Kaseya patches VSA flaws exploited in REvil ransomware attack

Three now-patched vulnerabilities centred on credential leakage, cross-site scripting and 2FA bypass

Software firm Kaseya has issued patches for three vulnerabilities that hackers used to execute a devastating ransomware attack earlier this month.

The company’s emergency update for VSA version 9.5.7a (9.5.7.2994) address three flaws tracked as CVE-2021-30116, CVE-2021-30119 and CVE-2021-30120. These concern credentials leakage and a business logic flaw, a cross-site scripting (XSS) vulnerability, and a two-factor authentication (2FA) bypass, respectively.

These have been patched now alongside four other vulnerabilities, which received patches in previous versions of the VSA software. All seven were identified by the security firm DIVD in April this year, with the two companies working to address them only for REvil ransomware operators to beat them to the punch.

The other four flaws are tracked as CVE-2021-30117, an SQL injection flaw, CVE-2021-30118, a remote code execution bug, CVE-202130121, a local file inclusion vulnerability, and CVE-2021-30201, an XML external entity vulnerability. 

The hackers abused the flaws to target the cloud-based IT management and remote monitoring platform VSA, but Kaseya initially stated the attack had only affected roughly 40 on-premise customers. Because the software is used by many Managed Service Providers (MSPs), however, compromising internet-facing VSA servers served as an entry point to target their own customers, with roughly 1,500 businesses now thought to have been affected by the attack.

Other groups were also recently discovered to be launching opportunistic phishing attacks, with messages that claimed to be delivering important security updates for the VSA product. The emails warned victims they should “install the update from Microsoft to protect against ransomware as soon as possible”, according to Malwarebytes.

Related Resource

Aberdeen Report: How a platform approach to security monitoring initiatives adds value

Integration, orchestration, analytics, automation, and the need for speed

White text against a pink-red background - whitepaper from IBMDownload now

DIVD researcher Victor Gevers wrote in the immediate aftermath of the attack that a patch for these vulnerabilities had been in development, but that the two companies were beaten to the punch at the final hurdle. 

“Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” he wrote. “During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. 

“They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Former Kaseya staff, speaking with Bloomberg, however, have claimed that they warned executives of critical flaws in the firm’s products several times between 2017 and 2020, but that the company didn’t take these warnings seriously enough. 

Workers complained that the firm was using old code, implementing poor encryption and failed to routinely patch the software. Reportedly, VSA was ridden with so many issues that employees wanted it replaced.

The publication claims that one employee said he was fired two weeks after sending senior leadership a 40-page briefing on security issues, while other works left after being frustrated that the focus seemed on adding new features rather than fixing basic problems.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

New ransomware group is attacking US firms and educational establishments
ransomware

New ransomware group is attacking US firms and educational establishments

15 Jul 2021
Interpol calls for more action to prevent "ransomware pandemic"
cyber security

Interpol calls for more action to prevent "ransomware pandemic"

13 Jul 2021
84% of organizations experienced phishing or ransomware attacks in the last year
ransomware

84% of organizations experienced phishing or ransomware attacks in the last year

12 Jul 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

9 Jul 2021

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021