Florida-based software vendor Kaseya on Sunday rolled out urgent updates to address critical security vulnerabilities in its Virtual System Administrator (VSA) solution that was used as a jumping off point to target as many as 1,500 businesses across the globe as part of a widespread supply-chain ransomware attack.
Following the incident, the company had urged on-premises VSA customers to shut down their servers until a patch was available. Now, almost 10 days later the firm has shipped VSA version 9.5.7a (18.104.22.16894) with fixes for three new security flaws —
- CVE-2021-30116 - Credentials leak and business logic flaw
- CVE-2021-30119 - Cross-site scripting vulnerability
- CVE-2021-30120 - Two-factor authentication bypass
The security issues are part of a total of seven vulnerabilities that were discovered and reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) earlier in April, of which four other weaknesses were remediated in previous releases —
- CVE-2021-30117 - SQL injection vulnerability (Fixed in VSA 9.5.6)
- CVE-2021-30118 - Remote code execution vulnerability (Fixed in VSA 9.5.5)
- CVE-2021-30121 - Local file inclusion vulnerability (Fixed in VSA 9.5.6)
- CVE-2021-30201 - XML external entity vulnerability (Fixed in VSA 9.5.6)
Besides fixes for the aforementioned shortcomings, the latest version also resolves three other flaws, including a bug that exposed weak password hashes in certain API responses to brute-force attacks as well as a separate vulnerability that could allow the unauthorized upload of files to the VSA server.
For additional security, Kaseya is recommending limiting access to the VSA Web GUI to local IP addresses by blocking port 443 inbound on the internet firewall for on-premises installations.
Kaseya is also warning its customers that installing the patch would force all users to mandatorily change their passwords post login to meet new password requirements, adding that select features have been replaced with improved alternatives and that the "release introduces some functional defects that will be corrected in a future release."
Besides the roll out of the patch for on-premises versions of its VSA remote monitoring and management software, the company has also instantiated the reinstatement of its VSA SaaS infrastructure. "The restoration of services is progressing according to plan, with 60% of our SaaS customers live and servers coming online for the rest of our customers in the coming hours," Kaseya said in a rolling advisory.
The latest development comes days after Kaseya cautioned that spammers are capitalizing on the ongoing ransomware crisis to send out fake email notifications that appear to be Kaseya updates, only to infect customers with Cobalt Strike payloads to gain backdoor access to the systems and deliver next-stage malware.
Kaseya has said multiple flaws were chained together in what it called a "sophisticated cyberattack", and while it isn't exactly clear how it was executed, it's believed that a combination of CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120 was used to carry out the intrusions. REvil, a prolific ransomware gang based in Russia, has claimed responsibility for the incident.
The use of trusted partners like software makers or service providers like Kaseya to identify and compromise new downstream victims, often called a supply-chain attack, and pair it with file-encrypting ransomware infections has also made it one of the largest and most significant such attacks to date.
Interestingly, Bloomberg on Saturday reported that five former Kaseya employees had flagged the company about "glaring" security holes in its software between 2017 and 2020, but their concerns were brushed off.
"Among the most glaring problems was software underpinned by outdated code, the use of weak encryption and passwords in Kaseya's products and servers, a failure to adhere to basic cybersecurity practices such as regularly patching software and a focus on sales at the expense of other priorities," the report said.
The Kaseya attack marks the third time that ransomware affiliates have abused Kaseya products as a vector to deploy ransomware.
In February 2019, the Gandcrab ransomware cartel — which later evolved into Sodinokibi and REvil — leveraged a vulnerability in a Kaseya plugin for the ConnectWise Manage software to deploy ransomware on the networks of MSPs' customer networks. Then in June 2019, the same group went after Webroot SecureAnywhere and Kaseya VSA products to infect endpoints with Sodinokibi ransomware.