IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Kaseya patches VSA flaws exploited in REvil ransomware attack

Three now-patched vulnerabilities centred on credential leakage, cross-site scripting and 2FA bypass

Software firm Kaseya has issued patches for three vulnerabilities that hackers used to execute a devastating ransomware attack earlier this month.

The company’s emergency update for VSA version 9.5.7a (9.5.7.2994) address three flaws tracked as CVE-2021-30116, CVE-2021-30119 and CVE-2021-30120. These concern credentials leakage and a business logic flaw, a cross-site scripting (XSS) vulnerability, and a two-factor authentication (2FA) bypass, respectively.

These have been patched now alongside four other vulnerabilities, which received patches in previous versions of the VSA software. All seven were identified by the security firm DIVD in April this year, with the two companies working to address them only for REvil ransomware operators to beat them to the punch.

The other four flaws are tracked as CVE-2021-30117, an SQL injection flaw, CVE-2021-30118, a remote code execution bug, CVE-202130121, a local file inclusion vulnerability, and CVE-2021-30201, an XML external entity vulnerability. 

The hackers abused the flaws to target the cloud-based IT management and remote monitoring platform VSA, but Kaseya initially stated the attack had only affected roughly 40 on-premise customers. Because the software is used by many Managed Service Providers (MSPs), however, compromising internet-facing VSA servers served as an entry point to target their own customers, with roughly 1,500 businesses now thought to have been affected by the attack.

Other groups were also recently discovered to be launching opportunistic phishing attacks, with messages that claimed to be delivering important security updates for the VSA product. The emails warned victims they should “install the update from Microsoft to protect against ransomware as soon as possible”, according to Malwarebytes.

Related Resource

Aberdeen Report: How a platform approach to security monitoring initiatives adds value

Integration, orchestration, analytics, automation, and the need for speed

White text against a pink-red background - whitepaper from IBMFree download

DIVD researcher Victor Gevers wrote in the immediate aftermath of the attack that a patch for these vulnerabilities had been in development, but that the two companies were beaten to the punch at the final hurdle. 

“Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” he wrote. “During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. 

“They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Former Kaseya staff, speaking with Bloomberg, however, have claimed that they warned executives of critical flaws in the firm’s products several times between 2017 and 2020, but that the company didn’t take these warnings seriously enough. 

Workers complained that the firm was using old code, implementing poor encryption and failed to routinely patch the software. Reportedly, VSA was ridden with so many issues that employees wanted it replaced.

The publication claims that one employee said he was fired two weeks after sending senior leadership a 40-page briefing on security issues, while other works left after being frustrated that the focus seemed on adding new features rather than fixing basic problems.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021
US and Israel join forces to fight ransomware
ransomware

US and Israel join forces to fight ransomware

15 Nov 2021

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Why India wants to become a chipmaking powerhouse
components

Why India wants to become a chipmaking powerhouse

28 Jun 2022