CVSS v3.1 base score: 9.8 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED
Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

CVSS v2 base score: 10 High
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE
Confidentiality Impact: COMPLETE | Integrity Impact: COMPLETE | Availability Impact: COMPLETE
Florida-based software vendor Kaseya on Sunday rolled out urgent updates to address critical security vulnerabilities in its Virtual System Administrator (VSA) solution, which was used as a jumping-off point to target as many as 1,500 businesses across the globe as part of a widespread supply-chain ransomware attack.
Following the incident, the company had urged on-premises VSA customers to shut down their servers until a patch was available. Now, almost 10 days later, the firm has shipped VSA version 9.5.7a (9.5.7.2994) with fixes for three new security flaws:
The security issues are part of a total of seven vulnerabilities that were discovered and reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) earlier in April, of which four other weaknesses were remediated in previous releases:
Besides fixes for the aforementioned shortcomings, the latest version also resolves three other flaws, including a bug that exposed weak password hashes in certain API responses to brute-force attacks, as well as a separate vulnerability that could allow the unauthorized upload of files to the VSA server.
For additional security, Kaseya is recommending limiting access to the VSA Web GUI to local IP addresses by blocking inbound port 443 on the internet firewall for on-premises installations.
Kaseya is also warning its customers that installing the patch will force all users to change their passwords after login to meet new password requirements, adding that select features have been replaced with improved alternatives and that the "release introduces some functional defects that will be corrected in a future release."
Besides the roll-out of the patch for on-premises versions of its VSA remote monitoring and management software, the company has also begun reinstating its VSA SaaS infrastructure. "The restoration of services is progressing according to plan, with 60% of our SaaS customers live and servers coming online for the rest of our customers in the coming hours," Kaseya said in a rolling advisory.
The latest development comes days after Kaseya cautioned that spammers are capitalizing on the ongoing ransomware crisis to send out fake email notifications that appear to be Kaseya updates, only to infect customers with Cobalt Strike payloads to gain backdoor access to the systems and deliver next-stage malware.
Kaseya has said multiple flaws were chained together in what it called a "sophisticated cyberattack", and while it isn't exactly clear how it was executed, it's believed that a combination of CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120 was used to carry out the intrusions. REvil, a prolific ransomware gang based in Russia, has claimed responsibility for the incident.
The abuse of trusted partners such as software makers or service providers like Kaseya to identify and compromise new downstream victims, often called a supply-chain attack, combined with file-encrypting ransomware infections, has also made this one of the largest and most significant such attacks to date.
Interestingly, Bloomberg on Saturday reported that five former Kaseya employees had flagged the company about "glaring" security holes in its software between 2017 and 2020, but their concerns were brushed off.
"Among the most glaring problems was software underpinned by outdated code, the use of weak encryption and passwords in Kaseya's products and servers, a failure to adhere to basic cybersecurity practices such as regularly patching software and a focus on sales at the expense of other priorities," the report said.
The Kaseya attack marks the third time that ransomware affiliates have abused Kaseya products as a vector to deploy ransomware.
In February 2019, the Gandcrab ransomware cartel (which later evolved into Sodinokibi and REvil) leveraged a vulnerability in a Kaseya plugin for the ConnectWise Manage software to deploy ransomware on the networks of MSPs' customers. Then in June 2019, the same group went after Webroot SecureAnywhere and Kaseya VSA products to infect endpoints with Sodinokibi ransomware.