Kaseya Patches Zero-Days Used in REvil Attacks

  • The security update addresses three VSA vulnerabilities used by the ransomware gang to launch a worldwide supply-chain attack on MSPs and their customers.

    Kaseya made good on its promise to issue patches by July 11.

    On Saturday, the company behind the Virtual System/Server Administrator (VSA) platform that got walloped by the REvil ransomware-as-a-service (RaaS) gang in a massive supply-chain attack released urgent updates to address critical zero-day security vulnerabilities in VSA.

    Kaseya released the VSA 9.5.7a (9.5.7.2994) update to fix three zero-day vulnerabilities used in the ransomware attacks.

    The company said on its rolling advisory page that all of its software-as-a-service (SaaS) customers were back up as of this morning, while the company was still working to restore on-premises customers that needed help:

    The restoration of services is now complete, with 100% of our SaaS customers live as of 3:30 AM US EDT. Our support teams continue to work with VSA On-Premises customers who have requested assistance with the patch. —Kaseya

    A Brazen Ransomware Blitz

On July 2, the REvil gang exploited those three VSA zero-days in more than 5,000 attacks. As of July 5, the worldwide assault had reached 22 countries, hitting not only Kaseya’s managed service provider (MSP) customer base but also, because many MSPs use VSA to manage the networks of other businesses, those MSPs’ own customers.

    Kaseya customers use VSA to remotely monitor and manage software and network infrastructure. It’s supplied either as a hosted cloud service by Kaseya, or via on-premises VSA servers.

    Following the brazen ransomware attacks, CISA and FBI last week offered guidance to victims. Threat actors were quick to exploit the situation, having planted Cobalt Strike backdoors by malspamming a bogus Microsoft update along with a malicious “SecurityUpdates” executable.

    As of July 6, Kaseya said in its updated rolling advisory that there were fewer than 60 customers affected but far more – “fewer than 1,500,” it said – downstream businesses that got hit.

    Kaseya already knew about these bugs when the attacks were launched. In April, the Dutch Institute for Vulnerability Disclosure (DIVD) had disclosed seven vulnerabilities to Kaseya.

    On Saturday, Bloomberg reported that software engineering and development employees at Kaseya’s U.S. offices had brought up a laundry list of “wide-ranging cybersecurity concerns” to company leaders multiple times over the course of three years, from 2017 to 2020. When the outlet asked Kaseya to address the anonymous workers’ accusations, a Kaseya spokesperson declined, citing a policy of not commenting on matters involving personnel or the ongoing criminal investigation into the hack.

    UPDATE 1: Dana Liedholm, senior vice president of corporate marketing for Kaseya, told Threatpost on Monday that the company has bigger fish to fry than responding to “random speculation”: “Kaseya’s focus is on the customers who have been affected and the people who have actual data and are trying to get to the bottom of it, not on random speculation by former employees or the wider world,” Liedholm said via email.

    UPDATE 2: Jake Williams, co-founder and CTO at incident response firm BreachQuest, told Threatpost that dismissing workers’ input as being “speculation” doesn’t make the accusations less credible. “After a quick analysis of the VSA server product, it’s pretty easy to believe these claims,” he said via email. “Until management at software development firms begin prioritizing security fixes over feature updates, we can expect incidents like this to continue. The fact that Kaseya downplayed the reported 40-page security memo as ‘speculation’, without denying its existence, is a huge red flag and lends a lot of credence to the claims.”

    UPDATE 3: Granted, managing security is tough for any company, including software vendors, noted Dirk Schrader, global vice president of security research at New Net Technologies (NNT). That doesn’t let them off the hook, though, he told Threatpost on Monday. “A company can’t decline doing the essentials, because that is equivalent to being negligent on the risks related to cybersecurity, and there is plenty of material about what is essential.”

    Quick searches point to areas in Kaseya’s security that could be improved, Schrader added, such as outdated certificates on networking devices and on Kaseya’s own instances of VSA. “It comes down to its security operations, its processes and whether they are up to par with the current threat landscape,” Schrader said.

To support his statement, Schrader pointed to Cisco IOS devices used by Kaseya itself that present an outdated certificate, noting that several IPs show the same issue, and to multiple additional certificate problems on Kaseya-operated hosts.

    A Baker’s Half-Dozen of Bugs

Most of the seven vulnerabilities reported to Kaseya by DIVD had already been patched on Kaseya’s VSA SaaS service, but until Saturday three of them remained open in the on-premises version of VSA. The attackers slipped through that gap before Kaseya had shipped fixes for its on-premises customers’ servers.

    The three on-premise VSA bugs that Kaseya has now stomped:

    • CVE-2021-30116 – A credentials leak and business logic flaw, included in version 9.5.7 rolled out on Saturday.
    • CVE-2021-30119 – A cross-site scripting (XSS) vulnerability, included in version 9.5.7.
    • CVE-2021-30120 – A bypass of two-factor authentication (2FA), included in version 9.5.7.

    Following the July 2 onslaught, Kaseya urged on-premise VSA customers to shut down their servers until the patch was ready. To punch up security still more, Kaseya is also recommending limiting network access to the VSA Application/GUI to local IP addresses only, “by blocking all inbound traffic except for port 5721 (the agent port). Administrators will only be able to access the application from the local network or by using a VPN to connect to the local network.”
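    One way to apply that recommendation on the server itself, as an added example that is not Kaseya’s own guidance or code: the rules below assume an on-premises VSA host running Windows Server with Windows Defender Firewall, that the VSA web GUI listens on TCP 443 (the advisory names only the agent port), and that administrators reach it from an assumed LAN (10.0.0.0/24) or an assumed VPN pool (10.8.0.0/24). Adjust the networks and GUI port to your environment.

```powershell
# Added example (not Kaseya's): lock an on-premises VSA server down to the
# advisory's recommendation -- agent port 5721 open, everything else inbound
# blocked, GUI reachable only from the local network or over VPN.
# Assumptions (not stated on the page): Windows Defender Firewall, VSA GUI on
# TCP 443, admin LAN 10.0.0.0/24, VPN pool 10.8.0.0/24.
$AdminNets = @('10.0.0.0/24', '10.8.0.0/24')   # assumed LAN + VPN address pool
$GuiPort   = '443'                              # assumed VSA web GUI port
$AgentPort = '5721'                             # agent check-in port per advisory

# 1. Default-deny inbound on every profile. Note: this only governs traffic
#    that no rule matches; pre-existing allow rules (e.g. IIS defaults) still apply.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Agent port stays reachable from anywhere; it is the only Internet-facing port.
New-NetFirewallRule -DisplayName 'VSA agent port 5721' -Direction Inbound `
    -Protocol TCP -LocalPort $AgentPort -RemoteAddress Any -Action Allow

# 3. Web GUI only from the admin networks.
New-NetFirewallRule -DisplayName 'VSA GUI from admin nets only' -Direction Inbound `
    -Protocol TCP -LocalPort $GuiPort -RemoteAddress $AdminNets -Action Allow

# 4. Verify: every enabled inbound allow rule that touches the GUI or agent port,
#    with the remote addresses it admits. Anything on $GuiPort that shows
#    'Any' as Remote is a rule that must be disabled or narrowed.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        ($ports -contains $GuiPort) -or ($ports -contains $AgentPort)
    } |
    Select-Object DisplayName,
        @{ n = 'Port';   e = { ($_ | Get-NetFirewallPortFilter).LocalPort } },
        @{ n = 'Remote'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } }
```

    The verification step matters more than the two new rules: a default-deny inbound action does not override allow rules already present, so an IIS “HTTPS Traffic-In” rule or any other broad allow on the GUI port would still expose the application to the Internet. Disable or scope those rules until the listing shows only the admin networks against the GUI port.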

    Older Bugs

    Besides the outstanding trio of bugs Kaseya addressed in the 9.5.7a release, these are the other four vulnerabilities that DIVD disclosed and Kaseya already fixed before the July 2 attacks:

    • CVE-2021-30117 – An SQL injection vulnerability, resolved in a May 8 patch.
    • CVE-2021-30118 – A remote code execution (RCE) vulnerability, resolved in an April 10 patch (v9.5.6).
    • CVE-2021-30121 – A local file inclusion (LFI) vulnerability, resolved in the May 8 patch.
    • CVE-2021-30201 – An XML external entity (XXE) vulnerability, resolved in the May 8 patch.

    071221 11:58 UPDATE: Added commentary from Dana Liedholm.

    071221 12:13 UPDATE: Added commentary from Jake Williams.

    071221 12:32 UPDATE: Added commentary from Dirk Schrader.
