Last week, cyber criminals deployed ransomware to 1,500 companies, including many that provide IT security and technical support to other companies. The attackers used a security hole in software from Kaseya, a Miami-based company whose products help system administrators remotely manage large networks. Now it seems like Kaseya’s customer service portal was vulnerable to a security flaw that was first discovered in the same software six years ago until last week.
On July 3rd, the REvil ransomware affiliate program started using a zero-day vulnerability (CVE-2021-30116) to deliver ransomware to hundreds of IT management companies using Kaseya’s remote management software – known as the Kaseya Virtual System Administrator (VSA).
According to this entry for CVE-2021-30116, the vulnerability that resulted in the Kaseya VSA Zero-Day being assigned a vulnerability number on April 2, 2021, indicating that Kaseya had approximately three months to correct the bug before it was exploited in the wild.
Also on July 3rd, a security incident response company Mandiant announced to Kaseya that their billing and customer support site –portal.kaseya.net – was prone to CVE-2015-2862, a directory traversal vulnerability in Kaseya VSA that allows remote users to read all files on the server with nothing more than a web browser.
As the name suggests, CVE-2015-2862 was released in July 2015. Six years later, Kaseya’s customer portal was still exposed to the data breach vulnerability.
Mandiant notified Kaseya after hearing about it Alex Holden, Founder and Chief Technology Officer of the Milwaukee-based cyber intelligence company Keep security. Holden said the 2015 vulnerability was present on Kaseya’s customer portal by Saturday afternoon, so he could use the “Web.config” file, a server component that often contains sensitive information such as user names and passwords, and key database locations.
“It’s not that they forgot to patch something Microsoft fixed years ago,” said Holden. “It’s a patch for your own software. And it’s not a zero day. It’s from 2015! “
The official description of CVE-2015-2862 states that a potential attacker must already be authenticated with the server for the exploit to work. However, Holden said this was not the case with the vulnerability on the Kaseya portal that he reported through Mandiant.
“It’s worse because the CVE requires an authenticated user,” said Holden. “That was not.”
Michael Sanders, Executive Vice President of Account Management at Kaseya, confirmed that the customer portal was taken offline in response to a vulnerability report. Sanders said the portal was phased out in 2018 in favor of a more modern customer support and ticket system, but somehow the old website is still available online.
“It was out of date but abandoned,” said Sanders.
In a written statement shared with KrebsOnSecurity, Kaseya said that in 2015 CERT reported two vulnerabilities in its VSA product.
“We worked with CERT on Responsible Disclosure and released patches for VSA versions V7, R8, R9 and R9 along with Public Disclosures (CVEs) and notifications to our customers. Portal.kaseya.net was not considered part of the VSA shipping product by our team and was not part of the VSA product patch in 2015. It does not have access to customer endpoints and has been shut down – and is no longer activated or used by Kaseya. “
“At this point in time, there is no evidence that this portal was involved in the VSA product security incident,” the statement said. “We continue to perform forensic analyzes of the system and examine what data is actually available.”
Ransomware group REvil said affected companies could independently negotiate a decryption key with them or someone could pay $ 70 million in virtual currency to buy a key that would decrypt all systems compromised in the attack.
However, Sanders said that every ransomware expert Kaseya has consulted has advised against negotiating a ransom to unlock all victims.
“The problem is, they don’t have our data, they have our customers’ data,” said Sanders. “We have been advised not to do so by all of the ransomware negotiators we’ve dealt with. They said that with so many individual hacked and ransomware machines, it would be very difficult to fix all of these systems at the same time. “
In a video posted on Youtube on July 6, the CEO of Kaseya said Fred Voccola said the ransomware attack had “limited impact, with only about 50 of Kaseya’s 35,000+ customers being targeted.”
“Fortunately, while every single customer affected is one too many, the impact of this sophisticated attack has been found to be grossly overrated,” said Voccola.
The zero-day vulnerability that resulted in Kaseya customers (and those customers’ customers) being bought out was discovered and reported to Kaseya by Wietse Boonstra, a researcher with the Dutch Vulnerability Disclosure Institute (DIVD).
in the a blog post from July 4th, DIVDs Victor Gevers wrote that Kaseya was “very cooperative” and “asked the right questions”.
“We were also given partial patches to check their effectiveness,” wrote Gevers. “Throughout the process, Kaseya has shown that they were willing to put maximum effort and initiative into this case to both fix this issue and patch their customers. They showed a real commitment to doing the right thing. Unfortunately, we were beaten in the final spurt by REvil because they were able to exploit the weak points before customers could even patch. “
However, Kaseya has not yet released an official patch for the Boonstra bug reported in April. Kaseya said customer on July 7th that it worked “through the night” to bring out an update.
Gevers said the Kaseya vulnerability was discovered as part of a larger DIVD project to search for fatal bugs in a variety of remote network management tools.
“We’re focusing on these types of products because we’ve seen a trend where more and more products used to secure networks have structural weaknesses,” he wrote.
#Kaseya #customer #portal #vulnerable #bugs #software #Krebs #Security