Kaseya has announced that a security update has been released for its VSA remote monitoring and management (RMM) software to fix the zero-day vulnerabilities recently exploited by the REvil ransomware gang in attacks on its customers and their clients.
The vulnerabilities exploited in the attack were part of a batch of seven flaws reported to Kaseya in April 2021 by the Dutch Institute for Vulnerability Disclosure (DIVD). Kaseya had developed patches for four of the seven vulnerabilities in its Virtual System Administrator (VSA) solution and released them in its April and May security updates; before patches for the remaining three could be released, however, one or more of those flaws were exploited by an REvil ransomware affiliate.
The attack affected approximately 60 customers who had deployed the Kaseya VSA on-premises, many of which were managed service providers (MSPs). The REvil ransomware gang gained access to their servers, encrypted them, and pushed their ransomware out to approximately 1,500 business clients of those companies.
Following the July 2, 2021 attack, Kaseya advised its customers to shut down their on-premises VSA servers until the exploited vulnerabilities were addressed. Kaseya also took its SaaS servers offline, since the SaaS solution carried the same vulnerabilities, even though the cloud-based service was not affected by the attack. Those servers are now being restarted incrementally, and the final three patches have been released in the VSA 9.5.7a update.
The three vulnerabilities addressed in the latest security update are a credential leak and business logic flaw tracked as CVE-2021-30116, a cross-site scripting (XSS) vulnerability, CVE-2021-30119, and a 2FA bypass vulnerability, CVE-2021-30120. Kaseya says a further three weaknesses in the solution have also been addressed by the update: a failure to set the Secure flag on User Portal session cookies (which allows the browser to send the session token over plaintext HTTP), a flaw that allowed files to be uploaded to a VSA server, and an issue where a password hash was exposed, which left weak passwords open to offline brute-force attacks.
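The cookie weakness above is a configuration defect that is easy to check for from the outside. The following is an added example, not Kaseya's code and not taken from VSA: it parses the Set-Cookie headers of a raw HTTP response and reports session cookies that lack the Secure flag, and goes slightly beyond the page's case by also reporting missing HttpOnly (which matters when an XSS flaw such as the one patched here exists on the same host) and missing or permissive SameSite. The two sample responses and the cookie name `PortalSession` are constructed for the example.

```python
"""Audit Set-Cookie headers for missing hardening flags.

Added example for the weakness class described in the article (a User
Portal session cookie issued without the Secure flag). Not Kaseya code;
cookie names, paths and responses below are constructed, not from VSA.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CookieAudit:
    name: str
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, lower-cased attribute map).

    Flag attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header_value: str) -> CookieAudit:
    """Report the hardening flags a single Set-Cookie header is missing."""
    name, attrs = parse_set_cookie(header_value)
    audit = CookieAudit(name)
    if "secure" not in attrs:
        audit.findings.append(
            "missing Secure: browser will also send this cookie over plaintext HTTP")
    if "httponly" not in attrs:
        audit.findings.append(
            "missing HttpOnly: script on the page (e.g. via XSS) can read the cookie")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        audit.findings.append(
            "SameSite not Lax/Strict: cookie is attached to cross-site requests")
    return audit


def extract_set_cookie_headers(raw_response: str) -> List[str]:
    """Pull every Set-Cookie header value out of a raw HTTP response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit_response(raw_response: str) -> List[CookieAudit]:
    """Audit every cookie set by a raw HTTP response."""
    return [audit_set_cookie(v) for v in extract_set_cookie_headers(raw_response)]


# Constructed sample responses: the weak setting beside the corrected one.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PortalSession=9f2c1a; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PortalSession=9f2c1a; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        for result in audit_response(resp):
            status = "OK" if result.ok else "; ".join(result.findings)
            print(f"[{label}] {result.name}: {status}")
```

Run against a captured response from the VSA User Portal (for instance the output of `curl -si https://<vsa-host>/`) to confirm the patched build sets the flag; the check is read-only and does not depend on any Kaseya-specific API.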
Kaseya has recommended a process for applying the update to minimize risk. This involves ensuring the VSA server is isolated and not connected to the Internet, searching for Indicators of Compromise (IoCs) to determine if servers or endpoints have already been compromised, then applying the update.
The full process for updating on-premises VSA servers and securing them is detailed in the Kaseya On Premises Startup Readiness Guide.
Kaseya Obtains Universal Ransomware Decryptor
Kaseya obtained a master decryptor for the ransomware on July 21, 2021 “from a trusted third party.” The decryptor was tested and found to be 100% effective and can be used by all customers and downstream businesses to recover their encrypted files free of charge. Kaseya has been working with cybersecurity firm Emsisoft to help customers recover their files using the master key.
The attackers behind the attack initially issued a $70 million ransom demand for the master key, and quickly reduced the price to $50 million. Kaseya said it obtained the master decryptor from a third party but at the time neither confirmed nor denied whether the ransom had been paid. On July 26, 2021, Kaseya issued a statement confirming that no ransom had been paid for the decryptor, either directly or indirectly through a third party.
“Recent reports have suggested that our continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks, but nothing could be further from our goal. Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack, and we have not wavered from that commitment,” said Kaseya in a statement. “We continue to provide the decryptor to customers that request it, and we encourage all our customers whose data may have been encrypted during the attack to reach out to your contacts at Kaseya. We are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor.”