Florida-based software vendor Kaseya on Sunday rolled out software updates to address critical security vulnerabilities in its Virtual System Administrator (VSA) software that were used as a jumping-off point to target up to 1,500 companies across the world as part of a vast supply chain ransomware attack.
Following the incident, the company urged on-premise VSA customers to shut down their servers until a fix became available. Now, almost 10 days later, the company has shipped VSA version 9.5.7a (22.214.171.12494) with fixes for three new security vulnerabilities –
- CVE-2021-30116 – Leaked credentials and business logic flaw
- CVE-2021-30119 – Cross-site scripting vulnerability
- CVE-2021-30120 – Two-factor authentication bypass
The security issues are among a total of seven vulnerabilities discovered and reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) earlier in April, four of which were fixed in previous versions –
- CVE-2021-30117 – SQL injection vulnerability (Fixed in VSA 9.5.6)
- CVE-2021-30118 – Remote code execution vulnerability (Fixed in VSA 9.5.5)
- CVE-2021-30121 – Local file inclusion vulnerability (Fixed in VSA 9.5.6)
- CVE-2021-30201 – XML External Entity Vulnerability (Fixed in VSA 9.5.6)
In addition to fixes for the aforementioned shortcomings, the latest version also fixes three other flaws, including a bug that exposed weak password hashes in some API responses to brute-force attacks, as well as a separate vulnerability that could allow the unauthorized upload of files to the VSA server.
For added security, Kaseya is recommending that customers limit access to the VSA Web GUI to local IP addresses by blocking incoming port 443 on their Internet firewall.
Kaseya is also warning its customers that installing the patch will require all users to change their passwords after logging in to meet new password requirements, adding that some features have been replaced with improved alternatives and that the “version introduces functional flaws which will be corrected in a future version.”
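The firewall recommendation above is a concrete, testable policy: inbound TCP/443 to the VSA web GUI is accepted only from local networks and dropped from everywhere else. The following added example (not Kaseya's code or guidance beyond that one sentence) models that policy so an administrator can check it against individual connections, audit a connection log to see what the rule would have blocked before turning it on, and render an equivalent nftables ruleset. The "local" network ranges (RFC 1918), the `src=... dport=...` log format, the sample log lines and the `vsa_gui` table name are all constructed assumptions for illustration.

```python
"""Model of the 'accept TCP/443 only from local networks' policy for the VSA web GUI.

Added example, not Kaseya's code. Network ranges, log format and table name
are assumptions chosen for illustration.
"""
import ipaddress
import re

# Assumed "local" networks: the RFC 1918 ranges stand in for a site's own LANs/VPN.
LOCAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
VSA_WEB_PORT = 443  # the port Kaseya recommends blocking at the Internet firewall

# Constructed log lines in an assumed "src=... dport=..." format (not real VSA logs).
SAMPLE_LOG = """\
2021-07-11T09:58:01Z src=192.168.10.25 dport=443
2021-07-11T09:58:07Z src=203.0.113.40 dport=443
2021-07-11T09:58:09Z src=10.20.0.7 dport=443
2021-07-11T09:58:12Z src=198.51.100.9 dport=22
2021-07-11T09:58:15Z src=198.51.100.9 dport=443
"""


def evaluate(src_ip, dst_port, allowed=LOCAL_NETWORKS):
    """Apply the policy to one inbound connection.

    Returns "accept" (local source to the GUI port), "drop" (non-local source
    to the GUI port) or "pass" (any other port, left to the rest of the ruleset).
    """
    if dst_port != VSA_WEB_PORT:
        return "pass"
    addr = ipaddress.ip_address(src_ip)
    # Membership is version-aware: an IPv6 source never matches an IPv4 range,
    # so it falls through to "drop" rather than raising.
    if any(addr in net for net in allowed):
        return "accept"
    return "drop"


LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dport=(?P<dport>\d+)")


def audit(log_text, allowed=LOCAL_NETWORKS):
    """Count how the connections in a log would fare under the policy.

    Run this before enabling the rule: a GUI that is meant to be internal-only
    but shows many would-be "drop" connections is itself a finding to look into.
    Returns (verdict counts, sorted list of non-local sources that hit the GUI port).
    """
    counts = {"accept": 0, "drop": 0, "pass": 0}
    dropped_sources = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that carry no connection record
        verdict = evaluate(m["src"], int(m["dport"]), allowed)
        counts[verdict] += 1
        if verdict == "drop":
            dropped_sources.add(m["src"])
    return counts, sorted(dropped_sources)


def render_nftables(allowed=LOCAL_NETWORKS, table="vsa_gui"):
    """Render the same policy as an nftables ruleset (IPv4 ranges only)."""
    elements = ", ".join(str(n) for n in allowed if n.version == 4)
    return (
        f"table inet {table} {{\n"
        f"    set local_nets {{\n"
        f"        type ipv4_addr\n"
        f"        flags interval\n"
        f"        elements = {{ {elements} }}\n"
        f"    }}\n"
        f"    chain input {{\n"
        f"        type filter hook input priority 0; policy accept;\n"
        f"        tcp dport {VSA_WEB_PORT} ip saddr @local_nets accept\n"
        f"        tcp dport {VSA_WEB_PORT} drop\n"
        f"    }}\n"
        f"}}\n"
    )


if __name__ == "__main__":
    counts, sources = audit(SAMPLE_LOG)
    print("verdicts:", counts)
    print("non-local sources reaching the GUI port:", sources)
    print(render_nftables())
```

On the constructed log, the audit reports two accepted local connections, one unrelated SSH connection that the rule ignores, and two connections from non-local addresses that the rule would drop; those two sources are exactly what an operator would want to review before (and after) applying the rendered ruleset with `nft -f`.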
In addition to deploying the patch for on-premises versions of its VSA remote monitoring and management software, the company also began restoring its VSA SaaS infrastructure. “Service restoration is progressing as expected, with 60% of our SaaS customers live and servers online for the rest of our customers in the coming hours,” Kaseya said in a rolling advisory.
The latest development comes days after Kaseya warned that spammers are taking advantage of the current ransomware crisis to send fake email notifications that appear to be updates from Kaseya, only to infect customers with Cobalt Strike payloads that give the attackers access to systems and deliver next-stage malware.
Kaseya said several flaws were chained in what it called a “sophisticated cyberattack,” and it is believed that a combination of CVE-2021-30116, CVE-2021-30119 and CVE-2021-30120 was used to carry out the intrusions. REvil, a prolific Russia-based ransomware gang, claimed responsibility for the incident.
The use of trusted partners such as software makers or service providers like Kaseya to identify and compromise new downstream victims, often referred to as a supply chain attack, combined with file-encrypting ransomware infections, has also made it one of the largest and most significant attacks of its kind to date.
Interestingly, Bloomberg reported on Saturday that five former Kaseya employees reported “glaring” security flaws in its software to the company between 2017 and 2020, but their concerns were dismissed.
“Among the most glaring issues were software with outdated code, the use of weak encryption and passwords in Kaseya’s products and servers, the failure to adhere to basic cybersecurity business practices such as regularly updating software, and emphasizing sales at the expense of other priorities,” the report said.
The Kaseya attack marks the third time that ransomware affiliates have abused Kaseya products as a vehicle to deploy ransomware.
In February 2019, the GandCrab ransomware cartel – which later evolved into Sodinokibi and REvil – exploited a vulnerability in a Kaseya plug-in for the ConnectWise Manage software to deploy ransomware on MSP customer networks. Then, in June 2019, the same group abused the Webroot SecureAnywhere and Kaseya VSA products to infect endpoints with Sodinokibi ransomware.