In the weeks leading up to the catastrophic attack on its VSA platform, Kaseya was working with researchers to fix the authentication bypass bug that hackers later exploited to deliver ransomware to hundreds of businesses.
A team of researchers from the Dutch Institute for Vulnerability Disclosure (DIVD) published two articles describing how and when they found a number of vulnerabilities in the tools Kaseya provides to managed service providers (MSPs). According to DIVD, the vulnerability tracked as CVE-2021-30116 was one of seven flaws its team had uncovered in the Kaseya VSA software.
The authentication bypass bug was one of two vulnerabilities the attackers exploited when they broke into the VSA update service and used the compromised service to push a REvil ransomware payload to customers. The DIVD did not say which second vulnerability the attackers exploited.
“Last weekend we were in the middle of a storm,” wrote DIVD-CERT manager Frank Breedijk in a limited-disclosure post on the Kaseya vulnerabilities. “A storm caused by the ransomware attacks carried out through the Kaseya VSA that exploited a vulnerability that we shared with Kaseya in confidence, along with six other vulnerabilities.”
According to the DIVD’s incident report, the DIVD had been in private contact with Kaseya since April to report the seven bugs it found in the MSP software provider’s internet-based services and applications. Some were fixed back in April and May while others were in the process of being fixed when the VSA attack took place.
In addition to CVE-2021-30116, the DIVD says its team reported a SQL injection bug, CVE-2021-30117, patched in May; a remote code execution bug, CVE-2021-30118, patched in April; a cross-site scripting bug, CVE-2021-30119, for which a patch is in the works; a two-factor authentication bypass, CVE-2021-30120, to be patched in the upcoming VSA version 9.5.7; a local file inclusion vulnerability, CVE-2021-30121, patched in May; and an XML external entity (XXE) bug, CVE-2021-30201, patched in May.
The researchers said they kept silent about the vulnerabilities because they feared that disclosing the bugs would open the door to attacks.
“When we discovered the weak points at the beginning of April, it was clear to us that we should not let these weak points fall into the wrong hands,” wrote Breedijk. “After some deliberation, we decided it was the right thing to do to inform the vendor and wait for a patch to be delivered. We hypothesized that in the wrong hands, these vulnerabilities could result in the compromise of large numbers of computers managed by Kaseya VSA.”
Unfortunately, according to the DIVD, not all of the bugs could be fixed before criminal hackers found and exploited one of them, what Breedijk called a “worst-case scenario”. The researchers said Kaseya had responded to their reports and was diligently working to get the fixes out.
The secrecy and hard work were in vain, however: the criminals launched their ransomware attack on July 2nd and demanded a ransom of $70 million in cryptocurrency in exchange for a universal decryption key. So far there is no evidence that a payment has been made.
The new information from the DIVD raises the possibility that the attack could have been the result of a leak in the confidential disclosure process, particularly given that the attackers knew that certain VSA directories were excluded from antivirus scanning. Earlier this year, Microsoft investigated a possible leak of several high-profile zero-day bugs in its Exchange Server software; those vulnerabilities were exploited by nation-state threat actors before they were publicly disclosed and patched.