Kaseya Security Update Resolves Vulnerabilities Exploited in KSA Ransomware Attack
Kaseya has reported a security update published for the Kaseya KSA remote management and tracking software program to resolve the zero-day vulnerabilities, which the REvil ransomware gang fairly recently exploited in attacks on its customers and their clients.
The vulnerabilities taken advantage of in the attack were included in a group of seven flaws that the Dutch Institute for Vulnerability Disclosure (DIVD) reported to Kaseya in April 2021. Kaseya had made patches to resolve four of the seven vulnerabilities found in its Virtual System Administrator tool and introduced these as part of its April to May security updates; nonetheless, before the launch of the patches for the other three vulnerabilities, a REvil ransomware affiliate exploited one or more of them.
The attack impacted about 60 customers who had implemented the Kaseya VSA on-premises, some of which were managed service providers (MSPs). The REvil ransomware gang obtained access to their servers, encrypted them, and sent their ransomware to around 1,500 business consumers of those businesses.
Following the attack on July 2, 2021, Kaseya informed its clients to power down their on-premises VSA servers until the vulnerabilities were dealt with and its SaaS servers were turned off as the SaaS program likewise had vulnerabilities, even if its cloud-based service was not impacted by the attack. Those servers are at this time being restarted in stages and the remaining three patches were issued in the VSA 9.5.7a (220.127.116.1194) update.
The three vulnerabilities resolved in the newest security update are
- CVE-2021-30116 – a business logic and credential leak vulnerability
- CVE-2021-30120 – a 2FA bypass vulnerability
- CVE-2021-30119 – a cross-site scripting vulnerability
Kaseya tells that three more vulnerabilities in the tool were also sorted out by the update. These are
- a failure to make use of a secure flag for user portal session cookies
- a vulnerability that loaded files to a VSA server
- a vulnerability that exposed a password hash was exposed making weak passwords susceptible to brute force attacks
Kaseya has suggested a procedure for implementing the update to lessen risk. This requires making certain the VSA server is singled out and not hooked up to the Internet, seeking for Indicators of Compromise (IoCs) to find out if servers or endpoints had been compromised, then making use of the update.
The entire method for updating on-premises VSA servers and making them secure is discussed in the Kaseya On Premises Startup Readiness Guide.