Kaseya Patches Zero-Days Used in REvil Attacks

Kaseya made good on its promise to issue patches by July 11.

On Saturday, the company behind the Virtual System/Server Administrator (VSA) platform that got walloped by the REvil ransomware-as-a-service (RaaS) gang in a massive supply-chain attack released urgent updates to address critical zero-day security vulnerabilities in VSA.

Kaseya released the VSA 9.5.7a (9.5.7.2994) update to fix three zero-day vulnerabilities used in the ransomware attacks.

The company said on its rolling advisory page that all of its software-as-a-service (SaaS) customers were back up as of this morning, while the company was still working to restore on-premises customers that needed help:

The restoration of services is now complete, with 100% of our SaaS customers live as of 3:30 AM US EDT. Our support teams continue to work with VSA On-Premises customers who have requested assistance with the patch. —Kaseya

A Brazen Ransomware Blitz

On July 2, the REvil gang wrenched open those three VSA zero-days in more than 5,000 attacks. As of July 5, the worldwide assault had been unleashed in 22 countries, reaching not only Kaseya’s managed service provider (MSP) customer base but also, given that many of them use VSA to manage the networks of other businesses, clawing at those MSP’s customers

Kaseya customers use VSA to remotely monitor and manage software and network infrastructure. It’s supplied either as a hosted cloud service by Kaseya, or via on-premises VSA servers.

Following the brazen ransomware attacks, CISA and FBI last week offered guidance to victims. Threat actors were quick to exploit the situation, having planted Cobalt Strike backdoors by malspamming a bogus Microsoft update along with a malicious “SecurityUpdates” executable.

As of July 6, Kaseya said in its updated rolling advisory that there were fewer than 60 customers affected but far more – “fewer than 1,500,” it said – downstream businesses that got hit.

Kaseya already knew about these bugs when the attacks were launched. In April, the Dutch Institute for Vulnerability Disclosure (DIVD) had disclosed seven vulnerabilities to Kaseya.

On Saturday, Bloomberg reported that software engineering and development employees at Kaseya’s U.S. offices had brought up a laundry list of “wide-ranging cybersecurity concerns” to company leaders multiple times over the course of three years, from 2017 to 2020. When the outlet asked Kaseya to address the anonymous workers’ accusations, a Kaseya spokesperson declined, citing a policy of not commenting on matters involving personnel or the ongoing criminal investigation into the hack.

UPDATE: Dana Liedholm, senior vice president of corporate marketing for Kaseya, told Threatpost on Monday that the company has bigger fish to fry than responding to “random speculation”: “Kaseya’s focus is on the customers who have been affected and the people who have actual data and are trying to get to the bottom of it, not on random speculation by former employees or the wider world,” Liedholm said via email.

A Baker’s Half-Dozen of Bugs

Most of the seven vulnerabilities reported to Kaseya by DVID were patched on Kaseya’s VSA SaaS service, but up until Saturday, three outstanding security holes were still needed to batten down the hatches on the VSA on-premise version. The attackers had snuck into that gap before Kaseya had a chance to bolster those on-premise VSA servers.

The three on-premise VSA bugs that Kaseya has now stomped:

CVE-2021-30116 – A credentials leak and business logic flaw, included in version 9.5.7 rolled out on Saturday. CVE-2021-30119 – A cross-site scripting (CSS) vulnerability, included in version 9.5.7. CVE-2021-30120 – A bypass of two-factor authentication (2FA), included in version 9.5.7.

Following the July 2 onslaught, Kaseya urged on-premise VSA customers to shut down their servers until the patch was ready. To punch up security still more, Kaseya is also recommending limiting network access to the VSA Application/GUI to local IP addresses only, “by blocking all inbound traffic except for port 5721 (the agent port). Administrators will only be able to access the application from the local network or by using a VPN to connect to the local network.”

Older Bugs

Besides the outstanding trio of bugs Kaseya addressed on Sunday, these are the other four vulnerabilities that DIVD disclosed and Kaseya already fixed before the July 2 attacks:

CVE-2021-30117 – An SQL injection vulnerability, resolved in a May 8 patch. CVE-2021-30118 – A remote code execution (RCE) vulnerability, resolved in an April 10 patch. (v9.5.6) CVE-2021-30121 – A local file inclusion (LFI) vulnerability, resolved in the May 8 patch. CVE-2021-30201 – An XML external entity (XXE) vulnerability, resolved in the May 8 patch.

071221 11:58 UPDATE: Added comment from Kaseya’s Dana Liedholm.

Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.