The White Hats reported a key Kaseya VSA flaw months ago. Ransomware Outperforms Patch • Registry
One of the vulnerabilities in Kaseya’s IT management software VSA, exploited by criminals to infect up to 1,500 companies with ransomware, was reported to the vendor in April – and the fix just wasn’t ready on time .
As we covered this week, deployments of Kaseya’s flagship Virtual System Administrator (VSA) were hijacked earlier this month to inject REvil extortion software into networks around the world. Kaspersky Lab said it saw evidence of 5,000 infection attempts in 22 countries within three days of detecting the first attack.
Kaseya has ended its software as a service offering from VSA and urged all of its customers to shut down their VSA servers to avoid being affected by the ransomware. Kaseya’s customers are primarily Managed Service Providers who take care of their own customers’ IT assets. Thus, by compromising VSA deployments, attackers can hijack large numbers of downstream systems.
Rewind to April, and the Netherlands Institute for Vulnerability Disclosure (DIVD) privately reported seven security bugs in VSA to Kaseya. Four have been fixed and fixes were released in April and May. Three were to be fixed in a future release, version 9.5.7.
Unfortunately, one of those unpatched bugs – CVE-2021-30116, a logical credential leakage flaw discovered by DIVD’s Wietse Boonstra – was exploited by ransomware launchers before its fix could be released. issued.
Victor Gevers, President of DIVD, praised Kaseya’s response to bug reports, blogging: âOnce Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When things in our report were unclear, they asked In addition, partial fixes were shared with us to validate their effectiveness.
âThroughout the process Kaseya has shown that they are ready to put the maximum effort and initiative in this case both to resolve this issue and to correct their customers. They have shown a genuine commitment to making the difference. good thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit vulnerabilities before customers could even patch. “
The Infosec Tenable team gathered statements and industry research suggesting that REvil’s initial access brokers used a combination of up to three zero days to target VSA: an authentication bypass vulnerability, a arbitrary file upload bug and code injection vulnerability.
Presumably, the authentication bypass hole is CVE-2021-30116, and it seems quite likely to us that the other two bugs could not be successfully exploited without the first one. We would chain the exploits of these holes to requisition a server and push ransomware to managed endpoints.
A patch for ‘30116 is not yet available. Overnight, Kaseya said she “released a runbook of changes to be made to your on-premises environment so that customers can prepare for the patch release.” This documentation can be found here.
Palo Alto Networks Unit 42 infosec research arm released a report on Wednesday outlining known methods of REvil, including its use of Cobalt Strike beacons, PowerShell scripts designed to hide its presence on a targeted network, and metrics. compromise in the early stages of a network intrusion. Â®