One of the vulnerabilities in Kaseya’s IT management software VSA, which has been used by rogues to infect up to 1,500 companies with ransomware, was reported to the vendor in April – and the patch simply wasn’t ready in time.
As we reported earlier this week, deployments of Kaseya's flagship product, Virtual System Administrator (VSA), were hijacked earlier this month to push REvil ransomware into networks around the world. Kaspersky Lab said it had seen evidence of 5,000 infection attempts in 22 countries in the three days following the first attack.
Kaseya took its software-as-a-service VSA offering offline and urged all of its customers to shut down their on-premises VSA servers to avoid being hit by the ransomware. Kaseya's customers are primarily managed service providers looking after their own customers' IT estates, and because a VSA server can push software to every endpoint it manages, compromising a single VSA deployment lets attackers hijack large numbers of downstream systems in one go.
Back in April, the Dutch Institute for Vulnerability Disclosure (DIVD) had privately reported seven security bugs in VSA to Kaseya. Four were fixed, with patches released in April and May. The remaining three were due to be fixed in an upcoming release, version 9.5.7.
Unfortunately, one of those unpatched bugs, CVE-2021-30116, a logic flaw discovered by DIVD's Wietse Boonstra that leaks credentials, was exploited by the ransomware slingers before its fix could be released.
Victor Gevers, chairman of the DIVD, praised Kaseya's response to the bug reports, writing in a blog post: "As soon as Kaseya knew of our reported vulnerabilities, we were in constant touch and worked with them. If anything in our report was unclear, they asked the right questions. We were also given partial patches to verify their effectiveness.
"Throughout the process, Kaseya has shown that they were willing to put the maximum effort and initiative into this case to fix this issue and fix their customers. They showed a real commitment to doing the right thing. Unfortunately, we were beaten in the final sprint by REvil, because they were able to exploit the weak points before customers could even patch."
Infosec outfit Tenable rounded up industry statements and research suggesting that the REvil crew used a combination of up to three zero-days to attack VSA: an authentication bypass vulnerability, an arbitrary file upload bug, and a code injection vulnerability.
Presumably the auth bypass hole is CVE-2021-30116, and it seems very likely to us that the other two flaws could not be successfully exploited without the first, since both would need the authenticated access that the bypass hands to an unauthenticated attacker. In that chain, the bypass is used to reach the upload functionality, a malicious file is uploaded, and the code injection bug is used to get that file executed and commandeer the box.
A fix for CVE-2021-30116 is not yet available. Overnight, Kaseya said it had "released a runbook of the changes that need to be made to your on-premises environment so customers can prepare for the patch release." That runbook can be found here.
Palo Alto Networks' threat research arm, Unit 42, published a report on Wednesday discussing REvil's known methods, including the use of Cobalt Strike Beacons, PowerShell scripts designed to hide the attackers' presence on a target network, and indicators of compromise seen in the early stages of an intrusion. ®