On Sat., the company behind the Virtual System/Server Administrator (VSA) platform that got hit by the REvil ransomware-as-a-service (RaaS) gang in a massive supply-chain attack released urgent updates to address critical zero-day security vulnerabilities in VSA.
The security update addresses 3 VSA vulnerabilities used by the ransomware gang to launch a worldwide supply-chain attack on MSPs & their customers.
Kaseya made good on its promise to issue patches by July 11.
Update
Kaseya released the VSA 9.5.7a (9.5.7.2994) update to fix 3 zero-day vulnerabilities used in the ransomware attacks.
The company stated on its rolling advisory page that all of its software-as-a-service (SaaS) customers were back up as of this morning, while the company was still working to restore on-premise customers that needed help:
The restoration of services is now complete, with 100% of our SaaS customers live as of 3:30 AM US EDT. Our support teams continue to work with VSA On-Premise customers who have requested assistance with the patch. —Kaseya
Brazen Ransomware
On July 2, the REvil gang wrenched open those 3 VSA zero-days in more than 5,000 attacks. By July 5, the worldwide assault had been unleashed in 22 countries, reaching not only Kaseya’s managed service provider (MSP) customer base but also, given that many of them use VSA to manage the networks of other businesses, attacking MSP’s customers
Kaseya customers use VSA to remotely monitor & manage software & network infrastructure. It is supplied either as a hosted cloud service by Kaseya, or via on-premises VSA servers.
Guidance
After the overt ransomware attacks, the US CISA & FBI last week offered guidance to victims. Threat players were fast to exploit the situation, having planted Cobalt Strike backdoors by ‘malspamming’ a bogus Microsoft update along with a malicious “Security Updates” executable.
As of July 6, Kaseya said in its updated rolling advisory that there were fewer than 60 customers affected but far more – “fewer than 1,500,” it claimed – downstream businesses that got hit.
Kaseya already knew about those bugs when the attacks started. In April, the Dutch Institute for Vulnerability Disclosure (DIVD) had disclosed 7 vulnerabilities to Kaseya.
Employees
On Sat., Bloomberg reported that software engineering & development employees at Kaseya’s US offices had brought up a list of “wide-ranging cybersecurity concerns” to company leaders many times over the course of 3 years, from 2017 to 2020.
When the outlet asked Kaseya to address the anonymous workers’ accusations, a Kaseya spokesperson declined, citing a policy of not commenting on matters involving personnel or the ongoing criminal investigation into the hack.
Latest Comments on Situation
Dana Liedholm, Senior VP of Corporate Marketing for Kaseya, explained on Monday that the company has bigger issues than responding to “random speculation”: “Kaseya’s focus is on the customers who have been affected & the people who have actual data & are trying to get to the bottom of it, not on random speculation by former employees or the wider world,” Liedholm observed.
Jake Williams, Co-Founder & CTO at incident response firm Breach Quest, describing & dismissing workers’ input as being “speculation” does not make the accusations less credible. “After a quick analysis of the VSA server product, it’s pretty easy to believe these claims,” he explained.
Speculation
“Until management at software development firms begin prioritising security fixes over feature updates, we can expect incidents like this to continue. The fact that Kaseya downplayed the reported 40-page security memo as ‘speculation’, without denying its existence, is a huge red flag & lends a lot of credence to the claims.”
Managing security is hard for any company, including software vendors, noted Dirk Schrader, Global VP of Security Research at New Net Technologies (NNT). That does not let them off, though, he observed on Mond. “A company can’t decline doing the essentials, because that is equivalent to being negligent on the risks related to cybersecurity, & there is plenty of material about what is essential.”
Outdated Certificates
Quick searches point to areas in Kaseya’s security that could be improved, Schrader added, such as outdated certificates on networking devices & on Kaseya’s own instances of VSA. “It comes down to its security operations, its processes & whether they are up to par with the current threat landscape,” Schrader explained.
To support his statement, Schrader pointed to Cisco IOS device(s) with an outdated cert used by Kaseya itself, noting that there are a couple of IPs showing the same issue. He found multiple additional certificate issues, including this one & this one.
Many Bugs
Most of the 7 vulnerabilities reported to Kaseya by DVID were patched on Kaseya’s VSA SaaS service, but up until Sat., 3 outstanding security holes were still needed on the VSA on-premises version. The attackers had struck before Kaseya had a chance to improve those on-premises VSA servers.
The 3 on-premise VSA bugs that Kaseya has now stomped:
- CVE-2021-30116 – A credentials leak & business logic flaw, included in version 9.5.7 rolled out Sat.
- CVE-2021-30119 – A cross-site scripting (CSS) vulnerability, included in version 9.5.7.
- CVE-2021-30120 – A bypass of 2-factor authentication (2FA), included in version 9.5.7.
Upgrade Security
After the July 2 attack, Kaseya urged on-premises VSA customers to shut down their servers until the patch was ready.
To upgrade security still more, Kaseya is also recommending limiting network access to the VSA Application/GUI to local IP addresses only, “by blocking all inbound traffic except for port 5721 (the agent port).
Administrators will only be able to access the application from the local network or by using a VPN to connect to the local network.”
Older Bugs
Besides the outstanding 3 bugs Kaseya addressed on Sun, these are the other 4 vulnerabilities that DIVD disclosed & Kaseya already fixed before the July 2 attacks:
- CVE-2021-30117 – An SQL injection vulnerability, resolved in a May 8 patch.
- CVE-2021-30118 – A remote code execution (RCE) vulnerability, resolved in an April 10 patch. (v9.5.6)
- CVE-2021-30121 – A local file inclusion (LFI) vulnerability, resolved in the May 8 patch.
- CVE-2021-30201 – An XML external entity (XXE) vulnerability, resolved in the May 8 patch.