Kaseya released an update for the VSA vulnerabilities used by REvil

by Ugnius Kiguolis - - 2021-07-12

Zero-day flaws used in recent ransomware attacks got patched

Zero-day flaws used in the attack got fixed Security update with the attempt to patch flaws released

On Sunday, July 11, the Kaseya software vendor released urgent updates to address critical security vulnerabilities in its Virtual System Administrator (VSA) solution that was used as a jumping-off point to target as many as 1,500 businesses across the globe as part of a widespread supply-chain ransomware attack.

Kaseya showed its 0-day vulnerabilities while overlooking the security of VSA, which is a remote management and monitoring solution commonly used by managed service providers to support their customers^[1]. It seems that finally, some real solutions are present as almost 10 days after the attack the firm has shipped VSA version 9.5.7a (9.5.7.2994) with fixes for three new security flaws:

CVE-2021-30116 – Credentials leak and business logic flaw
CVE-2021-30119 – Cross-site scripting vulnerability
CVE-2021-30120 – Two-factor authentication bypass^[2].

The latest updates also remedy three other flaws, including a bug that exposed weak password hashes in certain API responses to brute-force attacks as well as a separate vulnerability that could allow the unauthorized upload of files to the VSA server. Four other security issues like SQL injection, remote code execution, local file inclusion, and XML external entity vulnerabilities were remediated in previous updates.

While installing updates, further instructions should be followed

There is a chance that new updates won't fix all of the security flaws. However, as Kaseya is urging customers to update the systems, certain guidelines should be followed.

The easiest and the most secure way is to follow the 'On-Premises VSA Startup Readiness Guide' steps before any installation process even takes place. This way further security breaches could be avoided, devices could not be compromised.

All admins should follow these steps before starting up VSA servers and connecting them to the Internet:

Ensure your VSA server is isolated
Check System for Indicators of Compromise (IOC)
Patch the Operating Systems of the VSA Servers
Using URL Rewrite to control access to VSA through IIS
Install FireEye Agent
Remove Pending Scripts/Jobs.

Kaseya also strongly suggests customers utilize their “Compromise Detection Tool,” a collection of PowerShell scripts to detect whether a VSA server or endpoints have been compromised or not^[3].

This tool could check VSA servers for presence of 'Kaseya\\webpages\\managedfiles\\vsaticketfiles\\agent.crt' and 'Kaseya\\webpages\\managedfiles\\vsaticketfiles\\agent.exe,' and 'agent.crt' and 'agent.exe' on endpoints. agent.crt and agent.exe files were the ones the REvil gang used to breach the system.

If employees concerns would be taken seriously attack could have been avoided

Florida-based information technology firm Kaseya suffered a ransomware attack, as hackers gang REvil, which has emerged as one of the world’s most notorious ransomware operators, demanded $70m in payment for stolen data to be returned. The company shared that 800 to 1,500 businesses could have been affected, however, the real number could be bigger.

REvil earned a reputation for exfiltrating massive data sets and demanding multimillion-dollar ransoms. It is now among an elite group of cyber extortion gangs that are responsible for the surge in debilitating attacks that have made ransomware among the most pressing security threats to businesses and nations around the globe^[4].

Naturally, questions about cybersecurity and companies' actions have arisen. Recent information shows that a certain amount of employees warned Kaseya’s higher-ups for years about critical security flaws in its software but their concerns were brushed off. That lead to several staff members quit in frustration or even be fired^[5].

It is reported that between 2017 and 2020, employees noticed and shared wide-ranging cybersecurity concerns with their superiors about vulnerabilities in its antiquated Virtual System Administrator software — the system that hackers hijacked to launch this latest attack—that was supposedly so riddled with problems that they wanted it replaced.

It seems that a huge attack could have been avoided if only earlier measures would have been taken and staff members' concerns would have been analyzed.

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions

References

^ Lawrence Abrams. Kaseya patches VSA vulnerabilities used in REvil ransomware attack. Bleeping Computer. Technology news and support..
^ Ravie Lakshmanan. Kaseya Releases Patches for Flaws Exploited in Widespread Ransomware Attack. Hacker News. News focused on computer science and entrepreneurship..
^ Kaseya. Updates Regarding VSA Security Incident. Kaseya. Software solutions and IT management..
^ John Martineau. Understanding REvil: The Ransomware Gang Behind the Kaseya VSA Attack. Unit 42. Latest cyber security research..
^ Alyse Stanley. Kaseya's Staff Sounded the Alarm About Security Flaws for Years Before Ransomware Attack. Gizmodo. Technology, science and science fiction news..