Kaseya Security Update Corrects Vulnerabilities Exploited in KSA Ransomware Attack

Kaseya has made an announcement of a security update issued for the Kaseya KSA remote management and monitoring software tool to correct the zero-day vulnerabilities, which the REvil ransomware gang lately exploited in attacks targeting its customers and their prospects.

The vulnerabilities exploited in the attack were part of a set of seven vulnerabilities that the Dutch Institute for Vulnerability Disclosure (DIVD) reported to Kaseya last April 2021. Kaseya had created patches to fix four of the seven vulnerabilities identified in its Virtual System Administrator program and launched these during its April and May security releases; nevertheless, before the release of the patches for the last three vulnerabilities, an REvil ransomware affiliate exploited at least one of them.

The attack impacted roughly 60 clients including managed service providers (MSPs) that used the Kaseya VSA on-premises. The REvil ransomware group acquired access to their servers, encrypted them, and transmitted their ransomware to roughly 1,500 business customers of those firms.

After the attack on July 2, 2021, Kaseya told its consumers to turn off their on-premises VSA servers until the exploited vulnerabilities were resolved and its SaaS servers were de-activated as the SaaS software also had vulnerabilities, though its cloud-based service wasn’t affected by the attack. Those servers are currently being restarted incrementally and the last three patches were launched in the VSA 9.5.7a (9.5.7.2994) update.

The three vulnerabilities resolved in the most recent security update are

CVE-2021-30116 – a business logic and credential leak vulnerability
CVE-2021-30119 – a cross-site scripting vulnerability
CVE-2021-30120 – a 2FA bypass vulnerability.

Kaseya states that a further three vulnerabilities in the software were likewise sorted out by the new update. These are a failure to utilize a secure flag for user portal session cookies, a vulnerability that permitted files to be uploaded to a VSA server, and an issue where a password hash was compromised, which caused weak passwords to become prone to brute force attacks.

Kaseya has proposed a procedure for using the update to reduce risk. This entails making sure the VSA server is separated and not linked online, looking for Indicators of Compromise (IoCs) to know if servers or endpoints had been breached, then implementing the update.

The complete method to update on-premises VSA servers and protecting them is pointed out in the Kaseya On Premises Startup Readiness Manual.