch.

The other four flaws are tracked as CVE-2021-30117, an SQL injection flaw, CVE-2021-30118, a remote code execution bug, CVE-202130121, a local file inclusion vulnerability, and CVE-2021-30201, an XML external entity vulnerability. 

The hackers abused the flaws to target the cloud-based IT management and remote monitoring platform VSA, but Kaseya initially stated the attack had only affected roughly 40 on-premise customers. Because the software is used by many Managed Service Providers (MSPs), however, compromising internet-facing VSA servers served as an entry point to target their own customers, with roughly 1,500 businesses now thought to have been affected by the attack.

Other groups were also recently discovered to be launching opportunistic phishing attacks, with messages that claimed to be delivering important security updates for the VSA product. The emails warned victims they should “install the update from Microsoft to protect against ransomware as soon as possible”, according to Malwarebytes.

Related Resource

Aberdeen Report: How a platform approach to security monitoring initiatives adds value

Integration, orchestration, analytics, automation, and the need for speed

White text against a pink-red background - whitepaper from IBMFree download

DIVD researcher Victor Gevers wrote in the immediate aftermath of the attack that a patch for these vulnerabilities had been in development, but that the two companies were beaten to the punch at the final hurdle. 

“Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” he wrote. “During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. 

“They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Former Kaseya staff, speaking with Bloomberg, however, have claimed that they warned executives of critical flaws in the firm’s products several times between 2017 and 2020, but that the company didn’t take these warnings seriously enough. 

Workers complained that the firm was using old code, implementing poor encryption and failed to routinely patch the software. Reportedly, VSA was ridden with so many issues that employees wanted it replaced.

The publication claims that one employee said he was fired two weeks after sending senior leadership a 40-page briefing on security issues, while other works left after being frustrated that the focus seemed on adding new features rather than fixing basic problems.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Almost 70% of CISOs expect a ransomware attack
ransomware

Almost 70% of CISOs expect a ransomware attack

19 Oct 2021
Organizations warned of ransomware risk from smaller operators
ransomware

Organizations warned of ransomware risk from smaller operators

19 Oct 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

14 Oct 2021
Senator to introduce new bill to force ransomware payment disclosures
ransomware

Senator to introduce new bill to force ransomware payment disclosures

6 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021