Kaseya patches VSA flaws exploited in REvil ransomware attack

Software firm Kaseya has issued patches for three vulnerabilities that hackers used to execute a devastating ransomware attack earlier this month.

The company’s emergency update for VSA version 9.5.7a (9.5.7.2994) address three flaws tracked as CVE-2021-30116, CVE-2021-30119 and CVE-2021-30120. These concern credentials leakage and a business logic flaw, a cross-site scripting (XSS) vulnerability, and a two-factor authentication (2FA) bypass, respectively.

These have been patched now alongside four other vulnerabilities, which received patches in previous versions of the VSA software. All seven were identified by the security firm DIVD in April this year, with the two companies working to address them only for REvil ransomware operators to beat them to the punch.

The other four flaws are tracked as CVE-2021-30117, an SQL injection flaw, CVE-2021-30118, a remote code execution bug, CVE-202130121, a local file inclusion vulnerability, and CVE-2021-30201, an XML external entity vulnerability.

The hackers abused the flaws to target the cloud-based IT management and remote monitoring platform VSA, but Kaseya initially stated the attack had only affected roughly 40 on-premise customers. Because the software is used by many Managed Service Providers (MSPs), however, compromising internet-facing VSA servers served as an entry point to target their own customers, with roughly 1,500 businesses now thought to have been affected by the attack.

Other groups were also recently discovered to be launching opportunistic phishing attacks, with messages that claimed to be delivering important security updates for the VSA product. The emails warned victims they should “install the update from Microsoft to protect against ransomware as soon as possible”, according to Malwarebytes.

DIVD researcher Victor Gevers wrote in the immediate aftermath of the attack that a patch for these vulnerabilities had been in development, but that the two companies were beaten to the punch at the final hurdle.

“Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” he wrote. “During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched.

“They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Former Kaseya staff, speaking with Bloomberg, however, have claimed that they warned executives of critical flaws in the firm’s products several times between 2017 and 2020, but that the company didn’t take these warnings seriously enough.

Workers complained that the firm was using old code, implementing poor encryption and failed to routinely patch the software. Reportedly, VSA was ridden with so many issues that employees wanted it replaced.

The publication claims that one employee said he was fired two weeks after sending senior leadership a 40-page briefing on security issues, while other works left after being frustrated that the focus seemed on adding new features rather than fixing basic problems.