Kaseya Releases Patches for Flaws Exploited in Widespread Ransomware Attack

On Sunday, Florida-based software vendor Kaseya rolled out urgent updates to address the security vulnerabilities in its Virtual System Administrator (VSA) solution that were used as a jumping-off point to target as many as 1,500 businesses across the globe in a widespread supply-chain ransomware attack.

Kaseya has released a security update for the VSA zero-day vulnerabilities used by the REvil ransomware group to attack MSPs and their customers.

List of Vulnerabilities Discovered by DIVD

Following the incident, the company had urged on-premises VSA customers to shut down their servers until a patch was available. Now, almost 10 days later, the firm has shipped VSA version 9.5.7a (9.5.7.2994) with fixes for these three security flaws:

  • CVE-2021-30116 – Credentials leak and business logic flaw
  • CVE-2021-30119 – Cross-site scripting vulnerability
  • CVE-2021-30120 – Two-factor authentication bypass

These three issues are part of a total of seven vulnerabilities that were found and reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) earlier in April; the remaining four were remediated in previous releases:

  • CVE-2021-30117: SQL injection vulnerability (Fixed in VSA 9.5.6)
  • CVE-2021-30118: Remote Code Execution (RCE) (Fixed in VSA 9.5.5)
  • CVE-2021-30121: Local file inclusion vulnerability (Fixed in VSA 9.5.6)
  • CVE-2021-30201: XML external entity vulnerability (Fixed in VSA 9.5.6)

Apart from the fixes for the vulnerabilities listed above, the latest version remedies three other flaws, including a bug that exposed weak credential hashes in some API responses to brute-force attacks, as well as a separate vulnerability that could permit unauthorized uploads of files to the VSA server.

As an additional hardening step, Kaseya recommends limiting access to the VSA Web GUI to local IP addresses by blocking inbound port 443 on the internet firewall.
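The following is an added example, not code from the article or from Kaseya, showing how a defender can act on that recommendation: it audits web-server access log lines for requests to the VSA GUI port that originate outside local address ranges, and emits the iptables rule set that enforces the restriction. The log lines, the `/vsa/login` URI, the `eth0` interface name and the choice of RFC 1918 ranges as "local" are all constructed assumptions for the example.

```python
import ipaddress
import re

# Networks treated as "local" in this example. Assumption: the RFC 1918 ranges;
# replace with the address plan of your own VSA deployment.
LOCAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample lines in a W3C-extended style (date time s-ip method
# uri-stem s-port c-ip). The URI is a placeholder, not a real VSA path.
SAMPLE_LOG = """\
2021-07-11 10:00:01 192.168.10.5 GET /vsa/login 443 192.168.10.42
2021-07-11 10:00:07 192.168.10.5 POST /vsa/login 443 203.0.113.17
2021-07-11 10:01:13 192.168.10.5 GET /vsa/login 443 10.20.30.40
2021-07-11 10:02:55 192.168.10.5 GET /vsa/login 443 198.51.100.9
2021-07-11 10:03:02 192.168.10.5 GET /vsa/login 443 203.0.113.17
2021-07-11 10:03:40 192.168.10.5 GET /vsa/login 8080 not-an-ip
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<s_ip>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<s_port>\d+) (?P<c_ip>\S+)$"
)


def is_local(addr: str) -> bool:
    """True if addr is inside one of LOCAL_NETWORKS; malformed input counts as not local."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETWORKS)


def external_gui_hits(log_text: str, gui_port: int = 443):
    """Return (client_ip, method, uri) for each request to the GUI port from a non-local address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or int(m["s_port"]) != gui_port:
            continue  # skip unparsable lines and traffic to other ports
        if not is_local(m["c_ip"]):
            hits.append((m["c_ip"], m["method"], m["uri"]))
    return hits


def exposure_summary(log_text: str, gui_port: int = 443) -> dict:
    """Count external GUI requests per source address, noisiest sources first."""
    counts = {}
    for c_ip, _method, _uri in external_gui_hits(log_text, gui_port):
        counts[c_ip] = counts.get(c_ip, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


def iptables_rules(gui_port: int = 443, interface: str = "eth0"):
    """Rule set implementing the advice: local networks may reach the GUI port on the
    internet-facing interface (assumed name: eth0), every other source is dropped."""
    rules = [
        f"iptables -A INPUT -i {interface} -p tcp --dport {gui_port} -s {net} -j ACCEPT"
        for net in LOCAL_NETWORKS
    ]
    rules.append(f"iptables -A INPUT -i {interface} -p tcp --dport {gui_port} -j DROP")
    return rules


if __name__ == "__main__":
    for ip, n in exposure_summary(SAMPLE_LOG).items():
        print(f"{ip}: {n} request(s) to the VSA GUI from outside local ranges")
    print("\n".join(iptables_rules()))
```

Run the audit against the real access log before applying the rules: any external address that shows up is both a sign the GUI was reachable from the internet and a candidate for incident-response review, since the patched flaws were exploited through exactly that exposed interface.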

Kaseya Security Updates

Kaseya is also alerting its users that installing the patch will force all users to change their passwords to meet new password requirements, noting that select features have been replaced with improved alternatives and that the "release introduces some functional defects that will be corrected in the next release."

Alongside the rollout of the patch for on-premises versions of its VSA remote monitoring and management software, the company has also begun restoring its VSA SaaS infrastructure. "The restoration of services is progressing according to plan, with 60% of our SaaS customers live and servers coming online for the rest of our customers in the coming hours," Kaseya said in its rolling advisory.

The update comes days after Kaseya warned that spammers are exploiting the ransomware crisis to send fake email notifications that pose as Kaseya updates, only to infect recipients with Cobalt Strike payloads that give attackers backdoor access to the system and deliver next-stage malware.

Kaseya has said that multiple flaws were chained together in what it called a "sophisticated cyberattack", and it has concluded that a combination of CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120 was used to carry out the intrusion. REvil, a prolific ransomware group based in Russia, has claimed responsibility for the incident.

The abuse of trusted partners such as software makers or service providers like Kaseya to reach and compromise new downstream victims, commonly known as a supply-chain attack, combined with file-encrypting ransomware infections, has made this one of the largest and most significant such attacks to date.

"Among the most conspicuous problems was software underpinned by out-of-date code, the use of weak encryption and credentials in Kaseya's products and servers, a patch to observe to traditional cybersecurity practices such as constantly patching the software, and a focus on sales at the expense of various priorities," the investigator said.

The Kaseya attack marks the third time that ransomware affiliates have used Kaseya products as a vector to deploy ransomware.

In February 2019, the GandCrab ransomware cartel – which later evolved into Sodinokibi and REvil – exploited a vulnerability in a Kaseya plugin for the ConnectWise Manage software to deploy ransomware on the networks of MSPs' customers. Then, in June 2019, the same gang went after Webroot SecureAnywhere and Kaseya VSA products to infect endpoints with Sodinokibi ransomware.
