Kaseya Says Software Fully Patched After Ransomware Attack
Updates for On-Premises Software Released; SaaS Servers Being Restarted
Software developer Kaseya on Sunday released patches for its remote monitoring and management software, which had been exploited by ransomware attackers to infect up to 60 MSPs and 1,500 of their clients. The FBI is probing the attack, and Miami-based Kaseya says it's also been working closely with the U.S. Cybersecurity and Infrastructure Security Agency.
After repeatedly pushing back promised delivery dates for patches following the attack that came to light on July 2, Kaseya has now released fixes for the on-premises version of its Virtual System Administrator - aka VSA - software. Kaseya said in a Sunday security advisory that it has also patched the software-as-a-service version of VSA and expects to begin bringing it back online incrementally.
Attackers did not exploit the SaaS version of VSA, but it had been vulnerable.
The updated versions of both the on-premises and SaaS versions are officially known as version 9.5.7a of VSA. Kaseya also updated its guide for organizations to safely restart VSA and has support staff ready to help customers, says Mike Sanders, executive vice president, in a video update posted Sunday.
The new version fixes CVE-2021-30116, a credential leak and business logic flaw; CVE-2021-30119, a cross-site scripting vulnerability; and CVE-2021-30120, a vulnerability that allowed two-factor authentication to be bypassed.
The update also fixes three other vulnerabilities, Kaseya says.
Kaseya describes one issue as the secure flag not being set on user portal session cookies. Another fix stops a password hash from being exposed; the exposure had increased the chance of a successful brute-force attack. The last patch fixes a bug that could allow unauthorized uploading of files to a VSA server.
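The first of those three issues, a session cookie issued without the Secure flag, is the kind of defect a defender can check for directly in HTTP responses. The following audit helper is an added example, not Kaseya's code and not derived from the VSA patch; the Set-Cookie header values it inspects are constructed for illustration, and the cookie names are placeholders, not VSA's real cookie names.

```python
"""Audit Set-Cookie headers for missing hardening attributes.

Added example for illustration. The sample headers below are constructed;
they do not come from any Kaseya product.
"""


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value and report missing attributes.

    Returns {"cookie": <name>, "findings": [<issue>, ...]}. An empty
    findings list means Secure and HttpOnly are present and SameSite is
    Lax or Strict.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    # First segment is name=value; everything after it is an attribute.
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            # Flag attributes such as Secure and HttpOnly carry no value.
            attrs[part.lower()] = True

    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure (cookie can be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly (cookie readable by page scripts)")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict (no CSRF mitigation)")
    return {"cookie": name, "findings": findings}


def audit_response_headers(headers: list) -> list:
    """Audit every Set-Cookie header in a list of (name, value) pairs."""
    return [
        audit_set_cookie(value)
        for name, value in headers
        if name.lower() == "set-cookie"
    ]


# Constructed sample response headers: one weak session cookie (the class of
# issue described above) and one hardened cookie for comparison.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "portal_session=abc123; Path=/"),
    ("Set-Cookie", "hardened_session=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for result in audit_response_headers(SAMPLE_HEADERS):
        status = "OK" if not result["findings"] else "; ".join(result["findings"])
        print(f"{result['cookie']}: {status}")
```

The same check can be run against a live server's responses with any HTTP client; anything flagged for the session cookie should be treated as a finding, since a session token sent over plain HTTP is exposed to interception on the path between client and server.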
7 Vulnerabilities Spotted by Researchers
Those three vulnerabilities were the last of seven vulnerabilities Kaseya has been working to fix since April, when Dutch researchers first alerted it to bugs in its VSA software.
The vulnerabilities were found by Wietse Boonstra, a researcher who's part of the Dutch Institute of Vulnerability Disclosure, a volunteer group of security researchers. DIVD notified Kaseya on April 6 of vulnerabilities in VSA.
Boonstra discovered seven vulnerabilities, all of which affected on-premises VSA, with six also affecting the SaaS version of VSA. Kaseya was still working on fixes for the problems when attackers affiliated with the REvil ransomware operation struck on July 2 (see: Kaseya Raced to Patch Before Ransomware Disaster).
Managed service providers use the server-based VSA together with a VSA agent that runs on endpoints to remotely manage their clients' IT infrastructure. VSA is designed to let remote administrators update, adjust and deliver software, and the REvil attackers used VSA to do precisely that - only in the service of a mass ransomware attack, pushing a ransomware executable to endpoints instead of legitimate files or updates.
Kaseya has said that up to 60 of its own MSP customers were hit by attackers, as were up to 1,500 of those organizations' clients. That included small businesses, such as accounting offices and restaurants, but also much larger companies, such as Sweden's Coop grocery chain, whose point-of-sale devices were infected via its own MSP's Kaseya software (see: Kaseya: Up to 1,500 Organizations Hit in Ransomware Attack).
Organizations that were hit by the REvil attack saw their systems get crypto-locked, but investigators say it doesn't appear that any data had been stolen beforehand. Some victims have reportedly been negotiating with attackers to obtain a decryption tool.
How attackers learned of the vulnerabilities remains unclear. Reached for comment last week, a Kaseya spokeswoman told Information Security Media Group that the company plans to share more details about the attack following the culmination of an ongoing criminal investigation.
Executive Editor Mathew Schwartz contributed to this story.