Kaseya released an update for the VSA vulnerabilities used by REvil

Zero-day flaws used in recent ransomware attacks got patched

On Sunday, July 11, software vendor Kaseya released urgent updates to address critical security vulnerabilities in its Virtual System Administrator (VSA) solution, which was used as a jumping-off point to target as many as 1,500 businesses across the globe as part of a widespread supply-chain ransomware attack.

Kaseya's 0-day vulnerabilities came to light after the company overlooked the security of VSA, a remote management and monitoring solution commonly used by managed service providers to support their customers[1]. It seems that some real solutions are finally present: almost 10 days after the attack, the firm has shipped VSA version 9.5.7a with fixes for three new security flaws:

  • CVE-2021-30116 – Credentials leak and business logic flaw
  • CVE-2021-30119 – Cross-site scripting vulnerability
  • CVE-2021-30120 – Two-factor authentication bypass[2].

The latest updates also remedy three other flaws, including a bug that exposed weak password hashes in certain API responses to brute-force attacks as well as a separate vulnerability that could allow the unauthorized upload of files to the VSA server. Four other security issues like SQL injection, remote code execution, local file inclusion, and XML external entity vulnerabilities were remediated in previous updates.

While installing updates, further instructions should be followed

There is a chance that the new updates won't fix all of the security flaws. However, since Kaseya is urging customers to update their systems, certain guidelines should be followed.

The easiest and most secure way is to follow the steps in the 'On-Premises VSA Startup Readiness Guide' before any installation takes place. This way, further security breaches and device compromises could be avoided.

All admins should follow these steps before starting up VSA servers and connecting them to the Internet:

  • Ensure your VSA server is isolated
  • Check System for Indicators of Compromise (IOC)
  • Patch the Operating Systems of the VSA Servers
  • Use URL Rewrite to control access to VSA through IIS
  • Install FireEye Agent
  • Remove Pending Scripts/Jobs.

Kaseya also strongly suggests that customers use its “Compromise Detection Tool,” a collection of PowerShell scripts that detect whether a VSA server or endpoints have been compromised[3].

The tool checks VSA servers for the presence of 'Kaseya\webpages\managedfiles\vsaticketfiles\agent.crt' and 'Kaseya\webpages\managedfiles\vsaticketfiles\agent.exe', and checks endpoints for 'agent.crt' and 'agent.exe'. The agent.crt and agent.exe files were the ones the REvil gang used to breach the system.
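
The file check described above, sketched as an added PowerShell example. It is not Kaseya's Compromise Detection Tool and not code from this article; the function name, parameter names and the folders passed in are assumptions, and only the relative path and the two file names come from the text.

```powershell
# Added example, not Kaseya's tool. Function and parameter names are hypothetical.
function Find-VsaAgentArtifact {
    [CmdletBinding()]
    param(
        # Folder(s) holding the "Kaseya" directory on a VSA server (caller supplies; assumption).
        [string[]]$VsaRoot = @(),
        # Folder(s) to sweep recursively on an endpoint (caller supplies; assumption).
        [string[]]$EndpointRoot = @()
    )

    $names    = 'agent.crt', 'agent.exe'
    $relative = 'Kaseya\webpages\managedfiles\vsaticketfiles'
    $hits     = @()

    # VSA server: test the exact relative path quoted in the article.
    foreach ($root in $VsaRoot) {
        foreach ($name in $names) {
            $path = Join-Path (Join-Path $root $relative) $name
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $hits += Get-Item -LiteralPath $path -Force
            }
        }
    }

    # Endpoint: the article gives file names only, so sweep the supplied folders.
    # -contains is case-insensitive, so AGENT.EXE also matches.
    foreach ($root in $EndpointRoot) {
        if (-not (Test-Path -LiteralPath $root -PathType Container)) { continue }
        $hits += Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $names -contains $_.Name }
    }

    # Record hash and timestamps so the evidence is preserved before cleanup.
    # Both names are generic: a hit is a lead for review, not a verdict.
    foreach ($file in $hits) {
        [pscustomobject]@{
            Path        = $file.FullName
            Length      = $file.Length
            CreatedUtc  = $file.CreationTimeUtc
            ModifiedUtc = $file.LastWriteTimeUtc
            SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    }
}

# Usage (drive letters are placeholders):
# Find-VsaAgentArtifact -VsaRoot 'D:\' -EndpointRoot 'C:\' | Format-List
```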

If employees' concerns had been taken seriously, the attack could have been avoided

Florida-based information technology firm Kaseya suffered a ransomware attack by the hacker gang REvil, which has emerged as one of the world’s most notorious ransomware operators and demanded $70m in payment for stolen data to be returned. The company shared that 800 to 1,500 businesses could have been affected; however, the real number could be bigger.

REvil earned a reputation for exfiltrating massive data sets and demanding multimillion-dollar ransoms. It is now among an elite group of cyber extortion gangs that are responsible for the surge in debilitating attacks that have made ransomware among the most pressing security threats to businesses and nations around the globe[4].

Naturally, questions about cybersecurity and companies' actions have arisen. Recent information shows that a number of employees warned Kaseya’s higher-ups for years about critical security flaws in its software, but their concerns were brushed off. That led several staff members to quit in frustration, and some were even fired[5].

It is reported that between 2017 and 2020, employees noticed and shared wide-ranging cybersecurity concerns with their superiors about vulnerabilities in Kaseya's antiquated Virtual System Administrator software, the system that hackers hijacked to launch this latest attack. The software was supposedly so riddled with problems that the employees wanted it replaced.

It seems that a huge attack could have been avoided if measures had been taken earlier and staff members' concerns had been analyzed.

About the author
Ugnius Kiguolis
Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.