Kaseya, a Florida-based IT management software vendor, released urgent updates on Sunday to fix critical vulnerabilities in its Virtual System Administrator (VSA) product. The release follows a ransomware incident in which attackers exploited VSA to hit up to 1,500 businesses worldwide, in what is widely categorized as a supply-chain attack.
Kaseya had earlier advised on-premises VSA customers to keep their servers shut down until a patch was available. Nearly ten days later, VSA version 9.5.7a fixes three further vulnerabilities: CVE-2021-30116 (credentials leak and business logic flaw), CVE-2021-30119 (cross-site scripting), and CVE-2021-30120 (two-factor authentication bypass). These three complete the set of seven vulnerabilities that the Dutch Institute for Vulnerability Disclosure (DIVD) reported to Kaseya in April.
Kaseya had already fixed the other four in earlier releases, among them an SQL injection flaw and a remote code execution flaw. The new release also resolves two further issues: one in which a weak password hash was returned in API responses, leaving it open to offline brute-force attacks, and one that allowed unauthorized file uploads to the VSA server.
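To show why a hash returned by an API matters even when the caller never sees the password, the following added example (written for this page, not Kaseya's code) walks an attacker's side of the leak: a constructed API response that echoes a credential hash, a small constructed wordlist, and the same guessing attack run first against an unsalted fast hash and then against a salted, iterated one. The JSON field names and the unsalted SHA-1 scheme are assumptions for illustration; Kaseya did not publish VSA's real hashing scheme. The server-side fix shown at the end is the one that actually closes the leak: the hash should never appear in a response at all.

```python
import hashlib
import json
import time

# Constructed sample API response that wrongly echoes the stored credential
# hash back to the caller. Field names and the hash scheme (unsalted SHA-1)
# are assumptions for illustration, not VSA's actual implementation.
LEAKED_RESPONSE = json.dumps({
    "userName": "kadmin",
    "passwordHash": hashlib.sha1(b"Summer2021!").hexdigest(),
})

# Constructed stand-in for a real cracking wordlist.
WORDLIST = ["password", "Welcome1", "Kaseya123", "Summer2021!", "P@ssw0rd"]


def extract_hash(response_json):
    """The attacker's first step: pull the leaked hash out of the response."""
    return json.loads(response_json)["passwordHash"]


def crack_unsalted(hex_hash, wordlist, algo="sha1"):
    """Offline guessing against a fast, unsalted hash: one digest per candidate,
    and equal passwords give equal hashes, so precomputed tables and GPU
    cracking apply directly."""
    for guess in wordlist:
        if hashlib.new(algo, guess.encode()).hexdigest() == hex_hash:
            return guess
    return None


def crack_pbkdf2(salt, hex_hash, wordlist, iterations=600_000):
    """The same wordlist against a salted, iterated hash: every candidate costs
    the full PBKDF2 work factor, and the salt defeats precomputation."""
    for guess in wordlist:
        dk = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations)
        if dk.hex() == hex_hash:
            return guess
    return None


def sanitize_response(response_json):
    """Server-side fix that makes hash strength moot for this bug: credential
    material is never serialised into an API response."""
    doc = json.loads(response_json)
    doc.pop("passwordHash", None)
    return json.dumps(doc)


def demo():
    """Run both attacks and report what was recovered and the relative cost."""
    leaked = extract_hash(LEAKED_RESPONSE)
    t0 = time.perf_counter()
    fast_result = crack_unsalted(leaked, WORDLIST)
    fast_time = time.perf_counter() - t0

    # Fixed salt only so the demo is deterministic; a real system draws a
    # fresh os.urandom(16) salt per user.
    salt = b"demo-salt-0123456"
    stored = hashlib.pbkdf2_hmac("sha256", b"Summer2021!", salt, 600_000).hex()
    t0 = time.perf_counter()
    slow_result = crack_pbkdf2(salt, stored, WORDLIST)
    slow_time = time.perf_counter() - t0

    return {
        "unsalted_cracked": fast_result,
        "pbkdf2_cracked": slow_result,
        "slowdown_factor": slow_time / max(fast_time, 1e-9),
        "sanitized": sanitize_response(LEAKED_RESPONSE),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Both attacks recover the password from a five-word list; the point is the cost per guess. Against the unsalted hash the whole list is checked in microseconds, while PBKDF2 at 600,000 iterations takes a noticeable fraction of a second per candidate, which is what turns a leaked hash from an immediate compromise into a long campaign. Neither helps if the response keeps returning the hash, which is why the last function removes it.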
As an additional hardening step, Kaseya recommends restricting access to the VSA Web GUI to local IP addresses, which for on-premises installations means blocking inbound traffic to port 443 at the internet firewall. Kaseya has also indicated that users will be required to change their passwords after logging in, to comply with the new password requirements introduced in this update. Customers have further been warned that the release contains functional defects that will be addressed in subsequent updates.
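The recommendation above is easy to state and easy to get wrong in a ruleset, so the following added example (not Kaseya guidance or code) models it as a policy check: a weak ruleset that allows port 443 from anywhere sits beside a hardened one that allows only RFC 1918 ranges and then explicitly denies the rest, and an audit function probes both with public and LAN addresses without touching the network. The three-tuple rule format is a simplified construction for this example, not any vendor's firewall syntax, and the LAN ranges are assumed; substitute the ranges your administrators actually connect from.

```python
import ipaddress

# Simplified, constructed rule format (not any vendor's syntax):
# (action, source CIDR, destination TCP port). First match wins; unmatched
# traffic falls through to the default action, as on most perimeter firewalls.

# Before: the VSA Web GUI on 443 is reachable from any source address.
WEAK_RULESET = [
    ("allow", "0.0.0.0/0", 443),
]

# After: only the assumed local ranges reach the GUI; everything else on 443
# is dropped at the internet edge. Agent check-in uses a separate port
# (TCP 5721 by default for VSA agents), so this rule leaves managed endpoints alone.
LOCAL_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
HARDENED_RULESET = [("allow", cidr, 443) for cidr in LOCAL_RANGES] + [
    ("deny", "0.0.0.0/0", 443),
]

# Probe addresses: public ones from the RFC 5737 documentation ranges and
# assumed LAN hosts, so the policy can be exercised entirely offline.
PUBLIC_PROBES = ["203.0.113.10", "198.51.100.7", "192.0.2.44"]
LAN_PROBES = ["10.20.30.40", "172.16.5.9", "192.168.1.5"]


def evaluate(ruleset, src_ip, dst_port, default="deny"):
    """Return the action the ruleset takes for a packet from src_ip to dst_port."""
    src = ipaddress.ip_address(src_ip)
    for action, cidr, port in ruleset:
        if port == dst_port and src in ipaddress.ip_network(cidr, strict=False):
            return action
    return default


def audit(ruleset, dst_port=443):
    """Check the recommendation: GUI port reachable from local ranges only."""
    exposed = [p for p in PUBLIC_PROBES if evaluate(ruleset, p, dst_port) == "allow"]
    blocked_lan = [p for p in LAN_PROBES if evaluate(ruleset, p, dst_port) != "allow"]
    # Also flag the classic misconfiguration statically, not only by probing.
    wide_open = any(
        action == "allow" and port == dst_port
        and ipaddress.ip_network(cidr, strict=False).prefixlen == 0
        for action, cidr, port in ruleset
    )
    return {
        "internet_exposed": exposed,
        "lan_blocked": blocked_lan,
        "wide_open_allow_rule": wide_open,
        "compliant": not exposed and not blocked_lan,
    }


def harden(ruleset, dst_port=443, local_ranges=LOCAL_RANGES):
    """Rewrite any allow-from-anywhere rule for dst_port into allow-from-local
    rules followed by an explicit deny; every other rule is kept as-is."""
    out = []
    for action, cidr, port in ruleset:
        is_open = (action == "allow" and port == dst_port
                   and ipaddress.ip_network(cidr, strict=False).prefixlen == 0)
        if is_open:
            out.extend(("allow", r, dst_port) for r in local_ranges)
            out.append(("deny", "0.0.0.0/0", dst_port))
        else:
            out.append((action, cidr, port))
    return out


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_RULESET))
    print("hardened:", audit(HARDENED_RULESET))
    print("rewritten:", harden(WEAK_RULESET))
```

The audit deliberately checks both directions: that public sources are denied and that the local ranges still get through, since an over-broad deny that locks administrators out of the GUI is the other common failure when this change is made in a hurry.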
Alongside the on-premises fixes, Kaseya has begun restoring its Software as a Service (SaaS) infrastructure. According to the company's rolling advisory, about 60% of SaaS customers are back online, with further servers expected to come up shortly.
The updates arrive alongside a warning from Kaseya about phishing campaigns that exploit the ransomware incident: attackers are sending fraudulent email notifications styled as Kaseya updates in an attempt to gain entry into customer systems.
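A lure that impersonates a vendor's security update is detectable from the message itself before anyone clicks. The following added example (not Kaseya's guidance or code) runs a few checks over two constructed messages: a lure that claims to be from Kaseya but comes from a lookalike domain with an executable attachment and urgency language, and a benign notice from the vendor's real domain. The trusted-domain allowlist, the sample sender domain, the subject lines and the attachment name are all assumptions invented for this example and are not indicators from the actual campaign.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of domains vendor notifications legitimately come from.
TRUSTED_DOMAINS = {"kaseya.com"}
EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".bat", ".cmd", ".ps1", ".js", ".scr", ".hta")
URGENCY_WORDS = ("urgent", "immediately", "install now", "hotfix")

# Constructed sample lure: sender domain, subject and attachment name are
# invented for this example, not taken from any real message.
SAMPLE_PHISH = """\
From: "Kaseya Security Team" <noreply@kaseya-support.net>
To: it-admin@example.org
Subject: URGENT: install the VSA security hotfix immediately
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your VSA server is affected. Run the attached hotfix now.
--b1
Content-Type: application/octet-stream; name="VSA-Hotfix.exe"
Content-Disposition: attachment; filename="VSA-Hotfix.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed benign notice from the trusted domain, with no attachment.
SAMPLE_LEGIT = """\
From: "Kaseya" <support@kaseya.com>
To: it-admin@example.org
Subject: VSA 9.5.7a release notes
Content-Type: text/plain

Release notes are published on the Kaseya helpdesk site.
"""


def sender_domain(msg):
    """Domain of the actual address in From:, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def attachment_names(msg):
    """Filenames of every MIME part that carries one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def assess(raw_message):
    """Return a list of findings for one raw RFC 822 message; empty means clean."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    domain = sender_domain(msg)
    claims_vendor = "kaseya" in (display_name + " " + subject).lower()

    # Display name or subject invokes the vendor, but the envelope does not match.
    if claims_vendor and domain not in TRUSTED_DOMAINS:
        findings.append(f"claims to be Kaseya but sent from {domain!r}")
    # Lookalike domain: contains the brand but is not the trusted one.
    if "kaseya" in domain and domain not in TRUSTED_DOMAINS:
        findings.append(f"lookalike sender domain {domain!r}")
    # Vendors ship patches through their portals, not as mail attachments.
    for name in attachment_names(msg):
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"executable attachment {name!r}")
    # Pressure to act now is the social-engineering half of the lure.
    if claims_vendor and any(w in subject.lower() for w in URGENCY_WORDS):
        findings.append("urgency language in a vendor-update lure")
    return findings


def is_suspicious(raw_message):
    return bool(assess(raw_message))


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, assess(raw))
```

The checks are intentionally simple header and attachment heuristics of the kind a mail gateway rule can express; the one worth copying is the mismatch between who the message claims to be and the domain it was actually sent from, which a display name alone never proves.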
Kaseya has described the attack as a "sophisticated cyberattack" that chained multiple vulnerabilities, including ones fixed in this release, to carry out the intrusion. REvil (also known as Sodinokibi), a Russia-linked ransomware gang, has claimed responsibility. The incident is part of a growing pattern of supply-chain attacks that compromise a trusted software provider in order to reach many downstream victims at once.
Earlier reporting indicates that former Kaseya employees had warned the company about significant security weaknesses in the software as early as 2017, and that those warnings went unheeded. If accurate, that points to a longstanding gap in Kaseya's security posture of a kind that is hardly unique to one vendor.
In MITRE ATT&CK terms, the intrusion as described maps to Exploit Public-Facing Application (T1190) against internet-exposed VSA servers for initial access, Supply Chain Compromise (T1195.002) as the route from the compromised vendor platform to its customers, and Data Encrypted for Impact (T1486) as the objective. Because Kaseya has characterised the attack only as a chain of multiple vulnerabilities, which of the seven flaws played which role in that chain is not stated here.
As the situation develops, the security community continues to weigh the implications of the attack, which once again underline the value of reducing exposure ahead of time and responding quickly when a vendor is compromised.